Another concern about upgrading the ACS sofftware.
Currently all (10) of the controllers have both ACS VM ip addresses configured on them. The plan is to upgrade the secondary ACS but to do that we need to keep it on the network. However, we do not want clients trying to authenticate to it. Can I remove the Secondary ACS from the Controller configuration without having to reboot the controller or causing any type of outage for that controller?
You can just remove the radius server on the WLC if you want. Just remember the best way to setup the radius is to not have the network or management check boxes checked on the radius server configuration tab. Then on the WLAN AAA security tab, you just define the one ACS server and set the second to none. When you check the network on the radius configuration section, that makes the radius server a fallback per say and the WLAN will use any radius that is checked if it fails each in defined in the WLAN.