ACS to Server upgrade

Hi all

Can I upgrade my to ACS servers without applying the patch?

Thank you.


Hey Pratik,

It is always advisable to upgrade to the latest patch before moving on to the next version.

Therefore, it would be advisable to install patch 4 and then go to 5.7.

Kind regards


Please evaluate the useful messages.

Tags: Cisco Security

Similar Questions

  • ACS database does not replicate after changing the secondary IP of ACS.

    Hello. I have 2 ACS 3.1 servers: ACS01 (primary) and ACS02 (secondary). We recently moved ACS02 to another site and changed its IP address.

    When we do database replication from ACS01, we receive an error message saying ACS02 has refused the replication request.

    Any idea what can be the problem?

    Consider these points when you implement the Cisco Secure database replication feature:

    (1) ACS only supports database replication to other ACS servers. All ACS servers participating in Cisco Secure database replication must run the same version and patch level of ACS.

    (2) The primary server sends the compressed and encrypted database components to the secondary server. This transmission is done over a TCP connection on port 2000. The TCP session is authenticated and uses an encrypted, Cisco-proprietary protocol.

    (3) Only properly configured, valid ACS hosts can be secondary servers. To add a secondary server, configure it in the AAA Servers table in the Network Configuration section of this document. When a server is added to the AAA Servers table, the server is displayed for selection as a secondary server in the AAA Servers list under Replication Partners, on the Cisco Secure Database Replication page.

    (4) The primary server must be configured as an AAA server and must have a key. The secondary server must have the primary server configured as an AAA server, and its key for the primary server must match the primary server's key.

    (5) Replication to secondary servers takes place sequentially, in the order listed in the Replication list under Replication Partners, on the Cisco Secure Database Replication page.

    (6) The secondary server that receives the replicated components must be configured to accept database replication from the primary server. To configure a secondary server for database replication, refer to the Configuring a Secondary Cisco Secure ACS Server section of this document.

    (7) ACS does not support two-way database replication. The secondary server, which receives the replicated components, checks that the primary server is not on its replication list. If it is not, the secondary server accepts the replicated components. If it is, it rejects the components.

    (8) To replicate user-defined RADIUS vendor and vendor-specific attribute (VSA) configurations successfully, the definitions to be replicated must be identical on the primary and secondary servers. This includes the RADIUS vendor slots that the user-defined RADIUS vendors occupy. For more information on user-defined RADIUS vendors and VSAs, see the User-Defined RADIUS Vendors and VSA Sets section of the document Cisco Secure ACS Database Command-Line Utility.

  • Migration of the existing database from Win ACS 3.3 to the ACS 4.2.15 appliance

    Hi all

    Can anyone suggest how to migrate the DB from ACS 3.3 for Windows to the ACS 4.2.15 appliance?

    We are replacing the Win 3.3 with the 4.2.15 appliance as part of end of life. So we have EAP-TLS/PEAP authentication.

    It has huge files. So please suggest the steps to migrate the DB from Win 3.3 to appl 4.2.15.

    Do we need to upgrade Win 3.3 to Win 4.0, then to Win 4.2, and then migrate to appl 4.2?

    Or any other way to do it?


    You can take a backup copy of the database of the ACS unit. You can install ACS 3.3 in windows. Restore the backup.

    Then you can proceed to 3.3.4 on Windows ACS. Make a backup and save it to a different location.

    Upgrade the windows of the CSA at take a backup. Save it to a different location.

    Then the windows of the CSA resume a backup and save it to a different location.

    Now re-images of the device of the ACS for ACS Restore the backup of Windows ACS ACS ACS unit now running.

    Now you can upgrade the ACS unit to

    I hope this helps.

    Kind regards


    P.S.: Please mark this thread as answered if you feel that your query is resolved. Note the useful messages.

