I have recently been thrust into a project involving a Windows AD server running "Cisco Secure ACS for Windows (v3.1)", and a need to upgrade it to v3.3. A Cisco 3000 series VPN Concentrator is currently configured to use the above Windows host.
The customer has already obtained a copy of "Cisco Secure ACS for Windows (v3.3)" and has installed it on another Windows AD server, although for the time being, it is not considered as operational.
Now that you have a picture of the layout, I am wondering if you can help on the following questions:
1) Is there a defined process that one would go through to ensure that the settings specific to the Cisco Secure ACS for Windows v3.1 host are replicated or equal to those on the other host running Cisco Secure ACS for Windows v3.3?
(NOTE: The v3.1 host may be departing the domain as the server hardware is a little old. There is some speculation that once a new server is purchased and made into a Windows AD server, "Cisco Secure ACS for Windows v3.3" will be installed.)
2) If the customer will be completely removing the v3.1 host, what changes need to be made on the Cisco VPN Concentrator to ensure that the v3.3 host is refered to in the future?
3) If after the v3.1 to v3.3 upgrade there ends up being two hosts running Cisco Secure ACS for Windows v3.3, can and how should the Cisco VPN Concentrator be configured to refer to both hosts as part of either a load balancing or redundancy (availability) scheme.
As I am new to these products (but not the functional concepts involved), please try to be specific in terms of where settings are defined (if refering to admininstrative menu items).
Im not a VPN expert, but on the ACS side the officially supported method is to manually re-create your static config onto another 3.1 server, replicate the dynamic config over to it and then upgrade it to 3.3. Alternatively start from scratch on a new 3.3 server.
Painful I know :(
You could do this... and a big warning THIS IS NOT OFFICICALLY SUPPORTED.
Create a backup of the 3.1 server.
Create a 2nd 3.1 server and restore the backup from the first.
Updrade the new 3.1 server to 3.3 with an in-place upgrade.
Thats the only way I know to ensure you get all the settings from 3.1 into 3.3
The only problem is, an ACS server knows its own ip address. If your new server's ipaddress is different from the old one (likely) you'll have to edit the registry to "re-ip" the acs config.
If you look in HKLM/SW/Cisco/CiscoAAAv3.3/Hosts you'll see an entry with the name of your server. To double check there will be a value called "protocol" that will be 99 and type 1.
Change the ip address to the actual ip of that new machine.
Then re-start all the services from the control panel - including CSAdmin.
Again, this is not officially supported and you shouldnt try it on a production server.
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :