09-26-2013 12:49 PM - edited 03-10-2019 08:56 PM
I have been tasked to upgrade our four ACS servers from 4.2.1.15 to the latest version. The ACS servers are appliance based. I have browsed the download software page of cisco.com and have found this file: app/Acs_4.2.1.15.11.zip (ACS SE 4.2.1.15.11 cumulative patch).
Can someone confirm if this is the latest/best file to download the latest 4.2 release of hardware based Cisco Secure ACS?
For those who have upgraded to this latest release, can you comment on your experience regarding the upgrade process or ACS performance post-upgrade? Any issues/caveats about the process or performance post-upgrade?
Thanks in advance for any helpful information you can provide.
Adil
09-26-2013 12:59 PM
Hello Adil,
First, I would like to make clear that 4.2.1.15.11 is just a patch and not an upgrade.
We introduced this patch for users who are using EAP-FAST and are affected by this vulnerability:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130828-acs
However, with patches 9, 10 and 11 the CSUtil feature will break, and for that we've already filed a defect:
CSCuj39621 CSUtil crashes when no arguments are provided from ACS 4.2.1 patch 9
So you only need to apply patch 11 if you have a RADIUS/ACS server configured for EAP-FAST and you're not running CSUtil for your internal requirements.
~BR
Jatin Katyal
**Do rate helpful posts**
09-26-2013 01:42 PM
OK, I understand now that this is only a patch, but can you please advise as to what the step-by-step procedure would be for applying patch 11? Would I use the same procedure as doing an upgrade, i.e. use the distribution server to transfer the file to the ACS appliance, log on to ACS and use System Configuration to verify the download, etc.?
I've never performed this procedure so any helpful details you can provide would be greatly appreciated.
Thanks,
Adil
09-26-2013 02:01 PM
So yes, the steps will remain the same. Make sure you stop csagent before you start, and start csagent once you are done. You need to apply the same code patch on the server running the remote agent:
Remote Agent 4.2.1.15.11 cumulative patch
Acs-4.2.1.15.11-RA.zip
http://tools.cisco.com/squish/127b7
I've attached the steps to install patch for your reference.
~BR
Jatin Katyal
**Do rate helpful posts**
09-30-2013 03:00 AM
Were you able to install the latest patch 11 with the help of readme file attached and suggestions provided in my last post?
~BR
Jatin Katyal
**Do rate helpful posts**
09-30-2013 07:52 AM
Hello Jatin,
I haven't performed the patching yet. This is still in planning stage but I do have another question:
Is there a particular sequence for installing the RA patch and ACS SE patches or doesn't it matter? Also, will the patched ACS SE work with an unpatched Remote Agent until I have a chance to do it? In other words, is there a dependency between the two patching activities?
Adil
09-30-2013 08:01 AM
The same patch should be applied on both sides (ACS SE and Remote Agent). It won't work until you patch both devices with the same code. The ACS can communicate with AD only if they're running on the same code and patch. There is no such sequence; you can start from either of those 2 devices. We generally patch ACS SE first and then the remote agent server.
~BR
Jatin Katyal
**Do rate helpful posts**
10-01-2013 07:42 AM
Hello Jatin,
The step by step procedure for performing the patching of ACS SE involves some steps at the CLI. Can you point me to a step by step procedure for performing all of the steps using the web interface (including the stopping and starting of services)?
Adil
10-01-2013 08:13 AM
I don't see patch installation documented step by step anywhere, because it's the same as applying an upgrade and simple too. Here are the steps you need to perform.
1. Download patch zip file to any PC which we will call the Upgrade Server or distribution server.
2. Unzip the patch
3. Execute autorun.bat (you will see an ACS Appliance Update window appear, and it remains in the background. You will also see another IE window launch that gives you a place to put in the IP address or host name of the appliance).
4. Enter in the IP address or host name of the appliance and click Install.
5. This will bring you to the logon window for the ACS appliance.
6. Log into ACS
7. Click on System Configuration
8. Click on Appliance Upgrade Status
9. Click on Download
10. Enter in the IP address of the Upgrade Server and click Connect
11. You will see the patch that you are trying to install. Click Download Now
12. Click Download again.
13. Click Apply Upgrade
14. Click upgrade again.
15. Click Yes
16. Click Yes again.
17. Click Done.
18. On the Upgrade server click "Stop Distribution Server".
In order to stop csagent, go to System Configuration > Appliance Configuration (I think so).
P.S. Please open a TAC case if you're not comfortable in applying patch.
~BR
Jatin Katyal
**Do rate helpful posts**
10-03-2013 10:34 AM
In addition to that, I'd suggest reading all warning messages before you proceed.
Post your question back if you need some more clarification.
~BR
Jatin Katyal
**Do rate helpful posts**
10-03-2013 10:31 AM
This information is very helpful. Now I feel I am ready to proceed with patching our ACS appliance. Thank you very much.
09-26-2013 04:23 PM
4.2.1.15 is the latest software for ACS for 4.2.
Upgrade process:-
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/installation/guide/windows/install.html
Once upgraded from 4.2 to 4.2.1.15, download the following files to upgrade to 4.2.1.15:
Upgrade Package for ACS SE v4.2.1.15 (Appliance Management package)
Upgrade Package for ACS SE v4.2.1.15 (ACS Software package)
Remote Agent for Windows for ACS SE v4.2.1.15
ACS SE 4.2.1.15.11 cumulative patch
Remote Agent 4.2.1.15.11 cumulative patch
http://software.cisco.com/download/release.html?mdfid=281458154&flowid=34566&softwareid=280805678&release=4.2.1.15&relind=AVAILABLE&rellifecycle=&reltype=latest
09-26-2013 08:49 PM
Hi Adil
ACS provides a migration utility to transfer data from migration-supported versions of ACS 4.x to any ACS 4.x machine. The ACS migration process requires, in some cases, administrative intervention to manually resolve data before you import it to ACS.
The Migration utility completes the data migration process in two phases:
• Analysis and Export
• Import
In the Analysis and Export phase, you identify the objects that you want to export into 4.x. The Migration utility analyses the objects, consolidates the data, and exports it.
After the Analysis and Export phase is complete, the Migration utility generates a report that lists any data compatibility errors, which you can manually resolve to successfully import these objects into new ACS.
The Analysis and Export phase is an iterative process that you can rerun many times to ensure that there are no errors in the data to be imported. After you complete the Analysis and Export phase, you can run the import phase to import data into ACS.
For complete step by step configuration, please go through this link:
09-26-2013 09:05 PM
What you're suggesting here is called migration from ACS 4.x to 5.2. That's NOT a question.
He wanted to apply the latest patch of ACS 4.2.1.15 ... patch 11, and that is what Adil is concerned about.
~BR
Jatin Katyal
**Do rate helpful posts**