I have a Cisco ACS server (lets call it server A) running on Windows 2000 server. It has several hundred AAA clients and several hundred user accounts.
Now I have a new Cisco ACS server (we'll call it Server B) which now uses an exteral database to authenticate users but I want to move all the AAA clients from server A to this new server B.
I looked up the CSUtil.exe and I see I can dump the database.. but I want to import only the devices into the new server. Not the users, not the administrators, or any other info. Just the AAA clients.
If the versions of ACS match the easiest thing is to replicate just the network config db from one to the other.
Pre v4.0 and you can copy the network config registry between servers (non appliance)
Excellent - just the information I was looking for. I didn't realize everything was stored in the registry.
This should be a fairly straightforward process of exporting reistry branches and exporting them back in on the destination system.
Nope - I just tried it and it won't work.
I tried copying one individual host (key) from one registry to the other -- it didn't work and the ACS "freaked out". Once I deleted the host out of the registry everything went back to normal.
I'm not sure if it's because one server is Windows 2000 and the other is 2003 or if it's simply a matter of certain checksums in the key portion that are system specific.
Either way, importing registry entries won't work and isn't an option.
Maybe I can just do a database dump, import the whole thing into the new server, then just delete the parts I don't want after the fact. Still considering all my options.
OK, I forgot the master encryption key is per install. Sorry.
Ok not perfect but on the trial download page of extraxi.com there is a script called "getacsdb" which does just that for v3.x
It will create a cab inside which are exported CSVs of the nas's and ndgs. You could extract this and munge it into a csutil nas import file (see online docs for csutil).
If you're using NDGs these would have to manually created first.
Could try this... create a nas with a known secret on the new server.
Dump the reg, copy and paste the secret from the new reg into that exported from the old ACS server. Paste the key into every NAS record.
You'll get a config that works... but all with the same shared secret. Again not perfect but most of the heavy lifting is done.
I tried something like what you're saying. I too thought that the "key" was just the shared secret and could be pasted from an existing device on the new server.. but it didn't work.
The "key" part of an aaa host in the registry appears to be a hash derrived from combining the host name, group, authentication type, shared secret, etc.
So doing something as simple as changing one letter in the host name or moving it to a different group completely changed the resultant "key".
Like you said -- since the master encryption is system specific, the checksum doesn't match up to all the rest of the settings and it just won't work.
I figured out how (quite a while back) how to export and import all the devices from one ACS server to another. It's actually quite low tech.
Go into the Network portion of the ACS server and do a "search" using all wildcards. That will dump out a list of all network devices, their IP address, and group.
Then, click download and save it as a .csv file. From there it's just a matter of inserting a key for each host, putting it into the proper text format and importing the entire thing into the new ACS using the CSUtil.exe.
Oh, just be sure to create the network groups on the new ACS server before importing or the devices will go to the "unknown" group.
Could you please be more specific about how exactly to import the NAS list from the old ACS server?
I was never able to successfully copy the data from one server's registry to another. It doesn't work because parts of the data are stored using encryption. What I ended up doing was to create a text file of the NAS list (do a seach for all devices in ACS, then do a download of the result into a spreadsheet) which I was then able to modify into the specific format and save as a text file. I then imported the text file into the new system's database using the CSUTIL command.
The format of the text file needs to be exactly as follows (note - the first line should be the word offline or online). Also, you might be using RADIUS in the place of TACACS+. See http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a008007d0c9.html
ADD_NAS:ROUTERH01:IP:10.10.36.5:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Houston"
ADD_NAS:ROUTERH02:IP:10.10.36.6:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Houston"
ADD_NAS:ROUTERS01:IP:10.10.72.5:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Springfield"
ADD_NAS:ROUTERS02:IP:10.10.72.6:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Springfield"
ADD_NAS:ROUTERD01:IP:10.10.84.5:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Dallas"
ADD_NAS:ROUTERD02:IP:10.10.84.6:KEY:Super$ecretKey99:VENDOR:"TACACS+ (Cisco IOS)":NDG:"Dallas"
Hint: you will need to create each of the network device groups before you import the text file.
I would always keep the import file as your master repository.
That way if you need to move to another ACS you already have the data.
You can do it copying registry. but you'd have to edit each NAS in turn to reset the shared key.. which doesnt scale.