Table Of Contents
Upgrading and Migrating to Cisco Secure ACS Solution Engine 4.1
Upgrade Scenarios
Migration Scenarios
Upgrade Paths
Upgrade Procedure
Performing a Full Upgrade From ACS SE 4.0.1 to ACS SE 4.1
Performing a Full Upgrade from ACS SE 3.3.3 to ACS SE 4.1
Migrating from ACS for Windows to ACS SE
Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.1 on the Cisco 1113 Platform
Upgrading and Migrating to Cisco Secure ACS Solution Engine 4.1
This chapter describes how to:
•
Upgrade to Cisco Secure ACS Solution Engine (ACS SE) 4.1.
•Migrate from an ACS for Windows server to ACS SE.
•Migrate ACS SE from an earlier hardware platform to the Cisco 1113 platform.
This chapter contains:
•Upgrade Scenarios
•Migration Scenarios
•Upgrade Paths
•Upgrade Procedure
•Migrating from ACS for Windows to ACS SE
•Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.1 on the Cisco 1113 Platform
Upgrade Scenarios
Cisco Secure ACS Solution Engine 4.1 supports the following upgrade scenarios:
•ACS 3.x to ACS 4.1—You can upgrade ACS 3.2.x or 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2, or 3.3.4) to ACS 4.1 on all ACS SE hardware platforms (The Cisco 1111 SE appliance, the Cisco 1112 SE appliance, and the Cisco 1113 SE appliance).
•ACS 4.0.1 to ACS 4.1—You can upgrade ACS 4.0.1 to ACS 4.1 on all ACS SE hardware platforms.
Migration Scenarios
•ACS for Windows to ACS SE Migration— You can migrate data from an ACS for Windows server to the ACS SE 4.1.
•Hardware to Hardware Migration—You can migrate data from earlier versions of the ACS SE (the Cisco 1111 or the Cisco 1112 platform) to the Cisco 1113 platform.
Upgrade Paths
Depending on the ACS version you are upgrading from, there are different paths for upgrading to ACS SE 4.1. You can upgrade to ACS 4.1 from ACS version 3.2.x, 3.3.x, 3.3.3 or 4.0.1:
1. ACS 3.2.x or 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, or 3.3.2) to 4.1.
The ACS 3.2.x or 3.3.x upgrade package contains three CDs:
–ACS 3.3.3 Upgrade CD. Use this CD to upgrade from ACS 3.2.x or 3.3.x to ACS 3.3.3.
–ACS 4.1 Upgrade CD. After upgrading to ACS 3.3.3, use this CD to upgrade to ACS 4.1.
–ACS 1113 Recovery CD for 1113. To restore the ACS 1113 system software, use the ACS SE 4.1 Recovery CD for 1113.
Note If you are upgrading on an ACS 1111 or 1112 device and need to restore the ACS 1111 or 1112 system software, obtain the required recovery CD from the Cisco Technical Assistance Center (TAC). For information on contacting the Cisco TAC, see Obtaining Technical Assistance, page xviii.
2. ACS SE 3.3.3 to 4.1.
The ACS SE 3.3.3 to 4.1 upgrade package includes:
–ACS SE 4.1 Upgrade CD. Use this CD to upgrade an existing ACS SE 3.3.3 installation to ACS 4.1.
–ACS 4.1 Recovery CD for 1113. Use this CD to restore the Cisco 1113 system software if the system fails.
Note If you are upgrading on an ACS 1111 or 1112 device and need to restore the ACS 1111 or 1112 system software, obtain the required recovery CD from the Cisco Technical Assistance Center (TAC). For information on contacting the Cisco TAC, see Obtaining Technical Assistance, page xviii.
3. ACS SE 4.0.1 to 4.1.
The ACS SE 4.0 to 4.1 upgrade package includes two CDs:
–ACS SE 4.1 Upgrade CD. Use this CD to upgrade an existing ACS SE 4.0.1 installation to ACS 4.1.
