ACS 5.8.1 Migration Utility Support
This chapter describes:
■ACS 4.x to 5.8.1 Migration Version Support
■ACS 4.0 Migration Support
■ACS 4.x Appliance Support
■CSACS-1120 Series Appliance Support
■Upgrading ACS 5.8 or a lower version on CSACS 1120 or 3400 series appliance to ACS 5.8.1 on 3500 series appliance
■Remote Desktop Support
■Multiple-Instance Support
■ACS 4.x Elements Supported in the Migration Process
■ACS 4.x Elements Not Supported in the Migration Process
■User Interface
ACS 4.x to 5.8.1 Migration Version Support
You can migrate the following ACS 4.x versions:
■ACS 4.1.1.24
■ACS 4.1.4
■ACS 4.2.0.124
■ACS 4.2.1
ACS 4.0 Migration Support
You must upgrade from ACS for Windows Server 4.0 to ACS for Windows Server 4.1.1.24 to migrate your data to ACS 5.8.1. See the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.
ACS 4.x Appliance Support
You can migrate data from ACS 4.x only on Windows software. If you have an ACS 4.x appliance, you must back up the ACS 4.x configuration and restore and upgrade it to ACS for Windows Server 4.1.1.24.
■If the appliance version is ACS 4.1.1.24, you must install the corresponding ACS 4.x version on the Windows server and then restore the data from the appliance.
■If you are using ACS version 4.1.1.24 or above, you do not have to upgrade. See the Installation Guide for Cisco Secure ACS for Windows 4.1 for more information.
CSACS-1120 Series Appliance Support
The CSACS-1120 appliance can be used to install either ACS 4.2 or ACS 5.0. You cannot run ACS 5.8.1 on CSACS-1120. If you currently have ACS 4.2 installed on a CSACS-1120 appliance, and you want to migrate to ACS 5.8.1, you must first back up the ACS 4.2 data before proceeding to the ACS 5.8.1 installation.
To migrate data from ACS 4.2 on CSACS-1120 to ACS 5.8.1 on a 3400 or 3500 series appliance:
1. Back up the ACS 4.2 data from the CSACS-1120 appliance.
2. Restore the ACS 4.2 data on an intermediate migration machine.
3. Install ACS 5.8.1 on a 3400 or 3500 series appliance.
4. Migrate ACS 4.2 objects from the intermediate migration machine to ACS 5.8.1 that is installed on the 3400 or 3500 series appliance.
Upgrading ACS 5.8 or a lower version on CSACS 1120 or 3400 series appliance to ACS 5.8.1 on 3500 series appliance
To upgrade data from ACS 5.8 or a lower version on a CSACS-1120 or 3400 series appliance to ACS 5.8.1 on a 3500 series appliance:
1. Back up the data of ACS 5.8 or a lower version from the CSACS-1120 or 3400 series appliance.
2. Install ACS 5.8.1 on the 3500 series appliance.
3. In ACS 5.8.1 on the 3500 series appliance, restore the backup taken from ACS 5.8 or a lower version on the CSACS-1120 or 3400 series appliance.
Remote Desktop Support
The Migration Utility does not support Remote Desktop Connection. You must run the Migration Utility on the migration machine or use VNC to connect to the migration machine.
Multiple-Instance Support
In ACS 5.8.1, multiple distinct ACS 4.x database instances are combined into a single consolidated database. In ACS 4.x, selective data replication can be defined so that different ACS instances maintain distinct subsets of the overall system configuration. In ACS 5.8.1, by contrast, a single consolidated database is replicated to all ACS instances in the deployment.
As a result, the primary database contains all the local configuration definitions from each of the ACS 4.x instances.
ACS 4.x Elements Supported in the Migration Process
Table 1 shows the ACS 4.x elements that the Migration Utility supports and the corresponding ACS 5.8.1 element.
