I currently have 1 CAS 3310 Failover Bundle for Wireless user, and 1 CAM Lite Failover Bundle for management.
ACAS, CAM and Clean Access Agents are running 4.1.3. We are considering an upgrade, in particular because some end-user machines are soon to be Windows 7. Our authentication for users is provided by AD SSO.
I would like to know your experience when doing such a major jump (4.1.3 to 4.8.1). Looking for gotchas and known issues. Also what the incremental upgrade path looks like.
I was thinking we can go 4.1.3 -> 4.6.1 -> 4.8.1. Any other way or recommendation? Cisco is highly recommending we go to 4.8.1 if at all possible.
I am also aware that we need to create new root certificates.
We had the same problem many months ago, and we carefully followed the Cisco upgrade instructions manual step by step to upgrade from 4.(1).2 to 4.(7).2, because 4.(8).1 didn't exist at that moment, and everything went fine. Now we've got 2 CAM + 2 CAS working fine with Windows 7 clients authenticating against AD 2008 domain servers.
Note: With respect to the certificate, we were working at version 4.(1).2 with the self perfigo certificate, and when we installed the new version we kept this certificate. This is not recommended by Cisco, who advise you to use a certificate from an external CA, but we're working with the old one with no problem.
I'm thinking of doing an upgrade from 4.1.3 -> 4.5.x -> 4.7.2.
At this moment PC clients have a self perfigo certificate. How can you keep the same certificate when you did the update?
I have 1 pair of CAM and 4 pairs of CAS in a failover scenario, and you know that the certificate must have the Virtual IP address from the CAS. So, at this time the perfigo certificate does not have any IP.
Yes, that is the correct upgrade path: 4.1.3 -> 4.6.1 -> 4.8.1.
I would recommend you go through the release notes for 4.6.1 and 4.8.1 for all the known gotchas and the detailed upgrade process.
Gotchas/changes/upgrade process for 4.6.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/461/461rn.html#wp65900.
Gotchas/changes/upgrade process for 4.8.1: http://www.cisco.com/en/US/docs/security/nac/appliance/release_notes/48/481rn.html#wp65900.
Regarding the certificates, you should not use the self-signed certs due to security reasons, and they should only be used for lab purposes.
This means that it still works with the self signed, but you need to import the CAS cert into the CAM trusted certification authorities and vice-versa, so that the CAM trusts the CAS cert and vice-versa.
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
We've done an upgrade from 4.1.6 to 4.8.1 in two steps: 4.1.6 to 4.6.1, then 4.6.1 to 4.8.1. The whole process (2 CAS and 2 CAM) takes at least 90 minutes for the first step and 120 minutes for the second step.
I recommend you do this upgrade with a keyboard and a monitor!!!