BRKSEC-2044
Next-Generation Network Access Policy with Cisco Secure Access Control System (ACS)
-
2010 Cisco and/or its affiliates. All rights reserved. Cisco PublicPresentation_ID 2
Abstract
The recently released ACS 5 provides a flexible, all new, policy-based model. This is an intermediate session and topics include:
Benefits of the new rules-based policy model
Guidelines and considerations when migrating from ACS 3.x/4.x to the new model
Policy examples of ACS core scenarios such as 802.1X, remote access, device administration
This session is targeted at technical decision makers, network architects and operations staff of enterprises, who are involved in designing or supporting network access policy using ACS. Familiarity with ACS 3.x/4.x is recommended.
-
Abstract (Continued)
Related sessions include:
BRKSEC-2005 Deploying Wired 802.1X
BRKSEC-2046 Cisco Trusted Security (CTS) & Security Group Tagging
BRKSEC-2073 Introduction to PKI
BRKSEC-3005 Advanced IEEE 802.1x Design and Troubleshooting
TECSEC-2010 Migrating Your LAN to IEEE 802.1X
PNLSEC-1040 Panel: Access Control
-
Agenda
Rules-based Policy
ACS Building Blocks
Network Resource Configuration
User and Identity Store Configuration
Policy Element Configuration
Access Policy Configuration
Deployment and Migration Overview
-
ACS 5: Rules-based Policy
-
BORDERLESS NETWORKS: A Next Generation Architecture to Deliver the New Workspace Experience
The Transformation: The World Is Our New Workspace
Any Person, Any Place, Any Device, Any Resource -> Right Person, Right Device, Right Place, Right Resource
-
ACS 5 Flexible Rule-Based Policies
Identity Information (Identity: Network Administrator; Identity: Full-Time Employee; Identity: Guest)
+ Other Conditions (Time and Date; Access Type; Location)
-> Authorization Profiles: Engineering, Human Resources, Finance, Home Access, Guest, Deny Access
-
ACS View Increased Visibility
Customizable Dashboard
Comprehensive Reporting: Standard Reports Templates, Customized Reports
Alarms and Notifications: Custom Triggers, Alerts via Email and Syslog
-
ACS View Improved Troubleshooting
-
Overall AAA Request Flow
Auth Request -> Service Selection -> Access Service (Identity Policy -> Authorization Policy) -> Auth Response
Service Selection policy directs requests to the correct Access Service
Identity Policy selects the identity stores for AA
Authorization Policy determines the authorization for the user
-
ACS Service Selection Policy
AAA Request -> Service Selection -> Access Service 1 / Access Service 2 / Access Service 3 -> AAA Response
ACS Service Selection Criteria:
AAA protocol
Network device group
ACS server
Request attributes
Date and time
AAA client
-
First Match Rule Tables For Policy
Service Selection, Identity Policy and Authorization Policy are each a rule table of Conditions -> Result; the first matching rule is applied (Auth Request -> Auth Response).
-
What Are The Policy Results?
Service Selection -> Access Service (Access Service 1, Access Service 2, Access Service 3)
Identity Policy -> Identity Store(s) For AA
Authorization Policy -> Authorization Profiles (ACL, VLAN, Priv Lvl)
-
What Are The Policy Conditions?
Service Selection: Request Attributes, Device Information
Identity Policy: Auth Type (PAP, CHAP, PEAP, TLS), Certificate Attributes
Authorization Policy: User Groups and Attributes (Attr1, Attr2, Attr3)
More conditions become available at each step
-
Available Policy Conditions
Service Selection: ACS Host Name; Device Filter; Device IP Address; Device Port Filter; End Station Filter; NDGs; Protocol; Time And Date; Use Case
Identity: [Previous column]; Authentication Method; [Certificate attributes]; EAP Authentication Method; EAP Tunnel Building Method
Authorization: [Both previous columns]; Authentication Status; Identity Group; [Internal user attributes]; [Directory groups]; [Directory attributes]; System:UserName; Was Machine Authenticated; [RADIUS and TACACS+ attributes]
-
Example - Service Selection Policy
Protocol | NDG:DeviceType | Access Service
TACACS+ | -ANY- | Device Admin
RADIUS | VPNConcentrators | Remote Access
RADIUS | -ANY- | LAN Access
-
Example - Identity Policy
Policy to select identity stores that are used to authenticate and retrieve attributes/group info
Authentication Method | Identity Store
X509 Certificate | Certificate Profile
MSCHAPv2 | CORP_AD
If no match | Deny Access
-
Example - Authorization Policy
ID Group | Location | Access Type | Time & Date | Compliance | Azn Profile
ENGR | - | - | - | Compliant | ENG
ENGR | - | - | - | Not Compliant | PUB, ENG
CONT | CAMPUS | WIRED | DAY | Compliant | CONT
CONT | CAMPUS | WIRELESS | DAY | Compliant | CONT_WLAN
PRINTERS | CAMPUS | WIRED | - | - | PTR
DEFAULT (If no match found) | QUAR
First match (permissions cannot be merged)
Discrete columns per condition element
Authorization profiles may be combined in Rule results
Default rule (If no match found)
-
ACS 5 GUI Navigation Overview
Access Service building blocks
Service Selection policy and Access Service definition
-
ACS 5: Network Resource Configuration
-
Network Resources
ACS 4 ACS 5
-
ACS 4.x Network Device Grouping
Africa-Southern-SouthAfrica-Firewalls
Africa-Southern-SouthAfrica-Switches
Africa-Southern-SouthAfrica-Routers
Africa-Southern-Namibia-Firewalls
Africa-Southern-Namibia-Switches
Africa-Southern-Namibia-Routers
Africa-Southern-Botswana-Firewalls
Africa-Southern-Botswana-Switches
Africa-Southern-Botswana-Routers
Flat ACS 4 device grouping
-
Powerful ACS 5 Device Grouping
Device Type Hierarchy: All Devices -> Routers (Router1, Router2); Switches (Switch1, Switch2)
Location Hierarchy: All Devices -> Africa Devices -> Southern Devices -> South Africa Devices (Router2, Switch2); Asia Devices
ACS 5 multiple device hierarchies
Single attribute to reference all Southern African devices
Combine nodes in policy to reference device intersection
-
Network Devices With Multiple Group Assignment
Adding devices to device groups
-
Default Network Device
ACS will use the Default Network Device for AAA clients that haven't been defined in ACS
-
Using Hierarchical NDGs
Service Selection:
NDG:Device Type | Access Service
VPN Conc | Remote Access
Wireless | Wireless Access
Switch | Wired Access
Identity Policy:
NDG:Device Type | Identity Store
VPN Conc | OTP
Wireless | AD
Authorization Policy:
NDG:DeviceType | NDG:Location | NDG:Vendor | Authorization Profile
VPN Conc | West | Cisco:IOS | IOS privs
VPN Conc | East | Cisco:XR | XR privs
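The three first-match tables (the Service Selection, Identity Policy and Authorization Policy examples earlier in the deck, plus the hierarchical NDG variants on this slide) can be modelled in a few lines of Python. The block below is an added example written for this page, not Cisco ACS code: the rule rows are transcribed from those tables, while the attribute names (Protocol, NDG:DeviceType, NDG:Location, NDG:Vendor, AuthMethod, IDGroup, AccessType, TimeDate, Compliance), the colon-separated NDG paths and the sample requests are constructed. It goes beyond any single slide by chaining all three stages and by treating NDG and identity-group conditions hierarchically, so a rule on Africa:Southern also matches a device placed under Africa:Southern:Namibia.

```python
"""Added example for this page (not Cisco ACS code): a toy first-match
rule-table evaluator for the ACS 5 flow service selection -> identity policy
-> authorization policy, with hierarchical NDG and identity-group matching.
Rule rows are transcribed from the slide tables; attribute names, NDG paths
and the sample requests are constructed."""
from typing import Any, Dict, List, Tuple

ANY = "-"              # wildcard, written "-" or "-ANY-" in the slide tables
DENY = "Deny Access"
Rule = Tuple[Dict[str, str], Any]     # (conditions, result)
Policy = Tuple[List[Rule], Any]       # (rows, default result when no row matches)


def in_hierarchy(node: str, rule_node: str) -> bool:
    """A rule on 'Africa:Southern' matches that node and every descendant,
    e.g. 'Africa:Southern:Namibia' (one attribute references a whole subtree)."""
    return node == rule_node or node.startswith(rule_node + ":")


def condition_holds(attrs: Dict[str, str], name: str, wanted: str) -> bool:
    """One cell of a rule row checked against the request attributes known so far."""
    if wanted == ANY:
        return True
    actual = attrs.get(name)
    if actual is None:                          # attribute not (yet) available
        return False
    if name.startswith(("NDG:", "IDGroup")):    # tree-valued attributes
        return in_hierarchy(actual, wanted)
    return actual == wanted


def first_match(policy: Policy, attrs: Dict[str, str]) -> Any:
    """Top-down evaluation: the first row whose conditions all hold wins and
    nothing from later rows is merged in. A column omitted from a row is '-'."""
    rows, default = policy
    for conditions, result in rows:
        if all(condition_holds(attrs, k, v) for k, v in conditions.items()):
            return result
    return default


# Service selection by AAA protocol and device-type NDG (both slide tables merged).
SERVICE_SELECTION: Policy = ([
    ({"Protocol": "TACACS+"}, "Device Admin"),
    ({"Protocol": "RADIUS", "NDG:DeviceType": "VPNConcentrators"}, "Remote Access"),
    ({"Protocol": "RADIUS", "NDG:DeviceType": "Wireless"}, "Wireless Access"),
    ({"Protocol": "RADIUS"}, "LAN Access"),
], None)

# Identity policy per access service; a miss means Deny Access.
IDENTITY_POLICY: Dict[str, Policy] = {
    "LAN Access": ([({"AuthMethod": "X509 Certificate"}, "Certificate Profile"),
                    ({"AuthMethod": "MSCHAPv2"}, "CORP_AD")], DENY),
    "Remote Access": ([({"NDG:DeviceType": "VPNConcentrators"}, "OTP")], DENY),
    "Wireless Access": ([({"NDG:DeviceType": "Wireless"}, "AD")], DENY),
}

# Authorization policy per access service; the LAN Access default is QUAR.
AUTHORIZATION: Dict[str, Policy] = {
    "LAN Access": ([
        ({"IDGroup": "ENGR", "Compliance": "Compliant"}, ["ENG"]),
        ({"IDGroup": "ENGR", "Compliance": "Not Compliant"}, ["PUB", "ENG"]),
        ({"IDGroup": "CONT", "NDG:Location": "CAMPUS", "AccessType": "WIRED",
          "TimeDate": "DAY", "Compliance": "Compliant"}, ["CONT"]),
        ({"IDGroup": "CONT", "NDG:Location": "CAMPUS", "AccessType": "WIRELESS",
          "TimeDate": "DAY", "Compliance": "Compliant"}, ["CONT_WLAN"]),
        ({"IDGroup": "PRINTERS", "NDG:Location": "CAMPUS", "AccessType": "WIRED"}, ["PTR"]),
    ], ["QUAR"]),
    "Remote Access": ([
        ({"NDG:DeviceType": "VPNConcentrators", "NDG:Location": "West",
          "NDG:Vendor": "Cisco:IOS"}, ["IOS privs"]),
        ({"NDG:DeviceType": "VPNConcentrators", "NDG:Location": "East",
          "NDG:Vendor": "Cisco:XR"}, ["XR privs"]),
    ], [DENY]),
}


def evaluate(request: Dict[str, str]) -> Dict[str, Any]:
    """Run one AAA request through the three tables in order."""
    service = first_match(SERVICE_SELECTION, request)
    if service is None:
        return {"service": None, "identity_store": None, "result": [DENY]}
    store = first_match(IDENTITY_POLICY.get(service, ([], DENY)), request)
    if store == DENY:                      # nothing to authorize without an identity
        return {"service": service, "identity_store": DENY, "result": [DENY]}
    # A real ACS would now query `store` and add its groups/attributes to the
    # request; the constructed requests in this example already carry them.
    result = first_match(AUTHORIZATION.get(service, ([], [DENY])), request)
    return {"service": service, "identity_store": store, "result": result}


if __name__ == "__main__":
    # Constructed sample: a posture-compliant engineer on a campus switch.
    sample = {"Protocol": "RADIUS", "NDG:DeviceType": "Switches:Switch1",
              "AuthMethod": "MSCHAPv2", "IDGroup": "ENGR:Platform",
              "NDG:Location": "CAMPUS:Bldg1", "Compliance": "Compliant"}
    print(evaluate(sample))   # {'service': 'LAN Access', 'identity_store': 'CORP_AD', 'result': ['ENG']}
```

Each table carries its own default alongside its rows, mirroring the "If no match" rule on the slides. Because a miss in the identity policy yields Deny Access before the authorization table is consulted, a request that cannot be authenticated never reaches a permissive authorization row, and because only the first matching row is returned, permissions are never merged across rows.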
-
Network Resources - Key Changes
ACS 5 supports a single device definition for the same RADIUS and TACACS+ client
Change from flat, exclusive, device grouping, to overlapping, multiple, hierarchical grouping
ACS 5.1 supports a Default Network Device
-
ACS 5: User and Identity Store Configuration
-
Users and Identity Stores
ACS 4 ACS 5
-
Identity Policy Result Options
Identity Policy -> Identity Store(s) For AA
Identity Policy Result Options:
ACS Internal Users/Hosts
Active Directory
LDAP Directories
SecurID/OTP Servers
Certificate Profiles
Identity Store Sequences
-
Identity Store Sequences Enable Different Identity Stores For AA
This Identity Store Sequence allows authentication to an OTP server, while an LDAP directory is queried for authorization information
NDG:DeviceType | Identity Store
VPN Conc | OTP+LDAP
-
Hierarchical User Grouping
Hierarchical grouping for ACS internal users - also available in policy
-
Extensible ACS User Schema
ID Group | Location | Authorization Profile
IT:Networking | Campus 1 | VLAN=User:VLAN
Custom schema attributes are available as policy attributes
Yes, multiple groups!
-
External Groups - Mapping Not Required
Group selection is available for LDAP and AD directories
Directory groups selected here can be used directly in policy conditions without having to map them to an ACS group first
LDAP Groups | Authorization Profile
iPhoneUsers && Execs | iPhone-Exec ACLs
Yes, multiple groups!
-
Using Directory Attributes
Directory attributes specified here become available as conditions and result values in access policy
Department | Nationality | Authorization Profile
Research | Namibia | VLAN=LDAP:VLAN
-
Users and Identity Stores - Key Changes
ACS internal users and user-groups are no longer containers of permissions and no longer define access policy
All access policy is rules-based and attribute-driven
ACS no longer requires a user to be assigned to a user-group
External user-groups are attributes that can be used directly in access policy; group mapping is no longer required
ACS 5.x internal users provide an extensible schema to define user-level attributes that can be used in access policy rules
ACS 5 internal groups are described in a hierarchical tree where each node is a group attribute that can be assigned to an internal user, and therefore be referenced in access policy
Identity Store Sequences are used to combine different identity stores for use in a single authentication/authorization request
-
ACS 5: Policy Element Configuration
-
Policy Elements
ACS 4 ACS 5
-
Date & Time Condition Elements
-
RADIUS Attributes In Authorization Profiles
-
Dynamic Authorization Values: Using Directory Attributes in Authorization Profiles
The user's directory attribute, VLAN, will be queried for the VLAN Id to be used
Common Tasks automatically create the corresponding RADIUS attributes in the authorization profile
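The VLAN=User:VLAN and VLAN=LDAP:VLAN results shown on the earlier user-schema and directory-attribute slides, together with the common-task expansion described here, as an added Python example (written for this page, not Cisco ACS code). The store records, the user names, the profile layout and the mapping of an ACL task to the RADIUS Filter-Id attribute are constructed assumptions; the three RADIUS attributes used for VLAN assignment follow RFC 3580. The example also handles the failure case the slide does not mention: a user whose directory record lacks the VLAN attribute, for whom the profile cannot be completed.

```python
"""Added example for this page (not Cisco ACS code): expanding an
authorization profile whose values are dynamic references such as
VLAN=LDAP:VLAN or VLAN=User:VLAN into the RADIUS attributes a VLAN
assignment needs (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID,
per RFC 3580). The store records, user names, profile layout and the ACL
task's mapping to Filter-Id are constructed for the example."""
from typing import Dict, Optional

# Attributes fetched from the identity store during the identity policy step,
# keyed by store name and then by user (constructed sample data).
STORE_ATTRIBUTES: Dict[str, Dict[str, Dict[str, str]]] = {
    "LDAP": {"user1": {"VLAN": "120", "Department": "Research"}},
    "User": {"user2": {"VLAN": "210"}},   # ACS internal user with a custom VLAN attribute
}


def resolve_value(spec: str, fetched: Dict[str, Dict[str, str]]) -> Optional[str]:
    """'<Store>:<Attribute>' is looked up in the fetched attributes of that
    store; any other value is a static literal. None means the dynamic
    attribute is missing for this user."""
    store, sep, attr = spec.partition(":")
    if sep and store in fetched:
        return fetched[store].get(attr)
    return spec


def vlan_radius_attributes(vlan: str) -> Dict[str, str]:
    """The three RADIUS attributes the VLAN common task expands to."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan}


def build_profile(common_tasks: Dict[str, str],
                  fetched: Dict[str, Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Expand a profile's common tasks into RADIUS attributes. An unresolvable
    dynamic value makes the whole profile fail (None) so the caller can fall
    back to a deny rather than send a half-built authorization."""
    radius: Dict[str, str] = {}
    for task, spec in common_tasks.items():
        value = resolve_value(spec, fetched)
        if value is None:
            return None
        if task == "VLAN":
            radius.update(vlan_radius_attributes(value))
        elif task == "ACL":
            radius["Filter-Id"] = value      # constructed mapping for the ACL task
        else:
            radius[task] = value             # any other task is passed through as-is
    return radius


def authorize(store: str, username: str,
              common_tasks: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Fetch the user's attributes from `store` and expand the profile."""
    fetched = {store: STORE_ATTRIBUTES.get(store, {}).get(username, {})}
    return build_profile(common_tasks, fetched)


if __name__ == "__main__":
    print(authorize("LDAP", "user1", {"VLAN": "LDAP:VLAN"}))
    print(authorize("User", "user2", {"VLAN": "User:VLAN", "ACL": "ENG-ACL"}))
    print(authorize("LDAP", "nobody", {"VLAN": "LDAP:VLAN"}))   # None: attribute missing
```

Returning None for a missing attribute keeps the decision explicit: a caller maps it to the policy's default rule (deny or quarantine) instead of sending an Access-Accept without a VLAN, which on most switches would leave the port on its configured default VLAN.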
-
Policy Elements - Conditions and Authorization Profiles - Key Changes
Policy conditions and authorization permissions are no longer part of users and user-groups
The ACS 5 model extends the ACS 4 Shared Profile Components concept
All conditions and permissions are defined as reusable components
These reusable components are referenced in the rules-based policy
-
ACS 5: Access Policy Configuration
-
Device Administration Scenario
Network Administrators: Backbone, Security, Perimeter, West-APs, East
Access levels: FULL ACCESS, PARTIAL, READ ONLY, SERVER ACCESS
ACS replication; secure auth mechanisms
-
A Device Admin Access Service
Access Service: Identity Policy, Authorization Policy
-
Developing Device Administration Authorization Policy
User Group Conditions; Multiple Device Group Conditions; Shell and Cmd Set Authorization Results
ID Group | NDG:Loc | NDG:Dev Type | Shell Profile | Cmd Sets
IT:NetAdmins:SA:Super Users | Africa:Southern | Any | Priv Lvl 15 | Full
IT:NetAdmins:SA:Wireless | Africa:Southern | Wireless | Priv Lvl 15 | Full
IT:NetAdmins:SA:Auditors | Africa:Southern | Any | Priv Lvl 15 | Read-Only
-
Device Admin Shell Profiles
-
Directing Enable Authentications
-
Network Access Scenario
Identity Information: Group:Contractor, Group:Full-Time Employee, Group:Guest
+ Other Conditions: Time and Date, Access Type, Location, Device Type, 802.1x/Infrastructure
Authorization (Controlling Access): Full Access, Limited Access, Guest/Internet, Deny Access, Quarantine, Track Activity for Compliance
Vicky Sanchez - Employee, Marketing - Wireline - 3 p.m.
Frank Lee - Guest - Wireless - 9 a.m.
Security Camera G/W - Agentless Asset - MAC: F5 AB 8B 65 00 D4
Francois Didier - Consultant - HQ Strategy, Remote Access - 6 p.m.
-
Creating An Access Service - Allowed Protocols
The supported authentication protocols are defined in the access service
-
Creating An Access Service - Identity Policy
Access Service: Identity Policy, Authorization Policy
This authorization policy limits wireless access to engineering and manager groups.
User's directory VLAN attribute is used to assign the VLAN
Identity policy to authenticate both cert and password-based auths
-
Implementing Rules-based Service Selection
A Simple, Protocol-based Service Selection Policy Example
Service Selection
Service selection based on AAA protocol
-
Cisco Alpha Network Service Selection Policy
RADIUS attribute condition
Condition using the system UseCase condition for MAB requests
-
Permission Based On EAP Type
Access Service: Identity Policy, Authorization Policy
Marketing users get different permissions based on whether they are using certificates or passwords for authentication
-
Identity Store Selection Based On ACS Server
Access Service: Identity Policy, Authorization Policy
These rules select the LDAP directory based on the ACS server receiving the request
-
ACS 5: Deployment and Migration Overview
-
ACS 5.1 Platform Options
1120/1121 Hardware Appliance
One rack-unit (1RU) Linux-based appliance
VMware Appliance
Complete appliance image for installation on VMware ESX 3.5 or 4.0
-
ACS 3/4 to 5 Component Mapping
3.x/4.x Component | 5.1 Option | Notes
ACS for Windows | VM in VMware ESX or 1120/1121 appliance | There is no ACS 5 Windows option. ACS 5 is an application/OS bundle that can run in a VM or supported appliance.
ACS Solution Engine (1111, 1112, 1113) | VM in VMware ESX or 1120/1121 appliance | 1111/2/3 platforms do not support ACS 5.x. 4.2 can run on the 1120.
ACS Remote Agent | N/A | The Remote Agent is no longer required in ACS 5.
ACS View 4.0 | VM in VMware ESX or 1120/1121 appliance | View functionality is built-in to ACS 5
-
ACS 5.x Configuration Replication Model
Primary -> Secondaries
Incremental replication
Full synchronization, no subset options
Automatically triggered on change
Flat two-level model, no cascading replication
Config updates on primary only, except for AAA password updates
-
ACS Distributed Deployment
Consists of multiple ACSs that are managed together
One Primary and multiple Secondary servers
All ACS instances are identical (run full ACS software version)
Each ACS can play a specific role in the deployment
Incremental replication model
Primary ACS is single point of configuration & to monitor secondary servers
Automatic incremental replication to Secondary servers
Diagram: ACS Master with ACS Secondaries; database download, then incremental replication
-
Promoting a Secondary to be a Master
Diagram: ACS Master (failed, marked X) and ACS Secondaries; DB download and incremental replication; one secondary becomes the Promoted Master
Each secondary could take the role of the master
Secondary promotion to be a master is manual
The master (if not failed) is stopped
Replication is allowed to complete
The promoted secondary notifies all ACS instances
On promotion the secondary interrogates all instances for their replication status
-
ACS Logging Options
ACS 3.x/4.x: ACS to ACS, ODBC, RDBMS, Syslog, ACS View 4.0
ACS 5.1: Syslog, Integrated View
One ACS 5 server can be designated as a View log collector
ACS 5.1 View logging db can synchronize with an external db
-
ACS 5.1 Identity Stores
Internal users
Active Directory
LDAP directories
One-Time Password (OTP) Servers
RSA SecurID
Others (using RADIUS interface)
RADIUS proxy servers
No ODBC support
-
ACS Configuration Provisioning
Web-based GUI
CSV file-based updates
GUI and CLI triggered
Web services programmatic interface for password update applications
Use instead of User Changeable Passwords (UCP) in ACS 3.x/4.x
-
Licensing
License | Description
Base Server | One per ACS instance
Large Deployment | One per ACS deployment when the network device count (based on IP address) in ACS exceeds 500. (Configuring the Default Network Device does contribute to the device count).
-
Low-end of ACS 5.1 Performance (Authentications/second)
Auth Type | Internal | AD | LDAP
PAP | 500 | 100 | 800
CHAP | 500 | 500 | N/A
TACACS+ | 400 | 160 | 1200
MSCHAP | 500 | 300 | N/A
PEAP-MSCHAP | 200 | 100 | N/A
PEAP-GTC | 200 | 100 | 300
EAP-TLS | 200 | 180 | 270
LEAP | 330 | 280 | N/A
FAST-MSCHAP | 120 | 120 | N/A
FAST-GTC | 130 | 110 | 190
MAC-Auth Bypass | 750 | N/A | 2000
-
Performance Notes
Expect up to a 50% performance drop on the log collector ACS
Expect a 10-50% higher authentication performance on the 1121 appliance
Assumes session resume and fast reconnect is enabled where applicable for EAP protocols
-
Minimum ACS Deployment
Consists of 2 servers
Primary server provides all the configuration, authentication and policy requirements for the network.
Second server used as a backup server.
Replication from primary ACS to secondary ACS to keep the secondary server in synchronization.
-
Medium Growing ACS Deployment
As the AAA traffic grows, add additional Cisco Secure ACS servers
Consider splitting server functions - the primary server for configuration and log collection only, using the secondary servers for AAA functions.
-
Larger ACS Deployment
In a large, centralized network consider the use of a load balancer
Dedicated primary and log collector ACS servers
-
Server Migration Strategy
Establish a primary ACS 5 configuration for testing and then phased production roll out
Maintain existing ACS deployment as a fall-back contingency
In most cases, a one-for-one server replacement is appropriate
Understand the peak authentication rates
Use ACS View System Health alarms to monitor server utilization
-
Configuration Migration Methods Summary
Approach | Notes
Manual configuration | Necessary for areas such as initial setup tasks and config areas that don't translate easily from 3.x/4.x. A useful approach for learning ACS 5 and for migrating smaller configurations.
Import tools | Good option for migrating large configuration areas that are available in a CSV file. Easy to manipulate data.
Migration tool | Can analyze, report on, and migrate many configuration areas of 4.1.4/4.2 configs. Provides config analysis and transfers config directly to ACS 5. Requires an ACS 4.x Windows lab machine to run the tool.
-
ACS 5: Configuration Migration Techniques
-
Configuration Migration Approach
Understand the new ACS 5 configuration and policy model
To create ACS 5 primary server configuration, use a combination of:
Manual configuration
Import tool
Migration tool
-
Configuration Migration Methods - Manual Configuration
Required for all migrations
ACS 5 has a new configuration model that doesn't translate directly from previous versions.
Migration and import tools will help to transfer some configuration areas, but other areas will require manual re-configuration
Good option for:
Small configurations
Configurations that don't use internal users
-
Configuration Migration Methods - Import Tools
ACS 5.1 provides CSV file-based configuration update for some configuration areas
Supported config areas: Users, hosts, network devices, identity groups, NDGs, downloadable ACLs, command sets
Good option for:
Config areas that can be created in text files
Pre-4.x configs that can't be upgraded easily
-
Configuration Migration Methods - Migration Tool
A utility that analyzes a 4.x configuration, provides an analysis report, and can convert and push configuration to an ACS 5 server
Supported config areas: Users/user groups, devices/device groups, command sets, T+ shell exec attrs, RACs, FAST master key & auth ID
Prerequisites: Source configuration on ACS 4.x; ACS 4.x (Windows) lab machine (to run tool)
Good option for: 4.x migrations with large internal user or device configs
-
References and Resources
ACS home page
http://cisco.com/go/acs
Migration Guide
http://cisco.com/go/acs -> Install and Upgrade
Partner forum
https://www.myciscocommunity.com/community/partner/security?view=overview
Customer forum
https://supportforums.cisco.com -> AAA
-
Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes. Winners announced daily.
Receive 20 Cisco Preferred Access points for each session evaluation you complete.
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year.
Activate your account at any internet station or visit www.ciscolivevirtual.com.