[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

Cisco ACS mixed versions

Posted on 2016-10-10
8
Medium Priority
?
123 Views
Last Modified: 2016-10-12
Is there any problem having a Cisco ACS cluster where the primary is at version 5.4 and the new secondaries are at software version 5.8? Thank you.
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 47

Assisted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 41838304
Don't do it!  Databases are slightly different and there's functionality in 5.8 that's not in 5.4.
0
 
LVL 65

Accepted Solution

by:
btan earned 1000 total points
ID: 41838582
To add it is also evident that such mixed of 5.4 and 5.8 may have issues as ACS 5.8 does support upgrade from three releases back; At best 5.5 and above and even then in 5.5 it need to go through an upgrade preferably to 5.6 or 5.7 before into 5.8. But even than for older version to work as primary and secondary having newer version it needs the primary to be able to hold info from the new version which in this case can be incompatible and upgrading may even be an issue and not to talk about working in mixed environment. Just some thoughts on this, if it helps.

Also note
Usually, in a deployment scenario where multiple ACS instances are involved, the primary ACS instance functions as a master database for the configuration data, and one of the secondary ACS instances stores the Monitoring and Report data. You can also use the primary instance to store the Monitoring and Report data.

Initially, you need to upgrade the log collector server to ACS 5.8 and use this server as a common log collector between the ACS 5.7 and 5.8 deployments, until the 5.8 upgrade for all servers is complete.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 41838629
Thank you. Sounds like a downgrade for the new gear is in order as a change window to get to 5.8 corporate-wide would not happen any time soon. Should the procedure here for 5.4 installation be sufficient to get the newer 3415s to 5.4? http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_ins_acs_in_ucs.html
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
LVL 65

Expert Comment

by:btan
ID: 41839312
0
 
LVL 47

Expert Comment

by:Craig Beck
ID: 41839342
Do a fresh install of 5.4 on the secondary then upgrade ALL boxes to 5.8 later. Be careful though, 5.8 uses certificates to authenticate each node so you need to turn that off first, after each box is upgraded, on each node if you haven't deployed certs to each ACS.

You can upgrade straight to 5.8.
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41839474
Each node in the cluster has a *.acme.com cert for management. Should that do the trick?
0
 
LVL 65

Expert Comment

by:btan
ID: 41839481
It should represent your FQDN name and not using wildcard. Unfortunately Wildcard certificates are not supported with ACS. You need the certificate to be specific on the dedicated host name or use of single UCC cert (with a list of SAN).

https://supportforums.cisco.com/discussion/10955841/acs-wildcard-certificate-install-peap
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41840696
Thank you.
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

IF you are either unfamiliar with rootkits, or want to know more about them, read on ....
Will you be ready when the clock on GDPR compliance runs out? Is GDPR even something you need to worry about? Find out more about the upcoming regulation changes and download our comprehensive GDPR checklist today !
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question