–ACS 4.1 Recovery CD for 1113. Use this CD to restore the Cisco 1113 system software if the system fails.
Note If you are upgrading on an ACS 1111 or 1112 device and need to restore the ACS 1111 or 1112 system software, obtain the required recovery CD from the Cisco Technical Assistance Center (TAC). For information on contacting the Cisco TAC, see Obtaining Technical Assistance, page xviii.
You can upgrade your exiting ACS appliance with the latest ACS software and appliance management software.
Table 5-1 describes various upgrade use cases that you can use to decide the appropriate upgrade path to follow.
Note Before you begin any upgrade procedure, we recommend that you back up your existing data and configuration.
Note If you use ACS Remote Agents, after any type of upgrade to ACS SE 4.1, you must uninstall your old version of ACS Remote Agents, and install Remote Agents for ACS SE 4.1.
Upgrade Procedure
You can perform a full upgrade from:
•ACS SE 4.0.1 to ACS SE 4.1.
•ACS SE 3.3.3 to ACS SE 4.1
Performing a Full Upgrade From ACS SE 4.0.1 to ACS SE 4.1
This section describes the procedure for performing a full upgrade from ACS SE 4.0.1 to ACS SE 4.1.
Before You Begin
Make a backup of your existing data and configuration.
To upgrade ACS SE 4.0.1 to ACS SE 4.1:
Step 1 Obtain the ACS 4.0 to 4.1 upgrade package.
Step 2 If the ACS SE is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the web interface (ACS GUI). Using the:
•Console, enter show. If the CSAgent service is running, enter stop csagent.
•Web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not checked. If it is checked, uncheck the CSA Enabled check box and click Submit.
Step 3 If you do not already have a GUI administrator account on the ACS SE, create a new GUI administrator account from the web interface:
a. Start the web interface.
b. Click Administration Control.
The Administration Control page opens.
c. Click Add Administrator.
The Add Administrator page opens.
d. Add a new administrator and grant all administrative privileges to the administrator.
Note When you create a GUI administrator account, you will have two administrator accounts for the ACS SE: one each for a GUI and CLI.
Warning If you do not have a GUI administrator account; then, after the upgrade is complete, you will not be able to log in to the ACS SE from the web interface.
Step 4 Insert the ACS SE 4.1 Upgrade CD into the CD-ROM drive on the distribution server (the server from which you are performing the upgrade).
Step 5 Download the ACS Management Upgrade package:
a. Open the upgrade CD.
b. Go to the /Upgrade Appliance management ACS 4.1 folder.
c. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname or IP address of the appliance, as shown in Figure 5-1.
Figure 5-1 Appliance Prompt
d. Enter the hostname or the IP address of the distribution server and then click Install.
The web interface starts.
e. Log in to the web interface.
f. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-2.
Figure 5-2 Appliance Upgrade Page
g. Click Download.
The Appliance Upgrade Form page opens, as shown in Figure 5-3. On this page you enter the IP address of the distribution server.
Figure 5-3 Appliance Upgrade Form with Text Box for the Distribution Server
h. Enter the IP address of the distribution server and then click Connect.
The Appliance Upgrade Form page opens, as shown in Figure 5-4. This page lists the current appliance-management software version number.
Figure 5-4 Appliance Upgrade Form
i. Click Download Now.
The upgrade utility downloads the upgrade image.
The Appliance Upgrade page opens, as shown in Figure 5-5. The Appliance Versions table provides information about the software version.
Figure 5-5 Appliance Upgrade Page
j. Click Apply Upgrade.
The upgrade utility applies the management software upgrade.
Note This process takes several minutes. The system reboots several times.
Step 6 Download and apply the ACS Software Upgrade package.
a. Go to the /Upgrade package software for appliance ACS 4.1 folder on the upgrade CD.
b. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname of IP address of the appliance, as shown in Figure 5-1.
c. Enter the hostname or the IP address of the distribution server and then click Install.
The ACS web interface starts.
d. Log in to the web interface.
e. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-2.
f. Download and install the software upgrade.
