Installation Guide for Cisco Secure ACS for Windows 4.2.1
Installing Cisco Secure ACS for Windows
Downloads: This chapterpdf (PDF - 334.0KB) The complete bookPDF (PDF - 1.41MB) | Feedback

Installing Cisco Secure ACS for Windows

Table Of Contents

Installing Cisco Secure ACS for Windows

Understanding Your ACS System

Preparing to Install or Upgrade ACS

System Requirements

ACS for Windows and Windows AD

Third Party Software Requirements

Network and Port Requirements

Backing Up Data Before Installation

Gathering Answers for the Installation Questions

Disabling NetBIOS

Installation and Upgrade Scenarios

Installing ACS for the First Time

Reinstalling or Upgrading ACS

Reinstalling or Upgrading an Existing Configuration

Reinstalling or Upgrading ACS without Data Preservation

ACS on a Windows 64-bit Machine

Installing ACS 4.2 on a Windows 64-bit Machine

Upgrading to ACS 4.2.1 on a Windows 64-bit Machine


Installing Cisco Secure ACS for Windows


This chapter provides information about installing, reinstalling, and upgrading to Cisco Secure Access Control Server Release 4.2.1 for Windows, hereafter referred to as ACS.

This chapter contains:

Understanding Your ACS System

Preparing to Install or Upgrade ACS

Installation and Upgrade Scenarios

Installing ACS for the First Time

Reinstalling or Upgrading ACS

ACS on a Windows 64-bit Machine

Understanding Your ACS System

You can use ACS network security software to authenticate users by controlling access to an Authentication, Authorization, and Accounting (AAA) client—any one of many network devices that you can configure to defer authentication and authorization of network users to a AAA server. ACS operates as a set of Windows-based services that controls the authentication, authorization, and accounting of user access to networks.

ACS operates on Windows 2000 server, Windows 2003 server, and Windows 2008 server. ACS can run on a domain controller or a member server. For information about supported operating systems, see System Requirements, or the latest version of the Release Notes at:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

ACS can also run on a Windows Server with Network Basic Input/Output System (NetBIOS) disabled.


Note If you want to authenticate users with a Windows Security Account Manager user database or an Active Directory (AD) user database, additional Windows configuration is required after you install ACS. For more information, see Windows Authentication Configuration.


For additional information about ACS, see the User Guide for Cisco Secure Access Control Server 4.2.

Preparing to Install or Upgrade ACS

The following sections describe actions to take before you install or upgrade ACS:

System Requirements

Third Party Software Requirements

Network and Port Requirements

Backing Up Data Before Installation

Gathering Answers for the Installation Questions

Disabling NetBIOS


Note ACS will not install properly if a Sybase server is installed on the same machine.


System Requirements

Your ACS server must meet certain minimum hardware and operating system requirements.

The following tables list these requirements:

ACS for Windows Server Requirements, Table 1-1

ACS for Windows Web Client Requirements, Table 1-2

ACS for Windows Server UCP Requirements, Table 1-3


Note ACS for Windows supports the multiprocessor feature on dual processor computers.


The Windows 2000 Datacenter server is not a supported operating system.

You can apply windows service packs before or after installing ACS. If you do not install a required service pack before installing ACS, the ACS installation program may warn you that the required service pack is not present. If you receive a service pack error message, continue the installation, and then install the required service pack before starting user authentication.

Table 1-1 ACS for Windows Server Requirements 

Component
Minimum Requirement

Hardware

Intel Pentium or Xeon family with Intel 64 technology or compatible processor with 2.13 GHz or faster.

Color monitor with minimum graphics resolution of 256 colors at 800 x 600 resolution

CD-ROM drive

100BaseT or faster connection

Operating System

Windows Server 2000 (English version only)

Windows 2000 Advanced Server Service Pack 4 without features specific to Windows 2000 Advanced Server enabled or without Microsoft clustering service installed (English version only)

Windows Server 2003 Service Pack 1, Enterprise Edition or Standard Edition (English version only)

Japanese Windows 2003 server, Service Pack 1

Japanese Windows 2003 server, Service Pack 2, Enterprise Edition.

Japanese Windows 2003 server, Service Pack 2, R2, Enterprise Edition.

Japanese Windows 2003 server, Service Pack 2, Standard Edition.

Japanese Windows 2003 server, Service Pack 2, R2, Standard Edition.

Windows Server 2003, R2, Standard Edition

Windows Server 2003, Service Pack 2

Windows Server 2003, R2, Service Pack 2

Windows Server 2003 R2 x64, Standard Edition Services Pack 2

Windows Server 2003 R2 x64, Enterprise Edition Services Pack 2

Windows Server 2008 x32 and x64, Standard Edition Services Pack 2

Windows Server 2008 x32 and x64, Enterprise Edition Services Pack 2.

Note ACS 4.2.1 for Windows supports 64-bit operating systems.

Note ACS 4.2.1 does not support Windows Server 2008 R2.

File System

New Technology File System (NTFS)

Memory

4 Gigabyte, recommended.

Virtual Memory

1 Gigabyte, minimum

Hard Drive Space

At least 4 GB of free hard drive space, minimum. 16 GB of free hard drive space is recommended.

Note The actual amount of hard drive space required depends on several factors, including log file growth, and replication or back up purposes.


ACS 4.2.1 supports Oracle database 10g. The following features are supported on Oracle database 10g:

ODBC logging

Authentication (PAP, CHAP)

For more information on these features see the User Guide for Cisco Secure Access Control Server 4.2.1.

We also tested ACS 4.2.1 on the following VMWare platform:

VMWare ESX server 3.0.0

RAM—16.0 GB

Processor—AMD Opteron Dual core

HDD—300 GB

Number of Virtual machines—4

Guest operating system—Windows 2003 Standard Edition and Windows 2008 standard Edition.

RAM for each guest operation system—3 GB

Table 1-2 ACS for Windows Web Client Requirements  

Component
Minimum Requirement

Hardware/Software

IBM PC compatible computer with Pentium IV processor running:

Windows 2000 Server, or Advanced Server, Service Pack 4

Windows 2000, Service Pack 4

Windows XP, Service Pack 2

Windows 2003, Service Pack 1, Enterprise or Standard Edition (English version only)

Windows Server 2003, R2, Standard Edition

Windows Server 2003, Service Pack 2

Windows Server 2003, R2, Service Pack 2

Windows Vista, Service Pack 1

Windows Server 2008, Standard Edition

Windows Server 2008, Enterprise Edition

Hard Drive Space

400 MB virtual memory

Memory

256 MB minimum

Browser

You must also install one of the following HTML browsers:

Microsoft Internet Explorer 6 Service Pack 1 and 5.5 for Windows-English and Japanese versions

Microsoft Internet Explorer 7 Service Pack 2 for Windows Server 2003 and Service Pack 2 for Windows XP

Mozilla Firefox 2.0 and 2.0.0.6

Netscape Web Browser 7.0, 7.1, and 7.2 for Windows-English and Japanese versions1

Java Run-time Environment (JRE)

Sun JRE 1.4.2_04

Sun JRE 1.4.2_16

Sun JRE 5.0 Update 13

Sun JRE 6.0 Update 3

1 Several known problems result from using Netscape Communicator with ACS. For more information, see the Release Notes for Cisco Secure ACS for Windows 4.2.1 on Cisco.com.


Table 1-3 ACS for Windows Server UCP Requirements

Component
Minimum Requirement
User Changeable Password (UCP) Web Server

Microsoft IIS 5.0

Apache 1.3 web server


ACS for Windows and Windows AD

Following are the supported operating system options for ACS for Windows and Windows Active Directory (AD):

ACS 4.2.1 on a 64-bit OS to Windows AD on a 64-bit OS

ACS 4.2.1 on a 64-bit OS to Windows AD on a 32-bit OS

ACS 4.2.1 on a 32-bit OS to Windows AD on a 64-bit OS

ACS 4.2.1 on a 32-bit OS to Windows AD on a 32-bit OS


Note Service Pack 2 is required for Windows 2003 and Windows 2008 on 32-bit or 64-bit operating system.


Third Party Software Requirements

The release notes provide information about third party software products that we tested with ACS and support, including applications such as:

Web browsers and Java virtual machines

Novell Directory Server (NDS) clients

Token-card clients

Other than the software products described in the release notes, we have not tested the interoperability of ACS and other software products on the same computer. We only support the interoperability issues of software products that the Release Notes mention.

The most recent version of the Release Notes is posted on Cisco.com, accessible from:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

Network and Port Requirements

Your network should meet the following requirements before you begin deploying ACS:

For full Terminal Access Controller Access Control System + (TACACS+)and Remote Access Dial-in User Service (RADIUS) support on Cisco IOS devices, AAA clients must run Cisco IOS Release 11.1 or later.

You must configure non-Cisco IOS AAA clients with TACACS+, RADIUS, or both.

Dial-in, Virtual Private Network (VPN), or wireless clients must be able to connect to the applicable AAA clients.

The computer that is running ACS must be able to ping all AAA clients.

Gateway devices between ACS and other network devices must permit communication over the ports needed to support the applicable feature or protocol. For information about ports to which ACS listens, see Table 1-4.

You must install a supported web browser on the computer that is running ACS. For the most recent information about tested browsers, see the Release Notes, available on Cisco.com: http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_notes_list.html

You must enable all network cards in the computer that is running ACS. If you disable a network card, the wrong IP might be selected, and the installing of ACS may proceed slowly, due to delays caused by Microsoft CryptoAPI.


Note We tested ACS on computers that contain only one network interface card.


When authorizing network users, if you want ACS to use the Grant Dial-in Permission to User feature in Windows, you must check this check box in the Windows User Manager or AD Users and Computers for the applicable user accounts.

Table 1-4 lists the ports on which ACS listens for communications with AAA clients, other ACS machines and applications, and web browsers. ACS uses other ports to communicate with external user databases; however, it initiates those communications rather than listening to specific ports. For example, if ACS initiates communications with Lightweight Directory Access Protocol (LDAP) or RADIUS token server databases, you can configure these destination ports in ACS. For more information about ports to which a particular external user database listens, see the documentation for that database.

Table 1-4 Ports that ACS Listens on 

Feature or Protocol
UDP or TCP
Ports

RADIUS authentication and authorization

UDP

1645, 1812

RADIUS accounting

UDP

1646, 1813

TACACS+

TCP

49

Cisco Secure Database Replication

TCP

Default port 2000. Configurable port 2010 through 2025

RDBMS Synchronization with synchronization partners

TCP

Default port 2000. Configurable port 2010 through 2025

User-Changeable Password web application

TCP

2000

Logging

TCP

2001

Administrative HTTP port for new sessions

TCP

2002

Administrative HTTP port range

TCP

Configurable; default 1024 through 65535


Backing Up Data Before Installation

Before you install or upgrade ACS, we strongly recommend that you back up the computer on which you install ACS by using a Windows backup utility of your choice. Include the Windows registry in the backup.

If you are upgrading or reinstalling ACS, use the ACS Backup feature to back up the ACS configuration and database, and then copy the backup file to a drive that is not local to the computer on which ACS is running. For information about backing up ACS, see the User Guide for Cisco Secure ACS 4.2.1.

You can use a new back up and restore option in the ACS System Restore Setup page to back up and restore the ACS System Configuration and User and Group database, when upgrading from ACS version 4.2 to 4.2.1. This feature is applicable for both Windows and SE platforms of ACS.


Note If you are upgrading ACS rather than reinstalling, the backups that you create cannot be used for the upgraded installation; they provide for recovery if you need to restore your previous installation of ACS. But, in ACS 4.2.1, you can restore the ACS 4.2 or ACS 4.2 patch configuration after installing ACS 4.2.1.


Gathering Answers for the Installation Questions

During new installations, or upgrades and reinstallations that do not preserve the existing configuration, the installation requires specific information about the computer on which you want to install ACS. To facilitate the installation, collect the applicable information before you begin the installation.


Note You do not need to perform the following procedure, if you are upgrading or reinstalling ACS and intend to keep the existing configuration and database. This procedure requires information that is already recorded in your ACS installation.


To collect information that is required during the installation of ACS:


Step 1 Determine whether the computer on which you will install ACS is a domain controller or a member server. If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, in Windows Authentication Configuration.

Step 2 Confirm that:

End user clients can successfully connect to AAA clients.

This Windows Server can ping the AAA clients.

Any Cisco IOS clients are running Cisco IOS release 11.1 or later.

You installed Microsoft Internet Explorer 6.0 Service Pack 1 or Microsoft Internet Explorer 7.0 or Mozilla Firefox 2.0 or Netscape 7.02. or Netscape 8.x.

Step 3 Create a password for your database access. You will need this password to manage your database information. Keep this password in a safe, accessible place so that technical support can gain access to the database.


Disabling NetBIOS

NetBIOS (NBT or NetBT) is an API that allows applications on different computers to communicate with each other over a LAN. NBT is a broadcast-based, non routable, insecure transport protocol and session-level interface that normally runs over TCP/IP. NetBT found its way into the early versions of Windows and still functions on many legacy machines like Windows 9x and Windows NT. These machines require NetBIOS to function properly on the network. However, since the evolution of Windows 2000, Domain Name Service (DNS) has become the default name-resolution method for windows-based networking. Although Windows 2000, Windows XP, and Windows Server 2003 provide the option of disabling NetBIOS over TCP/IP, many corporate networks are reluctant to do so because they still use legacy machines on their networks. ACS 4.2.1 supports the Windows server with NetBIOS disabled. You must disable NetBT in Windows.

Installation and Upgrade Scenarios

This installation guide provides detailed procedures for installing, reinstalling, and upgrading ACS. You must select the right procedure for your situation.

ACS for Windows supports the following upgrade scenarios:

ACS 3.3.x to ACS 4.2— You can upgrade from ACS 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2, or 3.3.4) to ACS 4.2 on Windows.

ACS 4.0 to ACS 4.2— You can upgrade from ACS 4.0 to ACS 4.2 on Windows.

ACS 4.1 to ACS 4.2— You can upgrade from ACS 4.1.1.23, 4.1.1.24, 4.1.2, 4.1.3 or 4.1.4 to ACS 4.2 on Windows.

ACS 4.2 to ACS 4.2.1— You can upgrade from ACS 4.2 to ACS 4.2.1 on Windows.


Note You cannot directly upgrade ACS 3.2.x or 3.3.x or 4.x to ACS 4.2.1. You must first upgrade to ACS 4.2, back up the ACS 4.2 configuration and then upgrade to ACS 4.2.1.



Note If you are upgrading from ACS 4.0 to ACS 4.1, you must install the CSCsh32888 patch on the 4.0 installation before upgrading to ACS 4.1.


Table 1-5 lists the possible installation and upgrade scenarios. Determine which procedure applies to your situation.


Note Before you perform any installation or upgrade procedure, we strongly recommend that you read Preparing to Install or Upgrade ACS, and perform the applicable tasks in that section.


Table 1-5 Installation and Upgrade Scenarios 

If your installation scenario is a:
Refer to ...

First time installation

Installing ACS for the First Time

Reinstallation, preserving the ACS internal database and ACS configuration

Reinstalling or Upgrading an Existing Configuration

Reinstallation, overwriting the ACS internal database and ACS configuration

Reinstalling or Upgrading ACS without Data Preservation

Upgrade, preserving the ACS internal database and ACS configuration

Reinstalling or Upgrading an Existing Configuration

Upgrade, overwriting the ACS internal database and ACS configuration

Reinstalling or Upgrading ACS without Data Preservation


Depending on the ACS version you are upgrading from, there are different paths for upgrading to ACS 4.2.1. Table 1-6 describes the various upgrade use cases that you can use to decide the appropriate upgrade path to follow.

Table 1-6 Upgrade Use Cases  

Upgrade Path
Results

Full Upgrade for versions Prior to 3.3.3 to 4.2.1

To perform a full upgrade with data restore from:

1. ACS SW 3.3.x to ACS SW 3.3.4

a. Back up your ACS SW 3.3.x configuration.

b. Use the ACS SW 4.2 Overall Upgrade CD.

c. From the CD, use the ACS SW 3.3.4 upgrade.

