Cisco Identity Services Engine, Release 1.3 Migration Tool Guide
First Published: 2014-10-31
Last Modified: 2014-10-31
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000 800 553-NETS (6387)
Fax: 408 527-0883
© 2014 Cisco Systems, Inc. All rights reserved.
CONTENTS
Preface vii
Purpose vii
Audience viii
Document Conventions viii
Related Documentation ix
Chapter 1 Cisco Secure ACS to Cisco ISE Data Migration 1
Data Migration from Cisco Secure ACS 1
Supported Data Migration Paths 2
Supported Cisco Secure ACS Releases for Data Migration 2
Enabling the Migration Interfaces 3
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE 3
Migrating from Cisco Secure ACS, Release 3.x 4
Migrating from Cisco Secure ACS, Release 4.x 4
Migrating from Cisco Secure ACS, Release 5.x 5
Policy Models 5
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set 5
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set 6
Cisco Secure ACS Distributed Deployment Model 6
Cisco ISE Distributed Deployment Model 6
Migration Features 7
Data Export 7
Resume a Failed Data Migration 7
Migration of TACACS+ Features to Cisco ISE 7
Migration of External Proxy Servers 8
Migration of External Proxy Server Sequences 9
Migration Tool Reports 9
Export Report 10
Policy Gap Analysis Report 10
Import Report 11
UTF-8 Support 12
Network Access User Configuration 12
RSA 13
RADIUS Token 13
Policies 13
FIPS Support for ISE 802.1X Services 13
Cisco Secure ACS/Cisco ISE Version Validation 14
Chapter 2 Cisco Secure ACS to Cisco ISE Migration Tool 15
Data Migration from Cisco Secure ACS to Cisco ISE 15
Data Migration Time Estimate 15
Cisco Secure ACS to Cisco ISE Migration Tool 16
Minimum Data Configuration Required to Start Migration 16
Migration Tool Monitors Progress of Data Migration 17
Checkpoints to Continue Migration in the Migration Tool 17
Export Configuration Data from Cisco Secure ACS 17
Analyze Configuration Data 17
Data Persistence 17
Import Configuration Data into Cisco ISE 17
Software Requirements 17
Chapter 3 Data Migration Principles 19
Data Migration and Deployment Scenarios 19
Migrating Data from a Single Cisco Secure ACS Appliance 19
Migrating Data from a Distributed Environment 20
Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6 21
Policy Services Migration Guidelines 21
Per Policy Service Migration Guidelines 22
Cisco Secure ACS Policy Rules Migration Guidelines 23
Unsupported Rule Elements 23
Chapter 4 Migration Tool Installation 27
Migration Tool Installation Guidelines 27
System Requirements 28
Security Considerations 28
Downloading Migration Tool Files from Cisco ISE Admin Portal 28
Initializing the Cisco Secure ACS to Cisco ISE Migration Tool 29
Chapter 5 Persistent Data Transfer Procedure 33
Exporting Data from Cisco Secure ACS 33
Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS 36
Importing Data in to Cisco ISE 38
Migrated Data Verification in Cisco ISE 41
Appendix A Data Structure Mapping 43
Data Structure Mapping 43
Migrated Data Objects 43
Data Objects Not Migrated 44
Partially Migrated Data Objects 46
Supported Attributes and Data Types 46
User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 1.4 46
User Attribute: Association to the User 46
Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4 47
Host Attribute: Association to the Host 47
RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4 48
RADIUS Attribute: Association to RADIUS Server 48
Data Information Mapping 48
Network Device Mapping 49
Active Directory Mapping 49
External RADIUS Server Mapping 50
Hosts (Endpoints) Mapping 50
Identity Dictionary Mapping 51
Identity Group Mapping 52
LDAP Mapping 52
NDG Types Mapping 54
NDG Hierarchy Mapping 54
RADIUS Dictionary (Vendors) Mapping 54
RADIUS Dictionary (Attributes) Mapping 55
User Mapping 56
Certificate Authentication Profile Mapping 56
Authorization Profile Mapping 57
Downloadable ACL Mapping 57
External RADIUS Server Mapping 57
Identity Attributes Dictionary Mapping 58
RADIUS Token Mapping 58
RSA Mapping 60
RSA Prompts Mapping 60
Identity Store Sequences Mapping 61
Default Network Devices Mapping 61
Appendix B Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool 63
Unable to Start the Migration Tool 63
Error Messages Displayed in Logs 63
Connection Error 63
I/O Exception Error 64
Out of Memory Error 64
Default Folders, Files, and Reports are Not Created 64
Migration Export Phase is Very Slow 65
Reporting Issues to Cisco TAC 65
Preface
This guide describes the process for migrating data from a Cisco Secure Access Control Server (ACS), Release 5.5 or 5.6 to Cisco Identity Services Engine (ISE), Release 1.4, using the Cisco Secure ACS to Cisco ISE Migration Tool.
Note: Not all Cisco Secure ACS data can be migrated to Cisco ISE due to the functional gap that is dynamically changing with each Cisco Secure ACS or Cisco ISE release. The migration tool provides you a complete list of unsupported objects.
• Purpose, page vii
• Audience, page viii
• Document Conventions, page viii
• Related Documentation, page ix
Purpose
This migration guide is a part of the Cisco Identity Services Engine (ISE), Release 1.4 documentation set that includes the following information.
• Cisco Secure ACS to Cisco ISE Migration Tool installation requirements, prerequisites, and guidelines for data migration.
• Step-by-step procedures for migrating data from a Cisco Secure ACS, Release 5.5/5.6 database to the Cisco ISE, Release 1.4, appliance.
• Lists of Cisco Secure ACS, Release 5.5/5.6 data items that can be and cannot be migrated.
• Reference links to Cisco Secure ACS documentation, which defines the upgrade and migration procedures that are required by earlier releases of Cisco Secure ACS, Release 3.x and Release 4.x.
Audience
This migration guide is for network administrators who are responsible for migrating existing Cisco Secure ACS, Release 5.5/5.6 database information to a Cisco ISE, Release 1.4 appliance by using the Cisco Secure ACS to Cisco ISE Migration Tool.
Document Conventions
This document uses the following conventions:
Convention: Description
bold font: Commands and keywords and user-entered text appear in bold font.
Italic font: Document titles, new or emphasized terms, and arguments for which you supply values are in italic font.
[x]: Keywords or arguments in square brackets are optional.
[ ]: Default responses to system prompts appear in square brackets.
|: A vertical line, called a pipe, indicates a choice within a set of keywords or arguments.
[x | y]: Optional alternative keywords are grouped in brackets and separated by vertical bars.
{x | y}: Required alternative keywords are grouped in braces and separated by vertical bars.
[x {y | z}]: Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
Courier font: Examples of screen displays, prompts, and scripts appear in a monospace, fixed-width font.
Bold Courier font: Examples of information you enter.
< >: Nonprinting characters (for example, passwords) appear in angle brackets.
! #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.
Reader Alert Conventions
This document uses the following conventions for reader alerts:
Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.
Tip: Means the following information will help you solve a problem, or could be some useful information.
Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Timesaver: Means the described action saves time. You can save time by performing the action described in the paragraph.
Warning: Means reader be warned. In this situation, you might perform an action that could result in bodily injury.
Related Documentation
Release-Specific Documents
General product information for Cisco ISE is available at http://www.cisco.com/go/ise. End-user documentation is available on Cisco.com at http://www.cisco.com/c/en/us/support/security/identity-services-engine/tsd-products-support-series-home.html.
