Migration Guide for the Cisco Secure Access Control System 5.0
ACS 5.0 Migration Support


This chapter describes:

ACS 4.x to 5.0 Migration Version Support

ACS 4.0 Migration Support

ACS 4.x Appliance Support

Remote Desktop Support

Migrating a 4.x ACS Instance in a Multiple-Server 4.x Deployment

ACS 4.x Elements Supported in the Migration Process

ACS 4.x Elements Not Supported in the Migration Process

ACS 4.x to 5.0 Migration Version Support

You can migrate the following ACS 4.x versions:

ACS 4.1.1.23

ACS 4.1.1.24

ACS 4.1.3

ACS 4.1.4

ACS 4.2.0.124

ACS 4.0 Migration Support

You must upgrade from ACS for Windows Server 4.0 to ACS for Windows Server 4.1.1.24 to migrate your data to ACS 5.0. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.

ACS 4.x Appliance Support

You can only migrate data from ACS 4.x on Windows software. If you have an ACS 4.x appliance, you must back up the ACS 4.x configuration and restore and upgrade it to ACS for Windows Server 4.1.1.24. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.

Remote Desktop Support

The Migration Utility does not support Remote Desktop Connection.

Migrating a 4.x ACS Instance in a Multiple-Server 4.x Deployment

You can only migrate data from a single ACS 4.x instance. Cisco recommends that in a multiple-server ACS 4.x deployment:

If your data is divided between ACS servers, in general, you should migrate the server that contains the most data about users and network devices.

If you use EAP-FAST, you should make sure that the ACS instance you are migrating is an EAP-FAST master server. To verify this, in ACS 4.x, choose System Configuration > Global Authentication Setup > EAP-FAST Configuration. In the EAP-FAST Configuration page, verify that Actual EAP-FAST server status is Master.

ACS 4.x Elements Supported in the Migration Process

Table 2-1 shows the ACS 4.x elements that the Migration Utility supports and the corresponding ACS 5.0 element.

Table 2-1 ACS Elements the Migration Process Supports

| ACS 4.x Element | ACS 5.0 Element |
|---|---|
| AAA Client/Network Device | Network Device. Refer to AAA Client/Network Device, page A-2 for more information. |
| Internal User | Internal User. Refer to Internal User, page A-2 for more information. |
| User Defined Fields (within Interface Configuration section) | Identity Attributes/Internal User. Refer to User Group, page A-3 for more information. |
| User Group | Identity Group. Refer to User Group, page A-3 for more information. |
| Shared Shell Command Authorization Sets | Command Set. Refer to Shared Shell Command Authorization Sets, page A-4 for more information. |
| Users' T+ Shell Exec Attributes | Identity Attributes/Internal User. Refer to User Group, page A-3 for more information. |
| Groups' T+ Shell Exec Attributes | Shell Profile. Refer to User Group Policy Components, page A-4 for more information. |
| Users' T+ Command Authorization Sets | Command Set. Refer to Shared Shell Command Authorization Sets, page A-4 for more information. |
| MAC Authentication Bypass (MAB) Addresses | Internal Host Database. Refer to MAB, page A-4 for more information. |
| Shared Downloadable Access Control List (DACL) | Downloadable ACL. Refer to MAB, page A-4 for more information. |
| EAP-FAST Master keys | EAP-FAST Master keys. Refer to EAP-FAST Master Keys, page A-5 for more information. |



Note: You migrate command sets from shared objects or from within the user or group definitions. Shell profiles are created from the shell exec parameters within group definitions. However, shell exec parameters stored in user records are migrated as identity attributes associated with the individual user.


ACS 4.x Elements Not Supported in the Migration Process

The Migration Utility does not support:

Groups' DACLs

Groups' RADIUS Attributes

Active Directory (AD) Configuration

AD Group Mapping

Admin Accounts

Admin Users

Authority Certificates

Certificate Trust List (CTL)

Certificate Revocation List (CRL)

Customer's Vendor Specific Attributes (VSAs)

Date and Time

External Database Configuration

Generic Lightweight Directory Access Protocol (LDAP) Configuration

Groups' Shell Custom Attribute

Groups' Private Internet Exchange (PIX), Adaptive Security Appliance (ASA), and Shell Command Authorization Sets

Groups' Network Access Restrictions (NARs)

Internal ID Password Enforcement—Sarbanes-Oxley (SOX)

LDAP Group Mapping

Logging Configuration

Machine Access Restrictions (MARs)

Network Access Profiles (NAPs)

Protocol Settings (system and global authentication)

Proxy RADIUS and T+ (migrates only external access control servers' credentials)

RADIUS and TACACS+ Dictionary

RADIUS One-Time Password (OTP)

RSA OTP

Shared NARs

Server Certificate

Shared Network Access Filtering (NAF)

Shared PIX and ASA Command Authorization Sets

Shared RADIUS Authorization Components (RACs)

Time-of-Day Access Settings

Users' PIX/ASA Shell Command Authorization

Users' DACLs

Users' NARs

Users' RADIUS Attributes

Refer to the User Guide for Cisco Secure Access Control Server 4.2 for descriptions of the attributes that do not migrate.
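
The version, appliance, Remote Desktop, and EAP-FAST rules in this chapter, together with the list of elements that do not migrate, can be turned into a pre-migration check that reports what blocks the migration and which access controls must be rebuilt by hand in ACS 5.0. The following is an added example, not part of Cisco's Migration Utility or documentation; the inventory dictionary layout, the function name, and the sample values are assumptions made for illustration.

```python
# Added example: pre-migration readiness check encoding this chapter's rules.
# The inventory dict layout is an assumption; this is not Cisco's Migration Utility.
MIGRATABLE_VERSIONS = {"4.1.1.23", "4.1.1.24", "4.1.3", "4.1.4", "4.2.0.124"}
UPGRADE_TARGET = "ACS for Windows Server 4.1.1.24"

# Subset of the chapter's "not supported" list (labels as printed there).
# Anything here that is in use on 4.x has to be rebuilt by hand in ACS 5.0.
NOT_MIGRATED = {
    "Groups' DACLs", "Users' DACLs", "Groups' Network Access Restrictions (NARs)",
    "Users' NARs", "Shared NARs", "Time-of-Day Access Settings",
    "Machine Access Restrictions (MARs)", "Network Access Profiles (NAPs)",
    "Admin Accounts", "Server Certificate", "AD Group Mapping",
    "LDAP Group Mapping", "Logging Configuration",
}

def check_readiness(inv):
    """Return (blockers, manual_rework) for one ACS 4.x instance."""
    blockers = []
    if inv["platform"] == "appliance":
        blockers.append(f"Appliance: back up, then restore and upgrade to {UPGRADE_TARGET}")
    elif inv["version"].startswith("4.0"):
        blockers.append(f"ACS 4.0: upgrade to {UPGRADE_TARGET} before migrating")
    elif inv["version"] not in MIGRATABLE_VERSIONS:
        blockers.append(f"Version {inv['version']} is not in the supported list")
    if inv.get("remote_desktop"):
        blockers.append("Migration Utility does not support Remote Desktop Connection")
    if inv.get("uses_eap_fast") and inv.get("eap_fast_status") != "Master":
        blockers.append("EAP-FAST in use but this instance is not the Master server")
    # Elements in use that the utility drops: these restrictions vanish unless rebuilt.
    rework = sorted(e for e in inv.get("elements_in_use", []) if e in NOT_MIGRATED)
    return blockers, rework

# Constructed inventory for illustration (not real data). "NotMaster" is a
# placeholder for any EAP-FAST status other than Master.
SAMPLE = {
    "version": "4.0.1", "platform": "windows", "remote_desktop": False,
    "uses_eap_fast": True, "eap_fast_status": "NotMaster",
    "elements_in_use": ["Internal User", "Shared NARs", "Users' DACLs", "User Group"],
}

if __name__ == "__main__":
    blockers, rework = check_readiness(SAMPLE)
    for b in blockers:
        print("BLOCKER:", b)
    for r in rework:
        print("REBUILD IN 5.0:", r)
```

The rework list is the security-relevant output: each entry is a restriction or trust setting that exists on the 4.x server and will be absent on the 5.0 server until it is recreated.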