Cisco AAA/Identity/Nac :: ACS5.2 Backup And Restore On A Different Software Version?

Oct 3, 2011

We are trying to make a restore from the backup done on ACS version 5.1 to a new appliance running ACS5.2. Before doing it I found this note in the Cisco ACS user guide:
 
Note: You cannot back up data from an earlier version of ACS and restore it to a later version. Backup and restore must be performed on the same version of ACS. If you need the data on a different version of the ACS, you can perform an upgrade after you restore the data. Refer to the Installation and Setup Guide for Cisco Secure Access Control System 5.1 for more information on upgrading ACS to later versions.
 
How should I understand it? This note has conflicting statements. We can't restore to a later version but if you need data on a different version of ACS you can perform an upgrade AFTER YOU RESTORE the data. Doesn't it mean that the restore will still work? How would I do the upgrade to version 5.2 or even version 5.3 that was announced to be released very soon? I didn't find anything on the software upgrade in ACS5.1 guide.


Cisco AAA/Identity/Nac :: ACS 5.1 Backup Restore?

Oct 20, 2011

I've been setting up, building and testing our new ACS 5.x boxes and I've been running into a spot of bother with the backup restore feature. This is most likely due to my unfamiliarity with the tool.

As part of my testing for Backup/Restore, I first back up the data using the Removal and backup tool in Secure ACS View (found under Data Management). I then confirm that the new FULL backup has been populated in my test repository and is available in the restore feature (also under Data Management). My next step is to create a few test Network Device Groups, Identity groups, and users. Then I go back to the restore feature, select the backup file I just created, also check the box Skip View Database backup before Restore, and hit the restore button.
 
The box goes through the expected steps including a reload. When it comes back up I would expect the test users, groups etc I created after the last backup to be gone as they did not exist at that time. Although I find the opposite is true. Any settings I made after the last backup are still present. I do not have incremental backups enabled.
  
I essentially want to test a backup of the database of users and groups/rules etc make changes and then restore that database to the previous backed up configuration.


Cisco AAA/Identity/Nac :: ACS Version 5.2.0.26 View Backup Stopped Working From GUI?

Jul 27, 2011

We have an issue with View db (Monitoring & Reports) backup on ACS, version 5.2.0.26. We have scheduled incremental backup daily and full backup monthly. Everything has been working well, but since yesterday the following errors have appeared, and full and incremental backup stopped working:

Alarm Name
System Alarm [Incremental Backup]
Cause/Trigger
On-demand Full Backup failed
Alarm Details
CARS_BR_BACKUP_CREATE : -405 : Internal error: couldn't create backup file
Alarm Name

[code]....

We use same repository as always. Backup to the same repository works from CLI.


Cisco AAA/Identity/Nac :: ACS5.3 - Configuring Multiple Identity Sources

Aug 28, 2012

I have an ACS 5.3 cluster, that is configured to use AD. There are a few wireless devices, and monitoring tools that do not have AD accounts. I would like to configure ACS to first check AD for the user authentication, and if that fails to roll over to the local (Internal Users) identity source where I can define these user accounts.
 
It seems that when the authentication hits the initial Identity Policy rule, it never moves onto the next one if the first fails.
 
Attached are screen shots that show how I'm configured for the test. I have a local user defined and I'm trying to log into the firewalls.

- Identity Definition : Screen shot of the main ACS definition for the rule I'm testing that's not working
- Identity Rule 1 : The configuration of rule 1 that, if it fails, I need to move on to rule 2.
- Log Output : Screen shot for one of the failed attempts from the ACS View Log server.
 
Reason I need to configure it this way is:

- Wireless users authenticate to wireless using AD user accounts. Some hand held scanners do not support that and will need to authenticate using the MAC address.
- Authentication to Network devices for management uses AD accounts. We have some monitoring tools that do not have AD accounts, and will need to be able to log into Network devices to issue some commands (Examples: Cisco Prime LMS and NCS, Infoblox NetMRI).


Cisco :: Backup And Restore LMS 3.1?

Apr 11, 2012

We have CiscoWorks LMS 3.1 and the server has serious problems; we need to format the server and reinstall CiscoWorks. When I do a backup and restore of the LMS data, do we lose the licenses? Or when we restore the data on the server, do we have the same licenses? Or do we get new licenses from Cisco?


Cisco :: WCS 7.0.220.0 Backup Restore Failed

Aug 21, 2012

I am facing a failure when restoring the WCS database. Below is the error I get; has anyone out there faced it before?
  
#######################################
[root@egwgwcs WCS7.0.220.0]# ./Restore
Please enter the full path of the backup file name: /opt/WCS7.0.220.0/Backup_File/WCS_Aug2012.nmsbackup
Untaring the backup file...
Failed to untar backup file. Exception: invalid stored block lengths
Restore database failed.
#######################################


Cisco WAN :: Restore Backup From C2960 To Other One?

Jan 8, 2012

I want to restore a backup from one c2960 to another one. Why is it recommended to remove any security commands, like AAA?


Cisco :: LMS 4.0 Server Backup / Restore

Mar 9, 2012

We want to take the current configuration backup of the LMS 4.0 (Installed on Win 2003 Enterprise) and restore the same to a new windows machine (Win2003 standard edition).


Cisco VPN :: ASA 5505 - Backup Restore Certificates

Oct 10, 2011

I have a Cisco ASA 5505 as a BOVPN endpoint using certificates. The config is complete and I now need to back it up and restore to a cold standby Cisco ASA 5505 that will sit on the shelf until something goes wrong.
 
Problem is I cannot restore my certificates to the standby.
 
I have tried the backup and restore wizard in ASDM and to be honest it didn't work.


Cisco :: 5508 - NCS Configuration Backup And Restore Of WLC

Jan 10, 2012

I recently tested the process for a customer of defaulting a Cisco WLC to factory configuration and then restoring the configuration from Cisco NCS.  It was not seamless to say the least and I wonder if I have just gone about it the wrong way. 
 
I have set the NCS platform to configuration sync with the 5508 controllers at 04:00 every day, and prior to the controller defaulting I ensured that NCS also reported that the config was in sync. I have also set NCS to complete a tftp backup of the controller every night at 23:00 - interestingly though I have no idea where this is stored on the NCS platform (a VM appliance) or what its file name is.

Anyway my experiences were as follows:
1. Defaulted the WLC and via serial CLI ended up at the configuration wizard.
2. Set the correct LAG, management IP, and host name that NCS knew this controller by.
3. To test things, just created a dummy WLAN (SSID) as I assumed this would be overwritten (big mistake!).
 
At this point I connected the controller to the network and tried to restore the configuration from the config sync version.

First problem - you have to remember to set up the SNMP community string you were using as it is needed by the configuration sync process.  After adding this to the controller I could push the configuration to the controller.

Second problem - failed to add the first WLAN from the backup as I had added the temporary dummy WLAN via the wizard and NCS reported a conflict. So I had to delete WLAN ID 1 from the WLC GUI directly and then the config push no longer reported this error.

Third problem - for some reason it did not add the TACACS server details - reported the error that it could not add them. I manually added these via a template via NCS and all was well.

Fourth problem - all but the first WLAN was in the disabled state - had to re-enable all of the WLANs. 

Fifth problem - any default items I had disabled or removed have not been saved - therefore I have removed the public and private SNMP communities - but these were still on the WLC after the restore. I have disabled unused ports not in the LAG as they show an error in NCS - these were not disabled after the restore.

So all in all not a very satisfactory restore process from NCS to a defaulted WLC (meant to simulate to the customer what would be needed if they had to replace a controller due to hardware failure).


Cisco :: Restore 5.2.148.0 Backup File On Different Server Running WCS?

Feb 10, 2011

If the hostnames are the same - can I restore the backup file from a wcs 5.2.148.0 instance on a different wcs instance running wcs 6.0.196.0?


Cisco :: Backup And Restore Quarantines Ironport C170

Dec 20, 2011

Is there any way to back up and restore the spam quarantine to another ironport c170?


Linksys Cable / DSL :: WAG160N Cannot Restore Configuration Backup

Mar 27, 2010

I have a WAG160N and it seems to have reset to factory defaults, no idea why, but when trying to restore the Configuration Backup all I get is "Restore Failure <Unmatched pid>"


Cisco Routers :: RVS4000 - Will Config Backup From V1 Restore To V2 Properly

Jun 3, 2012

I'm replacing an older (& failing) RVS4000 v1 with a new V2.  I need to minimize downtime.  Will a config backup from the old v1 restore properly to a new v2 (all have newest firmware)?  There are a lot of tweaks including several VPNs and to do it all manually is not desirable.


Cisco Switching/Routing :: Backup And Restore ASA 5505 Config

Dec 21, 2011

I need to backup my ASA 5505 configuration and restore it to default, then I'll configure manually the new config, but if something doesn't work I want to restore the backup made before.
 
I tried the "copy run tftp" command, and it always answers the same: Result of the command: "copy run tftp" [code] I read everywhere it's supposed to prompt asking me for the tftp server address and file name.


Cisco Routers :: Moving From Faulty SRP527 To SRP 547 - Restore From Backup?

May 8, 2012

I'm trying to move from a faulty SRP527 to SRP 547 - I tried a Restore from Backup, but it doesn't work. So I started from fresh, and I'm having an issue trying to add a 2nd SSID to a VLAN...
 
I keep getting the error:
 
"FAILED! SSID 2 has joined another VLAN"
 
Except it hasn't... it's not assigned to any VLAN...


Cisco AAA/Identity/Nac :: ACS1113 Version 4.2 Ssh Version 1 / Specify Only Version 2 Or Turn Off SSH?

Sep 14, 2009

McAfee scan of acs 1113 appliance running the 4.2 build 124 patch 12 version reports that a medium vulnerability exists because the system has SSH version 1. Any way to specify only version 2 or turn off SSH?


Cisco :: How To Restore ACS Config From An Existing Backup File In ACS Cluster Deployment

May 21, 2012

How can we restore ACS config from an existing backup file, in an ACS cluster deployment? Is it through CLI, with the "restore" or "acs restore" command? And should I restore only the ACS config or both ACS and ADE-OS config?


Cisco :: How To Make Simple Backup / Restore Running Config Jobs On LMS 4.1

Oct 20, 2011

have some problems with setting up jobs for the backup running config on my switches. Have RW and RO contact with everyone and can change the config in editor, but do not get config.txt


Cisco Switching/Routing :: Command In 6513 To Take IOS Image Backup And Restore?

Apr 18, 2013

I need to know the command to take the Backup and Restore of IOS Image of 6513 through tftp server.


Cisco AAA/Identity/Nac :: ACS5.1 Getting Disconnected From AD?

Jul 30, 2010

I managed to connect acs5.1 to the AD; users will be able to get authenticated against the AD when the state is shown as 'CONNECTED'. This will work ok for a day or so and then goes into a 'DISCONNECTED' state, and users will no longer be able to authenticate. Is this a known error, or is this an error from the microsoft ws2k3 server side?


Cisco AAA/Identity/Nac :: ACS5 - Replacement For IP Pools

Jan 26, 2013

I know ACS 5 lacks the IP Pools of earlier ACS versions. I'm looking at a 4 to 5 migration and was thinking of just configuring the IP Pools on the router ("ip pool local" etc) and sending back a RADIUS Cisco Attribute pair with the name of the pool. (Seemed like a neat fix, needs no extra kit, etc.)
 
I could have sworn that attribute pair existed... but I can't find it in ACS5! What's its name?! Where is it!? Or have I gone mad!? (And, if I have gone mad, how would you go about fixing it?)


Cisco Firewall :: Restore Configuration To New ASA5505 On Different ASDM Version

May 27, 2013

So we have been using our current ASA5505 for a long time. Since it only supports up to 10 VPN licenses, we bought a new ASA5505-SEC-BUN-K9 (supports up to 25 users).
 
the old ASA are running: 8.0.3 and ASDM 6.0.3
the new ASA are running: 8.2.5 and ASDM 6.4.5
 
I thought it would be as simple as exporting and importing the config file, but when I tried to restore, the new one is looking for a zip file but the old one doesn't back up the file in ZIP. It looks like I need to update the ASA version and/or ASDM?

I am pretty new to this and have never upgraded any of these versions since I am aware that the upgrade may mess things up. So do I need to upgrade both the ASA version and the ASDM in order to restore my config? Any effect if I do the upgrade? I also read in some articles that we need to upgrade the version one by one, like 8.0 to 8.1 then 8.2?


Cisco AAA/Identity/Nac :: ACS5.2 Authentication With Fortigate Firewall

Jun 10, 2013

I am trying to configure Fortigate firewall for device authentication through TACACS+ using Cisco ACS 5.2.
 
I was wondering if anyone has experience working on this scenario. I am looking for the authorization command attribute to grant admin access.


Cisco AAA/Identity/Nac :: How Does Acs Export User Records Via ACS5.3

Nov 29, 2011

I want to export the ACS local users' records, then import them to another ACS5.3 server. But the export file does not have the user's password record. I cannot import it well....


Cisco AAA/Identity/Nac :: Sync / Copy AAA Clients Between Two ACS5.2

May 17, 2011

We are moving network devices (200+) authentication/authorization/accounting to a new ACS5.2. Is there any easy way to copy/sync all those AAA clients' configuration to another ACS5.2 server? I don't need other configuration to be synced/copied to another ACS5.2 server.


Cisco AAA/Identity/Nac :: ACS5.1 - AD And RADIUS Attributes Mapping

Aug 18, 2010

I'm trying to dynamically assign an IP address for VPN users from AD (without IAS service). I know that there is a restriction that "Dial-in users are not supported by AD in ACS" (note in "acsuserguide51") but I'm not exactly sure what I can and can't do with it. In "Authorization Profiles", in the RADIUS Attributes tab, I try to manually add a specific attribute (Framed-IP-Address).
 
I have no problem (everything works just fine) with static address assignment in a way as below:

AD is already integrated with ACS and I've managed to download Directory attributes especially msRADIUSFramedIPAddress
 
When I change "Attribute Value" from static to dynamic type I see  the option to select AD (but "Select" which should list all available attributes is empty)
 
I know that I can do it directly (ASA <-> AD attribute mapping) but I want ACS to do it


AAA/Identity/Nac :: ACS5.2 - Implementing IP Phones In Network?

Oct 13, 2011

We have customer with implementation ACS5.2 in Windows environment. Now they want to implement IP phones in the network.


AAA/Identity/Nac :: ACS5.3 Command Set Regular Expressions

Jul 9, 2012

I am trying to secure changes to switches using ACS 5.3 and allowing our technicians to only change the vlan for user ports on the switches.  How can I use regular expressions to filter out the 1/1/# ports so that those ports cannot be accessed in config mode?  If I allow the following, it allows access to all interfaces with 'gi' in them.


Cisco AAA/Identity/Nac :: ACS5.2 Command Sets Permit All Commands

Mar 3, 2011

I have everything working on a new 5.2 ACS but: I can only make a command set that permits things and denies all. I thought with the check box "Permit any command that is not in the table below" one could allow all and specifically deny commands, and that would allow the user to do all commands except for conf and set. But it doesn't seem to administratively block it; it allows them to still "conf" for instance.

Then it works as expected, it allows the commands that are permitted and denies all unspecified commands. I know I am in the right command set because the changes I make are reflected immediately. Can someone test the "Permit any command that is not in the table below" and tell me if it works? I can make it work with the unchecked box, sure, but it would be nice to get it to work.


Cisco AAA/Identity/Nac :: Command Auth Failure On ASA5510 Using ACS5.1

Jun 11, 2012

I'm having trouble getting things working on a pair of ASA5510's using Cisco Secure ACS v5.1. We were previously using a much older version of ACS to these (and a lot of other) devices which worked OK for remote access for read/write use. Am in the process of migrating to the new ACS software and have got it working OK to everything (many Cisco switches and other IOS devices) except these ASA5510s.
 
I can get TACACS authenticating fine and am able to log on and go into enable mode. Any subsequent commands are then met with 'command authorization failure', including 'show run', 'conf t' and even 'exit'!
 
My ASA5510 config has not changed, other than to define the new AAA server, which leads me to think it's something to do with how I have the ACS user profile set up. I have configured the ACS5.1 device administration Shell Profile to have the maximum privilege level (15) and the command set I'm using has the box checked 'permit any command that is not in the table below'.


Cisco AAA/Identity/Nac :: ACS5.2 - Allow Show Running Configuration Without Enable

May 24, 2012

I am using ACS5.2. I want the user to access the device with all necessary commands like show run/ver/int/log… I tried to set the user privilege using Shell from 1 to 10 but show run doesn't work.


Cisco AAA/Identity/Nac :: Invoke IP POOL Defined On VPN 3000 To ACS5.3?

Aug 27, 2012

I configured an IP pool on the VPN 3000 concentrator. I wanted an attribute to use on the network access profile on the ACS 5.3. I was advised to use pool name. However, we don't have a pool name attribute on the VPN concentrator, only IP range and subnet mask. How do I refer to an IP pool on the VPN concentrator in ACS5.3? Is there another attribute I can use on ACS5.3 to invoke a pool on CVPN3000, like IP range...?

Copyrights 2005-15 www.BigResource.com, All rights reserved