
ACS 4.2 to 4.2.1 Upgrade Questions

adil.nasser3
Level 1

I have been tasked to upgrade our four ACS servers from 4.2.1.15 to the latest version. The ACS servers are appliance-based. I have browsed the download software page of cisco.com and have found this file:

app/Acs_4.2.1.15.11.zip (ACS SE 4.2.1.15.11 cumulative patch).

Can someone confirm if this is the latest/best file to download the latest 4.2 release of hardware based Cisco Secure ACS?

For those who have upgraded to this latest release, can you comment on your experience regarding the upgrade process or ACS performance post-upgrade? Any issues/caveats about the process or performance post-upgrade?

Thanks in advance for any helpful information you can provide for this.

Adil


Jatin Katyal
Cisco Employee

Hello Adil,

First, I would like to clarify that 4.2.1.15.11 is just a patch and not an upgrade.

We introduced this patch for users who are using EAP-FAST and are affected by this vulnerability:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130828-acs

However, with patches 9, 10 and 11 the CSUtil feature will break, and for that we've already filed a defect:

CSCuj39621    CSUtil crashes when no arguments are provided from ACS 4.2.1 patch 9

So you only need to apply patch 11 if you have a RADIUS/ACS server configured for EAP-FAST and you're not running CSUtil for your internal requirement.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

OK, I understand now that this is only a patch, but can you please advise as to what the step-by-step procedure would be for applying patch 11? Would I use the same procedure as doing an upgrade? I.e., use the distribution server to transfer the file to the ACS appliance, log on to ACS and use System Configuration to verify the download, etc.

I've never performed this procedure so any helpful details you can provide would be greatly appreciated.

Thanks,

Adil

So yes, the steps will remain the same. Make sure you stop csagent before you start, and start csagent once you are done. You need to apply the same code patch on the server running the remote agent:

Remote Agent 4.2.1.15.11 cumulative patch

Acs-4.2.1.15.11-RA.zip

http://tools.cisco.com/squish/127b7

I've attached the steps to install patch for your reference.

~BR
Jatin Katyal


Were you able to install the latest patch 11 with the help of readme file attached and suggestions provided in my last post?

~BR
Jatin Katyal


Hello Jatin,

I haven't performed the patching yet. This is still in planning stage but I do have another question:

Is there a particular sequence for installing the RA patch and ACS SE patches or doesn't it matter? Also, will the patched ACS SE work with an unpatched Remote Agent until I have a chance to do it? In other words, is there a dependency between the two patching activities?

Adil

The same patch should be applied on both sides (ACS SE and Remote Agent). It won't work until you patch both devices with the same code. The ACS can communicate with AD only if they're running on the same code and patch. There is no such sequence; you can start from either of those 2 devices. We generally patch ACS SE first and then the remote agent server.

~BR
Jatin Katyal


Hello Jatin,

The step by step procedure for performing the patching of ACS SE involves some steps at the CLI.  Can you point me to a step by step procedure for performing all of the steps using the web interface (including the stopping and starting of services)?

Adil

I don't see patch installation documented step-by-step anywhere because it's the same as applying an upgrade, and simple too. Here are the steps you need to perform.

1. Download the patch zip file to any PC, which we will call the Upgrade Server or distribution server.
2. Unzip the patch.
3. Execute autorun.bat (you will see an ACS Appliance Update window appear, and it remains in the background. You will also see another IE window launch that gives you a place to put in the IP address or host name of the appliance).
4. Enter the IP address or host name of the appliance and click Install.
5. This will bring you to the logon window for the ACS appliance.
6. Log into ACS.
7. Click on System Configuration.
8. Click on Appliance Upgrade Status.
9. Click on Download.
10. Enter the IP address of the Upgrade Server and click Connect.
11. You will see the patch that you are trying to install. Click Download Now.
12. Click Download again.
13. Click Apply Upgrade.
14. Click Upgrade again.
15. Click Yes.
16. Click Yes again.
17. Click Done.
18. On the Upgrade Server click "Stop Distribution Server".

In order to stop csagent, go to System Configuration > Appliance Configuration (I think so).

P.S. Please open a TAC case if you're not comfortable applying the patch.

~BR
Jatin Katyal


In addition to that, I'd suggest reading all warning messages before you proceed.

Post your question back if you need some more clarification.

~BR
Jatin Katyal


This information is very helpful.  Now I feel I am ready to proceed with patching our ACS appliance.  Thank you very much.

Abha Jha
Cisco Employee

4.2.1.15 is the latest software for ACS for 4.2.

Upgrade process:-

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html

Once upgraded from 4.2 to 4.2.1.15, download the following files to upgrade to 4.2.1.15:

Upgrade Package for ACS SE v4.2.1.15 (Appliance Management package)

Upgrade Package for ACS SE v4.2.1.15 (ACS Software package)

Remote Agent for Windows for ACS SE v4.2.1.15

ACS SE 4.2.1.15.11 cumulative patch

Remote Agent 4.2.1.15.11 cumulative patch

http://software.cisco.com/download/release.html?mdfid=281458154&flowid=34566&softwareid=280805678&release=4.2.1.15&relind=AVAILABLE&rellifecycle=&reltype=latest

Muhammad Munir
Level 5

Hi Adil

ACS provides a migration utility to transfer data from migration-supported versions of ACS 4.x to any ACS 4.x machine. The ACS migration process requires, in some cases, administrative intervention to manually resolve data before you import it to ACS.

The Migration utility completes the data migration process in two phases:

• Analysis and Export

• Import

In the Analysis and Export phase, you identify the objects that you want to export into 4.x. The Migration utility analyses the objects, consolidates the data, and exports it.

After the Analysis and Export phase is complete, the Migration utility generates a report that lists any data compatibility errors, which you can manually resolve to successfully import these objects into new ACS.

The Analysis and Export phase is an iterative process that you can rerun many times to ensure that there are no errors in the data to be imported. After you complete the Analysis and Export phase, you can run the import phase to import data into ACS.

For complete step by step configuration, please go through this link:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/common_scenarios.html

What you're suggesting here is called migration from ACS 4.x to 5.2. That's NOT a question.

He wanted to apply the latest patch of ACS 4.2.1.15 ....patch 11 and that is what Adil is concerned about.

~BR
Jatin Katyal
