User Guide for the Cisco Secure Access Control System 5.0
Migrating from ACS 4.x to ACS 5.0
Migrating From ACS 4.x to ACS 5.0

This section contains the following topics:

New Functionality in ACS

Features Not Available in ACS 5.0

Migrating from ACS 4.x to ACS 5.0

Functionality Mapping from ACS 4.x to ACS 5.0

Downloading ACS 4.x to 5.0 Migration Files

New Functionality in ACS

ACS 5.0 provides major new architecture and functionality, including:

A revised, rules-based policy model, to allow much greater flexibility in addressing policy needs. See Chapter 3, "ACS 5.0 Policy Model" for more information.

Improved management interfaces—The web interface has been completely redesigned and reorganized, and the command line interface (CLI) provides a text-based interface in which you can perform some configuration tasks and monitoring. See ACS Management Interfaces, page 1-3 for more information.

Integrated monitoring, reporting and troubleshooting capabilities, similar to those available in the ACS View 4.0 product. See ACS 4.x Versus ACS 5.0 Logging, page 17-10 for information on the differences in logging functionality between ACS 4.x and ACS 5.0.

Improved integration with Windows Active Directory and LDAP back-end stores.

A revised high-performance runtime system, based on field-proven code.

A new platform architecture, providing greatly enhanced centralized management in a distributed deployment, delivered as a Linux-based appliance. See ACS Distributed Deployment, page 1-2 for more information.

Support for the Cisco identity solution features: wired 802.1X support, and NAC RADIUS integration with Cisco NAC Appliance - Clean Access Manager. Also support for Cisco TrustSec solutions. See ACS and NAC RADIUS, page 4-17, and ACS and Cisco TrustSec, page 4-25 for more information.

Related Topics

Features Not Available in ACS 5.0

Migrating from ACS 4.x to ACS 5.0

Functionality Mapping from ACS 4.x to ACS 5.0

ACS 4.x and 5.0 Replication, page 1-3

Features Not Available in ACS 5.0

The following features, which were available in ACS 4.2, are not available in ACS 5.0:

Integration with RSA server or RADIUS Token OTP servers.

Integration via ODBC with SQL databases for external authentication and identity information.

The following EAP methods: LEAP, EAP-FAST/GTC, EAP-FAST/TLS, PEAP/GTC, and PEAP/TLS.

Support for locally significant external resources (ID stores, and so on) in a distributed deployment.

RADIUS and TACACS+ Proxy.

Terminal server access control (port-based TACACS+ access control).

Complete TACACS+ support for device administration (password change, and so on).

RADIUS VPN and RADIUS-based device administration (for shell access to CLI for third-party network devices).

ACS administrator and internal user password policies.

Application access control for CiscoWorks applications.

CSUtil features.

See the following tables for additional information about features available in ACS 4.2 and ACS 5.0:

Table 2-1, RADIUS Authentication Methods in ACS 4.2 and ACS 5.0

Table 2-2, TACACS+ Feature Availability in ACS 4.2 and ACS 5.0

Table 2-3, Identity Store Feature Availability in ACS 4.2 and ACS 5.0

Table 2-4, Management Feature Availability in ACS 4.2 and ACS 5.0

Table 2-1 RADIUS Authentication Methods in ACS 4.2 and ACS 5.0

RADIUS Authentication Methods in ACS 4.2      | Available in ACS 5.0?
PAP                                           | Yes
CHAP                                          | No
MS-CHAPv1                                     | No
MS-CHAPv2                                     | No
EAP-MD5                                       | Yes
EAP-TLS                                       | Yes
PEAP (with EAP-MSCHAPv2 inner method)         | Yes
PEAP (with EAP-GTC inner method)              | No
PEAP (with EAP-TLS inner method)              | No
EAP-FAST (with EAP-MSCHAPv2 inner method)     | Yes
EAP-FAST (with EAP-GTC inner method)          | No
EAP-FAST (with EAP-TLS inner method)          | No
LEAP                                          | No
LEAP proxy                                    | No


Table 2-2 TACACS+ Feature Availability in ACS 4.2 and ACS 5.0

TACACS+ Feature Available in ACS 4.2          | Available in ACS 5.0?
TACACS+ per-command authorization             | Yes
TACACS+ accounting                            | Yes
TACACS+ single connect                        | Yes
TACACS+ custom services                       | No
TACACS+ proxy                                 | No
TACACS+ change password                       | No
TACACS+ optional attributes                   | No


Table 2-3 Identity Store Feature Availability in ACS 4.2 and ACS 5.0

Identity Store Features Available in ACS 4.2  | Available in ACS 5.0?
Internal user database                        | Yes
Windows Active Directory                      | Yes
LDAP                                          | Yes
RSA SecurID                                   | No
RADIUS token server                           | No
ODBC                                          | No


Table 2-4 Management Feature Availability in ACS 4.2 and ACS 5.0

Management Features Available in ACS 4.2      | Available in ACS 5.0?
RDBMS sync                                    | No
Command line/scripting interface (CSUtil)     | No
Integration with CiscoWorks for Admin RBAC    | No
Log viewing and reports                       | Yes
Export of logs via Syslog                     | Yes
Log to external database (via ODBC)           | No
Centralized logging                           | Yes
Password complexity                           | Yes
Password aging                                | No
Password history                              | No
Admin session and access restrictions         | No
Admin Entitlement report                      | No


Related Topics

New Functionality in ACS

Migrating from ACS 4.x to ACS 5.0

Functionality Mapping from ACS 4.x to ACS 5.0

Migrating from ACS 4.x to ACS 5.0

ACS 5.0 introduces a new policy model that differs from that of ACS 4.x. ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.0, policy and authentication information are independent shared components that you use as building blocks when you configure policies.

The most efficient way to make optimal use of the new policy model is to rebuild policies by using the building blocks, or policy elements, of the new policy model. This method entails creating appropriate identity groups, network device groups (NDGs), conditions, authorization profiles, and rules.

ACS 5.0 provides a migration utility to migrate data from an ACS 4.x Windows machine to an ACS 5.0 Linux machine. The migration process for ACS 5.0 requires, in some cases, administrative support to consolidate and manually resolve data before you import the data to ACS 5.0. This process is different from the upgrade process from versions of ACS 3.x to ACS 4.x, where the ACS 4.x system works the same way as ACS 3.x, and no administrative support is required.

Use the migration utility to migrate these ACS 4.x data entities:

Network device groups

AAA clients and network devices

Internal users

User-defined fields (from the Interface Configuration section)

User groups

Shared shell command authorization sets

User TACACS+ shell exec attributes (migrated to user attributes)

Group TACACS+ shell exec attributes (migrated to shell profiles)

User TACACS+ command authorization sets

Group TACACS+ command authorization sets

Internal hosts (from network access profiles [NAPs])

Shared, downloadable ACLs

EAP-FAST master keys

The migration utility processes data in three phases:

1. Analyzes existing ACS 4.x data. The analysis process identifies the ACS 4.x data that is incompatible with ACS 5.0. You can then modify this data, if required, before starting the export process.

2. Exports ACS 4.x data that can be migrated to an internal format.

3. Imports the data into ACS 5.0.

You can run the analysis and export phases independently, several times, to ensure that the data is appropriate for the import phase. You run the import phase after your data passes the analysis and export phases.

You must deploy a separate ACS 4.x server with the current configuration for the migration in addition to your production ACS 4.x server and an ACS 5.0 appliance. In this way, you can continue running your ACS 4.x production server while you migrate data to ACS 5.0.

For information about using the migration utility, see ACS 5.0 Migration Guide.

After migrating your data, you can reconstruct your policies with the migrated objects. See Functionality Mapping from ACS 4.x to ACS 5.0 for more information.
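The analysis phase described above can be rehearsed before you run the migration utility. The following Python script is an added example for this guide, not the Cisco migration utility or any part of ACS: it models a simplified ACS 4.x configuration (the record layout, field names such as shared_secret and time_of_day_restricted, and all sample values are constructed for the example and are not the real ACS 4.x export format), flags the data this chapter says does not migrate or changes meaning in ACS 5.0 (unsupported EAP and RADIUS authentication methods, users authenticated by RSA, RADIUS token or ODBC stores, Time of Day Access restrictions, per-user and per-group RADIUS attributes, and NDG shared passwords), and shows how one ACS 4.x group record is split into the independent ACS 5.0 policy elements described in Functionality Mapping from ACS 4.x to ACS 5.0.

```python
# Hypothetical pre-migration analyzer for ACS 4.x data: an added example, not the Cisco
# migration utility. Record layout, field names and sample values are constructed here.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Taken from this chapter's "Features Not Available in ACS 5.0" list and Tables 2-1 to 2-3.
UNSUPPORTED_EAP = {"LEAP", "EAP-FAST/GTC", "EAP-FAST/TLS", "PEAP/GTC", "PEAP/TLS"}
UNSUPPORTED_RADIUS_AUTH = {"CHAP", "MS-CHAPv1", "MS-CHAPv2"}
UNSUPPORTED_EXTERNAL_STORES = {"RSA SecurID", "RADIUS token server", "ODBC"}

@dataclass
class User:
    name: str
    auth_store: str = "internal"  # "internal" or the name of an external store
    radius_attributes: Dict[str, str] = field(default_factory=dict)

@dataclass
class Group:
    name: str
    time_of_day_restricted: bool = False
    radius_attributes: Dict[str, str] = field(default_factory=dict)
    shell_exec: Dict[str, str] = field(default_factory=dict)  # group TACACS+ shell exec attributes
    command_set: Optional[str] = None  # name of a shared command authorization set

@dataclass
class NetworkDeviceGroup:
    name: str
    shared_secret: Optional[str] = None  # NDG shared password (hypothetical field)
    members: List[str] = field(default_factory=list)

@dataclass
class Acs4Config:
    users: List[User]
    groups: List[Group]
    ndgs: List[NetworkDeviceGroup]
    eap_methods: Set[str]
    radius_auth_methods: Set[str]

@dataclass(frozen=True)
class Finding:
    kind: str  # "recreate": does not migrate; "review": migrates but changes meaning
    entity: str
    issue: str

def analyze(cfg: Acs4Config) -> List[Finding]:
    """Phase 1: list the ACS 4.x data to resolve before the export and import phases."""
    out: List[Finding] = []
    for m in sorted(cfg.eap_methods & UNSUPPORTED_EAP):
        out.append(Finding("recreate", m, "EAP method is not available in ACS 5.0"))
    for m in sorted(cfg.radius_auth_methods & UNSUPPORTED_RADIUS_AUTH):
        out.append(Finding("recreate", m, "RADIUS authentication method is not available in ACS 5.0"))
    for u in cfg.users:
        if u.auth_store in UNSUPPORTED_EXTERNAL_STORES:
            out.append(Finding("review", u.name, f"authenticated via {u.auth_store}; migrates with a "
                               "default password that must be changed on first access"))
        if u.radius_attributes:
            out.append(Finding("recreate", u.name, "user RADIUS attributes do not migrate; recreate "
                               "them in a network access authorization profile"))
    for g in cfg.groups:
        if g.time_of_day_restricted:
            out.append(Finding("recreate", g.name, "Time of Day Access does not migrate; recreate it "
                               "as a Date and Time condition"))
        if g.radius_attributes:
            out.append(Finding("recreate", g.name, "group RADIUS attributes do not migrate; recreate "
                               "them in a network access authorization profile"))
    for ndg in cfg.ndgs:
        if ndg.shared_secret:
            out.append(Finding("review", ndg.name, "NDG shared password is not supported in ACS 5.0; "
                               f"it is copied to {len(ndg.members)} member device(s)"))
    return out

def group_to_policy_elements(g: Group) -> Dict[str, object]:
    """Split one ACS 4.x group record into the independent ACS 5.0 policy elements it becomes."""
    elements: Dict[str, object] = {"identity_group": g.name}
    if g.shell_exec:
        elements["shell_profile"] = {"name": f"{g.name}-shell", "attributes": dict(g.shell_exec)}
    if g.command_set:
        elements["command_set"] = g.command_set
    # The group no longer carries its results; an authorization rule in a device
    # administration access service ties the identity group to them.
    results = [k for k in ("shell_profile", "command_set") if k in elements]
    elements["authorization_rule"] = {"if_identity_group": g.name, "results": results}
    return elements

# Constructed sample configuration; none of these names or values are real.
SAMPLE = Acs4Config(
    users=[User("alice"), User("bob", auth_store="RSA SecurID"),
           User("carol", radius_attributes={"Framed-IP-Address": "10.0.0.5"})],
    groups=[Group("netadmins", shell_exec={"priv-lvl": "15"}, command_set="full-access"),
            Group("helpdesk", time_of_day_restricted=True, shell_exec={"priv-lvl": "1"}),
            Group("vpn-users", radius_attributes={"Class": "vpn"})],
    ndgs=[NetworkDeviceGroup("branch-routers", shared_secret="example-key", members=["rtr1", "rtr2"])],
    eap_methods={"EAP-TLS", "PEAP/MSCHAPv2", "LEAP"},
    radius_auth_methods={"PAP", "MS-CHAPv2"},
)
```

Calling analyze(SAMPLE) returns seven findings for the constructed configuration: five "recreate" items (LEAP, MS-CHAPv2, carol's RADIUS attributes, the helpdesk Time of Day restriction, and the vpn-users RADIUS attributes) and two "review" items (bob, who will receive a default password, and the branch-routers NDG, whose shared password lands on each member device). In practice you would load an inventory of your own ACS 4.x server into the same records, schedule every "recreate" finding as manual work before the import phase, and run the analysis again until it returns nothing new.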

Related Topics

New Functionality in ACS

Features Not Available in ACS 5.0

Functionality Mapping from ACS 4.x to ACS 5.0

In ACS 5.0, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as part of the user or group definition.

Table 2-5 describes where you configure identities, network resources, and policy elements in ACS 5.0. Use this table to view and modify your migrated data identities. See Chapter 3, "ACS 5.0 Policy Model" for an overview of the ACS 5.0 policy model.

Table 2-5 Functionality Mapping from ACS 4.x to ACS 5.0

Each entry lists what you configure, where you chose it in ACS 4.x, where you choose it in ACS 5.0, and additional information for 5.0.

Network device groups
  In ACS 4.x, choose: Network Configuration page
  In ACS 5.0, choose: Network Resources > Network Device Groups
  Additional information for 5.0: See Creating, Duplicating, and Editing Network Device Groups, page 6-2. You can use NDGs as conditions in policy rules. (ACS 5.0 does not support NDG shared password. After migration, member devices contain the NDG shared password information.)

Network devices and AAA clients
  In ACS 4.x, choose: Network Configuration page
  In ACS 5.0, choose: Network Resources > Network Devices and AAA Clients
  Additional information for 5.0: See Network Devices and AAA Clients, page 6-4.

User groups
  In ACS 4.x, choose: Group Setup page
  In ACS 5.0, choose: Users and Identity Stores > Identity Groups
  Additional information for 5.0: See Creating Identity Groups, page 7-2. You can use identity groups as conditions in policy rules.

Internal users
  In ACS 4.x, choose: User Setup page
  In ACS 5.0, choose: Users and Identity Stores > Internal Identity Stores > Users
  Additional information for 5.0: See Managing Internal Identity Stores, page 7-5. ACS 5.0 authenticates internal users against the internal identity store only. Migrated users that used an external database for authentication have a default authentication password that they must change on first access.

Internal hosts
  In ACS 4.x, choose: Network Access Profiles > Authentication
  In ACS 5.0, choose: Users and Identity Stores > Internal Identity Stores > Hosts
  Additional information for 5.0: See Creating Hosts in Identity Stores, page 7-9. You can use the internal hosts in identity policies for Host Lookup.

Identity attributes (user-defined fields)
  In ACS 4.x, choose: Interface Configuration > User Data Configuration
  In ACS 5.0, choose: System Administration > Dictionaries > Identity > User
  Additional information for 5.0: See Configuring Dictionaries, page 16-4. Defined identity attribute fields appear in the User Properties page; you can use them as conditions in access service policies.

Command sets (command authorization sets)
  In ACS 4.x, choose one of the following: Shared Profile Components > Command Authorization Set; User Setup page; Group Setup page
  In ACS 5.0, choose: Policy Elements > Authorization and Permissions > Device Administration > Command Set
  Additional information for 5.0: See Creating, Duplicating, and Editing Command Sets for Device Administration, page 8-16. You can add command sets as results in authorization policy rules in a device administration access service.

Shell exec parameters
  In ACS 4.x, choose: User Setup page
  In ACS 5.0, choose: System Administration > Dictionaries > Identity > User
  Additional information for 5.0: See Configuring Dictionaries, page 16-4. Defined identity attribute fields appear in the User Properties page; you can use them as conditions in access service policies.

Shell profiles (shell exec parameters or shell command authorization sets)
  In ACS 4.x, choose: Group Setup page
  In ACS 5.0, choose: Policy Elements > Authorization and Permissions > Device Administration > Shell Profile
  Additional information for 5.0: See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 8-12. You can add shell profiles as results in authorization policy rules in a device administration access service.

Date and time condition (Time of Day Access) (1)
  In ACS 4.x, choose: Group Setup page
  In ACS 5.0, choose: Policy Elements > Session Conditions > Date and Time
  Additional information for 5.0: See Creating, Duplicating, and Editing a Date and Time Condition, page 8-2. You can add date and time conditions to a policy rule in the Service Selection policy or in an authorization policy in an access service.

RADIUS Attributes (1)
  In ACS 4.x, choose one of the following: Shared Profile Components > RADIUS Authorization Component; User Setup page; Group Setup page
  In ACS 5.0, choose: Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > Common Tasks tab, or Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > RADIUS Attributes tab
  Additional information for 5.0: See Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 8-6. You configure RADIUS attributes as part of a network access authorization profile. You can add authorization profiles as results in an authorization policy in a network access service.

Downloadable ACLs
  In ACS 4.x, choose: Shared Profile Components
  In ACS 5.0, choose: Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs
  Additional information for 5.0: See Creating, Duplicating, and Editing Downloadable ACLs, page 8-18. You can add downloadable ACLs (DACLs) to a network access authorization profile. After you create the authorization profile, you can add it as a result in an authorization policy in a network access service.

(1) You cannot migrate these data entities. You must recreate them in ACS 5.0.


Related Topics

New Functionality in ACS

Features Not Available in ACS 5.0

Migrating from ACS 4.x to ACS 5.0

Downloading ACS 4.x to 5.0 Migration Files

To download migration application files and the migration guide for ACS 5.0:


Step 1 Select System Administration > Downloads > Migration Utility.

The Migration from 4.x page appears.

Step 2 Click Migration application files to download the application file you want to use to run the migration utility.

Step 3 Click Migration Guide to download the Migration Guide for Cisco Secure Access Control System 5.0.