ACS 5.4 with 4.x deployment

Hi guys.

Need to solve the further task:

I have a large deployment of independent ACS 4.x servers (every server has its own zone of responsibility). And there is a need to deploy two central ACS servers with the whole database from every independent ACS 4.x.

I want to deploy two latest ACS 5.4 as a central cluster (replicate everything from ACS 4.x to ACS 5.4 using the Cisco Migration Tool; secondary unit in the cluster as a backup and a log collector), and all of the 4.x servers as secondary servers.

So I have a couple of questions:

1) Will this deployment work like it should with Medium ACS Deployment from Cisco guide for ACS 5.4:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_deploy.html

The point is: can I manage the whole ACS network from the central 5.4 cluster and will the database be replicated partially to ACS 4.x servers?

2) If the answer to the first question is "no", can I use 4.x as relay servers, or is it totally meaningless and should I just point all clients to the central cluster?

Thanks for reading this, I hope you can help me.

1 Accepted Solution

Accepted Solutions

Amjad Abdullah
VIP Alumni

Hello Alex:

1-) no. if you use 5.4 the config is not replicated to the 4.x version.

2-) you can use both 5.4 and 4.x as RADIUS servers for your clients. The point is you have to configure the policies on both of them independently. For example, internal users - if any - must be created independently on both servers. So, you need to maintain the consistency between both versions (i.e. make sure that the auth requests will be processed almost the same on both servers. You of course don't want one server to accept an auth while the other server (different version) rejects it).

3-) The logs of both 5.4 servers are maintained on the log collector. However, if you use the 4.x on the AAA servers list on your clients besides the 5.4 servers then the logs on the 4.x version will not be logged to the log collector of the 5.4 servers. They are stored on the 4.x only (locally or also remotely if you configured remote logging). So, if you need to search for an auth attempt you need to check both versions logs (5.4 and 4.x logs).

I want to mention also that the migration tool does not migrate everything from the 4.x server. There are things that the migration tool cannot migrate. The full list of unsupported elements in the migration process is listed here:

http://tiny.cc/61v51w

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

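Point 3 above means an authentication attempt may have landed on either generation of server, so an investigator has to search two log stores with different layouts. The script below is an added example (not from the post or from Cisco) that normalises a constructed ACS 4.x-style CSV export and constructed ACS 5.4-style syslog lines into one timeline per user; the field layouts are assumptions for illustration, not the real ACS export formats.

```python
"""Merge separate ACS 4.x and ACS 5.4 authentication logs into one per-user timeline."""
import csv
import io
import re
from datetime import datetime

# Constructed sample of an ACS 4.x-style CSV export (layout assumed, not the real ACS format).
ACS4_CSV = """Date,Time,User-Name,NAS-IP-Address,Status
03/14/2013,09:15:02,alex,10.1.1.5,Passed
03/14/2013,09:16:40,bob,10.1.1.5,Failed
"""

# Constructed sample of ACS 5.4-style syslog lines as received by the log collector (layout assumed).
ACS54_SYSLOG = """Mar 14 09:15:30 acs-primary CSCOacs_Passed_Authentications UserName=alex, Device IP Address=10.2.2.9
Mar 14 09:17:05 acs-primary CSCOacs_Failed_Attempts UserName=alex, Device IP Address=10.2.2.9
"""

SYSLOG_RE = re.compile(
    r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ CSCOacs_(\w+) UserName=([^,]+), Device IP Address=(\S+)"
)


def parse_acs4(text):
    """CSV rows carry a full date, so no year hint is needed."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["Date"] + " " + row["Time"], "%m/%d/%Y %H:%M:%S")
        events.append({"ts": ts, "user": row["User-Name"], "nas": row["NAS-IP-Address"],
                       "result": row["Status"], "source": "acs4"})
    return events


def parse_acs54(text, year):
    """Syslog timestamps have no year; the caller supplies it (assumption for the sample)."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # skip lines that are not auth records
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        result = "Passed" if m.group(2).startswith("Passed") else "Failed"
        events.append({"ts": ts, "user": m.group(3), "nas": m.group(4),
                       "result": result, "source": "acs54"})
    return events


def search_user(user, year=2013):
    """Return every auth attempt for `user` from both generations, oldest first."""
    events = parse_acs4(ACS4_CSV) + parse_acs54(ACS54_SYSLOG, year)
    return sorted((e for e in events if e["user"] == user), key=lambda e: e["ts"])
```

In practice the two inputs would be the 4.x CSV export and the 5.4 collector's syslog file, and the merged timeline is what you grep instead of checking each store by hand.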

5 Replies


Hi Amjad,

Thanks for the answer.

Can you please answer one more question:

Can I deploy three ACS 5.4 like this:

a) 1 - primary

    2 - backup + log collector

    3 - backup + log collector.

or

b) 1- primary

    2 - backup + log collector

    3 - backup

I need replication from primary to both backup servers and, if it's possible, "split deployment" between primary and backup-log_collector. Also it's not clear to me which one of the backup servers will become primary if the primary server goes down (can I determine it, or will it happen in a random manner?).

Hi Alex.

sure. I can happily answer whatever you ask (if I know the answer of course).

There can only be one log collector in a deployment. so option B is the correct one.

You cannot make any configuration changes on the secondary servers when the primary server ACS1 is down. If all other secondary ACS servers are active, we can make any secondary server the primary server.

you may see this:

http://tiny.cc/4z351w

Regards,

Amjad

Rating useful replies is more useful than saying "Thank you"


Thanks a lot, Amjad!

Most welcome.

Rating useful replies is more useful than saying "Thank you"
