
Migrate from ACS 3.3.2 SE to 4.2.1 for Windows

tmpoff
Level 1

Hi all,

Disclaimer

I know both of these platforms/versions are dinosaurs and we should be upgraded to something newer such as ACS 5.x.  However, I am a consultant and not part of the decision to do this migration.  I have just been tasked with executing it.  The client is going to move to ISE and has purchased it in one of their regions.  However, this particular pair of ACS servers are providing TACACS+ services so they will be around for quite some time.

Problem

I am contemplating how to go about the migration.  There are ~30 local users and over 2000 devices.  There is AD integration via a pair of remote agents.  We would like to input a fresh/new configuration as opposed to a full backup and restore so some clean-up can occur on the current 8-10 year old devices.  So, best case scenario is that I configure the new (v4.2.1) devices by hand and import the users and network devices.

If I wanted to do it, how would I go about only exporting the devices and users only from the 3.3.2 solution engine?

I thought about replicating the current 3.3.2 install onto a v3.3.2 for Windows install, then upgrading the temp Windows install to 4.2.1 and then replicating just those users and groups to the new 4.2.1 platform, but I don't have access to the old media.

Any ideas would be appreciated.  Thanks.

Accepted Solutions

fb_webuser
Level 6

Your best bet would be to install v3.3.2, replicate the configuration and upgrade it to 4.2.1.15 by following upgrade path/procedure since you don't have access to OLD media. You can import the devices/users with the help of RDBMS feature.

To export network devices from the ACS 3.3.2 Solution Engine, go to Network Configuration > Search and keep the search settings at their defaults, i.e. search all. Then press Search. A "Download" option will appear in the left corner of the search results. Click on it and save that list.

This list will contain:

- Name
- IP Address
- Type
- NDG name (if any)

NOTE: This will not contain the shared secret keys that the AAA clients have.

Once devices are exported, you can import that file to ACS for windows.

http://www.cisco.com/en/US/products/sw/secursw/ps5338/products_tech_note09186a00801ddba8.shtml

You may not be able to export users from ACS SE. You may need to create them manually with new passwords.

Regards,

Jatin

---

Posted by WebUser Jatin Katyal from Cisco Support Community App
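
An added example, not part of the original post or of Cisco's tooling: because the downloaded list carries Name, IP Address, Type and NDG but no shared secrets, it can be audited for clean-up before it is imported into the new server. The CSV layout, the sample rows and the `audit_devices` helper are assumptions made for illustration.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample; column names follow the fields listed in the answer,
# the CSV layout itself is an assumption about the downloaded file.
SAMPLE = """Name,IP Address,Type,NDG
core-sw-01,10.10.0.1,TACACS+ (Cisco IOS),DataCenter
core-sw-02,10.10.0.2,TACACS+ (Cisco IOS),DataCenter
old-rtr-07,10.10.0.2,TACACS+ (Cisco IOS),Branch
branch-rtr-3,10.20.3.,TACACS+ (Cisco IOS),Branch
core-sw-01,10.10.0.9,TACACS+ (Cisco IOS),
"""

def audit_devices(csv_text):
    """Return findings to resolve before importing the list into the new ACS."""
    by_ip, by_name = defaultdict(list), defaultdict(list)
    findings = {"invalid_ip": [], "duplicate_ip": {}, "duplicate_name": {},
                "missing_ndg": [], "per_ndg": defaultdict(int)}
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        name = (row.get("Name") or "").strip()
        ip = (row.get("IP Address") or "").strip()
        ndg = (row.get("NDG") or "").strip()
        try:
            # Anything that is not a single valid address goes to manual review.
            ipaddress.ip_address(ip)
            by_ip[ip].append(name)
        except ValueError:
            findings["invalid_ip"].append((line_no, name, ip))
        by_name[name.lower()].append(line_no)
        if ndg:
            findings["per_ndg"][ndg] += 1
        else:
            findings["missing_ndg"].append((line_no, name))
    # Two entries sharing one IP or one name usually mean a stale record.
    findings["duplicate_ip"] = {ip: n for ip, n in by_ip.items() if len(n) > 1}
    findings["duplicate_name"] = {n: l for n, l in by_name.items() if len(l) > 1}
    findings["per_ndg"] = dict(findings["per_ndg"])
    return findings

if __name__ == "__main__":
    for key, value in audit_devices(SAMPLE).items():
        print(f"{key}: {value}")
```

The per-NDG counts also show how many devices in each group will need a shared secret set on the new server, since none are carried over in the export.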


3 Replies

Thank you Jatin,

I do not have the ACS v3.3.2 for Windows media so I can perform the steps you outlined above as the best bet.  I wish I could and I have put out an e-mail to my peers to see if they have an eval copy of that version, which is unlikely.

I may have my client put in a TAC case requesting all the software needed to facilitate this work.  However, I am then looking at a long time before I can proceed.

It would be nice to get 3.3.2 stood up on a Windows server and then replicate the SE over to it.  Upgrade to 4.2.1 would be even more icing on the cake because I could then use some combination of replication, backup/restore, and/or CSUtil to get the users imported WITH their same passwords and the devices imported quickly.

However, these are now the questions...

1 - Is there a way to export the users only from 3.3.2 and somehow modify that file so it can be imported into v4.2.1 with the passwords intact?  The answer is probably no and not worth the time and effort to find out.

I can re-create 25 or so accounts and set a default password with mandatory change on first login.  Then communicate this to the users and confirm via logs that they logged in and have done so.  This is probably easier than other efforts.

There are a couple of service accounts for CiscoWorks for which I have the login credentials and it would be a good time I changed them anyway.

There are only 5-10 groups which need re-created and that exercise will provide for some clean-up as well.

Thank you for the information above on how to get a list of the network devices.  This was going to be a major problem because we have over 2000 devices.  By getting that list I can now run it by others to ensure accuracy and import them using the API.  It takes more work but also allows for clean-up.

I will mark you as the correct answer but if any others have input I would appreciate it. Thanks.

The user database can only be exported using the csutil utility, but that only works for ACS Windows software. Or you may take a backup of the user database from one version and restore it to the same version with passwords intact. I don't see any other option to perform the same task.

Even if you open a TAC case, I'm unsure if they can publish the OLD media 3.3.2; however, if your contract is valid for ACS they may do a favor and upgrade the database on your behalf and send it to you so that you can import the upgraded database directly on a freshly installed ACS 4.2.0.124 and then you can upgrade it to 4.2.1.15 (it's an .exe file, should not be that hard). Again, upgrading the database in the lab is not an option for all time. It depends situation to situation.

Quick way is to contact your Cisco accounts team (system engineer, accounts manager, network consulting engineer) because they can get you this software.

You may also browse online and see if someone uploaded/attached this media anywhere.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin