Cisco Acs 5x User Guide
Have a look at the manual Cisco Acs 5x User Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 53 Cisco manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
1-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported by ACS For information about using the CLI, see the Command Line Interface Reference Guide for Cisco Secure Access Control System 5.3. Related Topic ACS Web-based Interface, page 1-4 ACS Programmatic Interfaces ACS 5.3 provides web services and command-line interface (CLI) commands that allow software developers and system integrators to programmatically access some ACS features and functions. ACS 5.3 also provides you access to the Monitoring & Report Viewer database that you can use to create custom applications to monitor and troubleshoot ACS. The UCP web service allows users, defined in the ACS internal database, to first authenticate and then change their own password. ACS exposes the UCP web service to allow you to create custom web-based applications that you can deploy in your enterprise. The Monitoring & Report Viewer web services allow you to create custom applications to track and troubleshoot events in ACS. You can develop shell scripts using the CLI commands that ACS offers to perform create, read, update, and delete (CRUD) operations on ACS objects. You can also create an automated shell script to perform bulk operations. The REST PI (Representational State Transfer Programming Interface) allows you to manage your entities such as users, devices and policies on your own management applications and move these entities into ACS. This way you can define these entities and then use them on your own systems and on ACS. For more information on how to access these web services and their functionalities, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/ acs_sdk.html. Hardware Models Supported by ACS Ta b l e 1 - 2 shows the details of the CAM hardware models supported by ACS 5.3. Table 1-2 CAM Hardware Models Supported by ACS 5.3 Config HDD RAM NIC IBM 1121 2 x 250GB 4GB 4X10,100,1000 RJ-45 CAM25-1-2-4. 2 x 250GB 4 x 1GB 2 x 1GE VMWare ESX 3.5, 4.0, 4.1, i4.1, or 5.0500GB 4GB 2 NICs VMWare Server 2.0 60GB 4GB 1 or 2 virtual NICs
1-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 1 Introducing ACS 5.3 Hardware Models Supported by ACS
CH A P T E R 2-1 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 2 Migrating from ACS 4.x to ACS 5.3 ACS 4.x stores policy and authentication information, such as TACACS+ command sets, in the user and user group records. In ACS 5.3, policy and authentication information are independent shared components that you use as building blocks when you configure policies. The most efficient way to make optimal use of the new policy model is to rebuild policies by using the building blocks, or policy elements, of the new policy model. This method entails creating appropriate identity groups, network device groups (NDGs), conditions, authorization profiles, and rules. ACS 5.3 provides a migration utility to transfer data from migration-supported versions of ACS 4.x to an ACS 5.3 machine. The ACS 5.3 migration process requires, in some cases, administrative intervention to manually resolve data before you import it to ACS 5.3. This process is different from the process of upgrading from versions of ACS 3.x to ACS 4.x, where the ACS 4.x system works the same way as ACS 3.x and no administrative intervention is required. The migration utility in ACS 5.3 supports multiple-instance migration that migrates all ACS 4.x servers in your deployment to ACS 5.3. For more information on multiple-instance migration, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/ guide/migration_guide.html. Upgrade refers to the process of transferring data from ACS 5.2 servers to ACS 5.3. For information on the upgrade process, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/installation/ guide/csacs_upg.html. This chapter contains the following sections: Overview of the Migration Process, page 2-2 Before You Begin, page 2-3 Downloading Migration Files, page 2-3 Migrating from ACS 4.x to ACS 5.3, page 2-3 Functionality Mapping from ACS 4.x to ACS 5.3, page 2-5 Common Scenarios in Migration, page 2-7
2-2 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Overview of the Migration Process Overview of the Migration Process The Migration utility completes the data migration process in two phases: Analysis and Export Import In the Analysis and Export phase, you identify the objects that you want to export into 5.3. The Migration utility analyses the objects, consolidates the data, and exports it. After the Analysis and Export phase is complete, the Migration utility generates a report that lists any data compatibility errors, which you can manually resolve to successfully import these objects into 5.3. The Analysis and Export phase is an iterative process that you can rerun many times to ensure that there are no errors in the data to be imported. After you complete the Analysis and Export phase, you can run the import phase to import data into ACS 5.3. This section contains the following topics: Migration Requirements, page 2-2 Supported Migration Versions, page 2-2 Migration Requirements To run the Migration utility, you must deploy the following machines: The source ACS 4.x machine—This machine can either be an ACS 4.x solution engine or a ACS for Windows 4.x machine. The source machine must be running a migration-supported version of ACS. See Supported Migration Versions, page 2-2 for more information. The migration machine—This machine must be a Windows platform that runs the same version of ACS (including the patch) as the source machine. The migration machine cannot be an ACS production machine or an ACS appliance machine. It has to be a Windows server running ACS for Windows. The migration machine requires 2 GB RAM. The target ACS 5.3 machine—Back up your ACS 5.3 configuration data and ensure that the migration interface is enabled on ACS 5.3 before you begin the import process. We recommend that you import data into a fresh ACS 5.3 database. To enable the migration interface, from the ACS CLI, enter: acs config-web-interface migration enable Supported Migration Versions ACS 5.3 supports migration from the following ACS 4.x versions: ACS 4.1.1.24 ACS 4.1.4 ACS 4.2.0.124 ACS 4.2.1
2-3 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Before You Begin NoteYou must install the latest patch for the supported migration versions listed here. Also, if you have any other version of ACS 4.x installed, you must upgrade to one of the supported versions and install the latest patch for that version before you can migrate to ACS 5.3. Before You Begin Before you migrate data from ACS 4.x to ACS 5.3, ensure that you: Check for database corruption issues in the ACS 4.x source machine. Have the same ACS versions on the source and migration machines (including the patch). Have configured a single IP address on the migration machine. Take a backup of the source ACS 4.x data. Have full network connectivity between the migration machine and the ACS 5.3 server. Have enabled the migration interface on the ACS 5.3 server. Use only the default superadmin account for ACS 5.3, acsadmin while running the Migration utility. You cannot use the remote desktop to connect to the migration machine to run the Migration Utility. You must run the Migration Utility on the migration machine; or, use VNC to connect to the migration machine. NoteACS 5.3 migration utility is not supported on Windows 2008 64 bit. Downloading Migration Files To download migration application files and the migration guide for ACS 5.3: Step 1Select System Administration > Downloads > Migration Utility. The Migration from 4.x page appears. Step 2Click Migration application files, to download the application file you want to use to run the migration utility. Step 3Click Migration Guide, to download Migration Guide for the Cisco Secure Access Control System 5.3. Migrating from ACS 4.x to ACS 5.3 You can migrate data from any of the migration-supported versions of ACS 4.x to ACS 5.3. The migration utility migrates the following ACS 4.x data entities: Network Device Groups (NDGs) AAA Clients and Network Devices Internal Users
2-4 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Migrating from ACS 4.x to ACS 5.3 User-Defined Fields (from the Interface Configuration section) User Groups Shared Shell Command Authorization Sets User TACACS+ Shell Exec Attributes (migrated to user attributes) Group TACACS+ Shell Exec Attributes (migrated to shell profiles) User TACACS+ Command Authorization Sets Group TACACS+ Command Authorization Sets Shared, Downloadable ACLs EAP-FAST Master Keys Shared RADIUS Authorization Components (RACs) RADIUS VSAs NoteThe Migration utility does not migrate public key infrastructure (PKI) configuration data and does not support certificate migration. To migrate data from ACS 4.x to ACS 5.3: Step 1Upgrade the ACS 4.x version to a migration-supported version if your ACS 4.x server currently does not run one of the migration-supported versions. For a list of migration-supported ACS versions, see Supported Migration Versions, page 2-2. Step 2Install the same migration-supported version of ACS on the migration machine, which is a Windows server. Step 3Back up the ACS 4.x data and restore it on the migration machine. Step 4Place the Migration utility on the migration machine. You can get the Migration utility from the Installation and Recovery DVD. Step 5Run the Analyze and Export phase of the Migration utility on the migration machine. Step 6Resolve any issues in the Analyze and Export phase. Step 7Run the Import phase of the Migration utility on the migration machine. The import phase imports data into the 5.3 server. NoteIf you have a large internal database, then we recommend that you import the data into a standalone 5.x primary server and not to a server that is connected to several secondary servers. After data migration is complete, you can register the secondary servers to the standalone 5.x primary server. For detailed information about using the migration utility, refer to http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/ guide/migration_guide.html. After you migrate the data, you can reconstruct your policies with the migrated objects.
2-5 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 In ACS 5.3, you define authorizations, shell profiles, attributes, and other policy elements as independent, reusable objects, and not as part of the user or group definition. Ta b l e 2 - 1 describes where you configure identities, network resources, and policy elements in ACS 5.3. Use this table to view and modify your migrated data identities. See Chapter 3, “ACS 5.x Policy Model” for an overview of the ACS 5.3 policy model. Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.3 To configure... In ACS 4.x, choose... In ACS 5.3, choose... Additional information for 5.3 Network device groups Network Configuration pageNetwork Resources > Network Device Groups See Creating, Duplicating, and Editing Network Device Groups, page 7-2.You can use NDGs as conditions in policy rules. ACS 5.3 does not support NDG shared password. After migration, member devices contain the NDG shared password information. Network devices and AAA clientsNetwork Configuration pageNetwork Resources > Network Devices and AAA Clients See Network Devices and AAA Clients, page 7-5.RADIUS KeyWrap keys (KEK and MACK) are migrated from ACS 4.x to ACS 5.3. User groups Group Setup page Users and Identity Stores > Identity Groups See Managing Identity Attributes, page 8-7.You can use identity groups as conditions in policy rules. Internal users User Setup page Users and Identity Stores > Internal Identity Stores > Users See Managing Internal Identity Stores, page 8-4.ACS 5.3 authenticates internal users against the internal identity store only. Migrated users that used an external database for authentication have a default authentication password that they must change on first access. Internal hosts Network Access Profiles > AuthenticationUsers and Identity Stores > Internal Identity Stores > Hosts See Creating Hosts in Identity Stores, page 8-16.You can use the internal hosts in identity policies for Host Lookup. Identity attributes (user-defined fields)Interface Configuration > User Data ConfigurationSystem Administration > Configuration > Dictionaries > Identity > Internal Users See Managing Dictionaries, page 18-5.Defined identity attribute fields appear in the User Properties page. You can use them as conditions in access service policies.
2-6 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Functionality Mapping from ACS 4.x to ACS 5.3 Command sets (command authorization sets)One of the following: Shared Profile Components > Command Authorization Set User Setup page Group Setup pagePolicy Elements > Authorization and Permissions > Device Administration > Command Set See Creating, Duplicating, and Editing Command Sets for Device Administration, page 9-28.You can add command sets as results in authorization policy rules in a device administration access service. Shell exec parameters User Setup page System Administration > Dictionaries > Identity > Internal Users See Managing Dictionaries, page 18-5.Defined identity attribute fields appear in the User Properties page. You can use them as conditions in access service policies. Shell profiles (shell exec parameters or shell command authorization sets)Group Setup page Policy Elements > Authorization and Permissions > Device Administration > Shell Profile See Creating, Duplicating, and Editing a Shell Profile for Device Administration, page 9-23.You can add shell profiles as results in authorization policy rules in a device administration access service. Date and time condition (Time of Day Access) You cannot migrate the date and time conditions. You have to recreate them in ACS 5.3.Group Setup page Policy Elements > Session Conditions > Date and Time See Creating, Duplicating, and Editing a Date and Time Condition, page 9-3.You can add date and time conditions to a policy rule in the Service Selection policy or in an authorization policy in an access service. RADIUS Attributes One of the following: Shared Profile Components > RADIUS Authorization Component User Setup page Group Setup page You cannot migrate the RADIUS attributes from user and group setups. You have to recreate them in ACS 5.3.Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > Common Tasks tab or Policy Elements > Authorization and Permissions > Network Access > Authorization Profile > RADIUS Attributes tab See Creating, Duplicating, and Editing Authorization Profiles for Network Access, page 9-18.You configure RADIUS attributes as part of a network access authorization profile. You can add authorization profiles as results in an authorization policy in a network access service. Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.3 (continued) To configure... In ACS 4.x, choose... In ACS 5.3, choose... Additional information for 5.3
2-7 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Common Scenarios in Migration The following are some of the common scenarios that you encounter while migrating to ACS 5.3: Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3, page 2-7 Migrating from ACS 3.x to ACS 5.3, page 2-8 Migrating Data from Other AAA Servers to ACS 5.3, page 2-8 Migrating from ACS 4.2 on CSACS 1120 to ACS 5.3 In your deployment, if you have ACS 4.2 on CSACS 1120 and you would like to migrate to ACS 5.3, you must do the following: Step 1Install Cisco Secure Access Control Server 4.2 for Windows on the migration machine. Step 2Back up the ACS 4.2 data on CSACS 1120. Step 3Restore the data in the migration machine. Step 4Run the Analysis and Export phase of the Migration utility on the migration machine. Step 5Install ACS 5.3 on CSACS 1120. Step 6Import the data from the migration machine to the CSACS 1120 that has ACS 5.3 installed. See http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/migration/ guide/migration_guide.html for a detailed description of each of these steps. Downloadable ACLs Shared Profile ComponentsPolicy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs See Creating, Duplicating, and Editing Downloadable ACLs, page 9-31.You can add downloadable ACLs (DACLs) to a network access authorization profile. After you create the authorization profile, you can add it as a result in an authorization policy in a network access service. RADIUS VSA Interface ConfigurationSystem Administration > Configuration > Dictionaries > Protocols > RADIUS > RADIUS VSA. See Creating, Duplicating, and Editing RADIUS Vendor-Specific Attributes, page 18-6.You configure RADIUS VSA attributes as part of a network access authorization profile. You can add authorization profiles as results in an authorization policy in a network access service. Table 2-1 Functionality Mapping from ACS 4.x to ACS 5.3 (continued) To configure... In ACS 4.x, choose... In ACS 5.3, choose... Additional information for 5.3
2-8 User Guide for Cisco Secure Access Control System 5.3 OL-24201-01 Chapter 2 Migrating from ACS 4.x to ACS 5.3 Common Scenarios in Migration Migrating from ACS 3.x to ACS 5.3 If you have ACS 3.x deployed in your environment, you cannot directly migrate to ACS 5.3. You must do the following: Step 1Upgrade to a migration-supported version of ACS 4.x. See Supported Migration Versions, page 2-2 for a list of supported migration versions. Step 2Check the upgrade paths for ACS 3.x: For the ACS Solution Engine, see: http://www.cisco.com/en/US/docs/net_mgmt/ cisco_secure_access_control_server_for_solution_engine/4.1/installation/guide/solution_engine/ upgap.html#wp1120037 For ACS for Windows, see: http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/ 4.2/installation/guide/windows/install.html#wp1102849 Step 3Upgrade your ACS 3.x server to a migration-supported version of ACS 4.x. After the upgrade, follow the steps that describe migrating from ACS 4.x to ACS 5.3. Refer to the Migration Guide for the Cisco Secure Access Control System 5.3 for more information. Migrating Data from Other AAA Servers to ACS 5.3 ACS 5.3 allows you to perform bulk import of various ACS objects through the ACS web interface and the CLI. You can import the following ACS objects: Users Hosts Network Devices Identity Groups NDGs Downloadable ACLs Command Sets ACS allows you to perform bulk import of data with the use of a comma-separated values (.csv) file. You must input data in the .csv file in the format that ACS requires. ACS provides a .csv template for the various objects that you can import to ACS 5.3. You can download this template from the web interface. To migrate data from other AAA servers to ACS 5.3: Step 1Input data into .csv files. For more information on understanding .csv templates, see http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/ cli_imp_exp.html#wp1064565. Step 2Set up your ACS 5.3 appliance.