The steps for downloading and installing the software upgrade package are the same as the steps for installing the management software as described in Step 5.
Note If you complete the upgrade and the ACS console displays the message Appliance upgrade in progress, this indicates that the upgrade progress is hanging.
If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process.
Step 7 Download and install the MS Hotfixes package.
a. Go to the /Upgrade package MS Hotfixes for ACS 4.0 to 4.1 folder on the upgrade CD.
b. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname of IP address of the appliance, as shown in Figure 5-1.
c. Enter the hostname or the IP address of the distribution server and then click Install.
The ACS web interface starts.
d. Log in to the web interface.
e. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-2.
f. Download and install the MS Hotfixes.
The steps for downloading and installing the MS Hotfixes package are the same as the steps for installing the management software as described in Step 5.
g. Follow the prompts that the upgrade program displays to install the upgrade.
Performing a Full Upgrade from ACS SE 3.3.3 to ACS SE 4.1
This section describes the procedure for performing a full upgrade from ACS SE 3.3.3 to ACS SE 4.1.
Before You Begin
Make a backup of your existing data and configuration. The first backup is for ensuring that you have the 3.3.3 original data backed up.
Caution Back up and restore are supported and tested only when done on the same version. For example, backup on 4.1 and restore on 4.1 is supported; not backup on 3.3.3 and restore on 4.1.
To upgrade ACS SE 3.3.3 to ACS SE 4.1:
Step 1 Obtain the ACS SE 4.1 upgrade CD.
Step 2 If the ACS SE is running Cisco Security Agent, you must disable the CSAgent service before upgrading. You can do so at the console or in the web interface (ACS GUI). Using the:
•Console, enter show. If the CSAgent service is running, enter stop csagent.
•Web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is not checked. If it is checked, uncheck the CSA Enabled check box and click Submit.
Step 3 If you do not already have a GUI administrator account on the ACS SE, create a new GUI administrator account from the web interface:
a. Start the web interface.
b. Click Administration Control.
The Administration Control page opens.
c. Click Add Administrator.
The Add Administrator page opens.
d. Add a new administrator and grant all administrative privileges to the administrator.
Note When you create a GUI administrator account, you will have two administrator accounts for the ACS SE: one each for a GUI and CLI.
Warning If you do not have a GUI administrator account; then, after the upgrade is complete, you will not be able to log in to the ACS SE from the web interface.
Step 4 Insert the ACS SE 4.1 Upgrade CD into the CD-ROM drive on the distribution server (the server from which you are performing the upgrade).
Step 5 Download the ACS Management Upgrade package:
a. Open the upgrade CD.
b. Go to the /Upgrade Appliance management ACS 4.1 folder.
c. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname or IP address of the appliance, as shown in Figure 5-6.
Figure 5-6 Appliance Prompt
d. Enter the hostname or the IP address of the distribution server and then click Install.
The web interface starts.
e. Log in to the web interface.
f. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-7.
Figure 5-7 Appliance Upgrade Page
g. Click Download.
The Appliance Upgrade Form page opens, as shown in Figure 5-8. On this page, you enter the IP address of the distribution server.
Figure 5-8 Appliance Upgrade Form with Text Box for the Distribution Server
h. Enter the IP address of the distribution server and then click Connect.
The Appliance Upgrade Form page opens, as shown in Figure 5-9. This page lists the current version number of the appliance-management software.
Figure 5-9 Appliance Upgrade Form
i. Click Download Now.
The upgrade utility downloads the upgrade image.
The Appliance Upgrade page opens, as shown in Figure 5-10. The Appliance Versions table provides information about the software version.
Figure 5-10 Appliance Upgrade Page
j. Click Apply Upgrade.
The upgrade utility applies the management software upgrade.
Note This process takes several minutes. The system reboots several times.
