Cisco ACS 4.2 to 5.2 Migration Procedure and Caveats


Migratable Items


• Network Device Groups (NDGs)
• AAA Clients and Network Devices
• Internal Users
• User-Defined Fields (from the Interface Configuration section)
• User Groups
• Shared Shell Command Authorization Sets
• User TACACS+ Shell Exec Attributes (migrated to user attributes)
• Group TACACS+ Shell Exec Attributes (migrated to shell profiles)
• User TACACS+ Command Authorization Sets
• Group TACACS+ Command Authorization Sets
• Shared, Downloadable ACLs
• EAP-FAST Master Keys
• Shared RADIUS Authorization Components (RACs)


ACS 4.x Elements Not Supported in the Migration Process to ACS 5.2


The Migration Utility does not support:
•Groups’ DACLs
•Groups’ RADIUS Attributes
•Active Directory (AD) Configuration
•AD Group Mapping 
•Admin Accounts
•Admin Users
•Authority Certificates
•Certificate Trust List (CTL)
•Certificate Revocation List (CRL)
•Date and Time
•External Database Configuration
•Generic Lightweight Directory Access Protocol (LDAP) Configuration
•Groups’ Shell Custom Attribute
•Groups’ Private Internet Exchange, Adaptive Security Appliance (ASA), and Shell Command Authorization Sets
•Groups’ Network Access Restrictions (NARs)
•Internal ID Password Enforcement—Sarbanes-Oxley (SOX)
•LDAP Group Mapping
•Logging Configuration
•Machine Access Restrictions (MARs)
•Network Access Profiles (NAPs)
•Protocol Settings (system and global authentication)
•Proxy RADIUS and T+ (migrates only external access control servers’ credentials)
•TACACS+ Dictionary
•RADIUS One-Time Password (OTP)
•Shared NARs
•Server Certificate
•Shared Network Access Filtering (NAF)
•Shared PIX and ASA Command Authorization Sets
•Time-of-Day Access Settings
•Users’ PIX/ASA Shell Command Authorization
•Users’ DACLs
•Users’ NARs
•Users’ RADIUS Attributes
•IP Pools
•Max User Session
•Dial in Support


Migration Squence Prerequisites


1. Cisco ACS migration utility software that can be found for download under the Cisco ACS 5.2 menu

System Administration > Downloads > Migration Utility.

2. Installed Cisco ACS 4.2 software version (preferably running on windows 2003 sever SP2)
3. Single ip address assigned on the machine where the migration is performed
4. Valid cisco ACS 4.2 Database on the windows 2003 server
5. Presence of the migration utility on the system where the database import is to be performed
6.Connect to the Cisco ACS server 5.2 via ssh and issue the following command

Acs config-web-interface migration enable in order  to be able to do the migration.

7.Note the migration utility only works when using Cisco ACS appliance and not the software VM version .


The bellow print screen ilustrates the a system screen after running the migration.bat command.




The bellow print screen prompts for some inputs required from the system namely hostname ip address administrator passwords etc



The bellow print screen prompts for the kind of migration that will be performed




Recommended Reading


  1. Cisco ACS Best Practices document
  2. Cisco ASA Best Practices and Security Hardening Document.
  3. Cisco-vpn-ipsec-configuration-examples
  4. Cisco-ids-ips-aip-idsm-configuration-examples
  5. Detailed Cisco ACS 5.2 installation and configuration example with print screens

Share The Link And Enjoy Thanks !


For a free assessment and recommendations on how to optimize your current Cisco ACS solution contact us here

33 1.79 00:02:01 84.85% 60.61% 21.