Cisco ACS 5.2 Features, Cisco ACS Migration Notes and Security Solutions Services

Table of Contents

1.1. Introduction to Cisco ACS migration procedures
1.2. Cisco ACS Important Migration Notes
1.3. Summary Steps to perform when migrating Cisco ACS 3.3 to ACS 4.2
1.4. Migrating from ACS 4.2 to ACS 5.2
1.5. Items supported in the migration to Cisco ACS 5.2
1.6. Items not supported in the migration to Cisco ACS 5.2
1.7. Cisco ACS 5.2 Features and Benefits
1.8. Functionality Mapping from ACS 4.x to ACS 5.2
1.9. Credits

Introduction to Cisco ACS migration procedures

The sections below explain the caveats, notes and migration options that apply when migrating Cisco ACS software or appliances from version 3.3 up to version 5.2.

Cisco ACS Important Migration Notes

Migrating between the ACS 3.x and 4.x releases is comparatively straightforward, because those versions all run on the same Windows platform with a compatible database, so each step is an in-place upgrade of the existing installation. The more involved migration is from Cisco ACS 3.3 or ACS 4.2 to ACS 5.2, because ACS 5.x changes both the underlying platform and the database. That migration cannot be done in place; it relies on a migration utility that carries over a defined subset of the 4.x data, and everything outside that subset has to be recreated by hand (see the sections below).

To see a detailed explanation of the migration procedure from Cisco ACS 3.3 to Cisco ACS 4.2, please click here.

Summary Steps to perform when migrating Cisco ACS 3.3 to ACS 4.2

Summary steps to perform when migrating the ACS solution:

  1. Back up the current database from your production server.
  2. Ideally, restore that backup on an offline system, for example a virtual machine running the same Windows version as the production machine.
  3. On that virtual machine, install the same ACS version as your production software.
  4. If you are running ACS 3.1 or ACS 3.2, make sure you have the Cisco ACS 3.3 installer: it is the last release of the 3.x series and the one that supports the upgrade path.
  5. Import the database into the VM; you now have a replica of your production environment. At this point, verify that the replica can actually take over from production: shut down the production server, bring the replica up with the production server's IP address, and confirm that your network devices still authenticate against it before going any further.
  6. After a successful test of the replica, continue with the upgrade by installing ACS 3.3 on top of the existing version; when prompted by the installer, choose the option to upgrade the current database.
  7. Back up the upgraded database and rename the backup to something meaningful, so that you can refer to it in the next upgrade step, to ACS 4.1.
  8. Migrating to ACS 4.1 and then to ACS 4.2 is done by repeating steps 1-7 with the next installer.
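The takeover test in step 5 is only meaningful if a real login succeeds against the replica, not just a ping. The following Python script is an added example (it is not part of the original page and not Cisco code): a minimal TACACS+ PAP login client that sends one authentication START packet to the replica on TCP port 49 and decodes the REPLY. It implements the 12-byte TACACS+ header and the MD5-based body obfuscation from RFC 8907, which ACS speaks on the device-administration side. The host address, shared key, user name and password in the block are placeholders (assumptions) to replace with your own; only the packet builder and decoder run offline, while tacacs_pap_login opens a network connection.

```python
"""Minimal TACACS+ (RFC 8907) PAP login check. Added example, not Cisco code;
host, shared key, user and password are placeholders (assumptions)."""
import hashlib
import os
import socket
import struct

TAC_PLUS_VERSION = 0xC1          # major 0xC, minor 1 (minor 1 is required for PAP logins)
TAC_PLUS_AUTHEN = 0x01           # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02  # password travels in START.data: one round trip
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_FMT = "!BBBBII"           # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
REPLY_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5 keystream: MD5(session_id|key|version|seq_no[|previous block]),
    chained until it covers the body. The shared key is the only secret input."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad = prev = b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; XOR is symmetric, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(seq_no, session_id, body_len, flags=0):
    # flags=0 leaves TAC_PLUS_UNENCRYPTED_FLAG clear, i.e. the body is obfuscated.
    return struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags, session_id, body_len)


def parse_header(hdr):
    keys = ("version", "type", "seq_no", "flags", "session_id", "length")
    return dict(zip(keys, struct.unpack(HEADER_FMT, hdr)))


def build_authen_start(user, password, port="tty0", rem_addr="", priv_lvl=1):
    """Authentication START body for PAP: eight 1-byte fields, then user, port, rem_addr, data."""
    user_b, port_b, rem_b, data_b = (s.encode() for s in (user, port, rem_addr, password))
    if max(len(user_b), len(port_b), len(rem_b), len(data_b)) > 255:
        raise ValueError("TACACS+ START fields are limited to 255 bytes")
    fixed = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(user_b), len(port_b), len(rem_b), len(data_b))
    return fixed + user_b + port_b + rem_b + data_b


def parse_authen_reply(body):
    """Authentication REPLY body: status, flags, server_msg_len, data_len, server_msg, data."""
    if len(body) < 6:
        raise ValueError("REPLY body too short")
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("ascii", "replace")
    data = body[6 + msg_len:6 + msg_len + data_len]
    return {"status": REPLY_STATUS.get(status, "UNKNOWN(0x%02x)" % status),
            "flags": flags, "server_msg": server_msg, "data": data}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TACACS+ peer closed the connection")
        buf += chunk
    return buf


def tacacs_pap_login(host, key, user, password, port=49, timeout=5):
    """Send one START and read one REPLY; status "PASS" means the replica authenticated
    the account from its own database. A wrong shared key does not raise: the decoded
    REPLY is garbage and the status comes back as UNKNOWN(...) instead of PASS or FAIL."""
    session_id = struct.unpack("!I", os.urandom(4))[0]
    body = build_authen_start(user, password)
    packet = build_header(1, session_id, len(body)) + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(packet)
        hdr = parse_header(_recv_exact(sock, HEADER_LEN))
        if hdr["session_id"] != session_id or hdr["type"] != TAC_PLUS_AUTHEN:
            raise ValueError("unexpected TACACS+ reply header: %r" % hdr)
        enc_body = _recv_exact(sock, hdr["length"])
    return parse_authen_reply(obfuscate(enc_body, session_id, key, hdr["version"], hdr["seq_no"]))


if __name__ == "__main__":
    # Placeholders (assumptions): replica address, device shared key, a test account.
    print(tacacs_pap_login("192.0.2.10", b"SharedKey", "testuser", "testpass"))
```

Run it with a test account from the production database against the replica's IP address; a PASS proves the restored database and the device shared key are both in place. Because the body is only XORed with an MD5 keystream derived from the session ID, the shared key and the sequence number, a key mismatch is not reported by the server as an error: the decoded reply simply fails to parse into a known status. That is the symptom to look for after the later 4.2 to 5.2 migration as well, since ACS 5.2 drops the NDG shared password and each member device then carries its own key.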

 

Note: In retrospect, the most difficult part of the migration is actually obtaining all the Cisco ACS software versions that a successful migration requires. Cisco no longer provides copies of these releases, as they are end of life and end of support. Security Solutions keeps copies of these releases strictly for migration purposes; they are never distributed, due to copyright law.


Migrating from ACS 4.2 to ACS 5.2

The migration is performed with a migration utility. The utility migrates only the ACS 4.x data entities listed in the next section, and nothing else. Cisco deliberately excluded the remaining elements and marked them as non-migratable (see the section after that) in order to preserve the redundancy and stability of the redesigned system. Because of that redesign, migrating is recommended only for large ACS deployments; for smaller deployments with simple ACS configurations it is better to start from scratch and recreate the network devices and user accounts directly in ACS 5.2. In either case, plan for the unsupported items (for example the server certificate, the Active Directory and LDAP configuration, admin accounts and network access restrictions) to be reconfigured by hand after the migration.

 

Recommended reading for the procedures mentioned above:


  1. Detailed migration procedure of Cisco ACS 3.3 software version to Cisco ACS 4.2
  2. Detailed migration procedure of Cisco ACS 4.2 software version to Cisco Appliance ACS 5.2
  3. Detailed Cisco ACS 5.2 installation and configuration example with print screens
  4. Cisco-ACS-5.2-802.1.x-Authentication-And-Multi-Domain-Authentication-Configuration-Example
  5. Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example
  6. Cisco ACS 5.2-Virtual-Machine-VMware-Workstation-Installation-Guide

 

 

Items supported in the migration to Cisco ACS 5.2

• Network Device Groups (NDGs)
• AAA Clients and Network Devices
• Internal Users
• User-Defined Fields (from the Interface Configuration section)
• User Groups
• Shared Shell Command Authorization Sets
• User TACACS+ Shell Exec Attributes (migrated to user attributes)
• Group TACACS+ Shell Exec Attributes (migrated to shell profiles)
• User TACACS+ Command Authorization Sets
• Group TACACS+ Command Authorization Sets
• Shared, Downloadable ACLs
• EAP-FAST Master Keys
• Shared RADIUS Authorization Components (RACs)
• RADIUS VSAs

Items not supported in the migration to Cisco ACS 5.2

The migration utility does not support the following items; they have to be recreated manually in ACS 5.2:

• Groups’ DACLs
• Groups’ RADIUS Attributes
• Active Directory (AD) Configuration
• AD Group Mapping
• Admin Accounts
• Admin Users
• Authority Certificates
• Certificate Trust List (CTL)
• Certificate Revocation List (CRL)
• Date and Time
• External Database Configuration
• Generic Lightweight Directory Access Protocol (LDAP) Configuration
• Groups’ Shell Custom Attribute
• Groups’ Private Internet Exchange (PIX), Adaptive Security Appliance (ASA), and Shell Command Authorization Sets
• Groups’ Network Access Restrictions (NARs)
• Internal ID Password Enforcement (Sarbanes-Oxley, SOX)
• LDAP Group Mapping
• Logging Configuration
• Machine Access Restrictions (MARs)
• Network Access Profiles (NAPs)
• Protocol Settings (system and global authentication)
• Proxy RADIUS and TACACS+ (only the external access control servers’ credentials are migrated)
• TACACS+ Dictionary
• RADIUS One-Time Password (OTP)
• RSA OTP
• Shared NARs
• Server Certificate
• Shared Network Access Filtering (NAF)
• Shared PIX and ASA Command Authorization Sets
• Time-of-Day Access Settings
• Users’ PIX/ASA Shell Command Authorization
• Users’ DACLs
• Users’ NARs
• Users’ RADIUS Attributes
• IP Pools
• Max User Sessions
• Dial-in Support

 

 

Cisco ACS 5.2 Features and Benefits

Cisco Secure ACS 5.2 is the third release of this next-generation network identity and access solution. This release establishes Cisco Secure ACS as a Policy Administration Point (PAP) and Policy Decision Point (PDP) for policy-based access control. Release 5.2 offers additional capabilities, including:


• A powerful, attribute-driven, rules-based policy model that addresses complex policy needs in a flexible manner
• A lightweight, web-based graphical user interface (GUI) with intuitive navigation and workflow
• Industry-unique, flexible and granular device administration with full auditing and reporting capabilities, as required for standards compliance
• Integrated advanced monitoring, reporting, and troubleshooting capabilities for maximum control and visibility
• Improved integration with external identity and policy databases, including Windows Active Directory and Lightweight Directory Access Protocol (LDAP)-accessible databases, simplifying policy configuration and maintenance
• A distributed deployment model that enables large-scale deployments and provides a highly available solution


The Cisco Secure ACS 5.2 rules-based policy model supports the application of different authorization rules under different conditions, so policy is contextual and not limited to authorization determined by a single group membership. New integration capabilities allow information in external databases to be referenced directly in access policy rules, and attributes can be used both in policy conditions and in authorization rules.
Cisco Secure ACS 5.2 features centralized collection and reporting of activity and system health information for full manageability of distributed deployments. It supports proactive operations such as monitoring and diagnostics, and reactive operations such as reporting and troubleshooting. Advanced features include a deployment-wide session monitor, threshold-based notifications, entitlement reports, and diagnostic tools.

Table 1 lists the key features and benefits of Cisco Secure ACS 5.2.

Table 1. Key Features and Benefits of Cisco Secure ACS 5.2

Feature: Complete Access Control and Confidentiality Solution
Benefit: Can be deployed with other Cisco TrustSec components, including policy components, infrastructure enforcement components, endpoint components and professional services, for a comprehensive access control and confidentiality solution.

Feature: AAA protocols
Benefit: Cisco Secure ACS 5.2 supports two distinct protocols for authentication, authorization, and accounting (AAA): RADIUS for network access control and TACACS+ for network device access control. Cisco Secure ACS is therefore a single system for enforcing access policy across the network as well as network device configuration and change management, as required for standards compliance such as PCI.

Feature: Database options
Benefit: Cisco Secure ACS 5.2 supports an integrated user repository in addition to integration with existing external identity repositories such as Windows Active Directory and LDAP. Multiple databases can be used concurrently for maximum flexibility in enforcing access policy.

Feature: Authentication protocols
Benefit: Cisco Secure ACS 5.2 supports a wide range of authentication protocols, including PAP, MS-CHAP, EAP-MD5, Protected EAP (PEAP), EAP-FAST (Flexible Authentication via Secure Tunneling) and EAP-TLS (Transport Layer Security), to meet your authentication requirements.

Feature: Access policies
Benefit: Cisco Secure ACS 5.2 supports a rules-based, attribute-driven policy model that provides greatly increased power and flexibility for access control policies, which may include authentication protocol requirements, device restrictions, time-of-day restrictions, posture validation, and other access requirements. Cisco Secure ACS may apply downloadable access control lists (dACLs), VLAN assignments, and other authorization parameters.

Feature: Centralized management
Benefit: Cisco Secure ACS 5.2 has a completely redesigned, lightweight, web-based GUI that is easy to use. An efficient, incremental replication scheme quickly propagates changes from primary to secondary systems, providing centralized control over distributed deployments. Software upgrades are also managed through the GUI and can be distributed by the primary system to secondary instances.

Feature: Monitoring and troubleshooting
Benefit: Cisco Secure ACS 5.2 includes an integrated monitoring, reporting, and troubleshooting component that is accessible through the web-based GUI. It provides maximum visibility into configured policies and into authentication and authorization activity across the network. Logs are viewable and exportable for use in other systems as well.

Feature: Platform options
Benefit: Cisco Secure ACS 5.2 is available as a closed, hardened Linux-based appliance or as a software image for VMware ESX.

Feature: FIPS 140-2 certified
Benefit: Meets deployment requirements for federal customers and agencies.

 

 

Functionality Mapping from ACS 4.x to ACS 5.2

Each entry below names the item to configure, where it is configured in ACS 4.x, where it is configured in ACS 5.2, and additional information for 5.2.

To configure: Network device groups
  In ACS 4.x: Network Configuration page
  In ACS 5.2: Network Resources > Network Device Groups
  Additional information: You can use NDGs as conditions in policy rules. ACS 5.2 does not support an NDG shared password; after migration, each member device carries the NDG shared password information individually.

To configure: Network devices and AAA clients
  In ACS 4.x: Network Configuration page
  In ACS 5.2: Network Resources > Network Devices and AAA Clients
  Additional information: RADIUS KeyWrap keys (KEK and MACK) are migrated from ACS 4.x to ACS 5.2.

To configure: User groups
  In ACS 4.x: Group Setup page
  In ACS 5.2: Users and Identity Stores > Identity Groups
  Additional information: You can use identity groups as conditions in policy rules.

To configure: Internal users
  In ACS 4.x: User Setup page
  In ACS 5.2: Users and Identity Stores > Internal Identity Stores > Users
  Additional information: ACS 5.2 authenticates internal users against the internal identity store only. Migrated users that used an external database for authentication are given a default authentication password, which they must change on first access.

To configure: Internal hosts
  In ACS 4.x: Network Access Profiles > Authentication
  In ACS 5.2: Users and Identity Stores > Internal Identity Stores > Hosts
  Additional information: You can use the internal hosts in identity policies for Host Lookup.

To configure: Identity attributes (user-defined fields)
  In ACS 4.x: Interface Configuration > User Data Configuration
  In ACS 5.2: System Administration > Configuration > Dictionaries > Identity > Internal Users
  Additional information: Defined identity attribute fields appear in the User Properties page. You can use them as conditions in access service policies.

To configure: Command sets (command authorization sets)
  In ACS 4.x: one of Shared Profile Components > Command Authorization Set, the User Setup page, or the Group Setup page
  In ACS 5.2: Policy Elements > Authorization and Permissions > Device Administration > Command Set
  Additional information: You can add command sets as results in authorization policy rules in a device administration access service.

To configure: Shell exec parameters
  In ACS 4.x: User Setup page
  In ACS 5.2: System Administration > Dictionaries > Identity > Internal Users
  Additional information: Defined identity attribute fields appear in the User Properties page. You can use them as conditions in access service policies.

To configure: Shell profiles (shell exec parameters or shell command authorization sets)
  In ACS 4.x: Group Setup page
  In ACS 5.2: Policy Elements > Authorization and Permissions > Device Administration > Shell Profile
  Additional information: You can add shell profiles as results in authorization policy rules in a device administration access service.

To configure: Date and time condition (Time of Day Access)
  In ACS 4.x: Group Setup page
  In ACS 5.2: Policy Elements > Session Conditions > Date and Time
  Additional information: You cannot migrate the date and time conditions; you have to recreate them in ACS 5.2. You can add date and time conditions to a policy rule in the Service Selection policy or in an authorization policy in an access service.

To configure: RADIUS attributes
  In ACS 4.x: one of Shared Profile Components > RADIUS Authorization Component, the User Setup page, or the Group Setup page
  In ACS 5.2: Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > Common Tasks tab, or Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > RADIUS Attributes tab
  Additional information: You cannot migrate the RADIUS attributes from user and group setups; you have to recreate them in ACS 5.2. You configure RADIUS attributes as part of a network access authorization profile, and you can add authorization profiles as results in an authorization policy in a network access service.

To configure: Downloadable ACLs
  In ACS 4.x: Shared Profile Components
  In ACS 5.2: Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs
  Additional information: You can add downloadable ACLs (DACLs) to a network access authorization profile. After you create the authorization profile, you can add it as a result in an authorization policy in a network access service.

To configure: RADIUS VSAs
  In ACS 4.x: Interface Configuration
  In ACS 5.2: System Administration > Configuration > Dictionaries > Protocols > RADIUS
  Additional information: You configure RADIUS VSA attributes as part of a network access authorization profile. You can add authorization profiles as results in an authorization policy in a network access service.

 

 

Credits

Documents from www.cisco.com were used to compile this document.


 

 

 

 

 

 

Similar documents for configuring different parameters of the ACS 5.2 appliance can be found below.

  1. Cisco ACS 5.2-Virtual-Machine-VMware-Workstation-Installation-Guide
  2. Cisco-ACS-5.2-Role-Based-Authentication-Authorization-For-Different-Privilege-Levels-Configuration-Example
  3. Cisco-ACS-5.2-Intresting-Configurations
  4. Cisco-ACS-5.2-802.1.x-Authentication-And-Multi-Domain-Authentication-Configuration-Example
  5. Cisco TACACS+ switch template configuration example
  6. Cisco TACACS+ firewall template configuration example

 

Share the link and enjoy. Thanks!

For a free assessment and recommendations on how to optimize your current Cisco ACS solution, contact us here.