
Upgrade ACS 5.2 to 5.4

Rachid Zahraoui
Level 1

Hello,

I have an ACS 5.2 deployment and I want to upgrade it to version 5.4.

I have 2 servers in my deployment:

1/ Primary Server as Authentication server & log collector

2/ Secondary server as Authentication server.

What is the best way to do the migration?

Normally, I can proceed as follows:

1/ Deregister each server from the deployment ==> Make both the servers standalone

2/ Upgrade the Secondary server.

3/ Upgrade the Primary server (without migrating the log server).

4/ Join Servers to the deployment.

Can steps 2/ and 3/ be reversed?

Thank you for your reply.


Jatin Katyal
Cisco Employee

You are on the right path. Just make sure you apply the latest patch on ACS 5.2 and take a backup of the configuration before you proceed with the upgrade.

Yes, steps 2 and 3 can be reversed.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks for your help,

Where can I find the last patch for the ACS 5.2 version (or do I have to do that manually on the servers)?

Rachid.

Hi,

You can go to cisco.com and then browse to

Downloads Home -> Products -> Security -> Access Control and Policy -> Policy and Access Management

Cisco Secure Access Control System -> Cisco Secure Access Control System 5.2 -> Secure Access Control System Software-5.2.0.26 and download the latest patch for ACS 5.2 (ACS 5.2.0.26.11 cumulative patch).

Here are the steps to apply the patch:

1. open CLI console

2. define new repository in which the 5-2-0-26-11.tar.gpg resides

3. issue: 'acs patch install 5-2-0-26-11.tar.gpg repository (repository name)'.

4. verify installation by getting the following version information via CLI by issuing:

#show application version acs

For assistance on pre-production issues, you can open a case at http://www.cisco.com/web/partners/tools/pdihd.html

Regards,

Kush

Cisco PDI Help Desk

http://www.cisco.com/go/pdihelpdesk

Thank you Srivastava,

Another question please: how do I configure a repository on an ACS server?

Regards.




Create a repository

https://supportforums.cisco.com/docs/DOC-24802#Create_a_repository

Make sure we don't have TFTP as a protocol because it has some known issues with ACS.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Thanks.

I will use SFTP.

Sure, you may use SFTP as well. However, the SFTP server must meet some requirements:

-The destination directory must have read/write permission

-SCP must be enabled and the SFTP server must be FIPS compliant.

-As a result of FIPS certification the SSH client should support the following FIPS compliant cipher suites:

-Key Exchange Cipher: diffie-hellman-group14-sha1 (your SFTP server should be able to negotiate this cipher)

-Encryption Ciphers: aes256-cbc, aes128-cbc, 3des-cbc

-MAC: hmac-sha1

Jatin Katyal
- Do rate helpful posts -

~Jatin
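
As an added example (not part of the original thread or of Cisco's documentation): a small Python check that compares the output of `sshd -T` from an SFTP server against the three algorithm lists given in the post above and shows where the two sides have nothing in common. It assumes an OpenSSH-based SFTP server; the sample output is constructed.

```python
# Added example: the algorithm names come from the post above,
# everything else (function names, sample data) is illustrative.

# What the ACS SSH client supports, per the post above.
ACS_CLIENT = {
    "kexalgorithms": ["diffie-hellman-group14-sha1"],
    "ciphers": ["aes256-cbc", "aes128-cbc", "3des-cbc"],
    "macs": ["hmac-sha1"],
}

# Constructed sample of `sshd -T` output from a hardened server (not real data).
SAMPLE_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha256
ciphers aes256-ctr,aes128-ctr,aes256-cbc
macs hmac-sha2-256,hmac-sha1
"""


def parse_sshd_t(text):
    """Return {keyword: [algorithms]} for the three lists checked here."""
    offered = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ACS_CLIENT:
            algs = [a.strip() for a in parts[1].split(",") if a.strip()]
            offered[parts[0].lower()] = algs
    return offered


def check_acs_compat(text):
    """Map each category to the algorithms both sides support (empty = none)."""
    offered = parse_sshd_t(text)
    return {
        key: [alg for alg in client if alg in offered.get(key, [])]
        for key, client in ACS_CLIENT.items()
    }


def will_negotiate(text):
    """SSH needs at least one common algorithm in every category."""
    return all(check_acs_compat(text).values())


if __name__ == "__main__":
    for key, common in check_acs_compat(SAMPLE_SSHD_T).items():
        print(f"{key:14} {','.join(common) if common else 'NO COMMON ALGORITHM'}")
    print("SSH negotiation possible:", will_negotiate(SAMPLE_SSHD_T))
```

On the constructed sample the key exchange list has no match, so the repository connection would fail at negotiation even though a cipher and a MAC are shared.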

In case you are comfortable to create it using CLI.

==============================

##Steps to create repository##

==============================

Go to the CLI mode of this ACS

AAA/admin(config)# repository FTP --->  (could be any name)

AAA/admin(config-Repository)# url ftp://

AAA/admin(config-Repository)# user   password plain

AAA/admin(config-Repository)# exit

AAA/admin(config)#exit

On the FTP make sure you have all admin rights.

Once done use "show repository " to ensure that ACS is able to read the repository

Jatin Katyal

- Do rate helpful posts -

~Jatin

Thank you Singh !

I found it already, but it supposes that we have multiple secondary servers ==> So we can migrate the log collection function to another server before upgrading and make the log collector standalone...

In my special case (with only two servers in the deployment) I think I can upgrade the primary server without changing its log collector function, right?

Regards.

Upgrading an ACS Deployment from 5.2 to 5.4

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.4/installation/guide/csacs_upg.html#wp1199421

I'd still suggest you choose the secondary as a log collector. Upgrade the primary box and move it back.

Jatin Katyal


- Do rate helpful posts -

~Jatin

Muhammad Munir
Level 5

Hi

For complete information regarding configuration, implementation, please go through this link:

http://www.cisco.com/en/US/partner/docs/net_mgmt/prime/unified_operations_manager/9.0/install/guide/prereq.html