ACS 5.3 Migration Utility Support
This chapter describes:
•ACS 4.x to 5.3 Migration Version Support
•ACS 4.0 Migration Support
•ACS 4.x Appliance Support
•CSACS-1120 Series Appliance Support
•Remote Desktop Support
•ACS 4.x Elements Supported in the Migration Process
•ACS 4.x Elements Not Supported in the Migration Process
ACS 4.x to 5.3 Migration Version Support
You can migrate the following ACS 4.x versions:
ACS 4.0 Migration Support
You must upgrade from ACS for Windows Server 4.0 to ACS for Windows Server 220.127.116.11 to migrate your data to ACS 5.3. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.
ACS 4.x Appliance Support
You can only migrate data from ACS 4.x on Windows software. If you have an ACS 4.x appliance, you must back up the ACS 4.x configuration and restore and upgrade it to ACS for Windows Server 18.104.22.168.
•If the appliance version is ACS 22.214.171.124, you must install the corresponding ACS 4.x version on the Windows server and then restore the data from the appliance.
•If you are using the ACS version 126.96.36.199 or above you do not have to upgrade. Refer to the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.
CSACS-1120 Series Appliance Support
The CSACS-1120 appliance could be used to install either ACS 4.2 or ACS 5.0. You can also run ACS 5.3 on this appliance. If you currently have ACS 4.2 installed on a CSACS-1120 appliance, and want to install ACS 5.3 on the same appliance, you must first backup the ACS 4.2 data before proceeding to the ACS 5.3 installation.
To migrate data from ACS 4.2 to ACS 5.3 on a CSACS-1120 series appliance:
Step 1 Backup ACS 4.2 data on the appliance.
Step 2 Restore the ACS 4.2 data on an intermediate migration machine.
Step 3 Install ACS 5.3 on the appliance.
Step 4 Migrate ACS 4.2 objects from the intermediate migration machine to ACS 5.3 installed on the appliance.
Remote Desktop Support
The Migration Utility does not support Remote Desktop Connection. You must run the Migration Utility on the migration machine; or, use VNC to connect to the migration machine.
In ACS 5.3, multiple distinct database instances (4.x) are combined into a single consolidated database. In ACS 4.x, selective data replication can be defined so that different ACS instances maintain distinct subsets of the overall system configuration, while in ACS 5.3, a single consolidated database is replicated to all ACS instances in the deployment.
As a result, the primary database contains all the local configuration definitions from each of the ACS 4.x instances.
ACS 4.x Elements Supported in the Migration Process
Table 4-1 shows the ACS 4.x elements that the Migration Utility supports and the corresponding ACS 5.3 element.
Table 4-1 ACS Elements the Migration Process Supports
AAA Client/Network Device
Network Device. Refer to AAA Client/Network Device for more information.
Internal User. Refer to Internal User for more information.
User Defined Fields (within Interface Configuration section)
Identity Attributes/Internal User. Refer to User Group for more information.
Identity Group. Refer to User Group for more information.
Shared Shell Command Authorization Sets
Command Set. Refer to Shared Shell Command Authorization Sets for more information.
Users' T+ Shell Exec Attributes
Identity Attributes/Internal User. Refer to User Group for more information.
Groups' T+ Shell Exec Attributes
Shell Profile. Refer to User Group Policy Components for more information.
Users' T+ Command Authorization Sets
Command Set. Refer to User Group for more information.
MAC Authentication Bypass (MAB) Addressed
Internal Host Database. Refer to MAC Addresses and Internal Hosts for more information.
Shared Downloadable Access Control List (DACL)
Downloadable ACL. Refer to Shared DACL Objects for more information.
EAP-FAST Master keys
EAP-FAST Master keys. Refer to EAP-Fast Master Keys and Authority ID for more information.
Shared RADIUS Authorization Components
Authorization Profiles. Refer to Shared RACs for more information.
Customers' Vendor Specific Attributes
Customers' VSAs. Refer to Customer VSAs for more information.
Note You migrate command sets from shared objects or from within the user or group definitions. Shell profiles are created from the shell exec parameters within group definitions. However, shell exec parameters stored in user records are migrated as identity attributes associated with the individual user.
ACS 4.x Elements Not Supported in the Migration Process
The Migration Utility does not support:
•Groups' RADIUS Attributes
•Active Directory (AD) Configuration
•AD Group Mapping
•Certificate Trust List (CTL)
•Certificate Revocation List (CRL)
•Date and Time
•External Database Configuration
•Generic Lightweight Directory Access Protocol (LDAP) Configuration
•Groups' Shell Custom Attribute
•Groups' Private Internet Exchange, Adaptive Security Appliance (ASA), and Shell Command Authorization Sets
•Groups' Network Access Restrictions (NARs)
•Internal ID Password Enforcement—Sarbanes-Oxley (SOX)
•LDAP Group Mapping
•Machine Access Restrictions (MARs)
•Network Access Profiles (NAPs)
•Protocol Settings (system and global authentication)
•Proxy RADIUS and T+ (migrates only external access control servers' credentials)
•RADIUS One-Time Password (OTP)
•Shared Network Access Filtering (NAF)
•Shared PIX and ASA Command Authorization Sets
•Time-of-Day Access Settings
•Users' PIX/ASA Shell Command Authorization
•Users' RADIUS Attributes
•Max User Session
•Dial in Support
Refer to the User Guide for Cisco Secure Access Control Server 4.2 for descriptions of the attributes that do not migrate.
This section describes the end user interface for the ACS 5.3 Migration Utility.
CLI-Based Migration Utility
ACS 5.3 supports a CLI-based Migration Utility. For more information on the migration settings, see Running the Migration Utility.
Phases of the CLI-Based Migration Utility
The CLI-based Migration Utility consists of the following parts:
•Object Group Selection
The Migration Utility uses operator-configured settings that can be saved persistently. Every invocation of the Migration Utility prompts you to use the previously defined values or select new ones. For more information on the migration settings, see Running the Migration Utility.
The settings are of two types:
•ACS 5.3 Identification and Credentials—IP address or hostname of the ACS 5.3 server to which the data is being migrated. The administrator username and password that are used to import data in the ACS 5.3 server are also specified.
We recommend that you define a unique administrator for the migration operations, to make it easy to identify them while browsing the configuration records. Only default superadmin account acssdmin should be used for ACS 5.3, while running the Migration Utility.
•Configuration Options—Associated with the migration of certain object types. After you configure the settings, you are prompted to acknowledge whether to save them as the defaults for use during subsequent invocations of the utility.
Object Group Selection
You can migrate either a group of the object types supported by the Migration Utility or all supported object types. For more information on the details of the various phases in the migration procedure and the impact and considerations for each object type, refer to Migration of ACS 4.x Objects.
For a detailed procedure on selecting the available options, refer to Running the Migration Utility.
The following groups of objects are available for selection:
•All Objects—All ACS objects.
•All User Objects—Identity groups and all objects extracted from users.
•All Device Objects—Network devices and NDGs.
•Shared command sets
•Master Keys—EAP-FAST master keys.
•Shared RACs and VSAs
After you select a set of object types, you must select the migration phase to be performed. The following options available:
•Analyze and Export
After you select an option, the corresponding process runs and the relevant reports are displayed on the screen. For each operation, two type of reports are displayed:
For more information on the reports generated during different phases of the migration, see Printing Reports and Report Types.