  • Error of org.xml ACS 5.3 Exception when executing reports


    ACS 5.3 running on an 1121 appliance

    When I run a report (RADIUS authentication, accounting, etc., it is every report), I get the error in the attached image (org.xml.sax.SAXParseException...). I have not yet found a solution. I'm running another ACS 5.2 appliance that does not have this error.

    If the upgrade to a newer version will solve this problem, the license (5.3) will suffice.

    Any help is appreciated

    Kind regards

    MOE Shea

    Hello Mo,

    I have seen this error as a browser problem. I recommend you look at the ACS 5.3 release notes and confirm whether you are currently using a supported browser:

    A restart of services can take care of it as well in case you are using a supported browser.

    Note: Please mark as answer as appropriate

  • Cisco ACS 5.4 and VPN 3000


    I'm trying to use Cisco ACS 5.4 for RADIUS authentication for VPN users by using a VPN 3000 concentrator.

    I added the VPN 3000 on ACS and added ACS on the VPN group as an authentication server with a shared secret. When I do a test on the authentication server using the local account that I created on ACS, it reports that no response was received from the server, while I can see the RAIDUS AAuth in green.

    Any help would be much appreciated.




    What is the report on ACS?

    "RAIDUS AAuth in green"

    If so, a pcap between the two would help.



  • ACS 4.1 compatible with WLC


    I have to upgrade our WLC4404s from version to so that our new 1142N APs are supported. Can someone please tell me if I am required to upgrade Cisco Secure ACS (Windows) version 4.1 to 4.2 to stay compatible?

    The WLC release notes state "this product has been tested with CiscoSecure ACS 4.2 and later and works with any RFC-compliant RADIUS server."

    Thank you


    An upgrade is not required for the current features to continue to work. You only need to upgrade for the 4.2 improvements. 4.1 conforms to the RFC.

  • I can't use the same IP for three NDG ACS. !

    Hello. Install ACS 4.2 Build Patch 124 13, I created three NDG, my server has the IP, adding the same three NDG me Server gives this error:

    Overlapping IP range conflicts were detected with entry ACS.

    In addition, if you add a server with an IP address which does not exist and then remove it, get no option to remove.

    suggestions on this?

    Any changes in the IP address of this server. For example let's say that IP is, just what he likes change

    example submit and restart.

    Go to control panel, administrative tools, services... restart csadmin.

    Now you should see an option to remove the AAA server.

    Kind regards

    ~ JG

  • Replication of ACS and integration with the Active directory database

    Hi all

    I have to configure two ACS SE with internal database replication. I also have an Active Directory server that must integrate with ACS. My question is whether I need to configure the IP address of the ACS during installation of the remote agent on Active Directory, or only the primary ACS.

    No need to give the IPs of both ACS. Give the IP of the primary ACS.

    Kind regards

    ~ JG

    Note the useful messages

  • Upgrade process ACS

    Hello friends, I want to move an ACS from 5.0 to version 5.1 and 5.2, but in the upgrade instructions there is a command line that I don't understand:

    acs patch install patch-name.tar.gpg repository repository-name

    I don't know what the name of this repository is, or whether it's a repository that I need to create. I can download the installation files (patch and the ADE upgrade), but I don't know how to place them on the ACS unit (if this is the case).

    Thanks in advance.

    Atte. Jonah Diaz

    Hi Jonas,


    conf t

    repository JonasRepo

    url ftp://x.y.z.a/

    user <username> password plain <password>

    You can then install the patch and use "JonasRepo" as the name of the repository. You do not have to download patches to ACS, but simply configure ACS to know where they are. You are not obliged to use FTP; you can use the question mark after "url" to see the different possibilities.

    Hope this helps,



    Remember to rate responses that you find useful

  • ACS 4.2 unknown user database search order


    I have several user databases in the search order for the unknown user policy. Ignoring the manual (, which States that, after the failure of authentication from the first database (Windows) the ACS does not continue to look for the second database, a RADIUS server. I see that, with the failure in the first user, database stops the ACS research and fails to the user authentication with an authentication failure code "external DB password invalid.

