Cisco ACS mixed versions

Is there any problem having a Cisco ACS cluster where the primary is at version 5.4 and the new secondaries are at software version 5.8? Thank you.
amigan_99, Network Engineer, Asked:
btan, Exec Consultant, Commented:
To add, it is also evident that such a mix of 5.4 and 5.8 may have issues, as ACS 5.8 does support upgrade from three releases back; at best 5.5 and above, and even then 5.5 needs to go through an upgrade, preferably to 5.6 or 5.7, before going to 5.8. But even then, for an older version to work as primary with secondaries on a newer version, the primary needs to be able to hold info from the new version, which in this case can be incompatible, and upgrading may even be an issue, not to mention working in a mixed environment. Just some thoughts on this, if it helps.

Also note:
Usually, in a deployment scenario where multiple ACS instances are involved, the primary ACS instance functions as a master database for the configuration data, and one of the secondary ACS instances stores the Monitoring and Report data. You can also use the primary instance to store the Monitoring and Report data.

Initially, you need to upgrade the log collector server to ACS 5.8 and use this server as a common log collector between the ACS 5.7 and 5.8 deployments, until the 5.8 upgrade for all servers is complete.
0
 
Craig Beck Commented:
Don't do it!  Databases are slightly different and there's functionality in 5.8 that's not in 5.4.
0
 
amigan_99, Network Engineer, Author Commented:
Thank you. Sounds like a downgrade for the new gear is in order as a change window to get to 5.8 corporate-wide would not happen any time soon. Should the procedure here for 5.4 installation be sufficient to get the newer 3415s to 5.4? http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_ins_acs_in_ucs.html
0
 
btan, Exec Consultant, Commented:
0
 
Craig Beck Commented:
Do a fresh install of 5.4 on the secondary then upgrade ALL boxes to 5.8 later. Be careful though, 5.8 uses certificates to authenticate each node so you need to turn that off first, after each box is upgraded, on each node if you haven't deployed certs to each ACS.

You can upgrade straight to 5.8.
1
 
amigan_99, Network Engineer, Author Commented:
Each node in the cluster has a *.acme.com cert for management. Should that do the trick?
0
 
btan, Exec Consultant, Commented:
It should represent your FQDN and not use a wildcard. Unfortunately, wildcard certificates are not supported with ACS. You need the certificate to be specific to the dedicated host name, or use a single UCC cert (with a list of SANs).

https://supportforums.cisco.com/discussion/10955841/acs-wildcard-certificate-install-peap
1
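A pre-upgrade check for the certificate requirement described in the comment above, as an added example that is not part of the thread or of any Cisco tooling: it reads the text printed by `openssl x509 -noout -subject -ext subjectAltName` for a node certificate, flags wildcard names, and lists nodes that no explicit name covers. The node host names and both sample outputs are constructed for illustration.

```python
import re

# Constructed samples of `openssl x509 -noout -subject -ext subjectAltName` output.
WILDCARD_CERT = """subject=C = US, O = Acme, CN = *.acme.com
X509v3 Subject Alternative Name:
    DNS:*.acme.com, DNS:acme.com
"""
UCC_CERT = """subject=C = US, O = Acme, CN = acs-pri.acme.com
X509v3 Subject Alternative Name:
    DNS:acs-pri.acme.com, DNS:acs-sec1.acme.com, DNS:acs-sec2.acme.com
"""
# Hypothetical node FQDNs for the cluster being checked.
NODES = ["acs-pri.acme.com", "acs-sec1.acme.com", "acs-sec2.acme.com"]


def cert_names(openssl_text):
    """Return the lower-cased CN and DNS SAN entries found in the openssl text."""
    names = re.findall(r"CN\s*=\s*([^,/\n]+)", openssl_text)
    names += re.findall(r"DNS:([^,\s]+)", openssl_text)
    return sorted({n.strip().lower() for n in names})


def audit(openssl_text, node_fqdns):
    """Flag wildcard names and nodes that are not named explicitly in the cert."""
    names = cert_names(openssl_text)
    wildcards = [n for n in names if "*" in n]
    explicit = set(names) - set(wildcards)
    # A wildcard entry is deliberately not counted as covering a node.
    uncovered = [h for h in node_fqdns if h.lower() not in explicit]
    return {"wildcards": wildcards, "uncovered": uncovered,
            "ok": not wildcards and not uncovered}


if __name__ == "__main__":
    for label, text in (("wildcard", WILDCARD_CERT), ("ucc", UCC_CERT)):
        print(label, audit(text, NODES))
```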
 
amigan_99, Network Engineer, Author Commented:
Thank you.
0
Question has a verified solution.