ACS SW 3.3.4 is installed.

For instructions on upgrading to ACS 3.3.3, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 3.3 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_solution_engine/3.3/release/notes/
RNsol331.html

2. ACS SW 3.3.4 to ACS SW 4.1.1.24

a. Back up your ACS SW 3.3.4 configuration.

b. Use the ACS SW 4.2 Overall Upgrade CD.

c. From the CD, use the 4.1.1.24 upgrade.

ACS SW 4.1.1.24 is installed.

For instructions on upgrading to ACS 3.3.3, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 3.3 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_solution_engine/3.3/release/notes/
RNsol331.html

3. ACS SW 4.1.1.24 to ACS SW 4.2

a. Back up your ACS 4.1.1.24 configuration.

b. Use the ACS SW 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SW 4.2 Recovery CD for the Cisco 1112 SW appliance and the ACS SW 4.2 Recovery DVD for the Cisco 1113 SW appliance.

ACS SW 4.2 is installed.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_windows/4.1.2/release/notes/acs412.html

ACS SW 3.3.4 is installed.

ACS SW 4.1.1.24 is installed.

ACS SW 4.2 is installed.

4. ACS SW 4.2 to ACS SW 4.2.1

a. Back up your ACS 4.2 configuration

b. Download the ACS SW 4.2.1 software image.

c. Upgrade to ACS SW 4.2.1.

AS SW 4.2.1 is installed

For instructions on upgrading to ACS 4.2.1, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2.1.

ACS SW 4.2.1 is installed.

Full Upgrade from versions 3.3.3 or 3.3.4 to 4.2.1

To perform a full upgrade with data restore from:

1. ACS SW 3.3.3 or 3.3.4 to ACS SW 4.1.1.24

a. Back up your ACS SW 3.3.3 or 3.3.4 configuration.

b. Use the ACS SW 4.2 Overall Upgrade CD.

c. From the CD, use the ACS SW 4.1.1.24 upgrade.

ACS SW 4.1.1.24 is installed.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_windows/4.1.2/
release/notes/acs412.html

2. ACS SW 4.1.1.24 to ACS SW 4.2

a. Back up your 4.1.1.24 configuration.

b. Use the ACS SW 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SW 4.2 Recovery CD for the Cisco 1112 SW appliance and the ACS SW 4.2 Recovery DVD for the Cisco 1113 SW appliance.

ACS SW 4.2 is installed.

For instructions on upgrading to ACS 4.2, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html

3. ACS SW 4.2 to ACS SW 4.2.1

a. Back up your ACS 4.2 configuration.

b. Download the ACS SW 4.2.1 software image.

c. Upgrade to ACS SW 4.2.1.

AS SW 4.2.1 is installed

For instructions on upgrading to ACS 4.2.1, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2.1.

ACS SW 4.1.1.24 is installed.

ACS SW 4.2 is installed.

ACS SW 4.2.1 is installed.

ACS SW 4.1.1.24 configuration is upgraded to ACS SW 4.2.1 configuration.

Full Upgrade from version 4.0 to 4.2.1

To perform a full upgrade with data restore from:

1. ACS SW 4.0 to ACS SW 4.1.1.24

a. Install the CSCsh32888 patch before taking a back up of the ACS SW 4.0 configuration.

b. Back up your ACS SW 4.0 configuration.

c. Use the ACS SW 4.2 Overall Upgrade CD.

d. From the CD, use the ACS SW 4.1.1.24 upgrade.

ACS SW 4.1.1.24 is installed.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_windows/4.1.2/
release/notes/acs412.html

2. ACS SW 4.1.1.24 to ACS SW 4.2

a. Back up your 4.1.1.24 configuration.

b. Use the ACS SW 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SW 4.2 Recovery CD for the Cisco 1112 SW appliance and the ACS SW 4.2 Recovery DVD for the Cisco 1113 SW appliance.

ACS SW 4.2 is installed.

c. Restore the 4.1.1.24 configuration.

For instructions on upgrading to ACS 4.2, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2 at:

http://www.cisco.com/en/US/docs/net_mgmt/
cisco_secure_access_control_server_for_windows/4.2/
release/notes/ACS42_RN.html

3. ACS SW 4.2 to ACS SW 4.2.1

a. Back up your ACS 4.2 configuration.

b. Download the ACS SW 4.2.1 software image.

c. Upgrade to ACS SW 4.2.1.

AS SW 4.2.1 is installed

For instructions on upgrading to ACS 4.2.1, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2.1.

ACS SW 4.1.1.24 is installed.

ACS SW 4.2 is installed.

ACS SW 4.2.1 is installed.

ACS SW 4.1.1.24 configuration is upgraded to ACS SW 4.2.1 configuration.


Installing ACS for the First Time

This section contains information on how to install ACS for the first time.


Note For information about upgrading or reinstalling an existing ACS installation, see Table 1-5.


Before You Begin

For information about what must be completed before installing ACS,

see Preparing to Install or Upgrade ACS.


Note We did not test, nor do we support, remote installations that you perform by using Windows Terminal Services or Remote Desktop (RDP). Do not install or upgrade over a remote connection using Terminal Services or RDP. We recommend that you disable Terminal Services and RDP while performing any installation or upgrade. We have tested Virtual Network Computing (VNC) successfully.


To install ACS:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2 Insert the ACS CD into a CD-ROM drive on the computer.

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run Setup.exe, which resides in the root directory of the ACS CD.