    Is the documentation wrong or is this a bug in ACS v4.2.1? How can I make the ACS continue to search the second user database?

    Hello Roberto,.

    If the external database returns an invalid username/password, then it is intended that ACS does not check the next database in the sequence and fails the authentication:

    "For authentication requests, ACS applies the Unknown User Policy to unknown users only. ACS does not support fallback to unknown user authentication when known or discovered users fail authentication."

    If you want ACS to check the next database even if an invalid username/password response has been received, you will need to explicitly set this on the external Windows database configuration page, in the section entitled 'Unknown User Policy' (on the Windows-specific database configuration page, not under the Unknown User Policy section):

    In addition, in the previous screenshots, I could see that you have configured both of the following databases:

    Windows database

    RADIUS Server token

    So we may be running into a situation where the authentication method used is not supported by the RADIUS token server, and it is therefore impossible to check the second database in the list:

    Kind regards



    If this helps you or answers to your question if it you please mark it as 'responded' or write it down, if other users can easily find it.

  • Cannot register a secondary ACS for replication with primary ACS 5.2.


    I hope someone can help me.  Currently, I have two Cisco ACS appliances and both are listed as PRIMARY.  The first ACS is running version while the second ACS is running version

    My original thought was to install the first ACS, have it serve as primary and have it replicate its data to the SECONDARY ACS.  Somehow, after installation, the ACS are now listed as PRIMARY.  When I go into the secondary ACS under Deployment Options to try to register it to the primary, I get the following error message:

    "This failure has occurred.  Failed to authenticate with node.  Your changes have not been saved."

    Even if I try from this primary ACS to register the secondary ACS, I get the same error message.  I tried all passwords, including the credentials of the super admin user, my administrator credentials and the credentials used to SSH into ACS, and nothing is helping.

    Reading online, I read there was a way to remove a secondary ACS, but I don't have the ability to add this server in the primary to "bump it down" to a secondary, hoping to register it to the primary ACS.

    If anyone can give me some pointers, I would greatly appreciate.

    Thank you, and all have a wonderful day.



    If the identifier is the same then replication definitely does not work; you will not be able to register to the primary if the license is the same. The good side is that you have the other license; you only need to install it.

    However, I have more bad news: the only way to reinstall a license file in ACS 5.x is to use the CLI command 'acs reset-config', but it will also delete all of the configuration that you have on this server, except the network configuration (IP, gateway, DNS, etc.)

    After entering this command, if you are trying to access the GUI, you should not use the username and password acsadmin/default, then you will be asked to locate the license file.

    Here is a document with this information where you need it:

  • Cisco ACS 4.2: The most important files to back up?

    Dear Sir

    Can you tell me what are the most important files to back up in the Cisco ACS directory?

    Currently, I am only backing up (with Symantec Backup Exec):

    C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups

    * But, I would like to know if my server crash, can I restore the entire configuration with the files listed in the directory below? (Users, groups, groups of devices, AD, mapping, users, groups,...)

    * Does Cisco ACS make changes in the Windows registry?

    * Is it necessary to reinstall the Cisco ACS, if I need to put in an emergency on a new server? I guess Yes, because the installation creates services, etc.

    I ask this question because it takes time to install the patches...

    * Or, can I save all the Cisco ACS directory... On a new server, install the Cisco ACS and restore the backup?

    Thank you very much for giving me your experience about it.

    Kind regards

    You should back up the files that come from ACS backups, i.e.

    System Configuration > ACS Backup, the location that is specified in this section.

    And the default location is the one that you already save, for example "C:\Program Files\CiscoSecure ACS v4.2\CSAuth\System backups"

    In case you are required to host ACS on a new server, you would be required to reinstall the complete ACS application and then simply take the last backup and restore it in the newly installed ACS. It will restore everything: users, groups, external database mappings, etc.

    When you install ACS on a new server, make sure that if you run the ACS services with a service account (this is required for Windows authentication, depending on your requirement), you run the new services with this account too, which may require you to go through the following documentation.

    Kind regards


    Please rate if this can help!

  • ACS issues update 4.2 to 4.2.1

    I have been instructed to upgrade our four ACS servers of to the latest version.  ACS servers are appliance based.  I went through the software download page from and we found this file:

    cumulative (ACS SE app/


    Can anyone confirm if it is the latest/best file to download for the latest version 4.2 of the hardware-based Cisco Secure ACS?

    For those who have upgraded to the latest version, can you comment on your experience with the process of upgrading or ACS performance after upgrade?  Any issues/warnings on the process or performance after upgrade?

    Thanks in advance for any useful information that you can provide.


    I don't see step-by-step installation of the patch documented anywhere, because it is the same as applying an upgrade and simple too. Here are the steps you need to perform.

    1. Download the patch zip file to any PC, which we will call the upgrade server or the distribution server.

    2. Unzip the patch.

    3. Run autorun.bat (you will see an ACS appliance update window and it remains in the background.

    You will also see another IE window launch, which gives you a place to put the host name or IP address of the device).

    4. Enter the host name or IP address of the device and click on install.

    5. This will bring up the login window for the ACS unit.

    6. Log in to the ACS.

    7. Click on System Configuration.

    8. Click on upgrade the device status.

    9. Click on download.

    10. Enter the upgrade server IP address, then click on connect.

    11. You will see the patch you are trying to install.  Click Download now.

    12. Click on download it again.

    13. Click on apply the update.

    14. Click on the upgrade again.

    15. Click on Yes.

    16. Click on Yes.

    17. Click done.

    18. On the upgrade server, click 'stop the Distribution Server'.

    In order to stop csagent, go to system configuration > configuration of the device (I think)

    P.S. Please open a TAC case if you are not comfortable in the application of the hotfix.

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Join the ACS 5.4 AD strange question


    We have two ACS boxes with the same version of software (, we have been able to join the domain with only one ACS, and the other ACS gives the attached error.

    When we checked with "main-acs-01 / admin # acs troubleshooting adcheck", it gave the same error for both; however, one ACS successfully joined the domain and the other failed.

    principal-acs-01 / admin # acs troubleshooting adcheck<>

    This command is only for advanced troubleshooting and could suffer a lot of network traffic

    Do you want to continue?  (yes/no) Yes

    OSCHK: Check that it is operating system: pass

    PATCH: Patch Linux check: pass

    PERL: Check that perl is present and is a good version: pass

    SAMBA: Inspection of the installation of Samba: pass

    SPACECHK: Check if there is enough space in/var/usr/tmp: pass

    HOSTNAME: Check the hostname parameter: pass

    NSHOSTS: Check the hosts line in /etc/nsswitch.conf: pass

    DNSPROBE: Probe Server DNS pass

    DNSPROBE: Probe Server DNS pass

    DNSCHECK: Analyze the health of DNS servers database: pass

    WHATSSH: Is it a SSH DirectControl works perfectly with: pass

    SSH: SSHD version and configuration: Note

    : You are running OpenSSH_5.3p1, CiscoSSL 0.9.8r.1.3.

    DOMNAME: Check that the domain name is reasonable: pass

    ADDC: Search for domain controllers in the DNS: pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of

    ADDNS: Search DNS DC xxxx.                      : Pass

    ADPORT: Scan of Port DC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    ADPORT: Scan of Port DC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    ADPORT: Scan of Port DC xxxx.                      : Warning

    : One or several ports did not respond correctly. Either:

    (: a) the domain controller is offline

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : ldap 389/udp - timeout

    : 445/tcp smb - denied

    : ldap 389/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    ADPORT: Scan of Port DC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    ADPORT: Scan of Port DC xxxx.                            : Pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    ADPORT: Scan of Port DC xxxx.                     : Pass

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx.                      : Pass

    ADDNS: Search DNS DC xxxx.                      : Failed

    : Could not resolve the IP address of airportdc1. .

