Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

605
Views
0
Helpful
3
Replies
Highlighted
michaellambert1980
Beginner
Beginner
‎03-31-2011 06:44 AM
‎03-31-2011 06:44 AM

ACS 4.1.1.24 to 5.2.0.26.3 Network Device Migration issue

Hello all.

I'm getting an error when I run the migration.bat script to migrate data from ACS 4.1 to 5.2 and analyse the Network Devices in the 4.1 database.

hqssec01AnalyzeAndExportNetwork Devicehqsvg22417kerrorinvalid_sharedsecretCannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01AnalyzeAndExportNetwork Devicehqsvg22418kerrorinvalid_sharedsecretCannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01AnalyzeAndExportNetwork Devicemilswi1a1errorinvalid_sharedsecretCannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}
hqssec01AnalyzeAndExportNetwork DeviceDS2000_Storm_Standbyerrorinvalid_sharedsecretCannot migrate Network Device that has Shared secret key with a name that contains any of the following characters: "'{}

We use a common shared secret key for 253 devices to use for TACACS authentication.  Unfortunately ACS 4.1 allows you to use the " character in this key but 5.2 doesn't.  Is there a way of changing  the  key in the 4.1 database for all 253 devices without having to manually change all devices individually?

I can change the AAA client's key with various tools no problem, but the issue is the key stored on the ACS database.

Any help would be great!

Labels:
0 Helpful
Reply
3 REPLIES 3
Highlighted
Yudong Wu
Rising star
Rising star
‎03-31-2011 01:12 PM
‎03-31-2011 01:12 PM

You can use RDBMS sync to update all devices' sharedkey.

http://www.cisco.com/en/US/partner/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/A_RDBMS.html

Refer to the follow table, action ID 224

Table E-6     Action Codes for Modifying Network Configuration.

0 Helpful
Reply
Highlighted
michaellambert1980
Beginner
Beginner
In response to Yudong Wu
‎03-31-2011 02:20 PM
‎03-31-2011 02:20 PM

Thankyou.  I'll try it in the morning.

0 Helpful
Reply
Highlighted
michaellambert1980
Beginner
Beginner
In response to michaellambert1980
‎04-02-2011 02:18 AM
‎04-02-2011 02:18 AM

Just to update.

RDBMS syncronization using csv files is only available on 4.2 so I updated from 4.1 to 4.2.

Using the accountActions.csv file, I made a copy accountActions2.csv and used the action id 225 to dump the NAS database to a file DumpNAS.txt.

I then imported the relevant fields from DumpNAS.txt into a new file accountActions3.csv and used action ID 224 to update the NAS database.

The issue I had was that the Value 3 field "Vendor ID" I could not locate the corrent string to use.

In the end I used the 'File Operations' function in ACS 5.2 and used the network device template to load the devices into ACS 5.2 with the new shared secret.  The only thing missing from was Network Device Groups, which had to be created manually and then manually move each device into the relevant NDG.

This may prove useful for anyone having a similar problem.

0 Helpful
Reply
Latest Contents
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Unable to access Firepower Management Center via web browser
Created by Thomas321 on 01-13-2021 04:16 PM
0
5
0
5
Hi all, I have ASA 5506W and everything work great without any issue by access from ASDM or SSH, however I am unable to access FMC via web browser then getting following error message "Onbox NGFW is managed by ASDM. Please use your ASDM Client or dow... view more
Cognitive Release Note, December 2020: CWS end-of-life and n...
Created by aligarci on 01-13-2021 09:34 AM
0
0
0
0
User Experience Enhancements As part of the Cisco Common User Experience program, we are working towards a more uniform user experience and terminology alignment. This program runs across all Cisco security products.   Cognitive Intelligence en... view more
Content for Community-Ad