topic Re: Patch ACS 5.3 in Network Access Control

Patch ACS 5.3

dpatkins — Thu, 10 Mar 2022 07:15:36 GMT

Currently, we are configured in a Primary/Secondary with two Cisco ACS 1121 Applainces running Version 5.3.40.1. We want to uipgrade to teh lastest patch, which was patch 5.

I know I need to deregister the backup and then upgrade the primary. While that is rebooting, the secondary should take over and then I would upgrade the secondary. At this point, I would then register the secondary with the primary to create redundancy.

Are there any lessons to be learned from this? I do not expect an outage at all because of the redundancy.

Are there any written steps to complete this process without a hitch?

thanks to all.

Dwane

Patch ACS 5.3

Tarik Admani — Fri, 03 Aug 2012 18:32:16 GMT

Dwane,

I think you have upgrading the ACS version and installing a patch confused. I have installed patches without breaking apart the distributed deployment. I usually start with the secondary, install the patch and wait for the services to start.

You can use cli commands from one of the ASAs or IOS device to test the authentication, once it passes that check, then I move to the primary and repeat the same steps.

If for some reason you run into issues with the sync, you can force a full replication.

Here are the steps on how to install the patch - http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/release/notes/acs_53_rn.html#wp198690

Hope that helps,

Tarik Admani
*Please rate helpful posts*

Patch ACS 5.3

dpatkins — Fri, 03 Aug 2012 19:31:58 GMT

Thank you Tarik.

If it has been a while, is there like a show repository so I can get the name of the repository that we created during set up? Also, if we are in redundant mode, do you or the group feel that we will experience an outage or a loss of service? Patch 5 has been stable for all?

Thanks

Dwane

Re: Patch ACS 5.3

Tarik Admani — Fri, 03 Aug 2012 20:40:49 GMT

You can issue a show run to get name of the configured repository.

My environment has patch 4 installed and works just fine.

As long as both server entries are configured on all your network devices and you follow my steps above you are good to go.

If you experience any issues with patch 5 you can always remove it by using the acs patch remove command.

Thanks,

Sent from Cisco Technical Support iPad App

Patch ACS 5.3

dpatkins — Mon, 10 Sep 2012 21:47:07 GMT

Tarik,

My apologies for taking so long to respond. I have done a show run on both devices and there is no mention of a repository. I need to create one prior to upgrading patches, correct? Can I do this by doing a configuration terminal and then just typing in a repository FTP and write memory?

And once that is done, I can FTP the file to the repository at this point by using the acs patch install? How do I get the file from my desktop to the repository? I cannot seem to find step by step instructions on the Cisco page but i will continue looking.

Thanks

Dwane

Re: Patch ACS 5.3

Tarik Admani — Mon, 10 Sep 2012 22:48:24 GMT

Dwane,

I have installed the patch on any box, but you start with monitoring ACS (since that can take a little longer) to start the upgrade.

Yes you will need to create a repository first before installing a patch:

SSH: login > config t > repository name > url ftp://x.x.x.x/ > username password plain

After you create the repository,

acs patch install repository

that should get you going.

Here are the steps:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp151352

Thanks,

Tarik Admani
*Please rate helpful posts*

Re: Patch ACS 5.3

Amjad Abdullah — Mon, 17 Dec 2012 07:17:53 GMT

Tarik: Is that correct even for version 5.3.0.40 without patched? can I upgrade to patch 8 (which is the latest now) by applying the patch to the secondary (then reboot) then the primary (then reboot) without having to remove the redunduncy configuration between them? and I can maintain the service up?

Rating useful replies is more useful than saying "Thank you"

Re: Patch ACS 5.3

jrabinow — Mon, 17 Dec 2012 07:48:52 GMT

Yes you can