Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
722
Views
10
Helpful
3
Replies

ACS 4.2 - 5.4 Migration - EAP-FAST

Mark Tizzard
Level 1
Level 1

‎07-03-2013 06:24 AM - edited ‎03-10-2019 08:36 PM

Hi All,

I just had a quick question regarding EAP-FAST migration for ACS 4.x to 5.x. I have all the pieces in place to do the migration, all tests seems to be working fine, my question is about EAP-FAST master keys, exporting from 4.x to 5.x and the relation it has on configuration of the 5.x system.

Do I simply configure 5.x with appropriate EAP-FAST settings then import the master keys so that all 4.x clients can still authenticate securely against the ACS or do I need to do something else\more.

So far I've exported the test 4.x EAP-FAST keys to the test 5.x system and I see no changes in the GUI under "System Administration > Configuration >  Global System Options >  EAP-FAST >  Settings". The Authority ID is what I set when testing and doesn't match the authority ID from ACS 4.x test system which is simply "TEST" - so I wanted to confirm if things are as they should be. If so, the next test is going to be export the real EAP-FAST keys from my production 4.x system into my new 5.x systems and see what happens.

To note - the migration utility did report successful importation of the EAP-FAST master keys... 2 of them.


Any tips\tricks would be appreciated.

Thanks


Mark                  

Labels:
0 Helpful
3 Replies 3

Jatin Katyal
Cisco Employee
Cisco Employee

‎07-07-2013 10:36 PM

Hi Mark,

You're on the right track. In order to import/export the EAP-FAST PAC master key from ACS 4.x to ACS 5.x can only be done via migration utility with ACS 5. I guess you've followed the below mentioned steps.

From a command prompt, run the migration.bat script

Select option '1' from the "Choose one of the following:" menu to export the keys

After the export completes, select option '2' from the "Choose one of the following:" menu to import the export the keys.

When complete, a report will be displayed showing you what was imported. In this case, since you only exported the master keys, there should be no change to your overall configuration on the ACS 5.

Because the keys are stored in different formats in ACS 4 and ACS 5, the migration utility is the only way to move the keys between the two.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Mark Tizzard
Level 1
Level 1
In response to Jatin Katyal

‎07-08-2013 06:13 AM

Great! Thanks for the info guys.

My concern was this part that I read:

Import

In ACS 5.1, the objects are added to the Master Key table and are not available through the GUI. The authority ID is migrated to the EAP-FAST global settings.

The part in bold regarding the authority ID is what I didnt see change post migration test. So question is, should it have changed? I dont mind re-doing the global EAP-FAST settings as there isnt much to do but i just want to make sure post migration my EAP-FAST devices can communicate seemlessly with the new ACS 5.x install. It may be a simple as having the old master key be part of the ACS 5.x system and nothing else matters but i just want to be sure.

Thanks again


Mark

0 Helpful
Customers Also Viewed These Support Documents