Table 1: Product Documentation for Cisco Identity Services Engine
Document Title / Location
Release Notes for Cisco Identity Services Engine, Release 1.4
  Location: http://www.cisco.com/en/US/products/ps11640/prod_release_notes_list.html
Cisco Identity Services Engine Network Component Compatibility, Release 1.4
  Location: http://www.cisco.com/en/US/products/ps11640/products_device_support_tables_list.html
Cisco Identity Services Engine User Guide, Release 1.4
Cisco Identity Services Engine Sponsor Portal User Guide, Release 1.4
  Location: http://www.cisco.com/en/US/products/ps11640/products_user_guide_list.html
Cisco Identity Services Engine Hardware Installation Guide, Release 1.4
Cisco Identity Services Engine Upgrade Guide, Release 1.4
Cisco Identity Services Engine, Release 1.4 Migration Tool Guide
Regulatory Compliance and Safety Information for Cisco Identity Services Engine 3400 Series Appliance and Cisco 3400 Secure Access Control System
  Location: http://www.cisco.com/en/US/products/ps11640/prod_installation_guides_list.html
Cisco Identity Services Engine CLI Reference Guide, Release 1.4
Cisco Identity Services Engine API Reference Guide, Release 1.4
  Location: http://www.cisco.com/en/US/products/ps11640/prod_command_reference_list.html
Cisco Identity Services Engine In-Box Documentation and China RoHS Pointer Card
  Location: http://www.cisco.com/en/US/products/ps11640/products_documentation_roadmaps_list.html
Platform-Specific Documents
Links to other platform-specific documentation are available at the following locations:
Table 2: Platform-Specific Documents
Cisco ISE: http://www.cisco.com/en/US/products/ps11640/tsd_products_support_series_home.html
Cisco NAC Appliance: http://www.cisco.com/en/US/products/ps6128/tsd_products_support_series_home.html
Cisco NAC Guest Server: http://www.cisco.com/en/US/products/ps10160/tsd_products_support_series_home.html
Cisco NAC Profiler: http://www.cisco.com/en/US/products/ps8464/tsd_products_support_series_home.html
Cisco Secure Access Control System: http://www.cisco.com/en/US/products/ps9911/tsd_products_support_series_home.html
Cisco UCS C-Series Servers: http://www.cisco.com/en/US/docs/unified_computing/ucs/overview/guide/UCS_rack_roadmap.html
Chapter 1
Cisco Secure ACS to Cisco ISE Data Migration
This chapter describes information related to data migration from Cisco Secure Access Control System (ACS), Release 5.5 or 5.6, to Cisco Identity Services Engine (ISE), Release 1.4.
• Data Migration from Cisco Secure ACS, page 1
• Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, page 3
• Policy Models, page 5
• Cisco Secure ACS Distributed Deployment Model, page 6
• Cisco ISE Distributed Deployment Model, page 6
• Migration Features, page 7
• Migration Tool Reports, page 9
• UTF-8 Support, page 12
• FIPS Support for ISE 802.1X Services, page 13
• Cisco Secure ACS/Cisco ISE Version Validation, page 14
Data Migration from Cisco Secure ACS
Before you migrate the existing Cisco Secure ACS, Release 5.5 or 5.6 data to a Cisco ISE, Release 1.4, VM or appliance, ensure that you have read and understood all setup, backup, and installation instructions.
We recommend that you fully understand the related data structure and schema differences between Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 1.4 systems before you attempt to migrate existing Cisco Secure ACS, Release 5.5 or 5.6 data.
When you migrate from a Cisco Secure ACS, Release 5.5 or 5.6 database to Cisco ISE, Release 1.4, data migration supports the following:
• Provides support for the features of Cisco Secure ACS, Release 5.5 or 5.6 in Cisco ISE, Release 1.4.
• Provides support for new features in Cisco ISE, Release 1.4 when data is migrated from Cisco Secure ACS, Release 5.5 or 5.6.
Note: Not all Cisco Secure ACS data can be migrated into Cisco ISE due to the functional gap that is dynamically changing with each Cisco Secure ACS or Cisco ISE release. Migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4 minimizes the configuration gap, which means it supports Cisco Secure ACS features that were not supported before in Cisco ISE.
Note: Due to the differences in the Cisco ISE and Cisco Secure ACS data related to the naming convention, policy hierarchy, pre-defined objects, and so on, the migration tool may not support all objects. However, it displays warnings and errors for objects that are not migrated to facilitate corrective measures.
