Upgrade ACS 4.2 to 5.5 with client certificate authentication

y.lo · ‎02-26-2014

I understand that there is a migration tool that can help upgrade ACS 4.2 on windows platform to 5.5 apliance. However, it does not support certificate migration.

Customer is using client certificate for wireless client authentication. Does that mean I have to generate CSR on the new ACS 5.5 appliance and have it signed by an external CA, for every client certificate on the existing ACS 4.2?

Muhammad Munir · ‎03-04-2014

Hi

FYI

•Certificate Authentication Profiles allows you to customize the authentication for different certificate profiles.

•Identity store authorization is optional for certificate-based authentication.

•Root CA certificates must be imported.

Trusted certificate authorities are defined under the certificate configuration options in Users and Identity Stores. Here, the authentication characteristics of different certificate profiles are also specified.

Certificate authentication profiles are referenced in access service identity policy, and they allow you to specify:

•The certificate field that should be used as the principal username.

•Whether a binary comparison of the certificate should be performed.

Migration Notes

•PEM- or DER-formatted X.509 certificates can be imported to create a list of trusted CAs.

•ACS 5.5 does not check whether the certificate owner exists in a directory, but you can check the existence of a user attribute in an access service authorization policy.

for more details please go through the following link:

http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-5/migration/guide/migration_guide/Migration_Configure.html#wp1053387