topic Re: ACS and remote agent upgrade question in Network Access Control

ACS and remote agent upgrade question

cmarva — Sun, 10 Mar 2019 23:51:35 GMT

Just looking for a clarification on upgrading. Short story long, 2 ACS

SEs, single remote agent being used for wireless authentication.

Current version 3.3.3.11. Upgrading to 4.1.4.13.

The ACSs are in a primary/backup. My plan is to upgrade the backup appliance offline.

That doesn't worry me, my biggest worry is in the remote agent upgrade for reasons I

won't get into here. Then upgrade the remote agent, then upgrade the primary offline.

My question is, if I do the upgrade this way, when I re-install the remote agent, should I

set the config provider to the IP of the upgraded unit (the backup). The config provider is

currently set to the primary unit. I can't determine from the docs if this is the case, but

the docs to say that the config provider must respond to the remote agent upon startup

of the remote agent. I believe this is what I need to do.

I have no problem adjuting the ini file and restarting the agent, then switching back after the

primary is upgraded, if this is what is needed. Wireless being a rather touchy subject where

I work, I can't afford extended downtime.

Once again, just looking for clarification. Any help/advice is appreciated - chris

Re: ACS and remote agent upgrade question

Jatin Katyal — Wed, 23 Dec 2009 22:15:39 GMT

Chris:

I understand your plan for upgrading appliances and remote agent server. This is actually the right practice.

We should always have the ip address of primary ACS SE as a configuration provider so If you are upgrading backup one first then let the primary server catering the authentication request and upgrade the remote agent server while upgrading the primary ACS SE.

From installation guide:

Although a remote agent can accept inbound communication from many appliances, it accepts configuration instructions from only a single appliance that you specify in the CSAgent.ini file. This special appliance is called a configuration provider.

When a remote agent starts, it reads its CSAgent.ini file to determine which services should be available and which appliance is its configuration provider. Then it contacts the configuration provider and requests its configuration.

After receiving its configuration from the configuration provider, the remote agent is available to provide the services configured in CSAgent.ini.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_solution_engine/4.2/installation/guide/remote_agent/rawo.html#wp219996

HTH

Regards,

Plz rate helpful posts-

Re: ACS and remote agent upgrade question

cmarva — Thu, 24 Dec 2009 12:51:30 GMT

JK, I appreciate the reply. That's the clarification I needed, configuration provider is always the primary.

It just seems to me, though, that if the config provider is always the primary, then why not upgrade the primary

first and let the backup handle the auth requests. I mean, it just seems like doing the backup first doesn't

achieve a whole lot if the RA is upgraded when the primary ACS is upgraded. But I'm just thinking out loud......

Thanks again for the help - chris

Re: ACS and remote agent upgrade question

Jatin Katyal — Thu, 24 Dec 2009 14:06:24 GMT

Chris:

Well, yes you can upgrade the primary server but why I suggested you to upgrade the secondary first; all your NAS devices should have the primary server listed first so if there is no communication with primary server there might be some delay while user try to authenticate.

IMP : Whenever we change/delete the primary/secondary remote agent under external user database...group mapping will disappear.

HTH

Regards,

Pla rate helpful posts-

Re: ACS and remote agent upgrade question

cmarva — Thu, 24 Dec 2009 17:31:04 GMT

Understood, just thinking out loud....the procedure just seems a little bit odd unless I'm missing something. No big deal, I'll get through it.

also, on your note about group mappings, I did see this in the documentation, but it didn't quite sink in. Now it is stuck in my head to double

check group mappings after the upgrade is done.

Thanks again, I appreciate it - chris