Upgrading an ACS Server from 5.0 to 5.1

SUNUTECH
Level 1

I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!

I am trying to do it by CLI.

What CLI command do I use and what patch?

Thanks !



jrabinow
Level 7

There are a couple of patches that need to be installed before upgrading to 5.1:

1) ACS 5.0 patch 9. On CCO: 5-0-0-21-9.tar.gpg

2) ADE-OS version 1.2    /// upgrades operating system version. On CCO: ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg

Both of these steps use the following command: "acs patch install patch-name.tar.gpg repository repository-name"

Then you can perform the upgrade to 5.1 using the following command:

application upgrade application-bundle remote-repository-name

All the patches/upgrade bundles can be downloaded from CCO. 5.1 package is called "ACS_5.1.0.44.tar.gz"

More detailed documentation is at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html#wp1167547

Thank you very much !


The application upgrade was successful. Now I have:

sh version

Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.146
ADE-OS System Architecture: i386

Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.

There is another problem: I see the Active Directory and the users of Active Directory can be authenticated, but they cannot access privileged mode.

Example:

I created a user in the Active Directory admin group:

username : admin.ad

password: cisco123


telnet 192.168.1.1

username admin.ad

password cisco123

Router>en

password cisco123

error in authentication

This is my problem.

In the monitoring and report I have this:

AAA Protocol > TACACS+ Authentication

Authentication Status :
Pass or Fail
Date :
December 09, 2009

Dec 9,09 11:52:20.200 AM
13029 Requested privilege level too high
admin.ad
switch
Device Type:All Device Types, Location:All Locations
Default Device Admin
AD1

Thanks !

Looks like you have made good progress!

Within each shell profile there are two fields: Default Privilege and Maximum Privilege. You need to check the value of the Maximum Privilege in the shell profile that was selected (you can see this in the details of the monitoring report) and see that it allows the level you requested.

While I am here, I realize there is one additional step for the upgrade that I didn't highlight in the mail, although it appears in the instructions that can be accessed from the link.

Configuration data gets upgraded automatically when upgrading to 5.1. However, monitoring and troubleshooting data gets upgraded in the background while the system is running and operational. The following steps relate to the monitoring and troubleshooting data upgrade process:

Step 5 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears with the following information:

Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.

Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:

The View database conversion is complete.

Step 6 After the data upgrade status is complete, click Switch Database.

Thanks !

I saw it when I did the migration and I completed this step.

I created a group and gave it the maximum privilege 15. The user is stored in Active Directory. I can authenticate but cannot access the privilege level.

Example:

telnet 192.168.1.1

username testAD

password cisco 123

Router> en

password cisco123

Access denied

can you help me !!!

Which shell profile is being assigned to the request?

The shell profile contains a field "Maximum Privilege" which defines the maximum privilege for the session that can be set with an enable request.

You need to create a shell profile with this field set to your desired maximum value and then select it as the result of the authorization profile in the policy you are using. For example, if this was the "Default Device Admin" service, this would be set at the following location:

"Access Policies > Access Services > Default Device Admin > Authorization"
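The two replies above describe the rule ACS applies to an enable request (the session may not exceed the shell profile's Maximum Privilege) and point at the monitoring report where the 13029 failure shows up. The following Python is an added example, not code from the thread or from Cisco ACS: it models that check for a few shell profiles and scans constructed report lines for the 13029 message. The pipe-delimited line layout, the `ShellProfile` field names and the sample users are assumptions.

```python
# Added example (not from the thread): models the ACS shell-profile check the
# replies describe and scans constructed TACACS+ report lines for 13029 events.
# Field names, the report line format and the sample data are assumptions.
from dataclasses import dataclass
import re


@dataclass
class ShellProfile:
    name: str
    default_privilege: int
    maximum_privilege: int


# Profiles as the thread describes them: FULL ACCESS allows enable 15,
# a constructed READ ONLY profile caps the session at level 1.
FULL_ACCESS = ShellProfile("FULL ACCESS", default_privilege=1, maximum_privilege=15)
READ_ONLY = ShellProfile("READ ONLY", default_privilege=1, maximum_privilege=1)


def enable_authorized(profile: ShellProfile, requested_level: int):
    """Return (passed, reason) for an enable request against a shell profile.
    Mirrors the rule in the replies: the requested level must not exceed
    the profile's Maximum Privilege, otherwise ACS reports 13029."""
    if not 0 <= requested_level <= 15:
        return False, "invalid privilege level"
    if requested_level > profile.maximum_privilege:
        return False, "13029 Requested privilege level too high"
    return True, "ok"


# Constructed sample lines in the shape of the report pasted in the thread:
# timestamp | message | user | device | access service | identity store
SAMPLE_REPORT = """\
Dec 9,09 11:52:20.200 AM|13029 Requested privilege level too high|admin.ad|switch|Default Device Admin|AD1
Dec 9,09 11:53:01.010 AM|Authentication passed|test.ad|switch|Default Device Admin|AD1
Dec 9,09 11:54:07.333 AM|13029 Requested privilege level too high|test.ad|router|Default Device Admin|AD1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<msg>[^|]+)\|(?P<user>[^|]+)\|(?P<device>[^|]+)"
    r"\|(?P<service>[^|]+)\|(?P<store>[^|]+)$"
)


def privilege_failures(report: str) -> dict:
    """Count 13029 failures per user, the symptom the original poster saw."""
    counts: dict = {}
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not m.group("msg").startswith("13029"):
            continue
        counts[m.group("user")] = counts.get(m.group("user"), 0) + 1
    return counts
```

A burst of 13029 entries for a user whose shell profile already allows the level is worth a second look at which rule actually matched, since the report names the selected profile.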

I created a shell profile called FULL ACCESS and the privilege level is 15 (maximum privilege level). And I created a group called Active_Directory.

I created a RULE 1:

Access Policies > Access Service > Default Device Admin > Authorization

Rule 1: in All Groups:Active_Directory | ANY | ANY | ANY | FULL ACCESS

telnet 192.168.1.1

username: test.ad (it's the domain admin user)

password : cisco123

Router>en

password cisco123


Access  denied

If it's an internal user there is no problem, authentication is successful!!

I'm very confused, I don't know what to do. In ACS version 3 the users of Active Directory can authenticate successfully. There is an option in that version to say that the authentication can be done with the Windows database.

Thank you for your support!!! Everything is OK! Now the users of Active Directory can be authenticated, and the internal users too, depending on the access level I give.

Now I have just a question: is it possible to authenticate VPN users with the ACS? If yes, can the authentication be done by Active Directory?

Thank you!

Yes. This is supported. It may be best to look up the following topic in the online help for more details: "VPN Remote Network Access"

I read in the document :

Supported Authentication Protocols
ACS 5.1 supports the following protocols for inner authentication inside the VPN tunnel:
•RADIUS/PAP
•RADIUS/CHAP
•RADIUS/MS-CHAPv1
•RADIUS/MS-CHAPv2
With the use of MS-CHAPv1 or MS-CHAPv2 protocols, ACS can generate MPPE keys that are used for encryption of the tunnel that is created.

But I use the TACACS+ protocol in all the configuration! Do I have to change the configuration in the ACS if I want to configure VPN authentication by Active Directory?

Hello,

Great job on this discussion Jonny

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC