Cisco AAA/Identity/Nac :: ACS Migration From 4.0 To 5.3 With High Availability?
Oct 1, 2012
One of my customers wants to upgrade their Cisco ACS version from 4.0 to 5.3. The client has an existing ACS version 4.0 on Windows on a VM with two instances and needs to upgrade to 5.3 on Linux. As per my understanding, the following versions are supported for upgrading ACS to version 5.3: ACS 4.1.1.24, ACS 4.1.4, ACS 4.2.0.124, ACS 4.2.1, but unfortunately they are running 4.0. I suggested the ACS upgrade to my client and proposed this upgrade license: L-CSACS-53VMUP-K9 and CON-SAS-CSACS3V. How can I do a smooth deployment / migration from 4.0 to 5.3 with (A/P) high availability?
Sep 1, 2011
I just want to know: if I need to support High Availability on a Cisco Secure ACS 5.1 appliance, will the base license suffice or do I need to buy the Security Group Access System License / Large Deployment License? Again, do we require a license for each appliance or is just one enough?
I suppose the licensing rules are the same for the VMware version also.
Jun 10, 2011
I have two Cisco WLC 5508s. I want to install them at two different sites: one WLC at site A and the other WLC at site B.
Site B is the WAN of site A. Site A is the headquarters.
But I need to configure them in High Availability. For example, if the Cisco WLC at site A goes down, the APs have to register with the WLC at site B.
Then the LWAPP traffic has to pass over the WAN between site A and site B.
I have to configure two Cisco WLCs in HA over a WAN. Is it OK to configure L3 inter-controller roaming?
Oct 28, 2012
Current environment is a Cisco 2125 WLC managing ~12 3502E APs for a single location. Client is looking to provide HA for the single 2125 WLC. With the 2125 now EO-Sale, is it possible to go with one additional 2504 WLC and leverage the existing 2125, or would it require going with just (2) 2504s?
Jan 19, 2012
I have 2 WLCs (5508). I configured the option to enable high availability, but when the 2 WLCs are working the mesh network is unstable; when only one WLC is working the mesh is fine.
May 7, 2012
We want to set up High Availability between two Cisco 3560G switches. Can you tell us how we should proceed? Is there any HA module available for the Cisco 3560G?
Sep 18, 2011
I am upgrading the wireless infrastructure with two 5508 WLCs. I am setting up High Availability, but I think it is not quite working.
Primary Controller = WLC1
Secondary Controller = WLC2
LAP = LAP1
LAP1 has WLC2 as the primary controller for HA
LAP1 has WLC1 as the secondary controller for HA
While connected to LAP1, I shut down WLC2. After ~20 seconds, LAP1 moved to WLC1. I lost connection from LAP1. Shouldn't LAP1 move with all its clients to WLC1? Am I missing something in my configuration?
Jul 7, 2011
I have to install and configure two 2901 routers at different locations with high availability. These 2 routers would be connected through a WAN, and I would like to configure high availability between the two routers.
I have attached a small diagram of the placement of the 2 routers.
How do I configure high availability between these 2 links or routers?
Dec 20, 2011
Yesterday I discovered the primary and secondary CAS were both in active state and reporting their fellow peer as dead (I did this using ./fostate.sh), causing authentication errors on the network. I had to stop the perfigo process on the primary one to restore service.
After closer investigation I have discovered that when I put my laptop on the same subnet as their eth2 interfaces (eth0, eth1 and serial are not used for heartbeat only eth2), I can ping the eth2 ip address for the primary device, but can't ping that of the secondary device. See configs and outputs below. I am also wondering why the secondary CAS shows its eth0 and eth1 interfaces as fake0 and fake1.
[root@CAS-SEC ~]# ifconfig eth2
eth2 Link encap:Ethernet HWaddr 00:1F:29:5D:1C:6C
inet addr:172.29.254.10 Bcast:172.29.254.11 Mask:255.255.255.252
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:11205 errors:0 dropped:0 overruns:0 frame:0
[code].....
Mar 20, 2011
A customer is currently running a 5520 ASA pair in active/standby HA mode. The devices also have an IPS module, one of them using a temporary (60-day) license. So, right now, licensing is identical on both ASAs and HA is operational.
The question is what exactly will happen after 60 days, once the temporary license expires? Does HA shut down completely once it's determined that the licensing isn't a 100% match any longer, or does it just cripple one feature (such as the IPS module)?
The customer is balking at purchasing SMARTnet for the 2nd ASA, so I need to explain exactly what is going to happen (if anything) once the license on the 2nd ASA drops off...
Mar 20, 2011
One of my remote sites acquires Internet connectivity via a cable modem service. This goes down intermittently, of course. I would like to purchase DSL service from the local telco and configure the edge ASA (currently a 5505) to use the cable modem path normally ... and fall back to the DSL path if necessary.
This seems hard to do. The edge box would need to evaluate the viability of a WAN path using some set of tests ... perhaps pings to a handful of major Internet sites. If all those pings start failing, it would stall for a minute, to give the WAN service provider time to recover ... then cut over to the second path. Cutting to the second path might mean pushing new DNS server addresses to clients (or perhaps the edge box would hand out both sets of DNS servers all the time and rely on the clients to try them all). Once the cable modem provider restored service, the edge box would stall for a while (ten minutes? an hour?) and then cut back.
I'm willing to replace the edge box with something fancier (a bigger ASA or something sold as a router or whatever), although I'd like to stay under 10K (list) for such a replacement.
Feb 18, 2013
Next week I will install a new pair of 5508 controllers at a customer's site. They have at the moment one old 4404 with about 70 APs. So they bought the new 5508 with an HA pair. For HA I will need 7.3, as I read in the High Availability (AP SSO) Deployment Guide. There are now two 7.3 versions, or I can choose the new 7.4 version.
AIR-CT5500-K9-7-3-101-0.aes
AIR-CT5500-K9-7-3-112-0.aes
AIR-CT5500-K9-7-4-100-0.aes
So what software version will be the best at the moment? I will also install Cisco Prime Infrastructure on an ESX host. For 7.3 I can use 1.2, but for 7.4 I must take 1.3.
Nov 1, 2011
I am new to Cisco firewalls. We are moving from a different vendor to Cisco ASA 5520s. I have two ASA 5520s running ASA 8.2(5). I am managing them with ASDM 6.4(5). I am trying to set up Active/Standby using the High Availability Wizard. I have interfaces on each device set up with just an IP address and subnet mask. Primary is 10.1.70.1/24 and secondary is 10.1.70.2/24. The interfaces are connected to a switch and these interfaces are the only nodes on this switch. When I run the Wizard on the primary, configure for Active/Standby, and enter the peer IP of 10.1.70.2, I get an error message saying that the peer test failed, followed by an error saying ASDM is temporarily unable to connect to the firewall.
Apr 10, 2011
I would like to know how to implement high availability on an S160 IronPort device. I have two S160 devices, but the user guide is not useful.
Aug 1, 2011
Is it possible to connect and configure two Cisco WLCs in high availability to 3 switches in a 3750 stack on different ports? For example:
WLC A (Primary) - SWITCH MASTER
WLC B (Secondary) - SWITCH SLAVE
How can I connect the WLCs in HA to get redundancy in the stack?
Jun 26, 2012
I have set up a zone-based policy firewall with HA on two 2911 routers as per the Cisco security configuration guide, for an active/passive LAN-LAN cluster. All works as expected, but there is one problem I find: when the control link between the two devices fails, they go into an active/active state as each member assumes it's the last surviving member. The ARP entries for the Virtual IPs on the neighboring devices point to the device that last claimed the active role (usually the standby device). This works in a way, just sessions don't get synched anymore (control link is the same as data link). Now when the link comes back up, the preemption works and the active, former standby device goes back to standby. But the ARP entries on the neighboring devices still point to the standby device and nothing goes (also sessions established during the active/active state are lost due to resync with the now active member).
This is a single point of failure and what I need is a way to mitigate that. Under:
redundancy
 application redundancy
  group 1
   control <interface> protocol 1
only one control interface is allowed. Other manufacturers with similar functionality provide for the possibility of a backup control link, for example the internal LAN interface or a dedicated backup link.
How would I go about that? Maybe use a port-channel for the control/data link (but I'm out of interfaces)?
Mar 24, 2012
What consequences could I have if I install a WiSM-2 module into a pair of 6500s configured in VSS and another WiSM-2 module into another pair of 6500s configured in VSS for serving 300 APs? In this case, do I need to configure mobility groups to guarantee high availability and also redundancy of controllers? Under the best practices, is it much better to have the two WiSM-2 modules in a single pair of 6500s configured in VSS?
May 28, 2012
We have two 4400 WLCs. We have around 20 access points in our network. If we assign controller 1 as primary for half of the access points and controller 2 as primary for the other half, does this mean the association of the APs indicates load balancing by the controllers? Does this mean the WLC does load balancing as different APs associate with different controllers, or does it only serve as an active-standby WLC?
May 19, 2013
I have an ACS 5.2 deployment and I want to upgrade it to version 5.4. I have 2 servers in my deployment:
1/ Primary server as authentication server & log collector
2/ Secondary server as authentication server.
What is the best way to do the migration? Normally, I can proceed as follows:
1/ Deregister each server from the deployment ==> Make both servers standalone
2/ Upgrade the Secondary server.
3/ Upgrade the Primary server (without migrating the log server).
4/ Join servers to the deployment.
Mar 22, 2011
What is the key point to note for migrating data from ACS 4.0 to ACS 5.0? How can I use the Migration utility to migrate data from the old version to the new version?
I have an ACS setup running with 1000 devices and more than 2000 users and 60 groups. I don't want to build a new ACS from scratch; I want to import data from the old version.
Jan 14, 2012
I need to upgrade my ACS for Windows 4.1.1.23 to 5.2 as we have come across the Windows 2008R2 AD problem. Now, reading the migration document, it says I need to go to at least 4.1.1.24 first, which will not be a problem; then I need a migration server, so that means I need another ACS server as the migration server. As I already have 2 ACS servers, could I use one of them as the migration server, i.e. take it out of production?
Jun 11, 2012
If we need to migrate ACS 4.2 installed on appliance 1113 to ACS 5.3, what are all the prerequisites?
Are there any hardware dependencies, and could the same configurations on 4.2 be operated on 5.2 even after the appliance changes?
Jun 12, 2013
I need to migrate from ACS 4.1(1) to ACS 5.4. I have configured Network Access Restrictions and Network Access Profiles in ACS 4.1(1). Can I go for a straightaway migration, and is the same supported in ACS 5.4?
Jul 1, 2012
We have two Cisco ACS boxes running software 4.2 & 5.2. We want to upload all the data present in the 4.2 ACS to the 5.2 ACS.
Jun 13, 2011
I'm planning a migration from ACS 3.3 to a new machine, so I'm thinking about the new Cisco ISE. I have the following question: ACS 3.3 acts as AAA RADIUS with an LDAP repository for a wireless deployment, using PEAP-GTC. Is it possible, with ISE, to use a different EAP method, such as PEAP-MsCHAPv2 or EAP-TTLS?
In ACS 5.X I think only PEAP-GTC and EAP-TLS are supported when the identity repository is LDAP. Is it the same in Cisco ISE?
May 9, 2011
We currently have 4x ACS 4.1 (1) build 23, Windows based, and we are going to migrate to ACS 5.2 appliance 11211. The first pair we are using simply for local authentication for multiple vendor firewalls and routers, with one custom RADIUS vendor-specific attribute, with now she exec. The second pair we are using for wireless client authentication through AD, with dynamic mapping.
In order to migrate, what would be the most suitable migration: whether to use the Migration utility or to export those ACS objects and import them into the new ACS 5.2?
Jul 18, 2012
I'm using Cisco Secure ACS 4.2 for Windows to configure and authenticate VPN external groups and users on a VPN 3K concentrator. Now I'm migrating to AC System 5.3. I'm trying to configure the new system to do the same work.
I have configured a new access profile with all RADIUS attributes, then an access policy. IPSec Phase 1 completed successfully but the VPN client doesn't proceed with XAUTH. ACS View reports the correct rule and access service.
Mar 7, 2012
Is there a simple way to migrate shared dACL to group/user mappings from ACS 4 to ACS 5? After migration using the Migration tool provided by Cisco I get shared dACLs and also I get all my users/groups transferred, but these shared dACLs are not mapped to groups or users as previously. I understand that in the new ACS we do not apply authorization directly to users/groups, but then if I had in ACS 4.x hundreds of groups and each of these groups had a dedicated dACL (shared) applied as an authorization attribute, now after migration to ACS 5 I have to create a separate authorization profile for each of these groups, which is a lot of manual work. So I'm asking for an easy automated way to migrate authorization rules to the new ACS version.
Nov 30, 2011
I cannot access WLSE, after migration from ACS 4.2 to ACS 5.2. WLSE was configured with tacacs+ management. In ACS 5.2 I've configured the optional custom attributes: groups = "System Admin"
Jun 7, 2011
I'm having problems migrating the ACS 5.1 hardware to ACS 5.1 on VMware. In my infrastructure I have an appliance with ACS 5.1 and I need to migrate to VMware to do HA. I installed VMware as per the Cisco ACS recommendations. I made a backup of the ACS hardware and copied it to the local disk of the VMware ACS.
When I start the restore process after a few minutes an error occurs:
UMA/admin# dir
Directory of disk:/
33293306 Jun 08 2011 16:51:38 bkp-production-110608-1433.tar.gpg
5862 Nov 07 2009 01:06:32 favicon.ico.1
16384 Jun 06 2011 17:54:34 lost+found/
[Code]....
Dec 21, 2010
I am working through the migration from ACS 4.1.4 on Windows Server 2003 to ACS 5.2 on the appliance. I have created the 4.1.4 migration server, installed the software and imported the data from our production ACS 4.1.4 box. I downloaded the migration utility from the 5.2 ACS server and am attempting to run on the 4.1.4 migration server. The question that fails is:
Enter ACS 4.x Server ID:
I do not know what this means and do not see anything on the 4.1.4 server that identifies the Server ID. I try localhost and it does not work and the 4.1.4 server is not registered in DNS or I would try that (and . are not valid characters in the ID so the IP does not work).
How have other people handled this question? Is there something that can identify the local server ID?
Jul 26, 2012
I am trying to migrate an ACS 4.1.1(24) using the migration tool to ACS 5.2. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports are showing no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
Oct 13, 2011
Today I've received reports of slow internet access/activity and have noticed myself that it seems a bit slow today. On the dashboard of our asa 5510 the "outside interface" traffic usage is running constantly high. It's at the top of the graph. How can I tell what is causing the spike in utilization. It usually runs at about 1500-2000 Kbps, and now it's up over 10,000.