Step 6 Download and apply the ACS Software Upgrade package.
a. Go to the /Upgrade package software for appliance ACS 4.1 folder on the upgrade CD.
b. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname of IP address of the appliance, as shown in Figure 5-6.
c. Enter the hostname or the IP address of the distribution server and then click Install.
The ACS web interface starts.
d. Log in to the web interface.
e. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-7.
f. Download and install the software upgrade.
The steps for downloading and installing the software upgrade package are the same as the steps for installing the management software as described in Step 5.
Note If you complete the upgrade and the ACS console displays the message Appliance upgrade in progress, this indicates that the upgrade progress is hanging.
If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process.
Step 7 Download and install the MS Hotfixes package.
a. Go to the /Upgrade package MS Hotfixes for ACS 4.0 to 4.1 folder on the upgrade CD. (verify folder
b. Double-click the autorun.bat icon.
The download utility starts. You are prompted to enter the hostname of IP address of the appliance, as shown in Figure 5-1.
c. Enter the hostname or the IP address of the distribution server and then click Install.
The ACS web interface starts.
d. Log in to the web interface.
e. Choose System Configuration > Appliance Upgrade Status.
The Appliance Upgrade page opens, as shown in Figure 5-7.
f. Download and install the MS Hotfixes.
The steps for downloading and installing the MS Hotfixes package are the same as the steps for installing the management software as described in Step 5.
g. Follow the prompts that the upgrade program displays to install the upgrade.
Step 8 Back up the upgraded ACS SE data and configuration.
To upgrade the ACS SE appliance to the latest Microsoft hotfixes, you must reimage the ACS SE device. Because reimaging destroys all of the existing data on the device, you must first back up your existing data and then restore it by using one of the following features:
•ACS Backup, which is available in the System Configuration section of the web interface. For more information, see the User Guide for Cisco Secure ACS 4.1.
•The CLI backup command, which you enter from the serial console. For more information, see Backing Up ACS Data From the Serial Console, page 4-12.
Note Use this backup to restore the data after you recover the 4.1 base image.
Step 9 Use the Recovery package for your ACS SE hardware version. If your ACS SE is a:
•Cisco 1113 device, use the ACS SE 4.1 Recovery CD for 1113 (provided with your upgrade package) to update the ACS database on the appliance.
•Cisco 1111 or Cisco 1112 device, obtain a Recovery CD image from Cisco.com. To obtain the image, contact the Cisco TAC.
For information on contacting the Cisco TAC, see Obtaining Technical Assistance, page xviii.
Note The recovery procedure destroys all previous data and installs a new image. Ensure that you have the correct version for your hardware.
For more information about reimaging the hard drive, see Re-imaging the Solution Engine Hard Drive, page 4-25.
Step 10 Perform an initial configuration of the ACS SE. For more information, see Configuring ACS SE, page 3-11.
Step 11 Restore the data that you previously backed up in Step 8 by using one of the following features:
•ACS Restore, which is available in the System Configuration section of the web interface. For more information, see the User Guide for Cisco Secure ACS 4.1.
•The restore command, which you enter from the serial console. For more information, see Restoring ACS Data From the Serial Console, page 4-14.
Step 12 Verify that Cisco Security Agent is enabled by using one of the following features:
•At the console, enter show. If the CSAgent service is not running, enter start csagent.
•In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is checked. If not, check it and click Submit.
Migrating from ACS for Windows to ACS SE
Migrating from Cisco Secure ACS for Windows Server (ACS for Windows) to ACS SE uses the backup and restore features of ACS. Backup files produced by ACS for Windows are compatible with ACS SE, provided that both are using the same version of ACS software.
Before You Begin
Before upgrading or transferring data, back up your original ACS database and configuration, and save the backup file in a location on a drive that is not local to the computer on which ACS is running.
Note If ACS runs on Windows NT 4.0, the following procedure will advise you when it is necessary to upgrade to Windows 2000 Server. Because the use of the backup and restore features is only supported between ACSs of the same version, you must use ACS for Windows 4.1, to transfer data from ACS for Windows to ACS SE. ACS for Windows 4.1 supports Windows 2000 Server and Windows Server 2003, not Windows NT 4.0. See the following procedure for more details.
To migrate from a Windows version of ACS to ACS SE:
Step 1 Set up the appliance, following the steps in Chapter 3, "Installing and Configuring Cisco Secure ACS Solution Engine 4.1."
Step 2 On the ACS server, upgrade ACS for Windows to version 4.1. If you do not have a license for version 4.1, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des.
Note If you are running ACS 2.0 on Windows NT 4.0, upgrade to ACS 3.0, and then migrate to Windows 2000 Server before upgrading to ACS 4.1. Only ACS 3.0 and previous releases can run on Windows NT. For information about upgrading to ACS 3.0 or about migrating to Windows 2000 Server, see Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. You can acquire the trial version of ACS 3.0 at http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des.
Step 3 In the web interface of ACS for Windows 4.1, use the ACS Backup feature to back up the database. For more information about the ACS Backup feature, see the User Guide for Cisco Secure ACS for Windows Server.
Step 4 Copy the backup file from the computer that is running ACS for Windows 4.1 to a directory on an FTP server. The directory must be accessible from the FTP root directory. ACS SE must be able to contact the FTP server. Any gateway devices must permit FTP communication between the appliance and the FTP server.
Step 5 In the web interface for ACS 4.1, use the ACS Restore feature to restore the database. For more information about restoring databases, see the User Guide for Cisco Secure ACS 4.1.
The ACS SE contains the original configuration of the ACS for Windows version from which you migrated.
Step 6 Continuing in the web interface, verify that the settings for the (Default) entry in the Proxy Distribution Table are correct. To do so, choose Network Configuration > (Default) and ensure that the Forward To list contains the entry for the appliance.
Step 7 To replace the computer that is running ACS for Windows with ACS SE, you must change the IP address of the appliance to that used by the computer that is running ACS for Windows:
a. Record the IP address of the computer that is running ACS for Windows.
b. Change the IP address of the computer that is running ACS for Windows to a different IP address.
c. Change the IP address of the ACS SE to the IP address used previously by the computer that is running ACS for Windows. This is the IP address that you recorded in Step a. For detailed steps, see Reconfiguring the Solution Engine IP Address, page 4-18.
Note If you do not change the IP address of the ACS SE to the address of the computer that is running ACS for Windows, you must reconfigure all AAA clients to use the IP address of the ACS SE.
Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.1 on the Cisco 1113 Platform
The ACS SE 4.1 release uses the Cisco 1113 platform. ACS SE on the Cisco 1113 platform can only run the ACS 4.0.1 software release or the ACS 4.1 software release. Table 5-2 indicates the Cisco Secure ACS software versions that each Cisco Secure ACS SE platform supports.
Table 5-2 Supported Versions
Cisco Secure ACS
Solution Engine Platform
|
Cisco Secure ACS version 4.0.1 and 4.1
|
Cisco Secure ACS version 3.3
|
Cisco Secure ACS version 3.2
|
Cisco 1111
|
Yes
|
Yes
|
Yes
|
Cisco 1112
|
Yes
|
Yes
|
No
|
Cisco 1113
|
Yes
|
No
|
No
|
To migrate ACS software running on a previous SE appliance platform (the Cisco 1112 or the Cisco 1113) to run on the Cisco 1113 platform:
Step 1 Upgrade the software on a previous SE hardware platform (the Cisco 1111 or the Cisco 1112) to ACS version 4.1 by using the full upgrade method. For information on this method, see Upgrade Procedure
Step 2 Back up the software on the previous SE hardware platform.
Step 3 On the new hardware platform—the Cisco 1113 platform:
a. Install the ACS SE 4.1 version, or use the existing ACS SE 4.1 installation (which is preloaded on the Cisco 1113).
b. Use the ACS restore feature to restore the information that was backed up in Step 2.
For information on Steps 2 and 3, see Migrating from ACS for Windows to ACS SE.
Feedback