Step 3 In the Cisco Secure ACS for Windows dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but you must install the required service pack after the installation is complete; otherwise, ACS may not function reliably.

The Cisco Secure ACS v4.2 Setup dialog box displays the software license agreement.

Step 4 If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays information about the setup program.

Step 5 Read the information in the Welcome dialog box and click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 6 Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 7 After you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Choose Destination Location dialog box appears.

Step 8 To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.


Note Do not specify a path with a folder that contains only a percent symbol (%). If you do, installation may appear to continue properly but will fail before it ends.


Step 9 Click Next.

The Authentication Database Configuration dialog box appears.

Step 10 Choose an option. To authenticate users with:

The ACS internal database only, check Check the ACS Internal database only.

A Windows Security Access Manager (SAM) user database or AD user database in addition to the ACS internal database, check Also check the Windows User Database.

The Yes, refer to "Grant dial-in permission to user" check box is enabled when you select the Also check the Windows User Database option. This option applies to all forms of access that ACS controls; not just dial-in access. For example, a user who accesses your network through a VPN tunnel is not dialing in to a network access server; however, if you check Yes, refer to "Grant dial-in permission to user" check box, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.

If you want to grant access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, check Yes, refer to "Grant dial-in permission to user" check box.


Note After you install ACS, you can configure authentication support for all external user database types in addition to Windows user databases.


Step 11 Click Next.

The setup program installs ACS and updates its configuration.

The Advanced Options dialog box appears.

Step 12 Choose the features that you want to enable.

These features are not enabled by default; they appear in the ACS web interface only if you enable them. To view the web interface:

In the navigation bar, click Interface Configuration.

Click Advanced Options.

The web interface appears.

For more information about these features, see the User Guide for Cisco Secure ACS 4.2.1.


Note After installation, you can enable or disable advanced features on the Advanced Options page in the Interface Configuration section.


Step 13 Click Next.

The Active Service Monitoring dialog box appears.

Step 14 Choose service monitoring features:

If you want ACS to monitor user authentication services, check Enable Login Monitoring. From the Script to execute list, choose the option that you want applied in the event of authentication service failure. The options are:

No Remedial Action—ACS does not run a script. This option is useful if you enable event e-mail notifications.

Reboot—ACS runs a script that reboots the computer that runs ACS.

Restart All—ACS restarts all ACS services.

Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

If you want ACS to send an e-mail message when service monitoring detects an event, check the Enable Mail Notifications checkbox. The SMTP mail server and Mail account to notify fields are enabled. You must enter the following information:

SMTP mail server - Name and domain of the mail server that is sending the notification.

Mail account to notify- The e-mail address of the intended recipient.


Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.


Step 15 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 16 You must enter a password and for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 17 Click Next.

The setup program ends and the Cisco Secure ACS Service Initiation dialog box appears.

Step 18 For each option that you require, check the corresponding check box. The actions that are associated with the options occur after the setup program ends. The check boxes are:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not check this check box, the ACS web interface is not available; unless you reboot the computer or start the CSAdmin service.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS web interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 19 Click Next.

The ACS service installation starts. The Setup Complete dialog box displays information about the ACS web interface.

Step 20 Click Finish.

The setup program exits. If, in Step 17, you chose the options to view the web interface or README.TXT file, those options become effective now.

Step 21 If you did not choose the options in Step 17. To:

Start ACS services, reboot the computer, or type net start csadmin at a DOS prompt.

Access the ACS web interface, use the ACS Admin desktop icon, or use this URL in a supported web browser:

http://127.0.0.1:2002

http://localhost:2002


Note For more information on supported web browsers see Browser




Note During installation a setup log text file, acssetup.log, is created in the C: drive. This log records each stage of the installation process that is completed, and can be used for troubleshooting.


What to Do Next

If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, which Windows Authentication Configuration.

You can also disable NetBIOS on Windows Server since ACS can support Windows Server with NetBIOS disabled.

Reinstalling or Upgrading ACS

You can reinstall ACS over the same version that is already installed. This procedure is also known as overinstalling ACS. You can also upgrade to ACS 4.2.1 from ACS 4.2.

You can upgrade and reinstall ACS with the existing configuration and database information, or without preserving the data from the existing installation.

You can back up and restore the ACS system configuration and user and group database, when upgrading from ACS version 4.2 to 4.2.1. This feature is applicable for the Windows and SE platforms of ACS.

The upgrade process to ACS 4.2.1 transforms the data from ACS 4.2 to conform to the data structures and values in ACS 4.2.1.


Note You cannot directly upgrade from ACS 4.0 to ACS 4.2.1, you must first upgrade to ACS 4.1, then to ACS 4.2, and then upgrade to ACS 4.2.1. Before upgrading from ACS 4.0 to ACS 4.2, you must install the CSCsh32888 patch on the 4.0 installation and then upgrade to ACS 4.2.


The new ACS 4.2.1 attributes are set to the default values, which do not affect the existing configuration, except for:

The timestamps for Administrator passwords are reset to the time of the upgrade.

MAC addresses that reside in the ACS internal database are converted to a single hexadecimal format. If the database contained multiple representations of the same MAC address, the redundant MAC addresses that the conversion creates are removed.


Note We did not test, nor do we support remote installations that you perform by using Windows Terminal Services or RDP. Do not install or upgrade over a remote connection using Terminal Services or RDP. We recommend that you disable Terminal Services and RDP while performing any installation or upgrade. VNC has been tested successfully.


