Solved: Re: license issues when re-imaging without a repositary?

joopv · ‎08-02-2012

We have an ACS 1121 running 5.1, so far unused.

Now we have to start using it, from scratch. But before that, i would like it to upgrade it to the latest and greatest version 5.3

It's not connected to any network yet. So i can't configure any remote repositary.

If i re-image it by booting from a DVD burned with the acs_v5.3.0.40.iso, without any backup or whatever, will i run into any license issues? Will i get a fully functional ACS again?

Thanks !

Tarik Admani · ‎08-02-2012

Yes,

The license will be backed up if you perform a backup. Just remember when you restore, you will have to restore the backup through cli if you decide to reimage to 5.3 and then restore the 5.1 database if you use this method.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1194934

Make sure you install the latest patch (4 or 5) before restoring the database, that is one of the last steps mentioned in the guide but should be done before restoring.

Good luck!

Tarik Admani
*Please rate helpful posts*

View solution in original post

Tarik Admani · ‎08-14-2012

There isnt a best practices guide in the way you configure ACS, however, if you look at the options on the left and take it from a "top to down" approach it will help you understand the process much better.

You add your network resources (i.e AAA clients) followed by your identities (internal, AD, LDAP..etc) followed by your Policy Elements (authorization profiles such as: ACLs, Dynamic Vlan assignment..etc or Shell Profiles for tacacs: priv levels, command authorization sets), then all these conditions then combine into authorization policies. You take each of the components (network device, identity) and set a result which is your policy element.

Just when you are ready to pull your hair out by thinking that the ACS is a very limited product, down on the bottom right is a button called the customize button, that is where you can add other condtions which will help create more specific results for any use case you come across.

Here is the ACS 5 reference material to get your started:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html

I hope that helps!

Tarik Admani
*Please rate helpful posts*

View solution in original post

Tarik Admani · ‎08-02-2012

Did you install the licenses already? If this is an unused ACS, it doesnt come with a licenses pre-installed. You will see that if you were to connect this to the network and try to access the management interface. One of the first steps is to install the license after logging in for the first time and you can only do that through the web management interface.

So once you reimage you will have to dig up the license, or the PAK for this acs and you can register it online at this url:

https://tools.cisco.com/SWIFT/LicensingUI/Home

If you dont have the PAK then you will have to open a case with licensing and they will request more information about this ACS such as the serial number (show udi) should get this for you. Then they can look up the contract and go from there.

thanks,

Tarik Admani
*Please rate helpful posts*

joopv · ‎08-02-2012

Thanks for your quick reply !

I was not really complete with my question. The unit was used by a collegue of mine, but it was never put into production and has been laying on a shelf because of migration complexity's.

So i thougt it would be best to start again with a clean and uptodate system.

I will dig up the license paperwork or - if i can't find it - open a license case.

The other option would be to connect it to a temporary network, setup an ftp server, create a remote repositary and do a backup, will the license be backed-up and restore-able after re-imaging to 5.3?

Tarik Admani · ‎08-02-2012

Yes,

The license will be backed up if you perform a backup. Just remember when you restore, you will have to restore the backup through cli if you decide to reimage to 5.3 and then restore the 5.1 database if you use this method.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/guide/csacs_upg.html#wp1194934

Make sure you install the latest patch (4 or 5) before restoring the database, that is one of the last steps mentioned in the guide but should be done before restoring.

Good luck!

Tarik Admani
*Please rate helpful posts*

joopv · ‎08-14-2012

Thanks Tarik, this went exactly as predicted. License is restored.

I still have some questions about re-furnituring 5.3, since it seems to be quite a bit different than the ACS 3.x and 4.x versions that i have experience with.

Maybe there is a best-practices document that you can point me to, or i will open a new discussion thread.

Regards,

Joop

Tarik Admani · ‎08-14-2012

There isnt a best practices guide in the way you configure ACS, however, if you look at the options on the left and take it from a "top to down" approach it will help you understand the process much better.

You add your network resources (i.e AAA clients) followed by your identities (internal, AD, LDAP..etc) followed by your Policy Elements (authorization profiles such as: ACLs, Dynamic Vlan assignment..etc or Shell Profiles for tacacs: priv levels, command authorization sets), then all these conditions then combine into authorization policies. You take each of the components (network device, identity) and set a result which is your policy element.

Just when you are ready to pull your hair out by thinking that the ACS is a very limited product, down on the bottom right is a button called the customize button, that is where you can add other condtions which will help create more specific results for any use case you come across.

Here is the ACS 5 reference material to get your started:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/my_wkspc.html

I hope that helps!

Tarik Admani
*Please rate helpful posts*