    ADDNS: Search DNS DC xxxx.                      : Pass

    GCPORT: Port scan of GC xxxx.                       : Pass

    ADDNS: Search DNS DC xxxx.                   : Pass

    GCPORT: Port scan of GC xxxx.                    : Pass

    ADDNS: Search DNS DC xxxx.                     : Pass

    GCPORT: Port scan of GC xxxx. : WARNING

    : One or several ports did not respond correctly. Either:

    (: a) the GC is offline now

    (: b) a firewall prevents access to a port

    : The following is a list of ports has failed:

    : gc 3268/tcp - denied

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                        : Pass

    GCPORT: Port scan of GC xxxx.                         : Pass

    ADDNS: Search DNS DC xxxx.                           : Pass

    GCPORT: Scan of Port GC xxxx : pass

    ADDNS: Search DNS DC xxxx.                    : Pass

    GCPORT: Port scan of GC xxxx.                     : Pass

    ADGC: Check Global catalog servers: spend

    DCUP: Search for operational controllers : pass

    SITEUP: Check DCs for in our site: go

    DNSSYM: Check the symmetry of DNS server: pass

    ADSITE: Verify that the subnet of this machine is in a site known as AD: pass

    GSITE: See if we think it is the correct site: pass

    TIME: Synchronization of clocks Check: pass

    2 serious issues have been encountered during the audit. These must be fixed before proceeding

    2 warnings were encountered during the audit. We recommend that you check these before proceeding

    principal-acs-01 / admin #.

    Has anyone faced this problem before? I would be grateful if someone could tell me how to solve it.

    It is a known issue with ACS 5.3. However, we had this problem in ACS 5.3 patch 7 and ACS 5.4.

    Since you're under 5.4 ACS, it should not trigger.

    CSCtx53223    After update 5.3 ACS fail to join the domain AD - lack of license Centrify


    After the upgrade from 5.2 to 5.3, ACS is unable to join the domain. AD connection worked for several days, until the services have been restarted. After this, ACS is unable to join AD with the following in ACSADAgent.log error message:

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin Join to area is permitted only with a licensed copy of DirectControl. Obtain a license or learn more about Centrify following

    Jan 20 02:36:32 CBR1BACS01 Bordes [6814]: DEBUGGING cli.adjoin without a permit, you can connect to a domain via Auto Zone by specifying Bordes w Test.Test


    Move from 5.2 to 5.3. Restart the services thereafter.

    Workaround solution:

    Back up the ACS DB and reimage the box to 5.3

    How did you upgrade to ACS 5.4?

    1.] Upgraded from 5.3 to 5.4 using the upgrade package.

    2.] Reimaged with the ACS 5.4 ISO and restored the ACS 5.3 database.

    I suggest you open a TAC case on this. [Most likely you must reimage the server and restore the database if you went with option 1.]

    ~ BR
    Jatin kone

    * Does the rate of useful messages *.

  • Unstable ACS and AD connectivity when client that connects wireless


    I have ACS 5.3 connected to Active Directory on Windows 2008 R2. I have no problem joining the two services, but when a client attempts to connect to the wireless network, the ACS-to-AD connectivity flapped when I tried to ping the AD server while connecting on the wireless. It just keeps asking for credentials to connect to the wireless, but without success. Based on the ACS logs, Active Directory is unreachable. I did the ACS connectivity test, and it says the test connection succeeded. Connectivity issues only occur when users try to connect to the wireless network. We have another setup with the same configuration but using ACS 5.1, which is currently on the production network with no problem.

    Anyone encountered this problem? Help, please.

    Kind regards

    Yes, there are a few bugs that are mentioned in the release notes-

    However, I recommend that you upgrade to the latest patch; the release notes give the steps on how to install the patch as well.

    Thank you

    Tarik Admani
    * Please note the useful messages *.