For upgrading or reinstalling ACS, see:

Reinstalling or Upgrading an Existing Configuration

Reinstalling or Upgrading ACS without Data Preservation

If you are installing ACS for the first time, see Installing ACS for the First Time.

Reinstalling or Upgrading an Existing Configuration

Use this procedure to reinstall or upgrade ACS if you want to preserve all existing configuration and database information.

Before You Begin

For information about what you must complete before reinstalling or upgrading ACS, see Preparing to Install or Upgrade ACS.

Close all applications or command windows that are accessing any directory in the ACS directory. The installation cannot succeed if another process is using the ACS directory or any of its subdirectories. For example, if Windows Explorer is displaying the contents of a ACS directory, installation fails.

To reinstall or upgrade ACS, and preserve the existing configuration and ACS internal database:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2 Download the ACS 4.2.1 upgrade image from Cisco.com.

Step 3 Extract the ACS-4.2.1.15-BIN-K9.zip file and run the Setup.exe file

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

Step 4 In the Cisco Secure ACS for Windows Server dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but you must apply the required service pack after the installation is complete; otherwise, ACS may not function reliably.

An informational dialog box displays some details about Windows authentication.

Step 5 Click OK.

The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 6 If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 7 Read the information in the Welcome dialog box, click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 8 Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 9 After you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Previous Installation Location dialog box appears.

Check Yes, keep the existing configuration.


Note You can back up and restore the ACS system configuration and database by checking this option. This is applicable to the Windows and SE platforms of ACS.



Caution If you proceed without checking the Yes, keep the existing configuration check box, the setup program deletes all existing AAA client, user, and group information.

If you are uncertain about keeping the configuration, click Explain to see details on keeping the existing configuration.

Step 10 Click Next.

The Choose Destination Location dialog box appears.

Step 11 To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation location must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.


Note Do not specify a path that contains a percent symbol (%). If you do, installation might appear to continue properly but will fail before it ends.


Step 12 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 13 You must enter a password and for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 14 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 15 For each option that you require, check the corresponding check box. The actions that are associated with each option occur after the setup program ends. The check boxes are:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not check this check box, the web interface is not available. You can start the ACS service later.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS web interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 16 Click Next.

If you chose so, the ACS services start. The Setup Complete dialog box displays information about the ACS web interface.

Step 17 Click Finish.

The setup program exits. If, in Step 15, you chose the options to view the web interface or README.TXT file, those options become effective now.

If you failed to meet the minimum system requirements, a message might appear warning you to address the problem. Click OK to continue and resolve the problem where possible.

Step 18 If you did not choose the options in Step 15, to:

Start ACS services, reboot the computer, or type net start csadmin at a DOS prompt.

Access the ACS web interface, use the ACS Admin desktop icon, or use this URL in a supported web browser:

http://127.0.0.1:2002

http://localhost:2002


Note If you previously configured ACS services to run by using a specific username, that configuration was lost during the reinstallation.



What to Do Next

If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, which Windows Authentication Configuration describes.

Reinstalling or Upgrading ACS without Data Preservation

Use this procedure to reinstall or upgrade ACS if you do not intend to preserve the existing configuration.


Caution Performing this procedure deletes the existing configuration of ACS, including all AAA client, user, and group information. Unless you first back up your ACS data and the Windows Registry, you cannot recover the previous configuration and database.

Before You Begin

For information about what you must complete before reinstalling or upgrading ACS, see Preparing to Install or Upgrade ACS.

Close all applications or command windows that are accessing any directory in the ACS directory. The installation cannot succeed if another process is using the ACS directory or any of its subdirectories. For example, if Windows Explorer is displaying the contents of an ACS directory, installation fails.

To reinstall or upgrade ACS without preserving the existing configuration or ACS internal database:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2 Download the ACS 4.2.1 upgrade image from Cisco.com.

Step 3 Extract the ACS-4.2.1.15-BIN-K9.zip file and run the Setup.exe file

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

Step 4 In the Cisco Secure ACS for Windows Server dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but the required service pack must be applied after the installation is complete; otherwise, ACS may not function reliably.

An informational dialog box displays some details about Windows authentication.

Step 5 Click OK.

The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 6 If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 7 Read the information in the Welcome dialog box and click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 8 Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 9 After you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Previous Installation Location dialog box appears.

Step 10 Leave the check box unchecked and click Next.

If ACS services are running, the Cisco Secure ACS Uninstall dialog box appears. Click Continue.

The setup program removes the previous installation of ACS.

The Choose Destination Location dialog box appears.

Step 11 To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation location must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.


Note Do not specify a path that contains a percent symbol (%). If you do, installation may appear to continue properly but will fail before it ends.


Step 12 Click Next.

The Authentication Database Configuration dialog box appears.

Step 13 Choose an option. To authenticate users with:

The ACS internal database only, check Check the Cisco Secure ACS database only.

A Windows SAM user database or AD user database in addition to the ACS internal database, click Also check the Windows User Database.

The Yes, refer to "Grant dial-in permission to user" check box is enabled when you select the Also check the Windows User Database option. This option applies to all forms of access that ACS controls; not just dial-in access. For example, a user who accesses your network through a VPN tunnel is not dialing in to a network access server; however, if you check Yes, refer to "Grant dial-in permission to user" check box, ACS applies the Windows user dial-in permissions to determine whether to grant the user access to your network.

If you want to grant access to users who are authenticated by a Windows domain user database only when they have dial-in permission in their Windows account, check Yes, refer to "Grant dial-in permission to user" check box.


