I just had a quick question regarding EAP-FAST migration for ACS 4.x to 5.x. I have all the pieces in place to do the migration, and all tests seem to be working fine. My question is about EAP-FAST master keys, exporting from 4.x to 5.x, and the relation it has to the configuration of the 5.x system.
Do I simply configure 5.x with appropriate EAP-FAST settings, then import the master keys so that all 4.x clients can still authenticate securely against the ACS, or do I need to do something else/more?
So far I've exported the test 4.x EAP-FAST keys to the test 5.x system and I see no changes in the GUI under "System Administration > Configuration > Global System Options > EAP-FAST > Settings". The Authority ID is what I set when testing and doesn't match the authority ID from the ACS 4.x test system, which is simply "TEST" - so I wanted to confirm if things are as they should be. If so, the next test is going to be to export the real EAP-FAST keys from my production 4.x system into my new 5.x systems and see what happens.
To note - the migration utility did report successful importation of the EAP-FAST master keys... 2 of them.
You're on the right track. Importing/exporting the EAP-FAST PAC master key from ACS 4.x to ACS 5.x can only be done via the migration utility with ACS 5. I guess you've followed the below mentioned steps.
From a command prompt, run the migration.bat script
Select option '1' from the "Choose one of the following:" menu to export the keys
After the export completes, select option '2' from the "Choose one of the following:" menu to import the exported keys.
When complete, a report will be displayed showing you what was imported. In this case, since you only exported the master keys, there should be no change to your overall configuration on the ACS 5.
Because the keys are stored in different formats in ACS 4 and ACS 5, the migration utility is the only way to move the keys between the two.
In ACS 5.1, the objects are added to the Master Key table and are not available through the GUI. The authority ID is migrated to the EAP-FAST global settings.
The part in bold regarding the authority ID is what I didn't see change post migration test. So the question is, should it have changed? I don't mind re-doing the global EAP-FAST settings as there isn't much to do, but I just want to make sure post migration my EAP-FAST devices can communicate seamlessly with the new ACS 5.x install. It may be as simple as having the old master key be part of the ACS 5.x system and nothing else matters, but I just want to be sure.