Installation Guide for Cisco Secure ACS Solution Engine 4.2
Upgrading and Migrating to Cisco Secure Solution Engine 4.2


Upgrading and Migrating to Cisco Secure ACS Solution Engine 4.2


This chapter details how to:

Upgrade to Cisco Secure ACS SE 4.2.

Migrate from an ACS for Windows server to ACS SE.

Migrate ACS SE from an earlier hardware platform to the Cisco 1113 platform.

This chapter contains:

Upgrade Scenarios

Migration Scenarios

Upgrade Paths

Upgrade Procedure

Appliance Upgrade and Patches Procedure

Migrating from ACS for Windows to ACS SE

Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.2 on the Cisco 1113 Platform

Upgrade Scenarios

ACS Solution Engine supports the following upgrade scenarios:

ACS 3.x to ACS 3.3.x—You can upgrade ACS 3.2.x or 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2) to ACS 3.3.3 or 3.3.4 on all ACS SE hardware platforms (the Cisco 1111 SE appliance, the Cisco 1112 SE appliance, and the Cisco 1113 SE appliance).

ACS 3.3.3 to 3.3.4— You can upgrade ACS 3.3.3 to ACS 3.3.4 on all ACS SE hardware platforms (the Cisco 1111 SE appliance, the Cisco 1112 SE appliance, and the Cisco 1113 SE appliance).

ACS 3.3.x to ACS 4.1.1.23 or ACS 4.1.1.24— You can upgrade from ACS 3.3.x (ACS 3.2.1, 3.2.2, 3.2.3, 3.3.1, 3.3.2, or 3.3.4) to ACS 4.1.1.23 or ACS 4.1.1.24 on all ACS SE hardware platforms (the Cisco 1111 SE appliance, the Cisco 1112 SE appliance, and the Cisco 1113 SE appliance).

ACS 4.0 to ACS 4.1.1.23 or ACS 4.1.1.24— You can upgrade from ACS 4.0 to ACS 4.1.1.23 or ACS 4.1.1.24 on all ACS SE hardware platforms (the Cisco 1111 SE appliance, the Cisco 1112 SE appliance and the Cisco 1113 SE appliance).

ACS 4.1.1.23 or ACS 4.1.1.24 to ACS 4.1.3 or ACS 4.1.4— You can upgrade from ACS 4.1.1.23 or 4.1.1.24 to ACS 4.1.3 or 4.1.4 on all ACS SE hardware platforms (the Cisco 1111 SE appliance, the Cisco 1112 SE appliance and the Cisco 1113 SE appliance).

ACS 4.1 to ACS 4.2— You can upgrade from ACS 4.1.1.23, 4.1.1.24, 4.1.2, 4.1.3 or 4.1.4 to ACS 4.2 on all ACS SE hardware platforms supported by 4.2 (the Cisco 1112 SE appliance and the Cisco 1113 SE appliance). You must re-image the appliance with ACS 4.2 and then restore the ACS 4.1 configuration.


Note You cannot directly upgrade ACS 3.2.x, 3.3.x, or 4.0 to ACS 4.2. You must upgrade to ACS 4.1 and then re-image the appliance with ACS 4.2. Before you begin the 4.2 upgrade procedure, you must back up the ACS 4.1 configuration.


Migration Scenarios

ACS Solution Engine supports the following migration scenarios:

ACS for Windows to ACS SE Migration— You can migrate data from an ACS for Windows server to the ACS SE 4.2.

Hardware to Hardware Migration—You can migrate data from earlier versions of the ACS SE (the Cisco 1111 and 1112 platforms) to the Cisco 1113 platform.


Note Before you begin any migration process, we recommend that you back up the ACS 4.1 configuration (either from 1111 or 1112) and then restore the ACS 4.1 configuration in ACS 4.2. ACS 4.2 does not support the Cisco 1111 platform.


Upgrade Paths

Depending on the ACS version from which you upgrade, you can take different paths for upgrading to ACS SE 4.2. You can upgrade to ACS 4.2 from ACS version 3.2.x, 3.3.x, 3.3.3, or 4.0 only if you have first upgraded to ACS 4.1.


Note Before you begin any upgrade procedure, we recommend that you back up your existing data and configuration. When upgrading, re-image the appliance with ACS 4.2 and then restore the ACS 4.1 configuration.


Table B-1 describes the various upgrade use cases that you can use to decide the appropriate upgrade path to follow.


Note The ACS SE 4.2 Overall Upgrade CD contains: the 3.3.4 SE upgrade, 4.1.1.24 SE upgrade, and Enable Password-CSCsh32888 patch files. You can use this CD to perform full upgrades with data restores.


Table B-1 Upgrade Use Cases

Upgrade Path: Full Upgrade for versions prior to 3.3.3 to 4.2

To perform a full upgrade with data restore from:

1. ACS SE 3.3.x to ACS SE 3.3.4

a. Back up your ACS SE 3.3.x configuration.

b. Use the ACS SE 4.2 Overall Upgrade CD.

c. From the CD, use the ACS SE 3.3.4 upgrade.

ACS SE 3.3.4 is installed.

For instructions on upgrading to ACS 3.3.3, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 3.3 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/release/notes/RNsol331.html

2. ACS SE 3.3.4 to ACS SE 4.1.1.24

a. Back up your ACS SE 3.3.4 configuration.

b. Use the ACS SE 4.2 Overall Upgrade CD.

c. From the CD, use the 4.1.1.24 upgrade.

ACS SE 4.1.1.24 is installed.

For instructions on upgrading to ACS 3.3.3, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 3.3 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/3.3/release/notes/RNsol331.html

3. ACS SE 4.1.1.24 to ACS SE 4.2

a. Back up your ACS 4.1.1.24 configuration.

b. Use the ACS SE 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SE 4.2 Recovery CD for the Cisco 1112 SE appliance and the ACS SE 4.2 Recovery DVD for the Cisco 1113 SE appliance.

ACS SE 4.2 is installed.

c. Restore the 4.1.1.24 configuration.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.2/release/notes/acs412.html

Results:

ACS SE 3.3.4 is installed.

ACS SE 4.1.1.24 is installed.

ACS SE 4.2 is installed.

ACS SE 4.1.1.24 configuration is upgraded to ACS SE 4.2 configuration.

Upgrade Path: Full Upgrade from versions 3.3.3 or 3.3.4 to 4.2

To perform a full upgrade with data restore from:

1. ACS SE 3.3.3 or 3.3.4 to ACS SE 4.2

a. Back up your ACS SE 3.3.3 or 3.3.4 configuration.

b. Use the ACS SE 4.2 Overall Upgrade CD.

c. From the CD, use the ACS SE 4.1.1.24 upgrade.

ACS SE 4.1.1.24 is installed.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.2/release/notes/acs412.html

2. ACS SE 4.1.1.24 to ACS SE 4.2

a. Back up your 4.1.1.24 configuration.

b. Use the ACS SE 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SE 4.2 Recovery CD for the Cisco 1112 SE appliance and the ACS SE 4.2 Recovery DVD for the Cisco 1113 SE appliance.

ACS SE 4.2 is installed.

c. Restore the 4.1.1.24 configuration.

For instructions on upgrading to ACS 4.2, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html

Results:

ACS SE 4.1.1.24 is installed.

ACS SE 4.2 is installed.

ACS SE 4.1.1.24 configuration is upgraded to ACS SE 4.2 configuration.

Upgrade Path: Full Upgrade from version 4.0 to 4.2

To perform a full upgrade with data restore from:

1. ACS SE 4.0 to ACS SE 4.1.1.24

a. Install the CSCsh32888 patch before backing up the ACS SE 4.0 configuration.

b. Back up your ACS SE 4.0 configuration.

c. Use the ACS SE 4.2 Overall Upgrade CD.

d. From the CD, use the ACS SE 4.1.1.24 upgrade.

ACS SE 4.1.1.24 is installed.

For instructions on upgrading to ACS 4.1.1.24, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.1.1.24 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1.2/release/notes/acs412.html

2. ACS SE 4.1.1.24 to ACS SE 4.2

a. Back up your 4.1.1.24 configuration.

b. Use the ACS SE 4.2 Recovery CD or DVD to re-image the appliance with the 4.2 version.

Note Use the ACS SE 4.2 Recovery CD for the Cisco 1112 SE appliance and the ACS SE 4.2 Recovery DVD for the Cisco 1113 SE appliance.

ACS SE 4.2 is installed.

c. Restore the 4.1.1.24 configuration.

For instructions on upgrading to ACS 4.2, see the latest version of the Release Notes for Cisco Secure Access Control Server Solution Engine 4.2 at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html

Results:

ACS SE 4.1.1.24 is installed.

ACS SE 4.2 is installed.

ACS SE 4.1.1.24 configuration is upgraded to ACS SE 4.2 configuration.



Note If you use ACS Remote Agents, after any type of upgrade to ACS SE 4.2, you must uninstall your old version of ACS Remote Agents, and install Remote Agents for ACS SE 4.2.
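
The rules in this section collected into one planner, as an added example that is not a Cisco tool and not part of the original guide. The names plan_upgrade() and unprotected_changes() are hypothetical; the versions, patch ID and media names are the ones given in Table B-1 and the notes above.

```python
# Added example: planner for the upgrade paths in Table B-1. Not a Cisco tool;
# plan_upgrade() and unprotected_changes() are hypothetical names.

# Recovery media per platform, from the notes in Table B-1.
RECOVERY_MEDIA = {
    "1112": "ACS SE 4.2 Recovery CD",
    "1113": "ACS SE 4.2 Recovery DVD",
}
OVERALL_CD = "ACS SE 4.2 Overall Upgrade CD"


def parse_version(text):
    """Turn '4.1.1.24' into (4, 1, 1, 24) so releases compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def plan_upgrade(current_version, platform, uses_remote_agents=False):
    """Return the ordered steps that take an appliance to ACS SE 4.2."""
    if platform == "1111":
        raise ValueError("ACS 4.2 does not support the Cisco 1111 platform; "
                         "migrate to the Cisco 1113 platform instead")
    if platform not in RECOVERY_MEDIA:
        raise ValueError("unknown platform: %r" % (platform,))

    family = parse_version(current_version)[:2]
    if family == (4, 2):
        return []  # already on the target release
    if family not in ((3, 2), (3, 3), (4, 0), (4, 1)):
        raise ValueError("no documented path from %s" % current_version)

    steps = []
    installed = current_version

    # Releases before 3.3.3 go to 3.3.4 first.
    if family in ((3, 2), (3, 3)) and parse_version(installed) < (3, 3, 3):
        steps.append("Back up the ACS SE %s configuration" % installed)
        steps.append("From the %s, apply the ACS SE 3.3.4 upgrade" % OVERALL_CD)
        installed, family = "3.3.4", (3, 3)

    # 3.3.3, 3.3.4 and 4.0 have no direct path to 4.2; they go through 4.1.1.24.
    if family in ((3, 3), (4, 0)):
        if family == (4, 0):
            # The patch goes on before the 4.0 backup is taken.
            steps.append("Install the CSCsh32888 patch")
        steps.append("Back up the ACS SE %s configuration" % installed)
        steps.append("From the %s, apply the ACS SE 4.1.1.24 upgrade" % OVERALL_CD)
        installed = "4.1.1.24"

    # 4.1.x to 4.2 is a re-image followed by a restore, not an upgrade package.
    steps.append("Back up the ACS SE %s configuration" % installed)
    steps.append("Re-image the appliance with the %s" % RECOVERY_MEDIA[platform])
    steps.append("Restore the ACS SE %s configuration with 'Restore from 4.1 "
                 "backup file to ACS 4.2' checked" % installed)
    if uses_remote_agents:
        steps.append("Uninstall the old ACS Remote Agents and install "
                     "Remote Agents for ACS SE 4.2")
    return steps


def unprotected_changes(steps):
    """Return upgrade or re-image steps not immediately preceded by a backup."""
    flagged = []
    for index, step in enumerate(steps):
        changes_image = step.startswith(("From the", "Re-image"))
        has_backup = index > 0 and steps[index - 1].startswith("Back up")
        if changes_image and not has_backup:
            flagged.append(step)
    return flagged


if __name__ == "__main__":
    for number, step in enumerate(plan_upgrade("4.0", "1113", True), start=1):
        print("%d. %s" % (number, step))
```

unprotected_changes() can also be run over a hand-written change plan to catch an upgrade or re-image step that has no backup directly before it.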


Upgrade Procedure

This section contains:

Performing a Full Upgrade from ACS SE 3.3.3 to ACS SE 4.1.

Reimaging the Appliance with the ACS 4.2 Recovery CD or DVD.

Restoring the ACS SE 4.1.1.24 Configuration.

Performing a Full Upgrade from ACS SE 3.3.3 to ACS SE 4.1

You can use the ACS upgrade mechanism to upgrade from ACS SE 3.3.3, 3.3.4, or 4.0.1 to ACS SE 4.1.1.24. This section describes the procedure for performing a full upgrade from ACS SE 3.3.3 to ACS SE 4.1 by using the upgrade package mechanism.


Note You can follow the same procedure for all upgrades mentioned in Table B-1.


Before You Begin

Back up your existing data and configuration. This first backup ensures that you have the original 3.3.3 data backed up.


Caution Backup and restore are supported and tested only when both are done on the same version. For example, backing up on 4.1 and restoring on 4.1 is supported; backing up on 3.3.3 and restoring on 4.1 is not. ACS 4.2 is an exception: you can restore the 4.1 configuration after upgrading to 4.2.

To upgrade ACS SE 3.3.3 to ACS SE 4.1:


Step 1 Obtain the ACS SE 4.1.1.24 upgrade CD.

Step 2 If the ACS SE is running CSAgent, you must disable the CSAgent service before upgrading. You can do so at the console or in the web interface (ACS GUI):

At the console, enter show. If the CSAgent service is running, enter stop csagent.

In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is unchecked. If it is checked, uncheck the CSA Enabled check box and click Submit.

Step 3 If you do not have a GUI administrator account on the ACS SE, create a new GUI administrator account from the web interface:

a. Start the web interface.

b. Click Administration Control.

The Administration Control page opens.

c. Click Add Administrator.

The Add Administrator page opens.

d. Add a new administrator and grant all administrative privileges to the administrator.


Note When you create a GUI administrator account, you will have two administrator accounts for the ACS SE: a GUI account and a CLI account.



Warning If you do not have a GUI administrator account, you will not be able to log in to the ACS SE from the web interface after the upgrade is complete.

Step 4 Insert the ACS SE 4.1.1.24 Upgrade CD into the CD-ROM drive on the distribution server (the server from which you are performing the upgrade).

Step 5 Download the ACS Management Upgrade package:

a. Open the upgrade CD.

b. Go to the /Upgrade Appliance management ACS 4.1 folder.

c. Double-click the autorun.bat icon.

The download utility starts. You are prompted to enter the hostname or IP address of the appliance, as shown in Figure B-1.

Figure B-1 Appliance Prompt

d. Enter the hostname or the IP address of the distribution server and click Install.

The web interface starts.

e. Log in to the web interface.

f. Choose System Configuration > Appliance Upgrade Status.

The Appliance Upgrade page opens, as shown in Figure B-2.

Figure B-2 Appliance Upgrade Page

g. Click Download.

The Appliance Upgrade Form page opens, as shown in Figure B-3. On this page, enter the IP address of the distribution server.

Figure B-3 Appliance Upgrade Form with Text Box for the Distribution Server

h. Enter the IP address of the distribution server and click Connect.

The Appliance Upgrade Form page opens, as shown in Figure B-4. This page lists the current version number of the appliance-management software.

Figure B-4 Appliance Upgrade Form

i. Click Download Now.

The upgrade utility downloads the upgrade image.

The Appliance Upgrade page opens, as shown in Figure B-5. The Appliance Versions table provides information about the software version.

Figure B-5 Appliance Upgrade Page

j. Click Apply Upgrade.

The upgrade utility applies the management software upgrade.


Note This process takes several minutes. The system reboots several times.


Step 6 Download and apply the ACS Software Upgrade package.

a. Go to the /Upgrade package software for appliance ACS 4.1 folder on the upgrade CD.

b. Double-click the autorun.bat icon.

The download utility starts. You are prompted to enter the hostname or IP address of the appliance, as shown in Figure B-1.

c. Enter the hostname or the IP address of the distribution server and click Install.

The ACS web interface starts.

d. Log in to the web interface.

e. Choose System Configuration > Appliance Upgrade Status.

The Appliance Upgrade page opens, as shown in Figure B-2.

f. Download and install the software upgrade.

The steps for downloading and installing the software upgrade package are the same as the steps for installing the management software as described in Step 5.


Note If you complete the upgrade and the ACS console displays the message Appliance upgrade in progress, the upgrade process is hanging.

If this condition occurs, start an ACS console session and enter the command download [hostAddress], where hostAddress can be any IP address. This action releases the ACS console from the upgrade process.


Step 7 Back up the upgraded ACS SE data and configuration.

To upgrade the ACS SE appliance to the latest Microsoft hotfixes, you must re-image the ACS SE device. Because reimaging destroys all of the existing data on the device, you must first back up your existing data and then restore it by using one of the following features:

ACS Backup, which is available in the System Configuration section of the web interface. For more information, see the latest version of the User Guide for Cisco Secure ACS 4.2.

The CLI backup command, which you enter from the serial console. For more information, see Backing Up ACS Data from the Serial Console.


Note Use this backup to restore the data after you recover the ACS SE 4.1 base image.


Step 8 Use the Recovery package for your ACS SE hardware version:

For a Cisco 1113 device, use the ACS SE 4.2 Recovery CD for 1113 (provided with your upgrade package) to update the ACS database on the appliance.

For a Cisco 1111 or Cisco 1112 device, obtain a Recovery CD image from Cisco.com. To obtain the image, contact the Cisco TAC.

For information on contacting the Cisco TAC, see Obtaining Documentation and Submitting a Service Request.


Note The recovery procedure destroys all previous data and installs a new image. Ensure that you have the correct version for your hardware.


For more information about reimaging the hard drive, see Re-imaging the Solution Engine Hard Drive.

Step 9 Perform an initial configuration of the ACS SE. For more information, see Configuring ACS SE.

Step 10 Restore the data that you previously backed up in Step 7 by using one of the following features:

ACS Restore, which is available in the System Configuration section of the web interface. For more information, see the latest version of the User Guide for Cisco Secure ACS 4.2.

The restore command, which you enter from the serial console. For more information, see Restoring ACS Data from the Serial Console.

Step 11 Verify that CSAgent is enabled by using one of the following features:

At the console, enter show. If the CSAgent service is not running, enter start csagent.

In the web interface, choose System Configuration > Appliance Configuration and verify that the CSA Enabled check box is checked. If not, check it and click Submit.


Reimaging the Appliance with the ACS 4.2 Recovery CD or DVD

This section describes the procedure of reimaging the appliance using the ACS 4.2 Recovery CD or DVD.


Note The re-image process differs for the Old Quanta and the New Quanta. To re-image the Cisco 1113 SE appliance (New Quanta), you must use the ACS SE 4.2 Recovery DVD. To re-image the Cisco 1112 SE appliance (Old Quanta), you must use the ACS SE 4.2 Recovery CDs.


To re-image the appliance:

New Quanta


Step 1 Obtain the ACS SE 4.2 Recovery DVD.

Step 2 Insert the ACS SE 4.2 Recovery DVD into the DVD drive and reboot the appliance.

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 3 From the list of options on the screen, enter 2 at the Enter menu item number: [ ] prompt.

The re-image process begins automatically.

Step 4 This process may take a few minutes. Once the re-image process is complete, the console displays:

Remove disk and press enter.

Step 5 Remove the ACS SE 4.2 Recovery DVD and press Enter.

The appliance reboots and the initial configuration screen appears.

Step 6 Configure the ACS SE by following the steps provided in the section, Configuring ACS SE.

Old Quanta


Step 1 Obtain the ACS SE 4.2 Recovery CDs.

Step 2 Insert the ACS SE 4.2 Recovery CD - Disk 1 into the CD drive and reboot the appliance.

Result: The console displays:

ACS Appliance Recovery Options
[1] Reset administrator account
[2] Restore hard disk image from CD
[3] Exit and reboot
Enter menu item number: [ ]

Step 3 From the list of options on the screen, enter 2 at the Enter menu item number: [ ] prompt.

The re-image process begins automatically.

Step 4 After the re-image process is partially completed, the HDD/CD activity lamp goes off. Insert the ACS SE 4.2 Recovery CD - Disk 2 into the CD drive.

Step 5 Press Enter to continue.

Step 6 After the re-image process is partially completed, the HDD/CD activity lamp goes off. Insert the ACS SE 4.2 Recovery CD - Disk 3 into the CD drive.

Step 7 Press Enter to continue.

Step 8 Once the re-image process is complete, the console displays:

The system has been reimaged successfully...........
Please remove this recovery CD from the drive. then hit RETURN to restart the system.

Step 9 The appliance reboots and the initial configuration screen appears.

Step 10 Configure the ACS SE by following the steps provided in the section, Configuring ACS SE.


Restoring the ACS SE 4.1.1.24 Configuration

This section describes the procedure for restoring the ACS SE 4.1.1.24 configuration in the appliance after installing ACS SE 4.2.

To restore the ACS SE 4.1.1.24 configuration:


Step 1 Log in as the GUI administrator.

Step 2 In the navigation bar, click System Configuration.

The System Configuration page opens.

Step 3 Click ACS Restore.

The ACS System Restore Setup page opens.

Step 4 Enter the name of the directory where you have backed up the file and click Ok.

A list of backed-up files appears.

Step 5 From the list, select the ACS SE 4.1.1.24 file to be restored.

Step 6 In the Select Components To Restore dialog box, check the components you want to restore.

Step 7 In the Restore Settings dialog box, check the Restore from 4.1 backup file to ACS 4.2 option.

Click Restore Now.

The restore process begins.

Appliance Upgrade and Patches Procedure

This section contains:

About Appliance Upgrades and Patches

Distribution Server Requirements

Upgrading an Appliance

Transferring an Upgrade Package to an Appliance

Applying an Upgrade to an Appliance

About Appliance Upgrades and Patches

All upgrades and patches for ACS are packaged by using the upgrade mechanism. Use the following three-phase process to upgrade or patch your existing ACS.


Note To upgrade to ACS 4.2, you must re-image the appliance. You do not need to use the upgrade package mechanism.


Phase One—Obtain an upgrade package and load it onto a computer designated as a distribution server for ACS upgrade distribution. The upgrade is available as a CD-ROM or a file that you download from Cisco.com.

Phase Two—Transfer installation package files from the distribution server to the appliance. The HTTP server that is part of the installation package performs the file transfer. The upgrade files are signed and the signature is verified after uploading to ensure that the files have not been corrupted.

Phase Three—Apply the upgrade to the appliance. Before the upgrade files are applied to the appliance, ACS verifies the digital signature on the files to ensure their authenticity and to verify that they are not corrupt.


Note While you apply the upgrade, ACS cannot provide AAA services. If it is not critical to immediately apply an upgrade package, you should consider performing this phase when ACS downtime will have the least impact on users. When you apply the upgrade, ACS stops the AAA servers, applies the new patch, and then restarts the AAA servers.


Figure B-6 Appliance Upgrade Process

Distribution Server Requirements

The distribution server must meet the following requirements:

For support, the distribution server must use an English-language version of one of the following operating systems:

Windows Server 2003 R2, Enterprise Edition

Windows 2000 Server with Service Pack 3 installed

Windows XP Professional with Service Pack 1 installed

Solaris 2.8

Windows Server 2008, Standard Edition

Windows Server 2008, Enterprise Edition


Note While the upgrade process may succeed by using an unsupported operating system, the list reflects the operating systems that we used to test the upgrade process. We do not support upgrades from distribution servers that use untested operating systems.


If you acquire the upgrade package on CD, the distribution server must have a CD-ROM drive or must be able to use the CD-ROM drive on another computer that you can access.

TCP port 8080 should not be in use on the distribution server. The upgrade process requires exclusive control of port 8080.


Tip We recommend that no other web server runs on the distribution server.


A supported web browser should be available on the distribution server. If necessary, you can use a web browser on a different computer than the distribution server. For a list of supported browsers, see the latest version of the Release Notes for Cisco Secure ACS Release 4.2. The most recent revision to the Release Notes is posted on Cisco.com.

Gateway devices between the distribution server and any appliance that you want to upgrade must permit HTTP traffic to the distribution server on port 8080. They must also permit an ACS remote administrative session; therefore, they must permit HTTP traffic to the appliance on port 2002 and the range of ports allowed for administrative sessions. For more information, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.


Note ACS 4.2 does not support 64-bit operating systems.
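
A preflight check for the port requirements above, run on the distribution server before starting the transfer. This is an added example, not part of the original guide or of the upgrade package; the function names are hypothetical, and only the port numbers 8080 and 2002 come from this page.

```python
# Added example: preflight for the distribution server's port requirements.
# Function names are hypothetical; the two port numbers are from the page.
import socket
import sys

UPGRADE_HTTP_PORT = 8080  # HTTP server started by the upgrade package
ACS_ADMIN_PORT = 2002     # ACS web interface on the appliance


def port_is_free(port, host="0.0.0.0"):
    """Return True if this host can take exclusive control of the TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        # On Windows, request exclusive use so a listener that set
        # SO_REUSEADDR cannot hide behind a successful bind.
        exclusive = getattr(socket, "SO_EXCLUSIVEADDRUSE", None)
        if exclusive is not None:
            probe.setsockopt(socket.SOL_SOCKET, exclusive, 1)
        try:
            probe.bind((host, port))
        except OSError:
            return False
    return True


def can_connect(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port opens within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(appliance_host, http_port=UPGRADE_HTTP_PORT,
              admin_port=ACS_ADMIN_PORT, bind_host="0.0.0.0"):
    """Return a list of problems; an empty list means both checks passed."""
    findings = []
    if not port_is_free(http_port, bind_host):
        findings.append("TCP port %d is already in use on this server; the "
                        "upgrade process needs exclusive control of it"
                        % http_port)
    if not can_connect(appliance_host, admin_port):
        findings.append("cannot open TCP port %d on %s; check gateway devices "
                        "between this server and the appliance"
                        % (admin_port, appliance_host))
    # Not covered here: the appliance's path back to this server on the HTTP
    # port, and the administrative-session port range, which is site-specific.
    return findings


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: preflight.py <appliance hostname or IP address>")
    problems = preflight(sys.argv[1])
    for problem in problems:
        print("FAIL: " + problem)
    sys.exit(1 if problems else 0)
```

Running port_is_free(8080) again after clicking Stop Distribution Server confirms that the package's HTTP server has stopped and released the port.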


Upgrading an Appliance

Use the information in this section to upgrade the appliance software.

Before You Begin

Always back up ACS before upgrading. For information on backing up ACS, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.

To upgrade an appliance:


Step 1 Acquire the upgrade package. Acquisition of an upgrade package differs depending on the type of upgrade package and service agreement. For:

Commercial upgrade packages—Contact your Cisco sales representative.

Maintenance contracts—You may be able to download upgrade packages from Cisco.com. Contact your Cisco sales representative.

Upgrade packages that apply patches for specific issues—Contact your TAC representative.

Step 2 Choose a computer to use as the distribution server. The distribution server must meet the requirements discussed in Distribution Server Requirements.

Step 3 If you have acquired the upgrade package in a compressed file format, such as a .zip or .gz:

a. If you have not already done so, copy the upgrade package file to a directory on the distribution server.

b. Use the appropriate file decompression utility to extract the upgrade package.


Tip Consider extracting the upgrade package in a new directory that you create for the contents of the upgrade package.


Step 4 If you have acquired the upgrade package on CD, do not insert the CD in a CD-ROM drive until instructed to do so. The CD contains autorun files, and if the distribution server uses Microsoft Windows, the CD-ROM drive can prematurely start the autorun process.

Step 5 Transfer the upgrade package to an appliance. For detailed steps, see Transferring an Upgrade Package to an Appliance.

The upgrade package is now on the appliance and ready to be installed.

Step 6 If the Cisco Security Agent is running on the appliance, disable the Cisco Security Agent. For detailed steps, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.

Step 7 Apply the upgrade package to the appliance. For detailed steps, see Applying an Upgrade to an Appliance.

ACS applies the upgrade and runs using the upgraded software.

Step 8 If you want the Cisco Security Agent to protect the appliance, enable it. For detailed steps, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.


Note System restarts performed during the upgrade do not re-enable CSAgent.



Transferring an Upgrade Package to an Appliance

Use this procedure to transfer an upgrade package from a distribution server to an appliance.


Note After you have performed this procedure, you must still apply the upgrade for it to become effective. For information on applying the upgrade, see Applying an Upgrade to an Appliance. For more general information about the upgrade process, see About Appliance Upgrades and Patches.


Before You Begin

You must have the upgrade package and a distribution server. For more information, see Upgrading an Appliance.

To transfer an upgrade to your appliance:


Step 1 If the distribution server uses Solaris, go to Step 2. If the distribution server uses Microsoft Windows:

a. If you have acquired the upgrade package on CD, insert the CD in a CD-ROM drive on the distribution server.


Tip You can also use a shared CD drive on a different computer. If you do this and autorun is enabled on the shared CD drive, the HTTP server included in the upgrade package starts on the other computer. For example, if computer A and computer B share a CD drive, and you use the CD drive on computer B where autorun is also enabled, the HTTP server starts on computer B.


b. If either of the following conditions is true:

You have acquired the upgrade package as a compressed file.

autorun is not enabled on the CD-ROM drive.

Locate the autorun.bat file on the CD or in the directory to which you extracted the compressed upgrade package, and start the autorun.

c. The HTTP server starts, messages from autorun.bat appear in a console window, and ACS displays the following two browser windows:

Use Appliance Upgrade to enter the appliance hostname or IP address.

Use New Desktop to start transfers to other appliances.

Step 2 If the distribution server uses Sun Solaris:

a. If you have acquired the upgrade package on CD, insert the CD in a CD-ROM drive on the distribution server.

b. Locate the autorun.sh file on the CD or in the directory to which you extracted the compressed upgrade package.

c. Run autorun.sh.


Tip If autorun.sh has insufficient permissions, enter chmod +x autorun.sh and repeat step c.


d. The HTTP server starts, messages from autorun.bat appear in a console window, and the following two browser windows appear:

Use Appliance Upgrade to enter the appliance hostname or IP address.

Use New Desktop to start transfers to other appliances.

Step 3 If no web browser opens after you have run the autorun file, start a web browser on the distribution server and open the following URL:

http://127.0.0.1:8080/install/index.html


Tip You can access the HTTP server on the distribution server from a web browser on a different computer using the following URL: http://IP address:8080/install/index.html, where IP address is the IP address of the distribution server.


Step 4 In the Appliance Upgrade browser window, enter the appliance IP address or hostname in the Enter appliance hostname or IP address box, and click Install.

The ACS login page for the specified appliance appears.

Step 5 Log in to the ACS web interface:

a. Enter a valid ACS administrator user name.

b. Enter the administrator password.

c. Click Log in.

Step 6 In the navigation bar, click System Configuration.

Step 7 Click Appliance Upgrade Status.

ACS displays the Appliance Upgrade page.

Step 8 Click Download.

ACS displays the Appliance Upgrade Form page. This page contains the Transfer Setup table, which enables you to identify the distribution server.

Step 9 In the Install Server box, enter the hostname or IP address of the distribution server.

Step 10 Click Connect.

The Appliance Upgrade Form page displays the Software Install table, which details the version and name of the upgrade available from the distribution server.

Step 11 Examine the Software Install table to confirm that the version, name, and condition of the upgrade are satisfactory, and click Download Now.

ACS displays the Appliance Upgrade page and the upgrade file is downloaded from the distribution server to the appliance. ACS displays the status of the download below the Appliance Versions table.


Tip On the Appliance Upgrade page, the system displays the message Distribution Download in Progress, followed by the number of downloaded kilobytes.


Step 12 If you want to update the transfer status message, click Refresh. Refresh exhibits the following behavior:


Tip During the transfer, you can click Refresh as often as necessary to update the status message.


If you click Refresh while the transfer is in progress, ACS displays the number of downloaded kilobytes.

If you click Refresh after the transfer is complete, ACS displays the Apply Upgrade button and the transfer progress text is replaced with a message indicating that an upgrade package is available on the appliance.

Step 13 To ensure that the download was successful and the upgrade is ready to be applied, confirm that the following message appears on the Appliance Upgrade page: Ready to Upgrade to version, where version is the version of the upgrade package you have transferred to the appliance.

The upgrade package is now successfully transferred to the appliance.

Step 14 If you want to transfer the upgrade package to another appliance, access the browser window titled New Desktop, click Install Next, and return to Step 4.


Tip If you know the URL for the web interface of another appliance, you can enter it in the browser location box and return to Step 5 to transfer the upgrade package to that appliance.


Step 15 If you are finished transferring upgrade packages to appliances, access the browser window titled New Desktop and click Stop Distribution Server.

The HTTP server stops and the distribution server releases the resources used by the HTTP server.

Step 16 If you want to apply the upgrade, perform the steps in Applying an Upgrade to an Appliance. Alternatively, you can run the upgrade command from the serial console.


Applying an Upgrade to an Appliance

You use this procedure to apply an upgrade package to an ACS.


Note As an alternative, you can apply an upgrade package by using the upgrade command on the serial console.


Before You Begin

Before you apply the upgrade, be sure to:

Transfer the upgrade package to the appliance. For detailed steps, see Transferring an Upgrade Package to an Appliance. For the steps required to upgrade an appliance, see Upgrading an Appliance.

Back up ACS. For information about backing up ACS, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.

Disable the CSAgent service. Application of the upgrade will fail if CSAgent is running. For detailed steps, see the latest version of the User Guide for Cisco Secure Access Control Server 4.2.


Note During the upgrade, ACS cannot provide AAA services. If it is not critical to immediately apply an upgrade package, consider performing this procedure when ACS downtime will have the least impact on users.


To apply an upgrade to an ACS:


Step 1 In the navigation bar, click System Configuration.

Step 2 Click Appliance Upgrade Status.

ACS displays the Appliance Upgrade page.

Step 3 Verify that the message Ready to Upgrade to version appears, where version is the version of the upgrade package that is available on the appliance.

Step 4 Click Apply Upgrade.

ACS displays the Apply Upgrade Message table. This table displays messages about the upgrade process.

Step 5 For each message that ACS displays, you should carefully read the message and click the appropriate button.


Caution You might receive a warning message that an upgrade package is not verified. Before applying an upgrade or patch, ACS attempts to verify that the upgrade or patch is certified by Cisco. Some valid upgrade packages might not pass this verification, such as patches distributed for an urgent fix. Do not apply an upgrade package if you have unresolved concerns about the validity of the upgrade package.

After you have answered all confirmation prompts, ACS applies the upgrade. You should be aware of the following important points:

During an upgrade, ACS services and the web interface are not available. When the upgrade is complete, the ACS services and the web interface become available.

Application of an upgrade can take several minutes. A full upgrade of ACS takes longer if the ACS internal database contains a large number of user profiles.

Upgrade of ACS usually requires the appliance to restart itself once or twice. Smaller patches might not require restarts.

If the browser window is open and the web interface is not available, wait for the appliance to resume normal operation. Then close the original browser window, open a new browser window, and log in to ACS.


Caution Do not reset the appliance during application of an upgrade unless the TAC directs you to do so.

Step 6 After application of the upgrade, go to the Appliance Upgrade page and verify the versions of the software on the appliance. The Appliance Versions table lists the versions of software running on the appliance. Table entries should reflect the upgrade package that you applied.


Note If the browser window is open and the web interface is not available, wait for the appliance to resume normal operation. Then close the original browser window, open a new browser window, and log in to ACS.



Migrating from ACS for Windows to ACS SE

Migrating from Cisco Secure ACS for Windows Server (ACS for Windows) to ACS SE uses the backup and restore features of ACS. Backup files produced by ACS for Windows are compatible with ACS SE, provided that both are using the same version of ACS software. The exception is ACS SW 4.1 and 4.2: when migrating from ACS for Windows 4.1 to ACS SE 4.2, you can restore the ACS SW 4.1 configuration on the ACS SE 4.2 appliance.

Before You Begin

Before upgrading or transferring data, back up your original ACS database and configuration, and save the backup file in a location on a drive that is not local to the computer on which ACS is running.


Note If ACS runs on Windows NT 4.0, the following procedure will advise you when it is necessary to upgrade to Windows 2000 Server. Using the backup and restore features to transfer data from ACS for Windows to ACS SE is supported only between ACSs of the same version. However, in ACS 4.2 you can migrate from ACS SW 4.1 to ACS SE 4.2 by backing up ACS SW 4.1 and restoring it in ACS SE 4.2. ACS for Windows 4.2 supports Windows 2000 Server, Windows Server 2003, and Windows Server 2008, not Windows NT 4.0. See the following procedure for more details.


To migrate from a Windows version of ACS to ACS SE:


Step 1 Set up the appliance, following the steps in Chapter 3 "Installing and Configuring Cisco Secure ACS SE 4.2."


Note If you migrate from ACS SW 4.1 or if you already have ACS SW 4.2 installed, you do not need to install ACS SW 4.2. You only have to back up and restore the ACS SW 4.1 configuration in ACS SW 4.2.


Step 2 On the ACS server, upgrade ACS for Windows to version 4.2. If you do not have a license for version 4.2, you can use the trial version, available at http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des.


Note If you are running ACS 2.0 on Windows NT 4.0, upgrade to ACS 3.0, and then migrate to Windows 2000 Server before upgrading to ACS 4.2. Only ACS 3.0 and previous releases can run on Windows NT. For information about upgrading to ACS 3.0 or about migrating to Windows 2000 Server, see the latest version of the Installing Cisco Secure ACS 3.0 for Windows 2000/NT Servers. You can acquire the trial version of ACS 3.0 at http://www.cisco.com/pcgi-bin/tablebuild.pl/acs-win-3des.


Step 3 In the web interface of ACS for Windows 4.2, use the ACS Backup feature to back up the database. For more information about the ACS Backup feature, see the latest version of the User Guide for Cisco Secure ACS for Windows Server.

Step 4 Copy the backup file from the computer that is running ACS for Windows 4.2 to a directory on an FTP server. The directory must be accessible from the FTP root directory. ACS SE must be able to contact the FTP server. Any gateway devices must permit FTP communication between the appliance and the FTP server.

Step 5 In the web interface for ACS 4.2, use the ACS Restore feature to restore the database. For more information about restoring databases, see the latest version of the User Guide for Cisco Secure ACS 4.2.

The ACS SE contains the original configuration of the ACS for Windows version from which you migrated.

Step 6 Continuing in the web interface, verify that the settings for the (Default) entry in the Proxy Distribution Table are correct. To do so, choose Network Configuration > (Default) and ensure that the Forward To list contains the entry for the appliance.

Step 7 To replace the computer that is running ACS for Windows with ACS SE, you must change the IP address of the appliance to that used by the computer that is running ACS for Windows:

a. Record the IP address of the computer that is running ACS for Windows.

b. Change the IP address of the computer that is running ACS for Windows to a different IP address.

c. Change the IP address of the ACS SE to the IP address used previously by the computer that is running ACS for Windows. This is the IP address that you recorded in Step a. For detailed steps, see Reconfiguring the Solution Engine IP Address.


Note If you do not change the IP address of the ACS SE to the address of the computer that is running ACS for Windows, you must reconfigure all AAA clients to use the IP address of the ACS SE.



Migrating ACS SE on the ACS 1111 or ACS 1112 Platform to ACS SE 4.2 on the Cisco 1113 Platform

Table B-2 indicates the Cisco Secure ACS software versions that each Cisco Secure ACS SE platform supports.

Table B-2 Supported Versions

| Cisco Secure ACS Solution Engine Platform | Cisco Secure ACS version 4.2 | Cisco Secure ACS version 4.0.1 and 4.1 | Cisco Secure ACS version 3.3.4 | Cisco Secure ACS version 3.2 |
|---|---|---|---|---|
| Cisco 1111 | No | Yes | Yes | Yes |
| Cisco 1112 | Yes | Yes | Yes | No |
| Cisco 1113 | Yes | Yes | Yes | No |


To migrate the ACS software running on a previous SE appliance platform (the Cisco 1111, the Cisco 1112 or the Cisco 1113) to run on the ACS 4.2 Cisco 1113 platform:


Step 1 Upgrade the software on a previous SE hardware platform (the Cisco 1111 or the Cisco 1112) to ACS version 4.1 by using the full upgrade method. For information on this method, see Upgrade Procedure.

Step 2 Back up the 4.1 software on the previous SE hardware platform.

Step 3 Use the ACS SE 4.2 Recovery DVD to re-image the appliance with ACS 4.2 and then restore the 4.1 configuration.

For information on Steps 2 and 3, see Migrating from ACS for Windows to ACS SE.