Note After you install ACS, you can configure authentication support for all external user database types in addition to Windows user databases.


Step 14 Click Next.

The setup program installs ACS and updates its configuration.

The Advanced Options dialog box lists several ACS features that are not enabled by default. For more information about these features, refer to the User Guide for Cisco Secure ACS 4.2.1.


Note The features appear in the ACS web interface only if you enable them. After installation, you can enable or disable them by choosing Interface Configuration > Advanced Options.


For each feature that you want to enable, check the corresponding check box.

Step 15 Click Next.

The Active Service Monitoring dialog box appears.

Step 16 Choose service monitoring features:

If you want ACS to monitor user authentication services, check Enable Login Monitoring. From the Script to execute list, choose the option that you want applied in the event of authentication service failure. The options are:

No Remedial Action—ACS does not run a script. This option is useful if you enable event e-mail notifications.

Reboot—ACS runs a script that reboots the computer that runs ACS.

Restart All—ACS restarts all ACS services.

Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

If you want ACS to send an e-mail message when service monitoring detects an event, check the Enable Mail Notifications checkbox. The SMTP mail server and Mail account to notify fields are enabled. You must enter the following information:

SMTP mail server - Name and domain of the mail server that is sending the notification.

Mail account to notify- The e-mail address of the intended recipient.


Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.


Step 17 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 18 You must enter a password and for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 19 Click Next.

The setup program ends and the Cisco Secure ACS Service Initiation dialog box appears.

Step 20 For each option that you require, check the corresponding check box. The actions that are associated with each option occur after the setup program ends. The check boxes are:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not check this check box, the ACS web interface is not available; unless you reboot the computer or start the CSAdmin service.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS web interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 21 Click Next.

If you chose so, the ACS services start. The Setup Complete dialog box displays information about the ACS web interface.

Step 22 Click Finish.

The setup program exits. If, in Step 20, you chose the options to view the web interface or README.TXT file, those options become effective now.

On the computer that is running ACS, to access the ACS web interface click the ACS Admin desktop icon or enter this URL in a supported web browser:

http://127.0.0.1:2002

http://localhost:2002


Note The ACS web interface is available only if you chose to start ACS services in Step 20. If you did not, to make the web interface available, you can reboot the computer; or, at a DOS prompt type net start csadmin.



Note If you previously configured ACS services to run by using a specific username, that configuration was lost during the reinstallation.



What to Do Next

If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, which Windows Authentication Configuration describes.

Use this procedure to reinstall or upgrade ACS if you want to preserve all existing configuration and database information.

ACS on a Windows 64-bit Machine

ACS 4.2.1 supports the Windows 64-bit operating system. Since you can upgrade to ACS 4.2.1 only from ACS 4.2, you must first install ACS 4.2 on a Windows 64-bit machine and then upgrade to ACS 4.2.1.

In this section, we discuss about:

Installing ACS 4.2 on a Windows 64-bit Machine

Upgrading to ACS 4.2.1 on a Windows 64-bit Machine

Installing ACS 4.2 on a Windows 64-bit Machine

This section contains information on how to install ACS 4.2 on a 64-bit machine for the first time.


Note For information about upgrading or reinstalling an existing ACS installation, see Table 1-5.


Before You Begin

For information about what must be completed before installing ACS, see Preparing to Install or Upgrade ACS.


Note We did not test, nor do we support, remote installations that you perform by using Windows Terminal Services or Remote Desktop (RDP). Do not install or upgrade over a remote connection using Terminal Services or RDP. We recommend that you disable Terminal Services and RDP while performing any installation or upgrade. We have tested Virtual Network Computing (VNC) successfully.



Note After installing ACS 4.2 and before upgrading to ACS 4.2.1, do not restart the ACS services on the
Windows 64-bit machine.


To install ACS 4.2 on a Windows 64-bit machine:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2 Insert the ACS CD into a CD-ROM drive on the computer.

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

If the CD-ROM drive supports the Windows autorun feature, the ACS for Windows dialog box appears; otherwise, run Setup.exe, which resides in the root directory of the ACS CD.

Step 3 In the Cisco Secure ACS for Windows dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but you must install the required service pack after the installation is complete; otherwise, ACS may not function reliably.

The Cisco Secure ACS v4.2 Setup dialog box displays the software license agreement.

Step 4 If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays information about the setup program.

Step 5 Read the information in the Welcome dialog box and click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 6 Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 7 After you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Choose Destination Location dialog box appears.

Step 8 To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.


Note Do not specify a path with a folder that contains only a percent symbol (%). If you do, installation might appear to continue properly but will fail before it ends.


Step 9 Click Next.

The Authentication Database Configuration dialog box appears.

Step 10 To authenticate users with the ACS internal database only, check Check the ACS Internal database only.

Step 11 Click Next.

The setup program installs ACS and updates its configuration.

The Active Service Monitoring dialog box appears.

Step 12 Choose service monitoring features:

If you want ACS to monitor user authentication services, check Enable Login Monitoring. From the Script to execute list, choose the option that you want applied in the event of authentication service failure. The options are:

No Remedial Action—ACS does not run a script. This option is useful if you enable event e-mail notifications.

Reboot—ACS runs a script that reboots the computer that runs ACS.

Restart All—ACS restarts all ACS services.

Restart RADIUS/TACACS+—ACS restarts only the RADIUS and TACACS+ services.

If you want ACS to send an e-mail message when service monitoring detects an event, check the Enable Mail Notifications checkbox. The SMTP mail server and Mail account to notify fields are enabled. You must enter the following information:

SMTP mail server - Name and domain of the mail server that is sending the notification.

