Cisco Identity Services Engine, Release 2.0 Migration Tool Guide
First Published: 2015-05-07
Last Modified: 2015-10-15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000, 800 553-NETS (6387)
Fax: 408 527-0883
© 2015 Cisco Systems, Inc. All rights reserved.
CONTENTS
CHAPTER 1 Cisco Secure ACS to Cisco ISE Data Migration 1
Migration Overview 1
Data Migration from Cisco Secure ACS 2
Supported Data Migration Paths 2
Supported Cisco Secure ACS Releases for Data Migration 3
Enabling the Migration Interfaces 3
Enabling Trusted Certificates in the Migration Tool 4
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE 4
Migrating from Cisco Secure ACS, Release 3.x 5
Migrating from Cisco Secure ACS, Release 4.x 5
Migrating from Cisco Secure ACS, Release 5.x 6
Policy Models 6
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set 6
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set 7
Cisco Secure ACS Distributed Deployment Model 7
Cisco ISE Distributed Deployment Model 7
Migration Features 8
Data Export 8
Resume a Failed Data Migration 8
Migration of TACACS+ Features to Cisco ISE 9
Migration of External Proxy Servers 9
Migration of External Proxy Server Sequences 10
Migration Tool Reports 10
Export Report 11
Policy Gap Analysis Report 11
Import Report 12
UTF-8 Support 12
Network Access User Configuration 12
RSA 13
RADIUS Token 13
Policies 13
FIPS Support for ISE 802.1X Services 13
Cisco Secure ACS/Cisco ISE Version Validation 14
CHAPTER 2 Cisco Secure ACS to Cisco ISE Migration Tool 15
Data Migration from Cisco Secure ACS to Cisco ISE 15
Data Migration Time Estimate 15
Cisco Secure ACS to Cisco ISE Migration Tool 16
Minimum Data Configuration Required to Start Migration 16
Migration Tool Monitors Progress of Data Migration 17
Checkpoints to Continue Migration in the Migration Tool 17
Export Configuration Data from Cisco Secure ACS 17
Analyze Configuration Data 17
Data Persistence 17
Import Configuration Data into Cisco ISE 17
Software Requirements 18
CHAPTER 3 Data Migration Principles 19
Data Migration and Deployment Scenarios 19
Migrating Data from a Single Cisco Secure ACS Appliance 19
Migrating Data from a Distributed Environment 20
Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6 21
Policy Services Migration Guidelines 21
Per Policy Service Migration Guidelines 22
Cisco Secure ACS Policy Rules Migration Guidelines 23
Unsupported Rule Elements 23
CHAPTER 4 Migration Tool Installation 27
Migration Tool Installation Guidelines 27
System Requirements 28
Security Considerations 28
Downloading Migration Tool Files from Cisco ISE Admin Portal 28
Initializing the Cisco Secure ACS to Cisco ISE Migration Tool 29
CHAPTER 5 Persistent Data Transfer Procedure 31
Exporting Data from Cisco Secure ACS 31
Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS 32
Importing Data in to Cisco ISE 34
Migrated Data Verification in Cisco ISE 34
APPENDIX A Data Structure Mapping 35
Data Structure Mapping 35
Migrated Data Objects 35
Data Objects Not Migrated 37
Partially Migrated Data Objects 38
Supported Attributes and Data Types 38
User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0 38
User Attribute: Association to the User 38
Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 39
Host Attribute: Association to the Host 39
RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 40
RADIUS Attribute: Association to RADIUS Server 40
Data Information Mapping 40
Network Device Mapping 41
Active Directory Mapping 41
External RADIUS Server Mapping 42
Hosts (Endpoints) Mapping 42
Identity Dictionary Mapping 43
Identity Group Mapping 44
LDAP Mapping 44
NDG Types Mapping 45
NDG Hierarchy Mapping 45
RADIUS Dictionary (Vendors) Mapping 46
RADIUS Dictionary (Attributes) Mapping 46
User Mapping 47
Certificate Authentication Profile Mapping 47
Authorization Profile Mapping 48
Downloadable ACL Mapping 48
External RADIUS Server Mapping 48
External TACACS+ Server Mapping 49
Command Sets Attributes Mapping 49
Shell Profile Attributes Mapping 50
Identity Attributes Dictionary Mapping 50
RADIUS Token Mapping 51
RSA Mapping 52
RSA Prompts Mapping 53
Identity Store Sequences Mapping 53
Default Network Devices Mapping 54
APPENDIX B Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool 55
Unable to Start the Migration Tool 55
Troubleshooting Connection Issues in the Migration Tool 55
Error Messages Displayed in Logs 56
Connection Error 56
I/O Exception Error 57
Out of Memory Error 57
Default Folders, Files, and Reports are Not Created 57
Migration Export Phase is Very Slow 57
Reporting Issues to Cisco TAC 58
CHAPTER 1 Cisco Secure ACS to Cisco ISE Data Migration
This chapter describes information related to data migration from Cisco Secure Access Control System (ACS), Release 5.5 or 5.6, to Cisco Identity Services Engine (ISE), Release 2.0.
• Migration Overview, page 1
• Data Migration from Cisco Secure ACS, page 2
• Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, page 4
• Policy Models, page 6
• Cisco Secure ACS Distributed Deployment Model, page 7
• Cisco ISE Distributed Deployment Model, page 7
• Migration Features, page 8
• Migration Tool Reports, page 10
• UTF-8 Support, page 12
• FIPS Support for ISE 802.1X Services, page 13
• Cisco Secure ACS/Cisco ISE Version Validation, page 14
Migration Overview
The differences in Cisco Secure ACS 5.x and Cisco ISE platforms, operating systems, databases, and information models mandate a migration application that reads data from Cisco Secure ACS and creates the corresponding data in Cisco ISE. You can run the migration application after installing Cisco ISE. The migration application is a utility that Cisco provides to extract the configuration from Cisco Secure ACS and import it to Cisco ISE. The migration administrator can view the current progress as well as the detailed logs related to the ACS configuration during the entire migration process for troubleshooting purposes. Warning messages are displayed for objects, attributes, and policies that are not migrated. After migration, we strongly recommend that you verify that the migrated configurations (especially the policy sets) are appropriate.
Data Migration from Cisco Secure ACS
Before you migrate the existing Cisco Secure ACS, Release 5.5 or 5.6 data to a Cisco ISE, Release 2.0, VM or appliance, ensure that you have read and understood all setup, backup, and installation instructions.
We recommend that you fully understand the related data structure and schema differences between Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 systems before you attempt to migrate existing Cisco Secure ACS, Release 5.5 or 5.6 data.
When you migrate from a Cisco Secure ACS, Release 5.5 or 5.6 database to Cisco ISE, Release 2.0, data migration supports the following:
• Provides support for the features of Cisco Secure ACS, Release 5.5 or 5.6 in Cisco ISE, Release 2.0.
Note: Cisco ISE 2.0 does not support migration from Cisco Secure ACS version 5.7 or later.
• Provides support for new features in Cisco ISE, Release 2.0 when data is migrated from Cisco Secure ACS, Release 5.5 or 5.6.
Note: Not all Cisco Secure ACS data can be migrated into Cisco ISE due to the functional gap that is dynamically changing with each Cisco Secure ACS or Cisco ISE release. Migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 minimizes the configuration gap, which means it supports Cisco Secure ACS features that were not supported before in Cisco ISE.
Note: Due to the differences in the Cisco ISE and Cisco Secure ACS data related to the naming convention, policy hierarchy, pre-defined objects, and so on, the migration tool may not support all objects. However, it displays warnings and errors for objects that are not migrated to facilitate corrective measures.
Related Topics
Supported Data Migration Paths, on page 2
Enabling the Migration Interfaces, on page 3
Supported Cisco Secure ACS Releases for Data Migration, on page 3
Enabling Trusted Certificates in the Migration Tool, on page 4
Supported Data Migration Paths
You cannot migrate data from Cisco Secure ACS, Releases 3.x, 4.x, and 5.x to Cisco ISE, Release 1.0, but previous data migration is supported only from Cisco Secure ACS, Release 5.1 to Cisco ISE, Release 1.0; Cisco Secure ACS, Release 5.1/5.2 to Cisco ISE, Release 1.1; or Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2.
Data migration from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 is now supported using the Cisco Secure ACS to Cisco ISE Migration Tool. You can also upgrade Cisco Secure ACS, Release 3.x to Cisco Secure ACS, Release 4.x, and then to Cisco Secure ACS, Release 5.5 or 5.6.
Cisco Secure ACS 3.x, 4.x, 5.0, 5.1, 5.2, and 5.3 are not supported. Cisco ISE 1.3, 1.4, and 2.0 support ACS 5.5 and 5.6.
Related Topics
Data Migration from Cisco Secure ACS, on page 2
Supported Cisco Secure ACS Releases for Data Migration
You can migrate data from earlier releases of Cisco Secure ACS software to a point where you can migrate it to Cisco ISE, Release 2.0.
Depending upon the starting release stage of the Cisco Secure ACS data that you want to migrate to a Cisco ISE, Release 2.0, appliance, there may be several migration stages required before you can use the migration tool.
Related Topics
Data Migration from Cisco Secure ACS, on page 2
Enabling the Migration Interfaces
Before you can begin the migration process, you must enable the interfaces used for the data migration on the Cisco Secure ACS and Cisco ISE servers. It is recommended to disable the migration interfaces on both servers after the migration process is completed.
Step 1 Enable the migration interface on the Cisco Secure ACS machine by entering the following command in the Cisco Secure ACS CLI:
acs config-web-interface migration enable
Step 2 Enable the migration interface on the Cisco ISE server by performing the following tasks:
a) In the Cisco ISE CLI, enter application configure ise.
b) Enter 11 to enable/disable ACS Migration.
c) Enter Y.
Note: After the migration process is completed, disable the migration interface on the Cisco Secure ACS machine using the following command: acs config-web-interface migration disable
Note: Disable the migration interface on the Cisco ISE server after the migration process is completed.
Related Topics
Data Migration from Cisco Secure ACS, on page 2
Enabling Trusted Certificates in the Migration Tool
Before You Begin
Download the migration tool from Cisco ISE to a client machine. To enable the export of data from the Cisco Secure ACS server to the migration tool (on the client machine), you can either trust the Cisco Secure ACS CA certificate or the Cisco Secure ACS management certificate.
To enable the import of data from the migration tool to the Cisco ISE server, you can either trust the Cisco ISE CA certificate or the Cisco ISE management certificate.
To enable the trusted certificates in the migration tool:
• In Cisco Secure ACS, ensure that the server certificate is in the System Administration > Configuration > Local Server Certificates > Local Certificates page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) in the certificate is used in the ACS5 Credentials dialog box to establish the connection and export data from Cisco Secure ACS.
• In Cisco ISE, ensure that the server certificate is in the Administration > System > Certificates > Certificate Management > System Certificates page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) is used in the ISE Credentials dialog box to establish the connection and import data from the migration tool to Cisco ISE.
Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Settings > Trusted Certificates > Add to include the Cisco Secure ACS and Cisco ISE certificates to enable trusted communication. You can view or delete the certificate in the migration tool.
Step 2 In the Open dialog box, choose the folder containing the trusted root certificate and click Open to add the selected Cisco ISE certificate to the migration tool.
Step 3 Repeat the previous step to add the Cisco Secure ACS certificate.
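The connection only succeeds when the name typed into the ACS5 or ISE Credentials dialog is one the server certificate actually carries (SAN DNS name or subject CN). The following is an added example, not part of the Cisco guide or the migration tool, that performs that pre-check offline on a certificate dict in the shape Python's ssl.getpeercert() returns; the hostnames in SAMPLE_ACS_CERT are constructed placeholders, and fetch_server_cert assumes you pass the PEM file you will add under Settings > Trusted Certificates.

```python
import socket
import ssl
from typing import Dict, List

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The names are placeholders, not from a real ACS or ISE deployment.
SAMPLE_ACS_CERT: Dict = {
    "subject": ((("commonName", "acs.example.test"),),),
    "subjectAltName": (("DNS", "acs.example.test"), ("DNS", "*.lab.example.test")),
}


def cert_names(cert: Dict) -> List[str]:
    """Names the server can be addressed by: SAN DNS entries first, then the
    subject CN as a fallback (the two fields the guide says the dialog uses)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def _label_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison; a leading '*' covers exactly one label."""
    pat = pattern.lower().split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        return pat[1:] == host[1:] and host[0] != ""
    return pat == host


def dialog_name_is_trusted(cert: Dict, dialog_hostname: str) -> bool:
    """True when the name you intend to enter in the Credentials dialog is
    present in the certificate, so the TLS name check will pass once the
    certificate has been added to the tool's trusted certificates."""
    return any(_label_match(name, dialog_hostname) for name in cert_names(cert))


def fetch_server_cert(host: str, trusted_pem_path: str, port: int = 443) -> Dict:
    """Retrieve the certificate a server presents, trusting only the PEM you
    intend to import into the migration tool (assumed path). check_hostname is
    off here only so the name comparison can be reported separately."""
    ctx = ssl.create_default_context(cafile=trusted_pem_path)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for candidate in ("acs.example.test", "ise.lab.example.test", "10.0.0.5"):
        print(candidate, "->", dialog_name_is_trusted(SAMPLE_ACS_CERT, candidate))
```

An IP address typed into the dialog fails this check unless the certificate lists it, which is the usual cause of a connection error at this step.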
Related Topics
Data Migration from Cisco Secure ACS, on page 2
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE
You can migrate earlier releases of Cisco Secure ACS data to the Cisco Secure ACS, Release 5.5 or 5.6 state so that it can be migrated to a Cisco ISE, Release 2.0, appliance using the migration tool.
Related Topics
Migrating from Cisco Secure ACS, Release 3.x, on page 5
Migrating from Cisco Secure ACS, Release 4.x, on page 5
Migrating from Cisco Secure ACS, Release 5.x, on page 6
Migrating from Cisco Secure ACS, Release 3.x
If you are running Cisco Secure ACS, Release 3.x in your environment, upgrade to a migration-supported version of Cisco Secure ACS, Release 4.x, and then upgrade to Cisco Secure ACS, Release 5.5 or 5.6.
Step 1 Check the upgrade path for Cisco Secure ACS, Release 3.x, as described in the Installation Guide for Cisco Secure ACS Solution Engine 4.1 or Installation Guide for Cisco Secure ACS Solution Engine 4.2.
Step 2 Upgrade your Cisco Secure ACS, Release 3.x server to a migration-supported version of Cisco Secure ACS, Release 4.x. For example, upgrade to one of the following releases: Cisco Secure ACS 4.1.1.24, Cisco Secure ACS 4.1.4, Cisco Secure ACS 4.2.0.124, or Cisco Secure ACS 4.2.1.
Step 3 After the upgrade, follow the steps that describe migrating from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4
Migrating from Cisco Secure ACS, Release 4.x
If you are not running one of the migration-supported versions of Cisco Secure ACS, Release 4.x in your environment, upgrade to a point where you can migrate from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.
Step 1 Upgrade the Cisco Secure ACS, Release 4.x version to a migration-supported version, if your Cisco Secure ACS, Release 4.x server currently does not run one of the migration-supported versions.
Step 2 Install the same migration-supported version of Cisco Secure ACS on the migration machine, which is a Windows server.
Step 3 Back up the Cisco Secure ACS, Release 4.x data and restore it on the migration machine.
Step 4 Place the Migration utility on the migration machine. You can get the Migration utility from the Installation and Recovery DVD.
Step 5 Run the Analyze and Export phase of the Migration utility on the migration machine.
Step 6 Resolve any issues in the Analyze and Export phase.
Step 7 Run the Import phase of the Migration utility on the migration machine. During this phase, the Migration utility imports data into the Cisco Secure ACS, Release 5.5 or 5.6 server.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4
Migrating from Cisco Secure ACS, Release 5.x
If you are running Cisco Secure ACS, Release 5.x in your environment, you must upgrade to Cisco Secure ACS, Release 5.5 or 5.6. To migrate internal users from Cisco Secure ACS 5.5 to Cisco ISE, you must install Cisco Secure ACS 5.5 Patch 4 or later and then start the migration.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4
Policy Models
Cisco Secure ACS and Cisco ISE both have simple and rule-based authentication paradigms, but they are based on different policy models, which makes migrating policies from Cisco Secure ACS to Cisco ISE a bit complex.
The Cisco Secure ACS policy hierarchy starts with the Service Selection rule that redirects the authentication requests to the access services. The access services consist of identity and authorization policies that authenticate the user against internal or external identity stores and authorize the users based on the conditions defined.
Authentication and authorization policies are migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0. Cisco ISE, Release 2.0 supports the new policy model called Policy Set, which is similar to the Service Selection Policy (SSP) in Cisco Secure ACS, Release 5.5/5.6, thus simplifying the policy migration process.
Related Topics
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set, on page 6
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set, on page 7
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set
The Cisco Secure ACS, Release 5.5/5.6 Service Selection Policy (SSP) distributes requests to the appropriate services based on SSP rules, whereas a Cisco ISE policy set holds a rule that contains the entry criteria to the policy set. The policy sets are ordered in the same order as their entry rules, which mirrors the order of the SSP rules.
Several SSP rules may request the same service (that is, reuse a service) in Cisco Secure ACS. However, each policy set carries its own entry condition; therefore, you cannot reuse a policy set in Cisco ISE. If you want to migrate a single service that is requested by several SSP rules, you must create multiple policy sets that are copies of that service, which means that you must create a policy set in Cisco ISE for each SSP rule that requests the same service in Cisco Secure ACS.
You can define SSP rules as disabled or monitored in Cisco Secure ACS, but the equivalent entry rules of a policy set are always enabled in Cisco ISE. If SSP rules are disabled or monitored in Cisco Secure ACS, the policy services that are requested by those SSP rules cannot be migrated to Cisco ISE.
Related Topics
Policy Models, on page 6
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set
In Cisco Secure ACS, you can define a policy service without any SSP rule requesting it, which leaves that policy service inactive. Cisco Secure ACS, Release 5.5 or 5.6 has an out-of-the-box DenyAccess service, which has neither policies nor allowed protocols and is the target of the default SSP rule in Cisco Secure ACS, so it automatically denies all requests. There is no equivalent policy set in Cisco ISE, and you cannot have a policy set without an entry rule that refers to the policy set in Cisco ISE.
In Cisco Secure ACS, Release 5.5 or 5.6, allowed protocols are attached to the entire service (not to a specific policy) and are not conditioned, except for the condition in the SSP that points to the entire service. In Cisco ISE, allowed protocols refer only to the authentication policies, as a result of a conditioned outer rule.
In Cisco Secure ACS, Release 5.5 or 5.6, the identity policy is a flat list of rules that results in an identity source (identity source and identity store sequence). In Cisco ISE, an authentication policy holds two levels of rules: outer policy rules and inner policy rules. The outer policy rules result in allowed protocols and are the entry criteria to the set of inner policy rules. The inner policy rules result in an identity source.
Both Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 include an optional exception policy attached to each authorization policy. Cisco ISE, Release 2.0 additionally provides an optional Global Exception Policy that affects all authorization policies. There is no equivalent to the Global Exception Policy in Cisco Secure ACS, Release 5.5 or 5.6. During authorization, the local exception policy is processed first, followed by the Global Exception Policy and then the authorization policy.
Related Topics
Policy Models, on page 6
Cisco Secure ACS Distributed Deployment Model
The Cisco Secure ACS deployment model consists of one primary and multiple secondary Cisco Secure ACS servers, where configuration changes are made on the primary Cisco Secure ACS server. These configurations are replicated to the secondary Cisco Secure ACS servers. All primary and secondary Cisco Secure ACS servers can process AAA requests. The primary Cisco Secure ACS server is also the default log collector for the Monitoring and Report Viewer, although you can configure any Cisco Secure ACS server to be the log collector.
Cisco ISE Distributed Deployment Model
The Cisco ISE deployment model consists of one primary node with multiple secondary nodes. Each Cisco ISE node in a deployment can take one or more of the following personas: Administration, Policy Service, and Monitoring. After you install Cisco ISE, all the nodes will be in the standalone state. You must define one of the Cisco ISE nodes as the primary node running as an Administration persona. After defining the primary node, you can configure other Cisco ISE nodes with Policy Service and Monitoring personas. You can then register other secondary nodes with the primary node and define specific roles for each of them. When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. All configuration changes are made on the primary Administration ISE node and replicated to the secondary nodes. The Monitoring ISE node acts as the log collector.
Migration Features
The migration tool is responsible for transferring Cisco Secure ACS data to Cisco ISE and performs three major steps:
1 Exports data from Cisco Secure ACS.
2 Persists data in the migration tool.
3 Imports data into Cisco ISE.
Related Topics
Data Export, on page 8
Data Import
Object Scalability
Resume a Failed Data Migration, on page 8
Data Export
The first stage in the migration process is to export Cisco Secure ACS data using the Cisco Secure ACS Programmatic Interface (PI). You have to log in to the Cisco Secure ACS, Release 5.5 or 5.6 system from which you will be exporting data and request to export the data into the migration application. The exported data is validated to verify whether it can be imported into a Cisco ISE, Release 2.0 appliance successfully. In cases where the data is invalid, the status is logged in the Export Report.
Related Topics
Migration Features, on page 8
Resume a Failed Data Migration
The migration tool maintains a checkpoint at each stage of the import or export operation. This means that if the process of importing or exporting fails, you do not have to restart the process from the beginning. You can start from the last checkpoint before the failure occurred.
If the migration process fails, the migration tool terminates the process. When you restart the migration tool after a failure, a dialog box is displayed that allows you to choose to resume the previous import/export or discard the previous process and start a new migration process. If you choose to resume the previous process, the migration process resumes from the last checkpoint. Resuming from a failure also resumes the report from the previous process.
Related Topics
Migration Features, on page 8
Migration of TACACS+ Features to Cisco ISE
Given below are the TACACS+ settings that are migrated to Cisco ISE.
• Enable Password: Internal users are migrated from Cisco Secure ACS along with the enable password attribute to Cisco ISE.
• Network Devices: Network devices configured with TACACS+ settings, such as shared secret and single connect mode, in Cisco Secure ACS are exported to the migration tool.
◦ Default Network Device: The default network device object configured with TACACS+ settings is exported from Cisco Secure ACS and imported to ISE during migration on a fresh installation of Cisco ISE, Release 2.0. In an existing Cisco ISE configuration, the default network devices (with RADIUS and TACACS+ settings) are updated.
• Shell Profiles: The shell profile object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Profiles page. The page contains predefined attributes that are identified by ISE, and the rest of them are displayed as custom attributes. The migrated attributes have a description to indicate that they were migrated from Cisco Secure ACS. Both static and dynamic attributes are supported.
• Command Sets: The command sets object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Command Sets page. Cisco Secure ACS adds a description for migrated objects that do not have one. For migrated objects that already have a description, Cisco Secure ACS retains the same.
• TACACS Global Settings: The TACACS+ Global Settings object in Cisco Secure ACS is exported to the Migration tool, and validation errors or warnings are reported. The data can be imported as part of the predefined data objects in the migration tool.
• TACACS Policies: TACACS+ authentication, authorization, and authorization exception policies for the device administration service are imported to Cisco ISE. The results of an authorization policy rule may be command sets and a shell profile. If a command set or shell profile is not exported due to an error, then the policy is not exported to the migration tool.
During migration, the migration tool maintains two policy sets, one for network access and another for device administration services. During import to ISE, the migration tool checks the type of service and determines the policy to which it has to be imported.
Note: Be sure to check the policy configuration in Cisco ISE after migration.
Migration of External Proxy Servers
The migration tool can export proxy objects from the following external proxy servers:
• TACACS+ External Proxy Server: When an external proxy server is configured with TACACS+, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > External TACACS Servers page.
• RADIUS External Proxy Server: When an external proxy server is configured with RADIUS, the RADIUS objects are migrated to the Administration > Network Resources > External RADIUS Servers page.
• Cisco Secure ACS External Proxy Server: When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS+ and RADIUS) option, the TACACS and RADIUS objects are migrated to different locations. The TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > External TACACS Servers page with the word "TACACS_" prefixed to the object name. The RADIUS objects are migrated to the Administration > Network Resources > External RADIUS Servers page with the word "RADIUS_" prefixed to the object name.
Cisco Secure ACS does not support single connect configuration; therefore, during import the migration application creates the proxy objects with the default values supported by Cisco ISE for this attribute.
Migration of External Proxy Server Sequences
The migration tool can export a set of external servers from the following external proxy servers:
• TACACS+ External Proxy Server: When an external proxy server is configured with a TACACS+ server sequence, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page.
• RADIUS External Proxy Server: When an external proxy server is configured with a RADIUS server sequence, the RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page.
• Cisco Secure ACS External Proxy Server: When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS and RADIUS) option, the TACACS and RADIUS objects are migrated to different locations. The TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page with the word "TACACS_" prefixed to the object name. The RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page with the word "RADIUS_" prefixed to the object name.
Migration Tool Reports
Cisco ISE generates reports for import, export, and policy gap analysis during Cisco Secure ACS, Release 5.5/5.6 data migration.
If you decide to share the report files with anyone, or want to save them to another location, you can find the following files in the Reports folder of the migration tool directory:
• import_report.txt
• export_report.txt
• policy_gap_report.txt
Related Topics
Export Report, on page 11
Import Report, on page 12
Policy Gap Analysis Report, on page 11
Export Report
This report indicates specific information or errors that are encountered during the export of data from the Cisco Secure ACS database. It contains a data analysis section at the end of the report, which describes the functional gap between Cisco Secure ACS and Cisco ISE. The export report also includes error information for exported objects that will not be imported.
Table 1: Cisco Secure ACS to Cisco ISE Migration Tool Export Report
Report Type | Message Type | Message Description
Export | Information | Lists the names of the data objects that were exported successfully.
Export | Warning | Lists export failures or exports that were not attempted because the data object is not supported by Cisco ISE, Release 2.0.
Related Topics
Migration Tool Reports, on page 10
Policy Gap Analysis Report
This report lists specific information related to the policy gap between Cisco Secure ACS and Cisco ISE, and is available after completion of the export process by clicking the Policy Gap Analysis Report button in the migration tool user interface.
During the export phase, the migration tool identifies the gaps in the authentication and authorization policies. If any policy is not migrated, it is listed in the Policy Gap Analysis report. The report lists all the incompatible rules and conditions that are related to policies. It describes data that cannot be migrated and the reason, with a manual workaround.
Some conditions can be automatically migrated by using the appropriate Cisco ISE terminology; for example, a condition named Device Type In is migrated as Device Type Equals. If a condition is supported or can be automatically translated, it does not appear in the report. If a condition is found as "Not Supported" or "Partially supported," the policy is not imported and the conditions appear in the report. It is the responsibility of the administrator who is performing the migration to modify or delete such conditions. If they are not modified or deleted, policies are not migrated to Cisco ISE.
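The following is an added example, not code from the Cisco guide or the migration tool, that models the two rules described above in one pass: the Service Selection Policy section (one ISE policy set per enabled SSP rule, with disabled or monitored rules and their services not migrated) and the Policy Gap Analysis section (the Device Type In to Device Type Equals translation, and policies that are not imported when a condition is Not Supported or Partially supported). The only translation the guide gives is In to Equals; the UNSUPPORTED_OPERATORS table and the SAMPLE_SSP rules are constructed assumptions standing in for a real gap report.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Operator translation taken from the guide's example (In -> Equals).
CONDITION_TRANSLATION = {"In": "Equals"}
# Assumed gap classification; the tool's real list appears in its Policy Gap report.
UNSUPPORTED_OPERATORS = {"Not In": "Not Supported", "Matches Regex": "Partially supported"}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: str


@dataclass
class SspRule:
    name: str
    service: str
    conditions: List[Condition]
    state: str = "enabled"  # enabled | disabled | monitored


@dataclass
class PolicySet:
    name: str
    entry_conditions: List[Condition]
    service: str


def translate(cond: Condition) -> Tuple[Condition, str]:
    """Return the ISE-form condition and a gap label ('' when it migrates cleanly)."""
    if cond.operator in CONDITION_TRANSLATION:
        return Condition(cond.attribute, CONDITION_TRANSLATION[cond.operator], cond.value), ""
    if cond.operator in UNSUPPORTED_OPERATORS:
        return cond, UNSUPPORTED_OPERATORS[cond.operator]
    return cond, ""


def migrate_ssp(rules: List[SspRule]) -> Tuple[List[PolicySet], List[str]]:
    """Build one policy set per enabled SSP rule (a service referenced by several
    rules is copied once per rule, since each policy set owns its entry condition)
    and collect gap-report lines for everything that is not migrated."""
    policy_sets: List[PolicySet] = []
    gap_report: List[str] = []
    for rule in rules:
        if rule.state != "enabled":
            gap_report.append(f"{rule.name}: SSP rule is {rule.state}; "
                              f"service '{rule.service}' not migrated")
            continue
        translated, gaps = [], []
        for cond in rule.conditions:
            new_cond, gap = translate(cond)
            translated.append(new_cond)
            if gap:
                gaps.append(f"{cond.attribute} {cond.operator}: {gap}")
        if gaps:  # any unsupported condition blocks the whole policy
            gap_report.append(f"{rule.name}: policy not imported; " + "; ".join(gaps))
            continue
        policy_sets.append(PolicySet(f"{rule.name}_{rule.service}", translated, rule.service))
    return policy_sets, gap_report


# Constructed sample SSP: two enabled rules share one service, one rule is
# monitored, and one uses an operator assumed to be unsupported.
SAMPLE_SSP = [
    SspRule("Rule1", "NetworkAccess", [Condition("Device Type", "In", "Switches")]),
    SspRule("Rule2", "NetworkAccess", [Condition("Device Type", "In", "WLC")]),
    SspRule("Rule3", "DeviceAdmin", [Condition("Protocol", "Equals", "TACACS+")], state="monitored"),
    SspRule("Rule4", "Guest", [Condition("Device Location", "Not In", "Lab")]),
]

if __name__ == "__main__":
    sets, report = migrate_ssp(SAMPLE_SSP)
    for ps in sets:
        print("policy set:", ps.name, [(c.attribute, c.operator, c.value) for c in ps.entry_conditions])
    for line in report:
        print("gap:", line)
```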
Related Topics
Migration Tool Reports, on page 10
Import Report

This report indicates specific information or errors that are encountered during the import of data into the Cisco ISE appliance.

Table 2: Cisco Secure ACS to Cisco ISE Migration Tool Import Report

Report Type | Message Type | Message Description
Import | Information | Lists the names of the data objects that were imported successfully.
Import | Error | Identifies a data object error due to one of the following: the object already exists; the object name exceeds the character limit; the object name contains unsupported special characters; the object contains unsupported data characters.
Related Topics
Migration Tool Reports, on page 10
UTF-8 Support

Cisco ISE, Release 2.0, supports 8-bit Unicode Transformation Format (UTF-8) for some administration configurations. The following configuration items are exported and imported with UTF-8 encoding:
• Network Access User Configuration
• RSA
• RADIUS Token
• Policies
• Identity Group Mapping
Network Access User Configuration

• Username
• Password and re-enter password
• First name
• Last name
RSA

RSA prompts and messages are shown to the end user by the supplicant.
• Messages
• Prompts
RADIUS Token

The RADIUS token prompt is presented on the end-user supplicant.
• Authentication Tab > Prompts
• Administrator Configuration
• Administrator username and password
• Configure administrator by using UTF-8
Policies

• Authentication > Value for AV expression
• Authorization > Other Conditions > Value for AV expression
• Attribute-value conditions
• Authentication > Simple Condition/compound Condition > Value for AV expression
• Authorization > Simple Condition/compound Condition > Value for AV expression
FIPS Support for ISE 802.1X Services

The Cisco ISE FIPS mode should not be enabled before the migration process is complete.

To support Federal Information Processing Standard (FIPS), the migration tool migrates the default network device keywrap data.
FIPS-compliant and supported protocols:
• Process Host Lookup
• Extensible Authentication Protocol-Translation Layer Security (EAP-TLS)
• Protected Extensible Authentication Protocol (PEAP)
• EAP-Flexible Authentication via Secure Tunneling (FAST)
FIPS-noncompliant and unsupported protocols:
• EAP-Message Digest 5 (MD5)
• Password Authentication Protocol and ASCII
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
• Lightweight Extensible Authentication Protocol (LEAP)
Cisco Secure ACS/Cisco ISE Version Validation

The migration tool identifies the Cisco Secure ACS release version before the export phase begins. The migration process does not start if the Cisco Secure ACS version is anything other than 5.5, 5.6, 5.7, or 5.8. In addition, before importing the data to Cisco ISE, the tool verifies that the Cisco ISE release version is 2.0.
CHAPTER 2
Cisco Secure ACS to Cisco ISE Migration Tool

This chapter provides information about the Cisco Secure ACS to Cisco ISE Migration Tool that is used for data migration from a Cisco Secure ACS, Release 5.5 or 5.6 database to a Cisco ISE, Release 2.0 system.
• Data Migration from Cisco Secure ACS to Cisco ISE, page 15
• Cisco Secure ACS to Cisco ISE Migration Tool, page 16
• Software Requirements, page 18
Data Migration from Cisco Secure ACS to Cisco ISE

The only supported direct migration process that uses the Cisco Secure ACS to Cisco ISE Migration Tool is from a Cisco Secure ACS, Release 5.5 or 5.6 system to a Cisco ISE, Release 2.0 system.
There are three steps in the migration process:
1 Exporting the Cisco Secure ACS, Release 5.5 or 5.6 data from its database
2 Persisting the data by using the migration tool
3 Importing the persisted data into the Cisco ISE, Release 2.0 system
Data Migration Time Estimate

The Cisco Secure ACS (Cisco SNS 3415) to Cisco ISE Migration Tool may run for approximately 21 hours to migrate 4 LDAPs, 1,000 identity groups, 20 network device locations, 25 access services, 50 SSPs, 100 DACLs, 320 authorization rules, 600 authorization profiles, 20 command sets and shell profiles (each command set contains 100 commands), 30,000 network devices, 25,000 users, and 150,000 hosts.
The migration tool may run for approximately 52 hours to migrate the following configurations:
• 4 LDAPs
• 1,000 identity groups
• 500 user identity groups
• 20 network device locations
• 100 network device groups
• 25 access services
• 50 SSPs
• 600 downloadable access control lists (DACLs)
• 320 authorization rules
• 600 authorization profiles (with or without policy sets)
• 20 command sets and shell profiles (each command set contains 100 commands)
• 40 policy sets (limited by max rules)
• 20 custom user dictionaries
• 100,000 network devices
• 300,000 users
• 150,000 hosts
Cisco Secure ACS to Cisco ISE Migration Tool

Before running the migration tool, ensure that you have upgraded to Cisco ISE, Release 2.0, and have installed the latest patches for Cisco Secure ACS, Release 5.5 or 5.6.

The migration tool helps you to migrate the data from a Cisco Secure ACS, Release 5.5 or 5.6 system to a Cisco ISE, Release 2.0 system. The design of the tool addresses the inherent migration problems that result from differences in the underlying hardware platforms and systems, databases, and data schemas.

The migration tool runs on Linux-based and Windows-based systems. It works by exporting the Cisco Secure ACS data files, analyzing the data, and making the data modifications that are necessary to import the data in a format that is usable by the Cisco ISE, Release 2.0 system.

• The migration tool requires minimal user interaction and a full set of configuration data.
• The migration tool provides you with a complete list of unsupported objects.

The Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 applications may or may not run on the same type of physical hardware. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The Cisco Secure ACS PI and the Cisco ISE REST APIs allow the Cisco Secure ACS and Cisco ISE applications to run on supported hardware platforms or VMware servers. Because Cisco Secure ACS is considered a closed appliance, running the migration tool directly on a Cisco ACS appliance is not permitted. Instead, the Cisco Secure ACS PI reads and returns the configuration data in a normalized form. The Cisco ISE REST APIs perform validation and normalize the exported Cisco Secure ACS data to persist it in a form usable by Cisco ISE software.
Minimum Data Configuration Required to Start Migration

A minimal amount of configuration data is needed at the beginning of the migration process before the application proceeds to migrate the full set of configuration items. However, as the migration progresses, some data may not be mapped automatically between the two applications. The administrator handling the migration is notified of this type of data, which must be resolved before the migration is complete.
Migration Tool Monitors Progress of Data Migration

As the migration proceeds, you can monitor the real-time migration status along with the progress of activities. For troubleshooting, detailed logs are available and accessible in the migration tool.

Checkpoints to Continue Migration in the Migration Tool

You can perform export and import operations individually or in sequence. Exporting and importing may take a long time, depending on the amount of data being migrated. Therefore, the migration tool periodically displays checkpoints with the status of the activity being performed. You can restart the migration process from a checkpoint in case of a failure.

Export Configuration Data from Cisco Secure ACS

You can start the export process after you are authenticated by the Cisco Secure ACS system and request that the data be exported.

A direct upgrade from Cisco Secure ACS to Cisco ISE is not supported. The migration tool assists you if you want to uninstall Cisco Secure ACS, Release 5.5 or 5.6 software and reimage the physical hardware with Cisco ISE, Release 2.0 software.

Analyze Configuration Data

During the export phase, the migration tool reads and analyzes the data to confirm that it can be created correspondingly on the Cisco ISE system. Because the Cisco Secure ACS and Cisco ISE policy models are not the same, some of the data might not be supported by Cisco ISE. The migration tool reports any data issues that may require administrator intervention at the end of the export phase.

Data Persistence

The migration tool persists the Cisco Secure ACS data while the re-image process is completing and before the import stage begins.

Import Configuration Data into Cisco ISE

During this step, the migration tool imports configuration data into Cisco ISE.
Software Requirements

Table 3: Software Requirements for the Cisco Secure ACS to Cisco ISE Migration Tool

Requirement | Description
Operating System | The migration tool runs on Windows and Linux machines. The machine must have Java installed.
Minimum disk space | The minimum disk space required is 1 GB. This space is required not only for the installation of the migration tool, but also because the migration tool stores the migrated data and generates reports and logs.
Minimum RAM | The minimum RAM required is 2 GB. If you have about 300,000 users, 50,000 hosts, and 50,000 network devices, we recommend a minimum of 2 GB of RAM.
CHAPTER 3
Data Migration Principles

This chapter describes data migration from Cisco Secure ACS, Release 5.5 or 5.6, when deployed on a single appliance or in a distributed deployment, to Cisco ISE, Release 2.0.
• Data Migration and Deployment Scenarios, page 19
• Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6, page 21
• Policy Services Migration Guidelines, page 21
• Per Policy Service Migration Guidelines, page 22
• Cisco Secure ACS Policy Rules Migration Guidelines, page 23
• Unsupported Rule Elements, page 23
Data Migration and Deployment Scenarios

Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the migration tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.
Migrating Data from a Single Cisco Secure ACS Appliance
Before You Begin
When you are ready to start migrating Cisco Secure ACS, Release 5.5 or 5.6 data to Cisco ISE, Release 2.0, ensure that the target is a standalone Cisco ISE node. After the migration is successfully completed, you can begin any deployment configuration (such as setting up Administrator ISE and Policy Service ISE personas).

It is a requirement that the migration import phase be performed on a “clean” new installation of the Cisco ISE software on a supported hardware appliance. For a list of supported hardware appliances, refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 2.0.

If you have a single Cisco Secure ACS appliance in your environment (or several Cisco Secure ACS appliances, but not in a distributed setup), run the migration tool against the Cisco Secure ACS appliance.
You can use the migration tool and the following migration procedure in cases where Cisco Secure ACS and Cisco ISE use the same hardware, the CSACS-1121 appliance:

Step 1 Install the migration tool on a standalone Windows or Linux machine.
Step 2 Export the Cisco Secure ACS, Release 5.5 or 5.6 data from the Cisco Secure ACS-1121 hardware appliance to a secure external server with a database.
Step 3 Back up the Cisco Secure ACS data.
Step 4 Re-image the Cisco Secure ACS-1121 hardware appliance, which has the same physical hardware as any of the supported Cisco ISE appliances, with Cisco ISE, Release 2.0, software. Refer to the for the supported hardware.
Step 5 Import the converted Cisco Secure ACS, Release 5.5 or 5.6 data from the secure external server into the Cisco ISE, Release 2.0.
Migrating Data from a Distributed Environment
Before You Begin
If you have a large internal database, Cisco recommends that you run the migration from a standalone primary appliance and not from a primary appliance that is connected to several secondary appliances. After the completion of the migration process, you can register all the secondary appliances.

In a distributed environment, there is one primary Cisco Secure ACS appliance and one or more secondary Cisco Secure ACS appliances that interoperate with the primary appliance.

If you are running Cisco Secure ACS in a distributed environment, you must:

Step 1 Back up the primary Cisco Secure ACS appliance and restore it on the migration machine.
Step 2 Run the migration tool against the primary Cisco Secure ACS appliance.
Figure 1: Cisco Secure ACS and Cisco ISE Installed on Different Appliances
Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6

We recommend that you do not change to Simple mode after a successful migration from Cisco Secure ACS, because you might lose all the migrated policies in Cisco ISE. You cannot retrieve those migrated policies, although you can switch back to Policy Set mode from Simple mode.
You must consider the following before you start migrating Cisco Secure ACS data to Cisco ISE:
• Migrate Cisco Secure ACS, Release 5.5 or 5.6 data only in the Policy Set mode in Cisco ISE, Release 2.0.
• Migrate on a fresh installation of Cisco ISE, Release 2.0. In Cisco ISE, choose Administration > System > Settings > Policy Sets to enable the policy sets.
• Generate one policy set per enabled rule in the Service Selection Policy (SSP) and order them according to the order of the SSP rules.

Note: The service that is the result of the SSP default rule becomes the default policy set in Cisco ISE, Release 2.0. For all the policy sets created in the migration process, the first matching policy set is the matching type.
Policy Services Migration Guidelines

Check the following to ensure that policy services migrate from Cisco Secure ACS to Cisco ISE:

• If a Service Selection Policy (SSP) contains SSP rules that are disabled or monitored in Cisco Secure ACS, Release 5.5 or 5.6, those rules are not migrated to Cisco ISE.
• If a Service Selection Policy (SSP) contains an SSP rule that is enabled in Cisco Secure ACS, Release 5.5 or 5.6, and the rule:
◦ requests a service that contains a Group Mapping policy, the rule is not migrated to Cisco ISE (Cisco ISE does not support Group Mapping Policy).
◦ requests a service whose identity policy contains rules that result in a RADIUS Identity Server, the rule is not migrated to Cisco ISE (Cisco ISE differs in its use of RADIUS Identity Servers for authentication).
◦ requests a service that has policies using attributes or policy elements not supported by Cisco ISE, the rule is not migrated to Cisco ISE.
Per Policy Service Migration Guidelines

This section describes the changes to each policy service that you migrate from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0, because Cisco Secure ACS data is migrated only in the Policy Set mode in Cisco ISE, Release 2.0.
Cisco Secure ACS Service Selection Policy Default Rule Matches Cisco ISE Default Policy Set
You can create a policy set with the name of the service in Cisco ISE. If the policy set matches the service that is the result of the SSP default rule in Cisco Secure ACS, Release 5.5 or 5.6, then the policy set becomes the default policy set in Cisco ISE, Release 2.0. The condition of the SSP rule in Cisco Secure ACS, Release 5.5 or 5.6 becomes the entry condition of the policy set in Cisco ISE, Release 2.0. In the case of the Cisco ISE, Release 2.0 default policy set, no entry condition is required.
Migration of Cisco Secure ACS DenyAccess Service to Cisco ISE Authentication and Authorization Policies
When you convert the DenyAccess service in Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0, the authentication and authorization policies change to the following:
• The authentication policy has only the default outer rule with the results set to Default Network Access for the Allowed Protocol and DenyAccess for the identity source.
• The authorization policy has only the default rule set to DenyAccess (standard permission).
Migration of Cisco Secure ACS Service Identity Policy to Cisco ISE Authentication Policy of the Policy Set
When you want to convert the identity policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authentication policy of the policy set in Cisco ISE, Release 2.0, perform the following:
• Create an authentication policy that has a single, enabled, outer rule.
• Specify the condition of the outer rule as Device:Location starts with All Locations (this is always the matched condition).
• Set the results of the default outer rule to Default Network Access for the Allowed Protocol and DenyAccess for the identity source.

The result of the outer rule is the Allowed Protocol of the related service. The inner rules of the authentication policy are the rules of the related identity policy. The order of the inner rules of the authentication policy follows the order of the rules in the related identity policy. The state (enabled, disabled, or monitored) of the inner rules of the authentication policy follows the state of the rules in the related identity policy.

Migration of Cisco Secure ACS Service Authorization Policy to Cisco ISE Authorization Policy of the Policy Set

When you want to convert the authorization policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authorization policy of the policy set in Cisco ISE, Release 2.0:
• The rules of the policy set Local Exception Authorization policy are the rules of the Exception Authorization policy of the related service.
• The rules of the policy set Authorization policy are the rules of the Authorization policy of the related service.
• The order of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the order of the rules in the Local Exception Authorization policy and Authorization policy of the related service.
• The state (enabled, disabled, monitored) of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the state of the rules in the Local Exception Authorization policy and Authorization policy of the related service.

Cisco Secure ACS Policy Rules Migration Guidelines

When rules cannot be migrated, the policy model as a whole cannot be migrated, for reasons of security as well as data integrity. You can view details of problematic rules in the Policy Gap Analysis Report. If you do not modify or delete an unsupported rule, the policy is not migrated to Cisco ISE.

In general, you must consider these rules while migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0:
• Objects with special characters are not migrated.
• Attributes (RADIUS, VSA, identity, and host) of type enum are migrated as integers with allowed values.
• All endpoint attributes (no matter the attribute data type) are migrated as String data types.
• RADIUS attributes and VSA values cannot be filtered and added to Cisco ISE logs.
Unsupported Rule Elements

Cisco Secure ACS and Cisco ISE are based on different policy models, and there is a gap between pieces of Cisco Secure ACS data when it is migrated to Cisco ISE. When Cisco Secure ACS and Cisco ISE release versions change, not all Cisco Secure ACS policies and rules can be migrated due to:
• Unsupported attributes used by the policy
• Unsupported AND/OR condition structure (mainly, once complex conditions are configured)
• Unsupported operators
Table 4: Unsupported Rule Elements

Rule Element | Status of Support | Description
Date and Time | Not Supported | Date and time conditions in an authorization policy that have a weekly recurrence setting are not migrated to Cisco ISE. As a result, the rules are also not migrated.
Date and Time | Not Supported | Date and time conditions in an authentication policy are not migrated to Cisco ISE. As a result, the rules are also not migrated.
In | Supported | The "In" operator is converted to STARTS_WITH.
Not In | Not Supported | The "Not In" operator is converted to NOT_STARTS_WITH.
Contains Any | Supported | The "Contains Any" operator is converted to a compound condition with EQUALS and OR operators. Example: in ACS, AD:ExternalGrp Contains Any (A, B) is converted to (AD ExternalGrp Equals A) OR (AD ExternalGrp Equals B) in Cisco ISE.
Contains All | Supported | The "Contains All" operator is converted to a compound condition with EQUALS and AND operators. Example: in ACS, AD:ExternalGrp Contains All A;B is converted to (AD ExternalGrp Equals A) AND (AD ExternalGrp Equals B) in Cisco ISE.
Combination of logical expressions | Not Supported | Rules that use these operators in their conditions are not migrated: authentication policies that include compound conditions with logical expressions other than a || b || c || … and/or a && b && c && …, such as (a || b) && c; authorization policies that include compound conditions with logical expressions other than a && b && c && … are not migrated as part of the rule condition. As a workaround, you can manually use library compound conditions for some advanced logical expressions.
Network conditions | Not Supported | Rules that include only network conditions are not migrated. If the condition includes network conditions and other supported conditions, the network conditions are ignored and are not migrated as part of the rule condition.
User attributes | Partially Supported | Rules with conditions that include user attributes with a data type other than the “String” data type are not migrated.
Host attributes | Not Supported | Authentication fails if the condition refers to host attributes. Authorization policies that include a condition that has host (endpoint) attributes are not migrated to Cisco ISE authorization policies.
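As an added example (not the migration tool's own code), the following Python applies the translations and restrictions of Table 4, together with the rule from the Policy Gap Analysis Report section that a Not Supported or Partially Supported condition keeps the whole rule from being imported, to constructed rules. The Condition/Rule/GapEntry model, the `kind` and `connectives` fields and the function names are assumptions made for this illustration.

```python
"""Policy gap analysis for Cisco Secure ACS rule conditions.

Added example, not code from the Cisco migration tool: it applies the
Table 4 rules (In -> STARTS_WITH, Contains Any -> Equals/OR, Contains
All -> Equals/AND, mixed logical chains, network/host/user/date-time
caveats) to constructed rules and emits Policy Gap Analysis style
entries. Data model, field and function names are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Single-value operators and the support status Table 4 gives them.
OPERATOR_MAP = {
    "In": ("STARTS_WITH", "Supported"),
    "Not In": ("NOT_STARTS_WITH", "Not Supported"),
    "Equals": ("Equals", "Supported"),  # assumed pass-through
}

@dataclass
class Condition:
    attribute: str                   # ACS attribute, e.g. "AD:ExternalGrp"
    operator: str                    # ACS operator name
    values: List[str]
    kind: str = "attribute"          # attribute | user | host | network | datetime
    data_type: str = "String"        # relevant for user attributes
    weekly_recurrence: bool = False  # relevant for date-time conditions

@dataclass
class Rule:
    name: str
    policy_type: str                 # "authentication" or "authorization"
    conditions: List[Condition]
    connectives: List[str]           # "AND"/"OR" between consecutive conditions

@dataclass
class GapEntry:
    rule: str
    element: str
    status: str
    reason: str

def translate(cond: Condition) -> Optional[str]:
    """Cisco ISE text for one condition, or None if Table 4 gives no supported form."""
    attr = cond.attribute.replace(":", " ")  # "AD:ExternalGrp" -> "AD ExternalGrp"
    if cond.operator == "Contains Any":
        return " OR ".join(f"({attr} Equals {v})" for v in cond.values)
    if cond.operator == "Contains All":
        return " AND ".join(f"({attr} Equals {v})" for v in cond.values)
    if cond.operator in OPERATOR_MAP:
        ise_op, status = OPERATOR_MAP[cond.operator]
        if status == "Supported":
            return f"({attr} {ise_op} {cond.values[0]})"
    return None

def analyze_rule(rule: Rule) -> Tuple[Optional[str], List[GapEntry]]:
    """Return (migrated ISE condition, gap entries); the condition is None
    whenever a gap exists, because such a rule is not imported."""
    gaps: List[GapEntry] = []
    # Authentication accepts a homogeneous OR or AND chain, authorization only a
    # homogeneous AND chain; mixed forms such as (a || b) && c are rejected.
    kinds = set(rule.connectives)
    if len(kinds) > 1 or (rule.policy_type == "authorization" and kinds - {"AND"}):
        gaps.append(GapEntry(rule.name, "Combination of logical expressions",
                             "Not Supported", "only a||b||c or a&&b&&c chains migrate"))
    if rule.conditions and all(c.kind == "network" for c in rule.conditions):
        gaps.append(GapEntry(rule.name, "Network conditions", "Not Supported",
                             "rule contains only network conditions"))
    translated: List[str] = []
    for c in rule.conditions:
        if c.kind == "network":
            continue  # ignored when other supported conditions are present
        if c.kind == "datetime" and (rule.policy_type == "authentication"
                                     or c.weekly_recurrence):
            gaps.append(GapEntry(rule.name, "Date and Time", "Not Supported",
                                 "authentication policy or weekly recurrence"))
            continue
        if c.kind == "user" and c.data_type != "String":
            gaps.append(GapEntry(rule.name, "User attributes", "Partially Supported",
                                 f"data type {c.data_type} is not String"))
            continue
        if c.kind == "host" and rule.policy_type == "authorization":
            gaps.append(GapEntry(rule.name, "Host attributes", "Not Supported",
                                 "host (endpoint) attributes in an authorization policy"))
            continue
        text = translate(c)
        if text is None:
            gaps.append(GapEntry(rule.name, c.operator, "Not Supported",
                                 f"operator {c.operator!r} has no supported translation"))
        else:
            translated.append(text)
    if gaps:
        return None, gaps
    # Parenthesise compound translations when joined with other conditions.
    parts = [f"({t})" if len(translated) > 1 and (" OR " in t or " AND " in t) else t
             for t in translated]
    glue = f" {rule.connectives[0]} " if rule.connectives else " AND "
    return glue.join(parts), gaps
```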
CHAPTER 4
Migration Tool Installation
This chapter provides guidelines on how to install the Cisco Secure ACS to Cisco ISE Migration Tool.
• Migration Tool Installation Guidelines, page 27
• System Requirements, page 28
• Security Considerations, page 28
• Downloading Migration Tool Files from Cisco ISE Admin Portal, page 28
• Initializing the Cisco Secure ACS to Cisco ISE Migration Tool, page 29
Migration Tool Installation Guidelines

• Ensure that your environment is ready for migration. In addition to a Cisco Secure ACS, Release 5.5 or 5.6 Windows or Linux source machine, you must deploy a secure external system with a database for dual-appliance migration (migrating data in a distributed deployment) and have a Cisco ISE, Release 2.0, appliance as a target system.
• Ensure that you have configured the Cisco Secure ACS, Release 5.5 or 5.6 source machine with a single IP address. The migration tool may fail during migration if each interface has multiple IP address aliases.
• Ensure that you have a backup of ACS configuration data if the migration from Cisco Secure ACS to Cisco ISE is performed on the same appliance.
• Ensure that you have completed these tasks:
◦ If this is a dual-appliance migration, you have installed the Cisco ISE, Release 2.0 software on the target machine.
◦ If this is a single-appliance migration, you have the Cisco ISE, Release 2.0 software available to re-image the appliance or virtual machine.
◦ You have all the appropriate Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 credentials and passwords.
• Ensure that you can establish network connections between the source machine and the secure external system.
System Requirements

Table 5: System Requirements for Migration Machines

Platform | Requirements
Cisco Secure ACS, Release 5.5 or 5.6 source machine | Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address.
Cisco ISE, Release 2.0 target machine | Ensure that the Cisco ISE target machine has at least 2 GB of RAM.
Migration machine | Ensure that the migration machine has a minimum of 2 GB of RAM.
64-bit Windows and Linux | Install Java JRE, version 1.7 or higher, 64-bit. The migration tool does not run if you do not install Java JRE on the migration machine.
32-bit Windows and Linux | Install Java JRE, version 1.7 or higher, 32-bit. The migration tool does not run if you do not install Java JRE on the migration machine.
Security Considerations

The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.

You need to know the Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in an audit log.

You must enter the hostname of the primary Cisco Secure ACS server and the Cisco ISE server, along with the administrator credentials. After you have been authenticated, the migration tool proceeds to migrate the full set of configured data items in a form similar to an upgrade. Make sure that you have enabled the PI interface on the ACS server and the ACS migration interface on the ISE server before running the migration tool.

Downloading Migration Tool Files from Cisco ISE Admin Portal

Before You Begin

• Set the initial amount of memory allocated for the Java heap sizes for the migration process in the config.bat file. The attributes that set the heap size in config.bat are _Xms = 64 and _Xmx = 1024 (the memory is 64 and 1024 megabytes, respectively).
• If the Cisco Secure ACS and Cisco ISE software are installed on different appliances, download the migration tool files.

Step 1 Download the migTool.zip file in one of the following ways:
• Enter the following URL in the Cisco ISE user interface address bar:
https://<hostname-or-hostipaddress>/admin/migTool.zip
• Or, navigate to the Work Centers > Device Administration > Overview page, and click the migration tool in the Prepare section to launch the migration tool.
Step 2 Extract the contents of the .zip file. The extracted contents of the .zip file create a directory structure that holds the config.bat and migration.bat files.
Step 3 Edit the config.bat file to set the initial amount of memory allocated for the Java heap sizes.
Step 4 Click Save.

Initializing the Cisco Secure ACS to Cisco ISE Migration Tool

Before You Begin

You should run the migration tool only after a fresh Cisco ISE installation or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Therefore, the Cisco ISE FIPS mode should not be enabled before the migration process is complete.

When the migration tool is initialized, it displays a message box asking whether you want to view the unsupported list. The migration tool can migrate only a subset of Cisco Secure ACS objects into Cisco ISE. The tool supplies a list of unsupported (or partially supported) objects that it cannot migrate. You can also view the list of unsupported objects by selecting Help > Unsupported Object Details from the Cisco Secure ACS to Cisco ISE Migration Tool interface.

Step 1 Click migration.bat to launch the migration process.
Step 2 Click Yes to display a list of unsupported and partially supported objects.
Step 3 Click Close.
CHAPTER 5
Persistent Data Transfer Procedure

This chapter describes exporting and importing Cisco Secure ACS, Release 5.5 or 5.6 data into a Cisco ISE, Release 2.0 system using the migration tool.

• Exporting Data from Cisco Secure ACS, page 31
• Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS, page 32
• Importing Data into Cisco ISE, page 34
• Migrated Data Verification in Cisco ISE, page 34

Exporting Data from Cisco Secure ACS

After starting the migration tool, complete the following steps to export data from Cisco Secure ACS to the migration tool.

Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Settings to display the list of data objects available for migration.
Step 2 (Optional) You are not required to configure dependency handling in order to perform the migration. Check the check boxes of the data objects that you want to export in case their dependency data is missing, and click Save.
Step 3 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Migration and then click Export From ACS.
Step 4 Enter the Cisco Secure ACS host name, user name, and password for the Cisco Secure ACS, Release 5.5 or 5.6 system and click Connect in the ACS5 Credentials window.
Step 5 Monitor the migration process in the Cisco Secure ACS to Cisco ISE Migration Tool window, which displays the current count of successful object exports and lists any objects that triggered warnings or errors.
Step 6 To get more information about a warning or an error that occurred during the export process, click any underlined numbers in the Warnings or Errors column on the Migrations tab. The Object Errors and Warnings Details window displays the result of a warning or an error during export. It provides the object group, the type, and the date and time of a warning or an error.
Step 7 Scroll to display the details of the selected object error, and then click Close.
Step 8 When the data export process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the export status Exporting finished.
Step 9 Click Export Report(s) to view the contents of the export report. Each export report contains header information with the operation type, date and time, and system IP address or host name. Each object group details the types and related information. Reports end with a summary of the start and end date, the time, and the duration of the operation.
Step 10 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.
Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS
After exporting the data, the administrator should analyze the export report and the policy gap report, fix the listed errors in the ACS configuration, and address the warnings and other issues.
The following gaps are observed for a configuration set that is migrated from Cisco Secure ACS to Cisco ISE. Reconciliation is possible for some of these gaps.
• Identity Groups
  ◦ Internal User Issues
  ◦ Parity gap between Cisco Secure ACS and Cisco ISE
  ◦ Password type
  ◦ Password change on next login
  ◦ Password change
  ◦ Naming constraints
  ◦ External Identity Stores are migrated successfully. You have to verify the names.
• Network Devices or Network Device Groups
  ◦ Network device migration caveats for Cisco ISE 2.1
  ◦ IP ranges that are not supported in Cisco ISE
  ◦ Exclusion is for overlapping IPs
  ◦ IPv4 only
  ◦ Default Device must have RADIUS enabled
  ◦ Reconciliation flow for migration tool
  ◦ If the device does not exist in Cisco ISE (defined by no overlap of IP configuration), then the device will be added during migration.
  ◦ If the device exists (IP or subnet matches exactly and name matches exactly), then the migration tool adds the TACACS+ elements.
  ◦ If the device exists (IP/subnet matches exactly or name matches exactly), then the migration tool reports an error.
• Authorization Results
  Command Sets and Shell Profiles are migrated successfully. Inconsistency would be with object names.
  ◦ Cisco ISE strictly adheres to names
  ◦ Policy results namespace shared with Network Access users
  ◦ Recommendation is to use a prefix for Device admin authorization results
• Policies
  ◦ Cisco Secure ACS 5.x Access Service separated from Selection Policy
  ◦ Can have services that are not engaged
  ◦ Can have services selected by different Service Selection rules
  ◦ Cisco Secure ACS 5.x Group map
  ◦ Transition of group map from Cisco Secure ACS 4.x
  ◦ Group map content must be migrated to authorization Policy in Cisco ISE
  ◦ Authentication allowed Protocols
  ◦ Part of Service configuration in Cisco Secure ACS 5.x
  ◦ Part of Policy Results in Cisco ISE
After addressing the errors or warnings, perform the export process again. For the procedure of exporting data from Cisco Secure ACS, see Exporting Data from Cisco Secure ACS, on page 31.
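The three reconciliation rules listed under Network Devices above decide, for every exported device, whether the tool adds it, merges its TACACS+ elements, or reports an error. Running the exported device list against the current Cisco ISE inventory before the import shows which devices will clash. The following is an added example in Python, not code from the Cisco migration tool; the Device type, the address formats and the action labels are assumptions made here, and the case of an IP overlap that is not an exact match (which the guide does not spell out) is treated as an error.

```python
"""Device reconciliation rules from the policy-gap section, as a runnable check.

Constructed example, not code from the Cisco migration tool. The Device type,
the address list format and the action labels are assumptions made here.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Device:
    """A network device as it appears in ACS or ISE (assumed shape)."""
    name: str
    addresses: Tuple[str, ...]  # "10.0.0.1" or "10.0.1.0/24"; IPv4 only is migrated


def _networks(device: Device):
    # strict=False lets "10.0.1.5/24" be read as the network 10.0.1.0/24.
    return {ipaddress.ip_network(addr, strict=False) for addr in device.addresses}


def reconcile(acs_device: Device, ise_devices: List[Device]) -> Tuple[str, str]:
    """Return (action, reason) for one ACS device against the ISE inventory.

    Rules taken from the guide:
      * no IP overlap with any ISE device          -> "ADD"
      * exact IP/subnet match AND exact name match -> "ADD_TACACS" (TACACS+ elements merged)
      * exact IP/subnet match OR exact name match  -> "ERROR"
    Overlap without an exact match is not spelled out in the guide; it is
    treated as an error here (assumption), since ISE cannot hold two devices
    covering the same address.
    """
    acs_nets = _networks(acs_device)
    partial_matches = []
    overlaps = []
    for dev in ise_devices:
        dev_nets = _networks(dev)
        ip_exact = dev_nets == acs_nets
        name_exact = dev.name == acs_device.name
        if ip_exact and name_exact:
            return "ADD_TACACS", f"{dev.name}: exists, TACACS+ elements added"
        if ip_exact or name_exact:
            partial_matches.append(dev.name)
        elif any(a.overlaps(b) for a in acs_nets for b in dev_nets):
            overlaps.append(dev.name)
    if partial_matches:
        return "ERROR", f"{acs_device.name}: name or IP clashes with {', '.join(partial_matches)}"
    if overlaps:
        return "ERROR", f"{acs_device.name}: IP overlaps {', '.join(overlaps)} (assumed conflict)"
    return "ADD", f"{acs_device.name}: no overlap, added during migration"


# Constructed ISE inventory and ACS export for the demonstration.
ISE_DEVICES = [
    Device("sw-core-1", ("10.0.0.1",)),
    Device("sw-edge-7", ("10.0.1.0/24",)),
]
ACS_EXPORT = [
    Device("sw-core-1", ("10.0.0.1",)),    # same name and IP -> TACACS+ merge
    Device("sw-new-3", ("192.168.5.5",)),  # no overlap -> add
    Device("sw-core-1", ("10.0.0.2",)),    # name clash, different IP -> error
    Device("sw-renamed", ("10.0.0.1",)),   # IP clash, different name -> error
    Device("sw-x", ("10.0.1.20",)),        # inside sw-edge-7's /24 -> error (assumption)
]


def run_gap_check(acs_devices=ACS_EXPORT, ise_devices=ISE_DEVICES):
    """Reconcile every exported device; returns a list of (action, reason)."""
    return [reconcile(d, ise_devices) for d in acs_devices]


if __name__ == "__main__":
    for action, reason in run_gap_check():
        print(f"{action:<11} {reason}")
```

Devices reported as ERROR are the ones to rename or re-address in the ACS configuration before re-running the export, which is the reconciliation the paragraph above asks for.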
Importing Data into Cisco ISE
Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Import To ISE.
Step 2 Click OK when you are prompted to add attributes to the LDAP identity stores before they are imported into Cisco ISE.
Step 3 From the LDAP Identity Store drop-down list, choose the identity store to which you want to add attributes, and click Add Attribute.
Step 4 Enter a name in the Attribute Name field, choose an attribute type from the Attribute Type drop-down list, enter a value in the Default Value field, and click Save & Exit.
Step 5 After adding attributes, click Import To ISE, enter the Cisco ISE Fully Qualified Domain Name (FQDN), username, and password in the ISE Credentials window and click Connect. The migration tool ensures that this matches the FQDN in the SSL certificate.
Step 6 When the data import process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the status of import as Importing finished.
Step 7 To view a complete report on the imported data, click Import Report(s).
Step 8 To get more information about a warning or an error that occurred during the import process, click any underlined numbers in the Warnings or Errors column on the Migrations tab.
Step 9 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.
Step 10 Click View Log Console to display the real-time view of the export or import operations.
Migrated Data Verification in Cisco ISE
To verify that the Cisco Secure ACS data is migrated into Cisco ISE, log into Cisco ISE and check that the various Cisco Secure ACS objects can be viewed.
A P P E N D I X A
Data Structure Mapping
This appendix provides information about the data objects that are migrated, partially migrated, and not migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0.
• Data Structure Mapping, page 35
• Migrated Data Objects, page 35
• Data Objects Not Migrated, page 37
• Partially Migrated Data Objects, page 38
• Supported Attributes and Data Types, page 38
• Data Information Mapping, page 40
Data Structure Mapping
Data structure mapping from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0, is the process by which data objects are analyzed and validated in the migration tool during the export phase.
Migrated Data Objects
The following data objects are migrated from Cisco Secure ACS to Cisco ISE:
• Network device group (NDG) types and hierarchies
• Network devices
• Default network device
• External RADIUS servers
• External TACACS+ servers
• TACACS+ server sequence
• TACACS+ settings
• Identity groups
• Internal users
• Internal users with enable password
• Internal endpoints (hosts)
• Lightweight Directory Access Protocol (LDAP)
• Microsoft Active Directory (AD)
• RSA (Partial support, see Table A-19)
• RADIUS token (See Table A-18)
• Certificate authentication profiles
• Date and time conditions (Partial support, see Unsupported Rule Elements)
• RADIUS attribute and vendor-specific attributes (VSA) values (see Table A-5 and Table A-6)
• RADIUS vendor dictionaries (see Notes for Table A-5 and Table A-6.)
• Internal users attributes (see Table A-1 and Table A-2)
• Internal endpoint attributes
• TACACS+ Profiles
• Downloadable access control lists (DACLs)
• Identity (authentication) policies
• Authentication, Authorization, and Authorization exception policies for TACACS+ (for policy objects)
• TACACS+ Command Sets
• Authorization exception policies (for network access)
• Service selection policies (for network access)
• RADIUS proxy service
• TACACS+ proxy service
• User password complexity
• Identity sequence and RSA prompts
• UTF-8 data (see UTF-8 Support page)
• EAP authentication protocol—PEAP-TLS
• User check attributes
• Identity sequence advanced option
• Additional attributes available in policy conditions—AuthenticationIdentityStore
• Additional string operators—Start with, Ends with, Contains, Not contains
• RADIUS identity server attributes
Data Objects Not Migrated
The following data objects are not migrated from Cisco Secure ACS to Cisco ISE, Release 2.0:
• Monitoring reports
• Scheduled backups
• Repositories
• Administrators, roles, and administrators settings
• Customer/debug log configurations
• Deployment information (secondary nodes)
• Certificates (certificate authorities and local certificates)
• Security Group Access Control Lists (SGACLs)
• Security Groups (SGs)
• AAA servers for supported Security Group Access (SGA) devices
• Security Group mapping
• SGA egress matrix
• SGA data within network devices
• Security Group Tag (SGT) in SGA authorization policy results
• Network conditions (end station filters, device filters, device port filters)
• Dial-in attribute support
• Display RSA node missing secret
• Maximum user sessions
• Account disablement
• Users password type
• Internal users configured with Password Type as External Identity Store
• Additional attribute available in a policy condition—NumberOfHoursSinceUserCreation
• Wildcards for hosts
• Network device ranges
• OCSP service
• Syslog messages over SSL/TCP
• Configurable copyright banner
• Internal user expiry days
• IP address exclusion
Partially Migrated Data Objects
The following data objects are partially migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0:
• Identity and host attributes that are of type date are not migrated.
• RSA sdopts.rec file and secondary information are not migrated.
• Multi-Active Directory domain (only Active Directory domain joined to the primary) is migrated.
• LDAP configuration defined for primary ACS instance is migrated.
Supported Attributes and Data Types
User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0

| Supported User Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0 |
| --- | --- |
| String | String |
| UI32 | Not supported |
| IPv4 | Not supported |
| Boolean | Supported |
| Date | Not supported |
| Enum | Supported |

User Attribute: Association to the User

| Attributes Associated to Users in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0 |
| --- | --- |
| String | Supported |
| UI32 | Not Supported |
| IPv4 | Not Supported |
| Boolean | Not Supported |
| Date | Not Supported |

Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0

| Supported Host Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0 |
| --- | --- |
| String | String |
| UI32 | UI32 |
| IPv4 | IPv4 |
| Boolean | Boolean |
| Date | Not supported |
| Enum | Integers with allowed values |

Host Attribute: Association to the Host

| Attributes Associated to Hosts in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0 |
| --- | --- |
| String | Supported |
| UI32 | Supported (Value is converted to String) |
| IPv4 | Supported (Value is converted to String) |
| Boolean | Supported (Value is converted to String) |
| Date | Supported (Value is converted to String) |
| Enum | Supported (Value is converted to String) |

RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0

| Supported RADIUS Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0 |
| --- | --- |
| UI32 | UI32 |
| UI64 | UI64 |
| IPv4 | IPv4 |
| Hex String | Octet String |
| String | String |
| Enum | Integers with allowed values |

RADIUS Attribute: Association to RADIUS Server

| Attributes Associated to RADIUS Servers in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0 |
| --- | --- |
| UI32 | Supported |
| UI64 | Supported |
| IPv4 | Supported |
| Hex String | Supported (Hex Strings are converted to Octet Strings) |
| String | Supported |
| Enum | Supported (Enums are integers with allowed values) |
Data Information Mapping
This section provides tables that list the data information that is mapped during the export process. The tables list object categories from Cisco Secure ACS, Release 5.5 or 5.6 and their equivalents in Cisco ISE, Release 2.0. The data-mapping tables in this section also record whether each data object is valid or not valid when it is mapped during the export stage of the migration process.
Network Device Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Migrates as is |
| Description | Migrates as is |
| Network device group | Migrates as is |
| Single IP address | Migrates as is |
| Single IP and subnet address | Migrates as is |
| Collection of IP and subnet addresses | Not Supported |
| Exclude IP address | Not Supported |
| TACACS information | Migrates as is |
| RADIUS shared secret | Migrates as is |
| TACACS+ shared secret | Migrates as is |
| CTS | Migrates as is |
| SNMP | SNMP data is available only in Cisco ISE; therefore, there is no SNMP information for migrated devices. |
| Model name | This property is available only in Cisco ISE (and its value is the default, which is “unknown”). |
| Software version | This property is available only in Cisco ISE (and its value is the default, which is “unknown”). |
| Enable password | Migrates as is |
Active Directory Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Domain name | Migrates as is |
| User name | Migrates as is |
| Password | Migrates as is |
| Allow password change | Migrates as is |
| Allow machine access restrictions | Migrates as is |
| Aging time | Migrates as is |
| User attributes | Migrates as is |
| Groups | Migrates as is |
| Multiple domain support | Only domains joined to the primary ACS instance are migrated |
External RADIUS Server Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Server IP address | Hostname |
| Shared secret | Shared secret |
| Authentication port | Authentication port |
| Accounting port | Accounting port |
| Server timeout | Server timeout |
| Connection attempts | Connection attempts |
Hosts (Endpoints) Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| MAC address | Migrates as is |
| Status | Not migrated |
| Description | Migrates as is |
| Identity group | Migrates the association to an endpoint group. |
| Attribute | Endpoint attribute is migrated. |
| Authentication state | This is a property available only in Cisco ISE (and its value is a fixed value, “Authenticated”). |
| Class name | This is a property available only in Cisco ISE (and its value is a fixed value, “TBD”). |
| Endpoint policy | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”). |
| Matched policy | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”). |
| Matched value | This is a property available only in Cisco ISE (and its value is a fixed value, “0”). |
| NAS IP address | This is a property available only in Cisco ISE (and its value is a fixed value, “0.0.0.0”). |
| OUI | This is a property available only in Cisco ISE (and its value is a fixed value, “TBD”). |
| Posture status | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”). |
| Static assignment | This is a property available only in Cisco ISE (and its value is a fixed value, “False”). |
Identity Dictionary Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Attribute | Attribute name |
| Description | Description |
| Internal name | Internal name |
| Attribute type | Data type |
| Maximum length | Not migrated |
| Default value | Not migrated |
| Mandatory fields | Not migrated |
| User | The dictionary property accepts this value (“user”). |
Identity Group Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Parent | This property is migrated as part of the hierarchy details. |

Note
Cisco ISE, Release 2.0 contains user and endpoint identity groups. Identity groups in Cisco Secure ACS, Release 5.5 or 5.6 are migrated to Cisco ISE, Release 2.0 as user and endpoint identity groups because a user needs to be assigned to a user identity group and an endpoint needs to be assigned to an endpoint identity group.
LDAP Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Server connection information | Migrates as is. (Server Connection tab; see Figure A-1 on page A-10.) |
| Directory organization information | Migrates as is. (Directory Organization tab; see Figure A-2 on page A-10.) |
| Directory groups | Migrates as is |
| Directory attributes | Migration is done manually (using the Cisco Secure ACS to Cisco ISE migration tool). |

Note
Only the LDAP configuration defined for the primary ACS instance is migrated.
NDG Types Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |

Note
Cisco Secure ACS, Release 5.5 or 5.6 can support more than one network device group (NDG) with the same name. Cisco ISE, Release 2.0 does not support this naming scheme. Therefore, only the first NDG type with any defined name is migrated.
NDG Hierarchy Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Parent | No specific property is associated with this property because this value is entered only as part of the NDG hierarchy name. (In addition, the NDG type is the prefix for this object name.) |

Note
Any NDGs that contain a root name with a colon (:) are not migrated because Cisco ISE, Release 2.0 does not recognize the colon as a valid character.
RADIUS Dictionary (Vendors) Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Vendor ID | Vendor ID |
| Attribute prefix | No need to migrate this property. |
| Vendor length field size | Vendor attribute type field length. |
| Vendor type field size | Vendor attribute size field length. |

Note
Only RADIUS vendors that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated. This affects only user-defined vendors.
RADIUS Dictionary (Attributes) Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Attribute ID | No specific property is associated with this because this value is entered only as part of the NDG hierarchy name (the NDG type is the prefix for this object name). |
| Direction | Not supported in Cisco ISE |
| Multiple allowed | Not supported in Cisco ISE |
| Attribute type | Migrates as is |
| Add policy condition | Not supported in Cisco ISE |
| Policy condition display name | Not supported in Cisco ISE |

Note
Only the user-defined RADIUS attributes that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated (only the user-defined attributes need to be migrated).
User Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Status | No need to migrate this property. (This property does not exist in Cisco ISE.) |
| Identity group | Migrates to identity groups in Cisco ISE |
| Password | Password |
| Enable password | Password |
| Change password on next login | No need to migrate this property |
| User attributes list | User attributes are imported from the Cisco ISE and are associated with users |
| Expiry days | Not supported |
Certificate Authentication Profile Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Principal user name (X.509 attribute) | Principal user name (X.509 attribute). |
| Binary certificate comparison with certificate from LDAP or AD | Binary certificate comparison with certificate from LDAP or AD. |
| AD or LDAP name for certificate fetching | AD or LDAP name for certificate fetching. |
Authorization Profile Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| DACLID (downloadable ACL ID) | Migrates as is |
| Attribute type (static and dynamic) | Migrates as is if static attribute. Migrates as is if dynamic attribute, except DynamicVLAN. |
| Attributes (filtered for static type only) | RADIUS attributes. |
Downloadable ACL Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| DACL content | DACL content |
External TACACS+ Server Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| IP address | Host IP |
| Connection Port | Connection Port |
| Network Timeout | Timeout |
| Shared secret | Shared secret |
Command Sets Attributes Mapping

| Cisco Secure ACS | Cisco ISE |
| --- | --- |
| Name | Name |
| Description | Description |
| Permit any command that is not in the table below | Permit any command that is not listed below |
| Grant (Permit, Deny, Deny Always) | Grant (Permit, Deny, Deny Always) |
| Command | Command |
| Arguments | Arguments |
Shell Profile Attributes Mapping

Common Task Attributes

| Cisco Secure ACS | Cisco ISE |
| --- | --- |
| Name | Name |
| Description | Description |
| Default Privilege (Static and Dynamic) | Default Privilege (0 to 15) |
| Maximum Privilege (Static) | Maximum Privilege (0 to 15) |
| Access Control List (Static and Dynamic) | Access Control List (Static and Dynamic) |
| Auto Command (Static and Dynamic) | Auto Command (Static and Dynamic) |
| No Callback Verify (Static and Dynamic) | — |
| No Escape (Static and Dynamic) | No Escape (True or False) |
| No Hang up (Static and Dynamic) | — |
| Timeout (Static and Dynamic) | Timeout (Static and Dynamic) |
| Idle Time (Static and Dynamic) | Idle Time (Static and Dynamic) |
| Callback Line (Static and Dynamic) | — |
| Callback Rotary (Static and Dynamic) | — |

Custom Attributes

| Cisco Secure ACS | Cisco ISE |
| --- | --- |
| Attribute | Name |
| Requirement (Mandatory and Optional) | Type (Mandatory and Optional) |
| Value (Static and Dynamic) | Value (Static and Dynamic) |
Identity Attributes Dictionary Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Attribute | Attribute name |
| Description | Internal name |
| Name | Migrates as is |
| Attribute type | Data type |
| No such property | Dictionary (Set with the value “InternalUser” if it is a user identity attribute, or “InternalEndpoint” if it is a host identity attribute.) |
| Not exported or extracted yet from the Cisco Secure ACS | Allowed value = display name |
| Not exported or extracted yet from the Cisco Secure ACS | Allowed value = internal name |
| Not exported or extracted yet from the Cisco Secure ACS | Allowed value is default |
| Maximum length | None |
| Default value | None |
| Mandatory field | None |
| Add policy condition | None |
| Policy condition display name | None |
RADIUS Token Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Safeword server | Safeword server |
| Enable secondary appliance | Enable secondary appliance |
| Always access primary appliance first | Always access primary appliance first |
| Fallback to primary appliance in minutes | Fallback to primary appliance in minutes |
| Primary appliance IP address | Primary appliance IP address |
| Primary shared secret | Primary shared secret |
| Primary authentication port | Primary authentication port |
| Primary appliance TO (timeout) | Primary appliance TO |
| Primary connection attempts | Primary connection attempts |
| Secondary appliance IP address | Secondary appliance IP address |
| Secondary shared secret | Secondary shared secret |
| Secondary authentication port | Secondary authentication port |
| Secondary appliance TO | Secondary appliance TO |
| Secondary connection attempts | Secondary connection attempts |
| Advanced > treat reject as authentication flag fail | Advanced > treat reject as authentication flag fail. |
| Advanced > treat rejects as user not found flag | Advanced > treat rejects as user not found flag. |
| Advanced > enable identity caching and aging value | Advanced > enable identity caching and aging value. |
| Shell > prompt | Authentication > prompt |
| Directory attributes | Authorization > attribute name (In cases where the dictionary attribute list in Cisco Secure ACS includes the attribute “CiscoSecure-Group-Id,” it is migrated to this attribute; otherwise, the default value is “CiscoSecure-Group-Id”.) |
RSA Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name is always RSA |
| Description | Not migrated |
| Realm configuration file | Realm configuration file |
| Server TO | Server TO |
| Reauthenticate on change to PIN | Reauthenticate on change to PIN |
| RSA instance file | Not migrated |
| Treat rejects as authentication fail | Treat rejects as authentication fail |
| Treat rejects as user not found | Treat rejects as user not found |
| Enable identity caching | Enable identity caching |
| Identity caching aging time | Identity caching aging time |
RSA Prompts Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Passcode prompt | Passcode prompt |
| Next Token prompt | Next Token prompt |
| PIN Type prompt | PIN Type prompt |
| Accept System PIN prompt | Accept System PIN prompt |
| Alphanumeric PIN prompt | Alphanumeric PIN prompt |
| Numeric PIN prompt | Numeric PIN prompt |
Identity Store Sequences Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Name | Name |
| Description | Description |
| Certificate based, certificate authentication profile | Certificate based, certificate authentication profile |
| Password based | Authentication search list |
| Advanced options > if access on current IDStore fails then break sequence | Do not access other stores in the sequence and set the “AuthenticationStatus” attribute to “ProcessError.” |
| Advanced options > if access on current IDStore fails then continue to next | Treated as “User Not Found” and proceed to the next store in the sequence. |
| Attribute retrieval only > exit sequence and treat as “User Not Found” | Not supported (should be ignored) |
Default Network Devices Mapping

| Cisco Secure ACS Properties | Cisco ISE Properties |
| --- | --- |
| Default network device status | Default network device status |
| Network device group | Not migrated |
| TACACS+ Shared Secret | Shared Secret |
| TACACS+ Single Connect Device | Enable Single Connect Mode |
| Legacy TACACS+ Single Connect Support | Legacy Cisco Device |
| TACACS+ Draft Compliant Single Connect Support | TACACS+ Draft Compliance Single Connect Support |
| RADIUS - shared secret | Shared Secret |
| RADIUS - CoA port | Not migrated |
| RADIUS - Enable keywrap | Enable keywrap |
| RADIUS - Key encryption key | Key encryption key |
| RADIUS - Message authenticator code key | Message authenticator code key |
| RADIUS - Key input format | Key input format |
A P P E N D I X B
Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool
• Unable to Start the Migration Tool, page 55
• Troubleshooting Connection Issues in the Migration Tool, page 55
• Error Messages Displayed in Logs, page 56
• Default Folders, Files, and Reports are Not Created, page 57
• Migration Export Phase is Very Slow , page 57
• Reporting Issues to Cisco TAC, page 58
Unable to Start the Migration Tool
Condition
Unable to start the migration tool.
Action
Verify that Java JRE, Version 1.7 or later, is installed on the migration machine and that it is correctly configured in the system path and classpath.
Troubleshooting Connection Issues in the Migration Tool
If the migration tool fails to connect to Cisco Secure ACS or ISE, check the migration.log file to identify the problem.
Error Message
The following error message: "UnknownHostException: hostname" is displayed if the Cisco Secure ACS or ISE host name is not resolvable.
Action
• Ensure that the Cisco Secure ACS or ISE hostname is resolvable from the client machine where you run the migration tool.
• Check the DNS configuration and connectivity.
Error Message
The following error message: "hostname in certificate didn't match: <hostname> != </hostname_in_certificate>" is displayed if the Cisco Secure ACS or Cisco ISE hostname entered in the migration tool does not match the name in the certificate.
Action
Ensure that the certificate's Common Name in the Subject field or DNS name in the Subject Alternate Name field in Cisco Secure ACS and Cisco ISE matches the Hostname provided in the migration tool.
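The hostname check described in this Action can be reproduced offline to confirm a certificate before entering the hostname in the tool, and to see why a short name or an IP address fails where the FQDN succeeds. The following is an added Python example, not the migration tool's own code; it reads the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns for a verified connection, and the two certificate dictionaries at the bottom are constructed for the demonstration.

```python
"""Check whether a peer certificate's names cover the hostname typed into the tool.

Added illustration, not the migration tool's own code. It works on the
dictionary shape returned by ssl.SSLSocket.getpeercert(); the sample
certificate dictionaries below are constructed for the demonstration.
"""
from typing import List, Tuple


def cert_dns_names(cert: dict) -> Tuple[List[str], str]:
    """Return (SAN DNS names, subject CN) from a getpeercert()-style dict."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    cn = ""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return san, cn


def _label_match(pattern: str, hostname: str) -> bool:
    """Exact, case-insensitive match; a leading '*.' covers exactly one label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if the SAN DNS names (or, absent those, the subject CN) cover hostname.

    Mirrors the rule in the Action above: the CN or a SAN DNS name must equal
    the hostname typed into the migration tool. When a SAN DNS list is present
    it takes precedence over the CN, as TLS clients do. Only DNS names are
    considered, so an IP address typed in place of the FQDN does not match.
    """
    san, cn = cert_dns_names(cert)
    candidates = san if san else ([cn] if cn else [])
    return any(_label_match(name, hostname) for name in candidates)


# Constructed sample certificates in getpeercert() shape (not real hosts).
ISE_CERT_OK = {
    "subject": ((("commonName", "ise-pan.example.com"),),),
    "subjectAltName": (
        ("DNS", "ise-pan.example.com"),
        ("DNS", "*.ise.example.com"),
        ("IP Address", "10.10.10.5"),
    ),
}
ACS_CERT_CN_ONLY = {"subject": ((("commonName", "acs55.example.com"),),)}


if __name__ == "__main__":
    for cert, host in [
        (ISE_CERT_OK, "ise-pan.example.com"),   # FQDN in SAN -> match
        (ISE_CERT_OK, "node1.ise.example.com"),  # covered by wildcard -> match
        (ISE_CERT_OK, "10.10.10.5"),             # IP typed instead of FQDN -> mismatch
        (ACS_CERT_CN_ONLY, "acs55.example.com"), # CN only, no SAN -> match
        (ACS_CERT_CN_ONLY, "acs55"),             # short name -> mismatch
    ]:
        print(f"{host:<24} {'match' if hostname_matches(cert, host) else 'MISMATCH'}")
```

The last two cases reproduce the two failure patterns in this section: a certificate carrying only an IP SAN will not satisfy a hostname lookup, and a short name never equals the FQDN in the certificate, which is the mismatch the error message reports.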
Error Message
The following error message: "SSLHandshakeException: unable to find valid certification path to requested target" is displayed if the Cisco Secure ACS and ISE certificates are not trusted by the migration tool.
Action
Ensure that Cisco Secure ACS and Cisco ISE certificates are trusted by adding the required certificates in the Settings > Trusted Certificates page in the Cisco Secure ACS to Cisco ISE Migration Tool.
Error Messages Displayed in Logs
Connection Error
Condition
The following error message is displayed in the log: “Hosts: Connection to https://hostname-or-ip refused: null”, and the object is reported while migrating to Cisco ISE.
Action
• Make sure that the migration application machine is connected to the network and configured correctly.
• Make sure that the Cisco ISE appliance is connected to the network and that it is configured correctly.
• Make sure that the Cisco ISE appliance and the migration machine are able to connect to each other over the network.
• Make sure that the hostname (if any) used in the Cisco ISE primary node is resolvable within the DNS when the migration tool connects to Cisco ISE.
• Make sure that the Cisco ISE appliance is up and running.
• Make sure that the Cisco ISE application server service is up and running.
I/O Exception Error
Condition
The following error message is displayed in the log:
“I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond”.
Action
• Make sure that the Cisco ISE application server service is up and running.
• Make sure that the Cisco ISE web server thresholds have not been exceeded and that there are no memory exceptions.
• Make sure that the Cisco ISE appliance CPU consumption is not 100 percent and that the CPU is active.
Out of Memory Error
Condition
The following error message is displayed in the log:
“OutofMemory”.
Action
Increase the Java heap size to at least 1 GB.
Default Folders, Files, and Reports are Not Created
Condition
The migration tool fails to create default folders, log files, reports, and persistence data files.
Action
Make sure the user has file-system writing privileges and that there is enough disk space.
Migration Export Phase is Very Slow
Condition
The export phase of the migration process is very slow.
Action
Restart the Cisco Secure ACS appliance before starting the migration process to free up memory space.
Reporting Issues to Cisco TAC
If you cannot locate the source and potential resolution for a technical issue or problem, you can contact a Cisco customer service representative for information on how to resolve the issue. For information about the Cisco Technical Assistance Center (TAC), see the Cisco Information Packet publication that is shipped with your appliance or visit the following website:
http://www.cisco.com/cisco/web/support/index.html
Before you contact Cisco TAC, make sure that you have the following information ready:
• The appliance chassis type and serial number.
• The maintenance agreement or warranty information (see Cisco Information Packet).
• The name, type of software, and version or release number (if applicable).
• The date you received the new appliance.
• A brief description of the problem or condition you experienced, the steps you have taken to isolate or re-create the problem, and a description of any steps you took to resolve the problem.
• Migration logfile (...migration/bin/migration.log).
• All the reports in the config folder (...migration/config).
• Cisco Secure ACS, Release 5.5 or 5.6 logfiles.
• Cisco Secure ACS, Release 5.5 or 5.6 build number.