Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
406
Views
0
Helpful
1
Replies

ACS Upgrade & Dual ACS for Concentrator

derekfairley
Level 1
Level 1

‎11-02-2005 05:03 AM - edited ‎03-10-2019 02:21 PM

Hi There;

I have recently been thrust into a project involving a Windows AD server running "Cisco Secure ACS for Windows (v3.1)", and a need to upgrade it to v3.3. A Cisco 3000 series VPN Concentrator is currently configured to use the above Windows host.

The customer has already obtained a copy of "Cisco Secure ACS for Windows (v3.3)" and has installed it on another Windows AD server, although for the time being, it is not considered as operational.

Now that you have a picture of the layout, I am wondering if you can help on the following questions:

1) Is there a defined process that one would go through to ensure that the settings specific to the Cisco Secure ACS for Windows v3.1 host are replicated or equal to those on the other host running Cisco Secure ACS for Windows v3.3?

(NOTE: The v3.1 host may be departing the domain as the server hardware is a little old. There is some speculation that once a new server is purchased and made into a Windows AD server, "Cisco Secure ACS for Windows v3.3" will be installed.)

2) If the customer will be completely removing the v3.1 host, what changes need to be made on the Cisco VPN Concentrator to ensure that the v3.3 host is refered to in the future?

3) If after the v3.1 to v3.3 upgrade there ends up being two hosts running Cisco Secure ACS for Windows v3.3, can and how should the Cisco VPN Concentrator be configured to refer to both hosts as part of either a load balancing or redundancy (availability) scheme.

As I am new to these products (but not the functional concepts involved), please try to be specific in terms of where settings are defined (if refering to admininstrative menu items).

Cheers!

Derek Fairley

Labels:
0 Helpful
1 Reply 1

darpotter
Level 5
Level 5

‎11-03-2005 03:56 AM

Hi

Im not a VPN expert, but on the ACS side the officially supported method is to manually re-create your static config onto another 3.1 server, replicate the dynamic config over to it and then upgrade it to 3.3. Alternatively start from scratch on a new 3.3 server.

Painful I know :(

You could do this... and a big warning THIS IS NOT OFFICICALLY SUPPORTED.

Create a backup of the 3.1 server.

Create a 2nd 3.1 server and restore the backup from the first.

Updrade the new 3.1 server to 3.3 with an in-place upgrade.

Thats the only way I know to ensure you get all the settings from 3.1 into 3.3

The only problem is, an ACS server knows its own ip address. If your new server's ipaddress is different from the old one (likely) you'll have to edit the registry to "re-ip" the acs config.

If you look in HKLM/SW/Cisco/CiscoAAAv3.3/Hosts you'll see an entry with the name of your server. To double check there will be a value called "protocol" that will be 99 and type 1.

Change the ip address to the actual ip of that new machine.

Then re-start all the services from the control panel - including CSAdmin.

Again, this is not officially supported and you shouldnt try it on a production server.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents