?
Solved

Cisco ACS mixed versions

Posted on 2016-10-10
8
Medium Priority
?
115 Views
Last Modified: 2016-10-12
Is there any problem having a Cisco ACS cluster where the primary is at version 5.4 and the new secondaries are at software version 5.8? Thank you.
0
Comment
Question by:amigan_99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
8 Comments
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 1000 total points
ID: 41838304
Don't do it!  Databases are slightly different and there's functionality in 5.8 that's not in 5.4.
0
 
LVL 64

Accepted Solution

by:
btan earned 1000 total points
ID: 41838582
To add it is also evident that such mixed of 5.4 and 5.8 may have issues as ACS 5.8 does support upgrade from three releases back; At best 5.5 and above and even then in 5.5 it need to go through an upgrade preferably to 5.6 or 5.7 before into 5.8. But even than for older version to work as primary and secondary having newer version it needs the primary to be able to hold info from the new version which in this case can be incompatible and upgrading may even be an issue and not to talk about working in mixed environment. Just some thoughts on this, if it helps.

Also note
Usually, in a deployment scenario where multiple ACS instances are involved, the primary ACS instance functions as a master database for the configuration data, and one of the secondary ACS instances stores the Monitoring and Report data. You can also use the primary instance to store the Monitoring and Report data.

Initially, you need to upgrade the log collector server to ACS 5.8 and use this server as a common log collector between the ACS 5.7 and 5.8 deployments, until the 5.8 upgrade for all servers is complete.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 41838629
Thank you. Sounds like a downgrade for the new gear is in order as a change window to get to 5.8 corporate-wide would not happen any time soon. Should the procedure here for 5.4 installation be sufficient to get the newer 3415s to 5.4? http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_ins_acs_in_ucs.html
0
Simplifying Server Workload Migrations

This use case outlines the migration challenges that organizations face and how the Acronis AnyData Engine supports physical-to-physical (P2P), physical-to-virtual (P2V), virtual to physical (V2P), and cross-virtual (V2V) migration scenarios to address these challenges.

 
LVL 64

Expert Comment

by:btan
ID: 41839312
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41839342
Do a fresh install of 5.4 on the secondary then upgrade ALL boxes to 5.8 later. Be careful though, 5.8 uses certificates to authenticate each node so you need to turn that off first, after each box is upgraded, on each node if you haven't deployed certs to each ACS.

You can upgrade straight to 5.8.
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41839474
Each node in the cluster has a *.acme.com cert for management. Should that do the trick?
0
 
LVL 64

Expert Comment

by:btan
ID: 41839481
It should represent your FQDN name and not using wildcard. Unfortunately Wildcard certificates are not supported with ACS. You need the certificate to be specific on the dedicated host name or use of single UCC cert (with a list of SAN).

https://supportforums.cisco.com/discussion/10955841/acs-wildcard-certificate-install-peap
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41840696
Thank you.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog we highlight approaches to managed security as a service.  We also look into ConnectWise’s value in aiding MSPs’ security management and indicate why critical alerting is a necessary integration.
Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question