Migration Guide for the Cisco Secure Access Control System 5.3

ACS 5.3 Migration Utility Support


This chapter describes:

ACS 4.x to 5.3 Migration Version Support

ACS 4.0 Migration Support

ACS 4.x Appliance Support

CSACS-1120 Series Appliance Support

Remote Desktop Support

Multiple-Instance Support

ACS 4.x Elements Supported in the Migration Process

ACS 4.x Elements Not Supported in the Migration Process

User Interface

ACS 4.x to 5.3 Migration Version Support

You can migrate the following ACS 4.x versions:

ACS 4.1.1.24

ACS 4.1.4

ACS 4.2.0.124

ACS 4.2.1

ACS 4.0 Migration Support

You must upgrade from ACS for Windows Server 4.0 to ACS for Windows Server 4.1.1.24 to migrate your data to ACS 5.3. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.

ACS 4.x Appliance Support

You can only migrate data from ACS 4.x on Windows software. If you have an ACS 4.x appliance, you must back up the ACS 4.x configuration and restore and upgrade it to ACS for Windows Server 4.1.1.24.

If the appliance version is ACS 4.1.1.24, you must install the corresponding ACS 4.x version on the Windows server and then restore the data from the appliance.

If you are using ACS version 4.1.1.24 or later, you do not have to upgrade. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.

CSACS-1120 Series Appliance Support

The CSACS-1120 appliance could be used to install either ACS 4.2 or ACS 5.0. You can also run ACS 5.3 on this appliance. If you currently have ACS 4.2 installed on a CSACS-1120 appliance and want to install ACS 5.3 on the same appliance, you must first back up the ACS 4.2 data before proceeding to the ACS 5.3 installation.

To migrate data from ACS 4.2 to ACS 5.3 on a CSACS-1120 series appliance:


Step 1 Back up ACS 4.2 data on the appliance.

Step 2 Restore the ACS 4.2 data on an intermediate migration machine.

Step 3 Install ACS 5.3 on the appliance.

Step 4 Migrate ACS 4.2 objects from the intermediate migration machine to ACS 5.3 installed on the appliance.


Remote Desktop Support

The Migration Utility does not support Remote Desktop Connection. You must run the Migration Utility on the migration machine itself, or use VNC to connect to the migration machine.

Multiple-Instance Support

In ACS 5.3, the multiple distinct ACS 4.x database instances are combined into a single consolidated database. In ACS 4.x, selective data replication can be defined so that different ACS instances maintain distinct subsets of the overall system configuration. In ACS 5.3, a single consolidated database is replicated to all ACS instances in the deployment.

As a result, the primary database contains all the local configuration definitions from each of the ACS 4.x instances.

ACS 4.x Elements Supported in the Migration Process

Table 4-1 shows the ACS 4.x elements that the Migration Utility supports and the corresponding ACS 5.3 element.

Table 4-1 ACS Elements the Migration Process Supports

| ACS 4.x Element | ACS 5.3 Element |
|---|---|
| AAA Client/Network Device | Network Device. Refer to AAA Client/Network Device for more information. |
| Internal User | Internal User. Refer to Internal User for more information. |
| User Defined Fields (within Interface Configuration section) | Identity Attributes/Internal User. Refer to User Group for more information. |
| User Group | Identity Group. Refer to User Group for more information. |
| Shared Shell Command Authorization Sets | Command Set. Refer to Shared Shell Command Authorization Sets for more information. |
| Users' T+ Shell Exec Attributes | Identity Attributes/Internal User. Refer to User Group for more information. |
| Groups' T+ Shell Exec Attributes | Shell Profile. Refer to User Group Policy Components for more information. |
| Users' T+ Command Authorization Sets | Command Set. Refer to User Group for more information. |
| MAC Authentication Bypass (MAB) Addresses | Internal Host Database. Refer to MAC Addresses and Internal Hosts for more information. |
| Shared Downloadable Access Control List (DACL) | Downloadable ACL. Refer to Shared DACL Objects for more information. |
| EAP-FAST Master keys | EAP-FAST Master keys. Refer to EAP-Fast Master Keys and Authority ID for more information. |
| Shared RADIUS Authorization Components | Authorization Profiles. Refer to Shared RACs for more information. |
| Customers' Vendor Specific Attributes | Customers' VSAs. Refer to Customer VSAs for more information. |



Note: You migrate command sets from shared objects or from within the user or group definitions. Shell profiles are created from the shell exec parameters within group definitions. However, shell exec parameters stored in user records are migrated as identity attributes associated with the individual user.


ACS 4.x Elements Not Supported in the Migration Process

The Migration Utility does not support:

Groups' DACLs

Groups' RADIUS Attributes

Active Directory (AD) Configuration

AD Group Mapping

Admin Accounts

Admin Users

Authority Certificates

Certificate Trust List (CTL)

Certificate Revocation List (CRL)

Date and Time

External Database Configuration

Generic Lightweight Directory Access Protocol (LDAP) Configuration

Groups' Shell Custom Attribute

Groups' Private Internet Exchange, Adaptive Security Appliance (ASA), and Shell Command Authorization Sets

Groups' Network Access Restrictions (NARs)

Internal ID Password Enforcement—Sarbanes-Oxley (SOX)

LDAP Group Mapping

Logging Configuration

Machine Access Restrictions (MARs)

Network Access Profiles (NAPs)

Protocol Settings (system and global authentication)

Proxy RADIUS and T+ (migrates only external access control servers' credentials)

TACACS+ Dictionary

RADIUS One-Time Password (OTP)

RSA OTP

Shared NARs

Server Certificate

Shared Network Access Filtering (NAF)

Shared PIX and ASA Command Authorization Sets

Time-of-Day Access Settings

Users' PIX/ASA Shell Command Authorization

Users' DACLs

Users' NARs

Users' RADIUS Attributes

IP Pools

Max User Session

Dial in Support

Refer to the User Guide for Cisco Secure Access Control Server 4.2 for descriptions of the attributes that do not migrate.
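As an added example (not part of Cisco's guide or of the Migration Utility), the following Python function compares an inventory of ACS 4.x features in use with Table 4-1 and with the access-restricting entries of the list above, so that controls the utility leaves behind are re-created in ACS 5.3 before cutover. The inventory format (element name to object count), the NOT_MIGRATED subset and the sample data are assumptions of this example.

```python
# ACS 4.x element -> ACS 5.3 element, copied from Table 4-1.
SUPPORTED = {
    "AAA Client/Network Device": "Network Device",
    "Internal User": "Internal User",
    "User Defined Fields": "Identity Attributes/Internal User",
    "User Group": "Identity Group",
    "Shared Shell Command Authorization Sets": "Command Set",
    "Users' T+ Shell Exec Attributes": "Identity Attributes/Internal User",
    "Groups' T+ Shell Exec Attributes": "Shell Profile",
    "Users' T+ Command Authorization Sets": "Command Set",
    "MAC Authentication Bypass (MAB) Addresses": "Internal Host Database",
    "Shared Downloadable Access Control List (DACL)": "Downloadable ACL",
    "EAP-FAST Master keys": "EAP-FAST Master keys",
    "Shared RADIUS Authorization Components": "Authorization Profiles",
    "Customers' Vendor Specific Attributes": "Customers' VSAs",
}
# Access-restricting entries of the "not supported" list (subset chosen here).
NOT_MIGRATED = {
    "Groups' DACLs", "Users' DACLs", "Users' NARs", "Shared NARs",
    "Groups' Network Access Restrictions (NARs)", "Max User Session",
    "Machine Access Restrictions (MARs)", "Time-of-Day Access Settings",
    "Shared Network Access Filtering (NAF)", "Groups' RADIUS Attributes",
    "Users' RADIUS Attributes",
}

def _key(name):
    # Fold case and curly apostrophes so inventory names match the chapter's.
    return name.replace("\u2019", "'").strip().casefold()

def gap_report(inventory):
    """Split {element: object_count} into migrated / manual / review buckets."""
    supported = {_key(k): v for k, v in SUPPORTED.items()}
    dropped = {_key(k) for k in NOT_MIGRATED}
    report = {"migrated": {}, "manual": {}, "review": {}}
    for name, count in inventory.items():
        if count <= 0:
            continue  # feature unused on this server, nothing to carry over
        k = _key(name)
        if k in supported:
            report["migrated"][name] = (supported[k], count)
        elif k in dropped:
            report["manual"][name] = count  # re-create by hand in ACS 5.3
        else:
            report["review"][name] = count  # look it up in the chapter's lists
    return report

# Constructed inventory for illustration; not output of any Cisco tool.
SAMPLE = {"Internal User": 340, "groups' t+ shell exec attributes": 6,
          "Users\u2019 NARs": 12, "Shared NARs": 3,
          "Time-of-Day Access Settings": 0, "Logging Configuration": 1}
```

Calling gap_report(SAMPLE) places the two NAR entries under manual and Logging Configuration under review, because that element is outside the subset encoded here.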

User Interface

This section describes the end user interface for the ACS 5.3 Migration Utility.

CLI-Based Migration Utility

ACS 5.3 supports a CLI-based Migration Utility. For more information on the migration settings, see Running the Migration Utility.

Phases of the CLI-Based Migration Utility

The CLI-based Migration Utility consists of the following parts:

Settings

Object Group Selection

Operation Selection

Settings

The Migration Utility uses operator-configured settings that can be saved persistently. Every invocation of the Migration Utility prompts you to use the previously defined values or select new ones. For more information on the migration settings, see Running the Migration Utility.

The settings are of two types:

ACS 5.3 Identification and Credentials—IP address or hostname of the ACS 5.3 server to which the data is being migrated. The administrator username and password that are used to import data in the ACS 5.3 server are also specified.

We recommend that you define a unique administrator for the migration operations, so that they are easy to identify when you browse the configuration records. Only the default superadmin account, acsadmin, should be used for ACS 5.3 while running the Migration Utility.

Configuration Options—Associated with the migration of certain object types. After you configure the settings, you are prompted to acknowledge whether to save them as the defaults for use during subsequent invocations of the utility.

Object Group Selection

You can migrate either a group of the object types supported by the Migration Utility or all supported object types. For more information on the details of the various phases in the migration procedure and the impact and considerations for each object type, refer to Migration of ACS 4.x Objects.

For a detailed procedure on selecting the available options, refer to Running the Migration Utility.

The following groups of objects are available for selection:

All Objects—All ACS objects.

All User Objects—Identity groups and all objects extracted from users.

All Device Objects—Network devices and NDGs.

Shared command sets

Shared DACLs

Master Keys—EAP-FAST master keys.

Shared RACs and VSAs

Operation Selection

After you select a set of object types, you must select the migration phase to be performed. The following options are available:

Analyze and Export

Import

After you select an option, the corresponding process runs and the relevant reports are displayed on the screen. For each operation, two types of reports are displayed:

Summary

Detailed

For more information on the reports generated during different phases of the migration, see Printing Reports and Report Types.