Community Member

Upgrading an ACS Server from 5.0 to 5.1

I want to upgrade my ACS server 5.0.0.21 to 5.1. I want to use Active Directory. It seems that in my current version AD is not supported!

I am trying to do it by CLI.

What CLI command do I use, and what patch?

Thanks !

Gold

Re: Upgrading an ACS Server from 5.0 to 5.1

There are a couple of patches that need to be installed before upgrading to 5.1:

1) ACS 5.0 patch 9. On CCO: 5-0-0-21-9.tar.gpg

2) ADE-OS version 1.2    /// upgrades operating system version. On CCO: ACS_5.0.0.21_ADE_OS_1.2_upgrade.tar.gpg

Both of these steps use the following command: "acs patch install patch-name.tar.gpg repository repository-name"

Then you can perform the upgrade to 5.1 using the following command:

application upgrade application-bundle remote-repository-name

All the patches/upgrade bundles can be downloaded from CCO. The 5.1 package is called "ACS_5.1.0.44.tar.gz".

More detailed documentation is at:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/installation/guide/csacs_upg.html#wp1167547

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

Thank you very much !


The application upgrade was successful. Now I have:

sh version

Cisco Application Deployment Engine OS Release: 1.2
ADE-OS Build Version: 1.2.0.146
ADE-OS System Architecture: i386

Copyright (c) 2005-2009 by Cisco Systems, Inc.
All rights reserved.

There is another problem: I see the Active Directory, and the Active Directory users can be authenticated but cannot access privileged mode.

Example:

I created a user in Active Directory in the admin group

username : admin.ad

password: cisco123


telnet 192.168.1.1

username admin.ad

password cisco123

Router>en

password cisco123

error in authentication

This is my problem

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

In Monitoring and Reports I have this:

AAA Protocol > TACACS+ Authentication

Authentication Status :
Pass or Fail
Date :
December 09, 2009

Dec 9,09 11:52:20.200 AM
13029 Requested privilege level too high   admin.ad   switch
Device Type:All Device Types, Location:All Locations
Default Device Admin
AD1

Thanks !

Gold

Re: Upgrading an ACS Server from 5.0 to 5.1

Looks like you have made good progress!

Within each shell profile there are two fields: Default Privilege and Maximum Privilege. You need to check the value for the Maximum Privilege in the shell profile that was selected (you can see this in the details for the monitoring report) and see that it allows the level you requested.

While I am here, I realize there is one additional step for the upgrade that I didn't highlight in the mail, although it appears in the instructions that could be accessed from the link.

Configuration data gets upgraded automatically when you upgrade to 5.1. However, monitoring and troubleshooting data gets upgraded in the background while the system is running and operational. The following steps relate to the monitoring and troubleshooting data upgrade process:

Step 5 To monitor the status of the data upgrade, from the Monitoring and Report Viewer, choose Monitoring Configuration > System Operations > Data Upgrade Status.

The Data Upgrade Status page appears with the following information:

Progress—Indicates the progress of the Monitoring and Report Viewer data upgrade.

Status—Indicates whether the Monitoring and Report Viewer data upgrade is complete or not. ACS displays the following message when the upgrade is complete:

The View database conversion is complete.

Step 6 After the data upgrade status is complete, click Switch Database.

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

Thanks !

I saw it when I did the migration and I completed this step.

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

I created a group and gave it the maximum privilege 15. The user is stored in Active Directory. I can authenticate but cannot access the privilege level.

Example:

telnet 192.168.1.1

username testAD

password cisco 123

Router> en

password cisco123

Access denied

Can you help me!!!

Gold

Re: Upgrading an ACS Server from 5.0 to 5.1

Which shell profile is being assigned to the request?

The shell profile contains a field "Maximum Privilege" which defines the maximum privilege for the session that can be set with an enable request.

You need to create a shell profile with this field set to your desired maximum value and then select it as the result of the authorization profile in the policy you are using. For example, if this was the "Default Device Admin" service, this would be set at the following location:

"Access Policies > Access Services > Default Device Admin > Authorization"

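To show where the "requested privilege level" in the 13029 failure comes from, this added example (not code from the thread or from ACS) parses the fixed fields of a TACACS+ authentication START body as laid out in RFC 8907 and applies the Maximum Privilege comparison described in the answer above. The request bytes, port, remote address and function names are constructed for illustration, and the body is assumed to be already de-obfuscated.

```python
# Field values from the TACACS+ specification (RFC 8907).
TAC_PLUS_AUTHEN_LOGIN = 0x01        # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01   # authen_type
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # authen_service


def parse_authen_start(body: bytes) -> dict:
    """Parse a de-obfuscated authentication START body (8 fixed bytes + fields)."""
    if len(body) < 8:
        raise ValueError("START body shorter than its 8-byte fixed part")
    action, priv_lvl, _authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("length fields do not match the body size")
    if priv_lvl > 15:
        raise ValueError("priv_lvl outside the 0-15 range")
    user = body[8:8 + ulen].decode("ascii")
    return {"action": action, "priv_lvl": priv_lvl, "service": service, "user": user}


def check_enable(start: dict, max_privilege: int) -> str:
    """Model of the check described in the answer (an assumption, not ACS code):
    an enable request may not ask for more than the shell profile's
    Maximum Privilege."""
    if (start["action"] != TAC_PLUS_AUTHEN_LOGIN
            or start["service"] != TAC_PLUS_AUTHEN_SVC_ENABLE):
        return "not an enable request"
    if start["priv_lvl"] > max_privilege:
        return "13029 Requested privilege level too high"
    return "continue to password check"


def build_start(user, priv_lvl, service=TAC_PLUS_AUTHEN_SVC_ENABLE,
                port="tty1", rem_addr="192.168.1.10"):
    """Build a constructed sample START body (test input, not a capture)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                   service, len(u), len(p), len(r), 0])
    return fixed + u + p + r


if __name__ == "__main__":
    # "en" on the router asks for level 15 on behalf of the logged-in user.
    req = parse_authen_start(build_start("admin.ad", 15))
    for max_priv in (1, 15):  # constructed Maximum Privilege values
        print(req["user"], "max", max_priv, "->", check_enable(req, max_priv))
```
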
Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

I created a shell profile called FULL ACCESS and the privilege level is 15 (maximum privilege level). And I created a group called Active_Directory.

I created a RULE 1:

Access Policies > Access Service > Default Device Admin > Authorization

Rule 1: in allgroup:Active_Directory | ANY | ANY | ANY | FULL ACCESS

telnet 192.168.1.1

username: test.ad  (it's the user of the domain admin)

password : cisco123

Router>en

password cisco123


Access  denied

If it's an internal user there is no problem; authentication is successful!!

I'm very confused, I don't know what to do. In ACS version 3 the Active Directory users can authenticate successfully. There is an option in this version to say that the authentication can be done with the Windows database.

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

Thank you for your support!!! Everything is OK! Now the Active Directory users can be authenticated, and the internal users too, depending on the access level I give.

Now I have just one question: is it possible to authenticate VPN users by the ACS? If yes, can the authentication be done by Active Directory?

Thank you!

Gold

Re: Upgrading an ACS Server from 5.0 to 5.1

Yes. This is supported. It may be best to look up the following topic in the online help for more details: "VPN Remote Network Access".

Community Member

Re: Upgrading an ACS Server from 5.0 to 5.1

I read in the document :

Supported Authentication Protocols
ACS 5.1 supports the following protocols for inner authentication inside the VPN tunnel:
•RADIUS/PAP
•RADIUS/CHAP
•RADIUS/MS-CHAPv1
•RADIUS/MS-CHAPv2
With the use of MS-CHAPv1 or MS-CHAPv2 protocols, ACS can generate MPPE keys that are used for encryption of the tunnel that is created.

But I use the TACACS+ protocol in all the configuration! Do I change the configuration in the ACS if I want to configure VPN authentication by Active Directory?

Upgrading an ACS Server from 5.0 to 5.1

Hello,

Great job on this discussion Jonny

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC