Solved

Cisco ACS mixed versions

Posted on 2016-10-10
8
91 Views
Last Modified: 2016-10-12
Is there any problem having a Cisco ACS cluster where the primary is at version 5.4 and the new secondaries are at software version 5.8? Thank you.
0
Comment
Question by:amigan_99
  • 3
  • 3
  • 2
8 Comments
 
LVL 46

Assisted Solution

by:Craig Beck
Craig Beck earned 250 total points
ID: 41838304
Don't do it!  Databases are slightly different and there's functionality in 5.8 that's not in 5.4.
0
 
LVL 63

Accepted Solution

by:
btan earned 250 total points
ID: 41838582
To add it is also evident that such mixed of 5.4 and 5.8 may have issues as ACS 5.8 does support upgrade from three releases back; At best 5.5 and above and even then in 5.5 it need to go through an upgrade preferably to 5.6 or 5.7 before into 5.8. But even than for older version to work as primary and secondary having newer version it needs the primary to be able to hold info from the new version which in this case can be incompatible and upgrading may even be an issue and not to talk about working in mixed environment. Just some thoughts on this, if it helps.

Also note
Usually, in a deployment scenario where multiple ACS instances are involved, the primary ACS instance functions as a master database for the configuration data, and one of the secondary ACS instances stores the Monitoring and Report data. You can also use the primary instance to store the Monitoring and Report data.

Initially, you need to upgrade the log collector server to ACS 5.8 and use this server as a common log collector between the ACS 5.7 and 5.8 deployments, until the 5.8 upgrade for all servers is complete.
0
 
LVL 1

Author Closing Comment

by:amigan_99
ID: 41838629
Thank you. Sounds like a downgrade for the new gear is in order as a change window to get to 5.8 corporate-wide would not happen any time soon. Should the procedure here for 5.4 installation be sufficient to get the newer 3415s to 5.4? http://www.cisco.com/c/en/us/td/docs/net_mgmt/cisco_secure_access_control_system/5-4/installation/guide/csacs_book/csacs_ins_acs_in_ucs.html
0
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 63

Expert Comment

by:btan
ID: 41839312
0
 
LVL 46

Expert Comment

by:Craig Beck
ID: 41839342
Do a fresh install of 5.4 on the secondary then upgrade ALL boxes to 5.8 later. Be careful though, 5.8 uses certificates to authenticate each node so you need to turn that off first, after each box is upgraded, on each node if you haven't deployed certs to each ACS.

You can upgrade straight to 5.8.
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41839474
Each node in the cluster has a *.acme.com cert for management. Should that do the trick?
0
 
LVL 63

Expert Comment

by:btan
ID: 41839481
It should represent your FQDN name and not using wildcard. Unfortunately Wildcard certificates are not supported with ACS. You need the certificate to be specific on the dedicated host name or use of single UCC cert (with a list of SAN).

https://supportforums.cisco.com/discussion/10955841/acs-wildcard-certificate-install-peap
1
 
LVL 1

Author Comment

by:amigan_99
ID: 41840696
Thank you.
0

Featured Post

Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Ransomware continues to grow in reach and sophistication, putting data everywhere at risk. Learn how to avoid being caught in its sinister clutches with these 11 key tips.
When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question