Mail account to notify- The e-mail address of the intended recipient.


Note After installation, you can configure active service monitoring features on the Active Service Management page in the System Configuration section.


Step 13 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 14 You must enter a password and for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 15 Click Next.

The setup program ends and the Cisco Secure ACS Service Initiation dialog box appears.

Step 16 The actions that are associated with the options occur after the setup program ends. The check boxes are:

Yes, I want to start the Cisco Secure ACS Service now—Do not check this check box. This starts the Windows services that ACS comprises.

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Do not check this check box.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 17 Click Next.

The ACS service installation starts. The Setup Complete dialog box displays information about the ACS web interface.

Step 18 Click Finish.

The setup program exits. If, in Step 16, you chose the options to view the web interface or README.TXT file, those options become effective now.


Note For more information on supported web browsers see Browser.


Upgrading to ACS 4.2.1 on a Windows 64-bit Machine

Before You Begin

For information about what you must complete before reinstalling or upgrading ACS, see Preparing to Install or Upgrade ACS.

Close all applications or command windows that are accessing any directory in the ACS directory. The installation cannot succeed if another process is using the ACS directory or any of its subdirectories. For example, if Windows Explorer is displaying the contents of a ACS directory, installation fails.

To reinstall or upgrade ACS on a Windows 64-bit machine:


Step 1 Using a local administrator account, log in to the computer on which you want to install ACS.

Step 2 Download the ACS 4.2.1 upgrade image from Cisco.com.

Step 3 Extract the ACS-4.2.1.15-BIN-K9.zip file and run the Setup.exe file

If the computer does not have the minimum system requirements, a dialog box appears. You can apply these requirements before or after installing ACS. You can continue with the installation, but you must apply the minimum requirements after the installation is complete; otherwise, ACS may not function reliably.

Step 4 In the Cisco Secure ACS for Windows Server dialog box, click Install.

If the computer does not have a required service pack installed, a dialog box appears. You can apply Windows service packs before or after installing ACS. You can continue with the installation, but you must apply the required service pack after the installation is complete; otherwise, ACS might not function reliably.

An informational dialog box displays some details about Windows authentication.

Step 5 Click OK.

The Cisco Secure ACS Setup dialog box displays the software license agreement.

Step 6 If you read and accept the software license agreement, click ACCEPT.

The Welcome dialog box displays basic information about the setup program.

Step 7 Read the information in the Welcome dialog box, click Next.

The IMPORTANT NOTICE dialog box displays information about the processes running on your computer which may affect some ACS operations.

Step 8 Read the information in the IMPORTANT NOTICE dialog box and click Next.

The Before You Begin dialog box appears.

Step 9 After you complete the items in the Before You Begin dialog box, check the corresponding check box for each item, and then click Next. For more information about these items, see Gathering Answers for the Installation Questions.

If you did not complete all items in the Before You Begin dialog box, click Cancel, and then click Exit Setup. After completing all items in the Before You Begin dialog box, restart the installation. For more information, see Preparing to Install or Upgrade ACS.

After you click Next, the Previous Installation Location dialog box appears.

Do not check Yes, keep the existing configuration check box.

Step 10 Click Next.

The Choose Destination Location dialog box appears.

Step 11 To change the installation location, enter the new path name or click the Browse button to choose the drive and path where the setup program installs ACS.

The installation location must reside on a drive that is local to the computer. If you specified a folder that does not exist, click Yes to confirm the creation of the folder.


Note Do not specify a path that contains a percent symbol (%). If you do, installation might appear to continue properly but will fail before it ends.


Step 12 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 13 You must enter a password and for database encryption. The password should be at least 8 characters long and should contain characters and numbers. There are no invalid characters.

The Database Encryption Password is encrypted and stored in the ACS registry. You might have to reuse this password when critical problems arise and you have to access the database manually. Keep this password in a safe, accessible place so that technical support can gain access to the database.

Step 14 Click Next.

The Cisco Secure ACS Service Initiation dialog box appears.

Step 15 For each option that you require, check the corresponding check box. The actions that are associated with each option occur after the setup program ends. The check boxes are:

Yes, I want to start the Cisco Secure ACS Service now—Starts the Windows services that ACS comprises. If you do not check this check box, the web interface is not available. You can start the ACS service later. Should not

Yes, I want Setup to launch the Cisco Secure ACS Administrator from my browser following installation—Opens the ACS web interface in the default web browser for the current Windows user account.

Yes, I want to view the Readme file—Opens README.TXT in Windows Notepad.

Step 16 Click Next.

If you chose so, the ACS services start. The Setup Complete dialog box displays information about the ACS web interface.

Step 17 Click Finish.

The setup program exits. If, in Step 15, you chose the options to view the web interface or README.TXT file, those options become effective now.

If you failed to meet the minimum system requirements, a message might appear warning you to address the problem. Click OK to continue and resolve the problem where possible.

Step 18 If you did not choose the options in Step 15, to:

Start ACS services, reboot the computer, or type net start csadmin at a DOS prompt.

Access the ACS web interface, use the ACS Admin desktop icon, or use this URL in a supported web browser:

http://127.0.0.1:2002

http://localhost:2002


Note If you previously configured ACS services to run by using a specific username, that configuration was lost during the reinstallation.



What to Do Next

If you want ACS to authenticate users with a Windows domain user database, after you install ACS, you must perform the additional Windows configuration, which Windows Authentication Configuration describes.