Table 1 ACS Elements that Migration Process Supports
| ACS 4.x Element | ACS 5.8.1 Element |
|---|---|
| AAA Client/Network Device | Network Device. See AAA Client/Network Device for more information. |
| Internal User | Internal User. See Internal User for more information. |
| User Defined Fields (within Interface Configuration section) | Identity Attributes/Internal User. See User Group for more information. |
| User Group | Identity Group. See User Group for more information. |
| Shared Shell Command Authorization Sets | Command Set. See Shared Shell Command Authorization Sets for more information. |
| User T+ Shell Exec Attributes | Identity Attributes/Internal User. See User Group for more information. |
| Group T+ Shell Exec Attributes | Shell Profile. See User Group Policy Components for more information. |
| User T+ Command Authorization Sets | Command Set. See User Group for more information. |
| MAC Authentication Bypass (MAB) Addresses | Internal Host Database. See MAC Addresses and Internal Hosts for more information. |
| Shared Downloadable Access Control List (DACL) | Downloadable ACL. See Shared DACL Objects for more information. |
| EAP-FAST Master keys | EAP-FAST Master keys. See EAP-Fast Master Keys and the Authority ID for more information. |
| Shared RADIUS Authorization Components | Authorization Profiles. See Shared RACs for more information. |
| Customer Vendor-Specific Attributes | Customer VSAs. See Customer VSAs for more information. |
| Max User Sessions | Maximum User Sessions. See Max User Sessions for more information. |
Note: You migrate command sets from shared objects or from within the user or group definitions. Shell profiles are created from the shell exec parameters within group definitions. However, shell exec parameters stored in user records are migrated as identity attributes associated with the individual user.
ACS 4.x Elements Not Supported in the Migration Process
The Migration Utility does not support:
■Group DACLs
■Group RADIUS Attributes
■Active Directory (AD) Configuration
■AD Group Mapping
■Admin Accounts
■Admin Users
■Authority Certificates
■Certificate Trust List (CTL)
■Certificate Revocation List (CRL)
■Date and Time
■External Database Configuration
■Generic Lightweight Directory Access Protocol (LDAP) Configuration
■Group Shell Custom Attributes
■Group Private Internet Exchange, Adaptive Security Appliance (ASA), and Shell Command Authorization Sets
■Group Network Access Restrictions (NARs)
■Internal ID Password Enforcement—Sarbanes-Oxley (SOX)
■LDAP Group Mapping
■Logging Configuration
■Machine Access Restrictions (MARs)
■Network Access Profiles (NAPs)
■Protocol Settings (system and global authentication)
■Proxy RADIUS and T+ (migrates only external access control server credentials)
■TACACS+ Dictionary
■RADIUS One-Time Password (OTP)
■RSA OTP
■Shared NARs
■Server Certificate
■Shared Network Access Filtering (NAF)
■Shared PIX and ASA Command Authorization Sets
■Time-of-Day Access Settings
■User PIX/ASA Shell Command Authorization
■User DACLs
■User NARs
■User RADIUS Attributes
■IP Pools
■Dial-In Support
See the User Guide for Cisco Secure Access Control Server 4.2 for descriptions of the attributes that do not migrate.
User Interface
This section describes the end user interface for the ACS 5.8.1 Migration Utility.
CLI-Based Migration Utility
ACS 5.8.1 supports a CLI-based Migration Utility. For more information on the migration settings, see Running the Migration Utility.
Phases of the CLI-Based Migration Utility
The CLI-based Migration Utility consists of the following parts:
■Settings
■Object Group Selection
■Operation Selection
Settings
The Migration Utility uses operator-configured settings that can be saved persistently. Every invocation of the Migration Utility prompts you to use the previously defined values or select new ones. For more information on the migration settings, see Running the Migration Utility.
The settings are of two types:
■ACS 5.8.1 Identification and Credentials—IP address or hostname of the ACS 5.8.1 server to which the data is being migrated. The administrator username and password that are used to import data in the ACS 5.8.1 server are also specified.
We recommend that you define a unique administrator for the migration operations to make it easy to identify them while browsing the configuration records. While running the Migration Utility, use only the default superadmin account acsadmin or the recovery superadmin for ACS 5.8.1.
■Configuration Options—Associated with the migration of certain object types. After you configure the settings, you are prompted to acknowledge whether to save them as the defaults for use during subsequent invocations of the utility.
Object Group Selection
You can migrate either a group of the object types that are supported by the Migration Utility or all supported object types. For more information on the details of the various phases in the migration procedure and the impact and considerations for each object type, see Migration of ACS 4.x Objects.
For a detailed procedure on selecting the available options, see Running the Migration Utility.
The following groups of objects are available for selection:
■All Objects—All ACS objects
■All User Objects—Identity groups and all objects that are extracted from users
■All Device Objects—Network devices and NDGs
■Shared command sets
■Shared DACLs
■Master Keys—EAP-FAST master keys
■Shared RACs and VSAs
Operation Selection
After you select a set of object types, you must select the migration phase to be performed. The following options are available:
■Analyze and Export
■Import
After you select an option, the corresponding process runs, and the relevant reports are displayed on the screen. For each operation, two types of reports are displayed:
■Summary
■Detailed
For more information on the reports that are generated during different phases of the migration, see Printing Reports and Report Types.