Migration Guide for the Cisco Secure Access Control System 5.0
ACS 5.0 Attribute Migration Support


This chapter contains:

Introduction

ACS 4.x to 5.0 Migration

Introduction

This chapter describes ACS 4.x to ACS 5.0 attribute migration. To migrate ACS 4.x attributes, they must meet ACS 5.0 criteria. You can migrate some ACS 4.x elements to ACS 5.0, even though some of the attributes for an element might not migrate (or translate) to ACS 5.0. For example, ACS 5.0 supports the user shell exec privilege level as a numeric value from 1 through 15. If the privilege level for the ACS 4.x User element is not a numeric value from 1 through 15, the User element is migrated, but the user shell exec privilege level attribute is not migrated.

ACS 4.x to 5.0 Migration

The following sections contain element information for:

AAA Client/Network Device

NDG

Internal User

User Policy Components

User Group

User Group Policy Components

Shared Shell Command Authorization Sets

MAB

DACL

EAP-FAST Master Keys

AAA Client/Network Device

Table A-1 describes the differences between the ACS 4.x network device and the ACS 5.0 network device definitions.

Table A-1 ACS Network Device Definitions

ACS element: RADIUS and TACACS+
    ACS 4.x: Defines one network device for each protocol. For example, network device1 for RADIUS and network device2 for TACACS+.
    ACS 5.0 Status: Defines one network device for both RADIUS and TACACS+. Refer to Overlapping IP Addresses, page B-3.

ACS element: IP Address
    ACS 4.x: Uses regular expressions to define the IP address, including wildcards and ranges. You can define more than 40 IP addresses.
    ACS 5.0 Status: Defines each IP address as a pair of IP address and mask definitions, in the form of a subnet mask. Limited to 40 IP addresses. Refer to Untranslatable IP Addresses, page B-4.



Note ACS 5.0 does not support the ACS 4.x per-device authentication attribute (the vendor selection for a network device). ACS 5.0 supports only RADIUS and TACACS+; you cannot define a specific vendor.
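The IP Address row of Table A-1 is the one that most often needs manual attention: a 4.x wildcard or range pattern has to become address and mask pairs, and the result must fit within 40 addresses. The following Python is an added example written for this guide, not Cisco's Migration Utility code. It assumes a simplified 4.x octet syntax (a fixed number, `*`, or an `lo-hi` range per octet) and treats any pattern in which a fixed or range octet follows a varying one as untranslatable, because no single contiguous subnet mask can express it. It goes beyond the single-address case in the table by converting a whole device's address list and reporting what would not migrate.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

ACS5_MAX_ADDRESSES = 40  # per-device IP address limit stated in Table A-1

# Assumed ACS 4.x octet syntax for this example: fixed value, '*' wildcard, or 'lo-hi' range.
_OCTET = re.compile(r"^(\*|\d{1,3}|\d{1,3}-\d{1,3})$")


def _aligned_blocks(lo: int, hi: int) -> List[Tuple[int, int]]:
    """Split the inclusive octet range lo..hi into mask-aligned blocks.

    Returns (first_value, prefix_bits_within_octet) pairs; e.g. 1-3 -> [(1, 8), (2, 7)]
    and 0-255 -> [(0, 0)]. Each block is a power of two in size and aligned to its size,
    so it can be written as a contiguous subnet mask.
    """
    blocks: List[Tuple[int, int]] = []
    while lo <= hi:
        size = 1
        while size < 256 and lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((lo, 9 - size.bit_length()))
        lo += size
    return blocks


def translate_pattern(pattern: str) -> List[Tuple[str, str]]:
    """Translate one ACS 4.x address pattern into ACS 5.0 (address, subnet mask) pairs.

    Raises ValueError for anything this converter cannot express as subnet masks:
    malformed patterns, and patterns where a fixed or range octet follows a varying
    one (e.g. 10.*.5.1), since that is not a contiguous prefix.
    """
    octets = pattern.split(".")
    if len(octets) != 4 or not all(_OCTET.match(o) for o in octets):
        raise ValueError(f"unsupported pattern: {pattern}")
    fixed: List[int] = []
    blocks: List[Tuple[int, int]] = [(0, 0)]
    for idx, octet in enumerate(octets):
        if idx == len(fixed):  # still within the leading fixed octets
            if octet.isdigit():
                fixed.append(int(octet))
            elif octet == "*":
                blocks = [(0, 0)]
            else:
                lo, hi = (int(x) for x in octet.split("-"))
                if not 0 <= lo <= hi <= 255:
                    raise ValueError(f"bad range in pattern: {pattern}")
                blocks = _aligned_blocks(lo, hi)
        elif octet != "*":  # only '*' may follow the first varying octet
            raise ValueError(f"untranslatable pattern: {pattern}")
    results: List[Tuple[str, str]] = []
    for value, bits in blocks:
        addr = ".".join(str(o) for o in (fixed + [value] + [0, 0, 0])[:4])
        prefix = min(32, 8 * len(fixed) + bits)
        net = ipaddress.ip_network(f"{addr}/{prefix}")  # strict: rejects unaligned hosts
        results.append((str(net.network_address), str(net.netmask)))
    return results


def migrate_device_addresses(patterns: List[str]) -> Dict[str, object]:
    """Translate every pattern of one ACS 4.x device and report what needs manual work."""
    addresses: List[Tuple[str, str]] = []
    untranslatable: List[str] = []
    for pattern in patterns:
        try:
            addresses.extend(translate_pattern(pattern))
        except ValueError:
            untranslatable.append(pattern)
    return {
        "addresses": addresses,
        "untranslatable": untranslatable,
        # a device whose expansion exceeds the limit must be split before import
        "exceeds_limit": len(addresses) > ACS5_MAX_ADDRESSES,
    }


# Constructed sample of one ACS 4.x device's address list (not from a real export).
SAMPLE_PATTERNS = ["10.1.1.5", "10.1.2.*", "192.168.0-3.*", "172.16.1.1-3", "10.*.5.1", "10.1.1.1-40"]

if __name__ == "__main__":
    report = migrate_device_addresses(SAMPLE_PATTERNS)
    for addr, mask in report["addresses"]:
        print(f"{addr:15} {mask}")
    print("untranslatable:", report["untranslatable"])
    print("exceeds 40-address limit:", report["exceeds_limit"])
```

Running the sample shows why the 40-address limit bites: a single 4.x range such as 10.1.1.1-40 expands to seven aligned blocks, and a handful of such ranges on one device can exceed the limit even though the 4.x definition looked compact.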


NDG

ACS 5.0 does not support the ACS 4.x shared key password attribute for network device groups (NDGs). The Analysis Report flags shared key passwords on the NDG level. You can only use shared key passwords on the network device level.


Note If a shared key password resides on the NDG level, the shared key password is migrated to all the network devices that belong to this NDG. The network device's own shared key password is migrated only if the NDG shared key password is empty.
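A compact illustration of that precedence rule, as an added example rather than the Migration Utility's code: it takes the NDG-level key and each member device's own key as plain strings (a constructed, simplified record shape) and produces the per-device keys that would land in ACS 5.0, together with the findings an Analysis Report should raise, including a device that ends up with no shared key at all.

```python
from typing import Dict, List, Tuple


def migrate_ndg_shared_keys(ndg_key: str, devices: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Resolve which shared key each member device of an NDG carries into ACS 5.0.

    devices maps device name -> the device's own ACS 4.x shared key ('' if none).
    Rule from the note above: a non-empty NDG key is copied to every member device;
    a device's own key migrates only when the NDG key is empty.
    Returns the per-device keys and the findings an analysis report should raise.
    Key values never appear in the findings.
    """
    migrated: Dict[str, str] = {}
    findings: List[str] = []
    if ndg_key:
        findings.append("NDG-level shared key is not supported in ACS 5.0; copied to each member device")
    for name, own_key in devices.items():
        if ndg_key:
            migrated[name] = ndg_key
            if own_key and own_key != ndg_key:
                findings.append(f"{name}: device-level key replaced by the NDG key")
        else:
            migrated[name] = own_key
            if not own_key:
                # no secret at either level: RADIUS/TACACS+ traffic from this device cannot be validated
                findings.append(f"{name}: no shared key at NDG or device level; set one before import")
    return migrated, findings


# Constructed sample NDG (device names and keys are placeholders, not from a real export).
SAMPLE_DEVICES = {"core-sw1": "own-key-1", "core-sw2": "", "core-rtr1": "group-key"}

if __name__ == "__main__":
    for ndg_key in ("group-key", ""):
        keys, findings = migrate_ndg_shared_keys(ndg_key, SAMPLE_DEVICES)
        print(f"NDG key {'set' if ndg_key else 'empty'}:", keys)
        for line in findings:
            print("  finding:", line)
```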


Internal User

ACS 5.0 does not support the ACS 4.x Password Authentication Type. ACS 5.0 only supports authentication on internal databases. You migrate the User object with a default authentication password if the administrator uses Windows or LDAP. You can supply a different password when you run the Migration Utility. Refer to Migration Script User Preferences.

User Policy Components

In ACS 4.x, the policy-related authorization data is embedded within the user definitions. In ACS 5.0, policy-related authorization data is included in shared components that are referenced from within the ACS 5.0 policy tables. Table A-2 shows the attributes for the ACS 4.x user policy components and describes their status in ACS 5.0.

Table A-2 User Policy Component Attributes

ACS 4.x Attribute: TACACS+ Shell (exec) Privilege level. The privilege level is a string field without validity checks.
    ACS 5.0 Status: ACS 5.0 supports the privilege level as a numeric value (1-15). In ACS 5.0, the Default Privilege Level cannot be larger than the Maximum Privilege Level.

ACS 4.x Attribute: TACACS+ Shell Custom attributes.
    ACS 5.0 Status: Phase II does not support Custom attributes for privilege levels and shell commands.

ACS 4.x Attribute: TACACS+ Shell Command Authorization Set. You do not have to specify a value for each attribute.
    ACS 5.0 Status: Migration only supports Per User Command Authorization and does not support the following attributes:
        Assign a Shell Command Authorization Set for any network device.
        Assign a Shell Command Authorization Set on a per Network Device Group basis.
    Note You must specify a value for each attribute.


User Group

In ACS 4.x, each user was associated with a single group. The User Group element includes general identity attributes as well as policy component attributes such as shell exec and RADIUS attributes. In ACS 5.0, the equivalent of the User Group is the Identity Group. However, each Identity Group is purely a logical container and does not include policy components.

User Group Policy Components

In ACS 4.x, policy authorization data is embedded within User Group definitions. In ACS 5.0, policy authorization data is defined in Session Authorization Profiles. Table A-3 shows the attributes for the policy components of the ACS 4.x User Group and describes the status in ACS 5.0.

Table A-3 User Group Policy Component Attributes

ACS 4.x Attribute: TACACS+ Shell (exec) Privilege level. The privilege level is a string field without validity checks.
    ACS 5.0 Status: ACS 5.0 supports the privilege level as a numeric value (1-15). In ACS 5.0, the Default Privilege Level cannot be larger than the Maximum Privilege Level.

ACS 4.x Attribute: TACACS+ Shell (exec) Custom attributes.
    ACS 5.0 Status: ACS 5.0 does not support shell command Custom attributes.

ACS 4.x Attribute: TACACS+ Shell Command Authorization Set. You do not have to specify a value for each attribute.
    ACS 5.0 Status: ACS 5.0 only supports Per User Command Authorization and does not support the following attributes:
        Assign a Shell Command Authorization Set for any network device.
        Assign a Shell Command Authorization Set on a per Network Device Group basis.
    Note You must specify a value for each attribute.
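The privilege level rule from the Introduction (a User element migrates even when its shell exec privilege level does not, because the 4.x value is not a number from 1 through 15) and the Table A-2 and Table A-3 rules for custom attributes and command authorization sets can be checked before the Migration Utility runs. The following Python is an added example for this guide, not Cisco's utility code. It assumes a simplified record shape for the ACS 4.x user or group (the field names priv_lvl, max_priv_lvl, custom_attributes and command_set are this example's own), applies the same rules to a user and to a group since Table A-3 mirrors Table A-2, and returns the attributes that migrate alongside the findings an Analysis Report would list. Where the Default Privilege Level exceeds the Maximum, the guide states only that ACS 5.0 does not allow it; dropping the default and reporting it is this example's assumption about how to handle that case.

```python
from typing import Any, Dict, List, Optional, Tuple

PRIV_MIN, PRIV_MAX = 1, 15  # ACS 5.0 shell exec privilege level range (Table A-2)


def parse_privilege_level(raw: Optional[str]) -> Optional[int]:
    """Return the privilege level as an int if it is a numeric value 1-15, else None.

    ACS 4.x stores the level as a free-form string with no validity checks, so
    '', 'admin', '15+', '0' and '16' are all values ACS 5.0 cannot hold.
    """
    if raw is None or not raw.strip().isdigit():
        return None
    level = int(raw.strip())
    return level if PRIV_MIN <= level <= PRIV_MAX else None


def migrate_shell_components(name: str, acs4: Dict[str, Any]) -> Tuple[Dict[str, Any], List[str]]:
    """Translate the TACACS+ shell policy components of one ACS 4.x user or group.

    acs4 uses an assumed, simplified record shape (not the real export format):
      priv_lvl, max_priv_lvl : privilege levels as the strings ACS 4.x stores
      custom_attributes      : dict of shell custom attributes
      command_set            : {"per_user": [{"command", "arguments"}, ...],
                                "any_device": ..., "per_ndg": {...}}
    Returns the ACS 5.0-side attributes that migrate and a list of findings for
    everything that does not, in the spirit of the Analysis Report.
    """
    acs5: Dict[str, Any] = {}
    findings: List[str] = []

    # Privilege levels: only numeric 1-15 values migrate; the element itself still does.
    for src, dst in (("priv_lvl", "default_privilege"), ("max_priv_lvl", "maximum_privilege")):
        if src in acs4:
            level = parse_privilege_level(acs4[src])
            if level is None:
                findings.append(f"{name}: {src}={acs4[src]!r} is not a numeric value 1-15; not migrated")
            else:
                acs5[dst] = level
    # ACS 5.0 rejects a default level above the maximum. The guide states the constraint
    # only; dropping the default and reporting it is this example's assumption.
    if acs5.get("default_privilege", PRIV_MIN) > acs5.get("maximum_privilege", PRIV_MAX):
        findings.append(f"{name}: default privilege {acs5['default_privilege']} exceeds "
                        f"maximum {acs5['maximum_privilege']}; default not migrated")
        del acs5["default_privilege"]

    # Shell custom attributes have no ACS 5.0 equivalent.
    if acs4.get("custom_attributes"):
        findings.append(f"{name}: {len(acs4['custom_attributes'])} shell custom attribute(s) not migrated")

    # Command authorization: only the per-user set migrates, and every entry needs a value.
    cmd_set = acs4.get("command_set", {})
    for scope in ("any_device", "per_ndg"):
        if cmd_set.get(scope):
            findings.append(f"{name}: command authorization set assigned {scope!r} not supported; not migrated")
    per_user: List[Dict[str, str]] = []
    for entry in cmd_set.get("per_user", []):
        if all(entry.get(field) for field in ("command", "arguments")):
            per_user.append({"command": entry["command"], "arguments": entry["arguments"]})
        else:
            findings.append(f"{name}: per-user command entry {entry!r} is missing a value; not migrated")
    if per_user:
        acs5["command_set"] = per_user
    return acs5, findings


# Constructed ACS 4.x-style user record (placeholder values, not a real export).
SAMPLE_USER: Dict[str, Any] = {
    "priv_lvl": "15+",
    "max_priv_lvl": "15",
    "custom_attributes": {"idletime": "10"},
    "command_set": {
        "per_user": [
            {"command": "show", "arguments": "permit .*"},
            {"command": "configure", "arguments": ""},
        ],
        "per_ndg": {"core-routers": "NetOps-Set"},
    },
}

if __name__ == "__main__":
    migrated, report = migrate_shell_components("jdoe", SAMPLE_USER)
    print("migrates:", migrated)
    for line in report:
        print("finding:", line)
```

The sample user illustrates the four separate loss modes in one record: a non-numeric default level, a custom attribute, a per-NDG command set assignment, and a per-user command entry with an empty value. Only the maximum level and the complete per-user entry reach the ACS 5.0 side, which is why the report, not the migrated object, is what to review.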


Shared Shell Command Authorization Sets

No attributes are missing. In ACS 4.x, Shell Command Authorization Sets are defined as shared elements included in device administration. The export and import phases migrate these elements to command sets. The ACS 5.0 name and description of each element is the same as in ACS 4.x.

MAB

In ACS 4.x, you can define MAC addresses in the User table as part of the Network Access Profile (NAP) configuration. ACS 5.0 migrates MAC IDs as MacId objects. Each MacId object is added to the MAC Authentication Bypass (MAB) Identity store.

DACL

In ACS 4.x, the shared downloadable ACL (DACL) is defined as a shared object that can be included in the NAP table and in the User and User Group objects. A shared DACL consists of a list of entries, each pairing ACL content with a Network Access Filter (NAF) ID. A single ACS 4.x DACL can migrate to multiple DACLs on ACS 5.0. Only the ACL content migrates, because ACS 5.0 does not support NAFs.
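The one-to-many split, as an added example that is not the Migration Utility's code: each ACL-content entry of a 4.x DACL becomes its own ACS 5.0 DACL, the NAF ID is dropped, and the loss of the scoping that NAF provided is reported so it can be rebuilt in ACS 5.0 policy. The entry shape and the "<name>_<n>" naming are this example's assumptions.

```python
from typing import Dict, List, Tuple


def split_shared_dacl(name: str, entries: List[Dict[str, str]]) -> Tuple[List[Dict[str, str]], List[str]]:
    """Split one ACS 4.x shared DACL into ACS 5.0 DACLs, one per ACL-content entry.

    entries is an assumed simplified shape: [{"naf": "<NAF ID or ''>", "acl": "<ACL content>"}].
    Only the ACL content migrates; the NAF ID is dropped and reported so that the
    device scoping it provided can be rebuilt in ACS 5.0 policy. The "<name>_<n>"
    naming is this example's convention, not the Migration Utility's.
    """
    dacls: List[Dict[str, str]] = []
    findings: List[str] = []
    for idx, entry in enumerate(entries, start=1):
        new_name = name if len(entries) == 1 else f"{name}_{idx}"
        acl = entry.get("acl", "").strip()
        if not acl:
            # an empty ACL body would import as a DACL that filters nothing; report it instead
            findings.append(f"{new_name}: entry has no ACL content; not migrated")
            continue
        dacls.append({"name": new_name, "acl": acl})
        if entry.get("naf"):
            findings.append(
                f"{new_name}: NAF {entry['naf']!r} dropped (ACS 5.0 has no NAFs); the ACL is no "
                "longer restricted to that filter's devices and must be re-scoped in policy"
            )
    return dacls, findings


# Constructed sample DACL (placeholder names and ACL text, not from a real export).
SAMPLE_DACL = [
    {"naf": "Branch-NAF", "acl": "permit ip any host 10.1.1.10"},
    {"naf": "", "acl": "deny ip any any"},
    {"naf": "HQ-NAF", "acl": ""},
]

if __name__ == "__main__":
    dacls, findings = split_shared_dacl("Guest-DACL", SAMPLE_DACL)
    for d in dacls:
        print(d["name"], "->", d["acl"])
    for line in findings:
        print("finding:", line)
```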

EAP-FAST Master Keys

The Master Keys definition in ACS 4.x uses a schema that differs from the ACS 5.0 schema. Therefore, Master Keys are migrated to different ACS 5.0 Information Model objects.