Related Topics
Supported Data Migration Paths, on page 2
Enabling the Migration Interfaces, on page 3
Supported Cisco Secure ACS Releases for Data Migration, on page 2
Supported Data Migration Paths
You cannot migrate data from Cisco Secure ACS, Releases 3.x, 4.x, and 5.x to Cisco ISE, Release 1.0, but previous data migration is supported only from Cisco Secure ACS, Release 5.1 to Cisco ISE, Release 1.0; Cisco Secure ACS, Release 5.1/5.2 to Cisco ISE, Release 1.1; or Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2.
Data migration from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4 is now supported using the Cisco Secure ACS to Cisco ISE Migration Tool. You can also upgrade Cisco Secure ACS, Release 3.x to Cisco Secure ACS, Release 4.x, and then to Cisco Secure ACS, Release 5.5 or 5.6.
Related Topics
Data Migration from Cisco Secure ACS, on page 1
Supported Cisco Secure ACS Releases for Data Migration
You can migrate data from earlier releases of Cisco Secure ACS software to a point where you can migrate it to Cisco ISE, Release 1.4.
Depending upon the starting release of the Cisco Secure ACS data that you want to migrate to a Cisco ISE, Release 1.4, appliance, there may be several migration stages required before you can use the migration tool.
Related Topics
Data Migration from Cisco Secure ACS, on page 1
Enabling the Migration Interfaces
Before you can begin the migration process, you must enable the interfaces used for the data migration on the Cisco Secure ACS and Cisco ISE servers. It is recommended to disable the migration interfaces on both servers after the migration process is completed.
Step 1 Enable the migration interface on the Cisco Secure ACS machine by entering the following command in the Cisco Secure ACS CLI:
acs config-web-interface migration enable
Step 2 Enable the migration interface on the Cisco ISE server by performing the following tasks:
a) In the Cisco ISE CLI, enter application configure ise.
b) Enter 11 to enable/disable ACS Migration.
c) Enter Y.
Note: Disable the migration interface on the Cisco Secure ACS machine after the migration process is completed, using the following command: acs config-web-interface migration disable
Note: Disable the migration interface on the Cisco ISE server after the migration process is completed.
Related Topics
Data Migration from Cisco Secure ACS, on page 1
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE
You can migrate earlier releases of Cisco Secure ACS data to the Cisco Secure ACS, Release 5.5 or 5.6 state so that it can be migrated to a Cisco ISE, Release 1.4, appliance using the migration tool.
Related Topics
Migrating from Cisco Secure ACS, Release 3.x, on page 4
Migrating from Cisco Secure ACS, Release 4.x, on page 4
Migrating from Cisco Secure ACS, Release 5.x, on page 5
Migrating from Cisco Secure ACS, Release 3.x
If you are running Cisco Secure ACS, Release 3.x in your environment, upgrade to a migration-supported version of Cisco Secure ACS, Release 4.x, and then upgrade to Cisco Secure ACS, Release 5.5 or 5.6.
Step 1 Check the upgrade path for Cisco Secure ACS, Release 3.x, as described in the Installation Guide for Cisco Secure ACS Solution Engine 4.1 or Installation Guide for Cisco Secure ACS Solution Engine 4.2.
Step 2 Upgrade your Cisco Secure ACS, Release 3.x server to a migration-supported version of Cisco Secure ACS, Release 4.x. For example, upgrade to one of the following releases: Cisco Secure ACS 4.1.1.24, Cisco Secure ACS 4.1.4, Cisco Secure ACS 4.2.0.124, or Cisco Secure ACS 4.2.1.
Step 3 After the upgrade, follow the steps that describe migrating from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 3
Migrating from Cisco Secure ACS, Release 4.x
If you are not running one of the migration-supported versions of Cisco Secure ACS, Release 4.x in your environment, upgrade to a point where you can migrate from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.
Step 1 Upgrade the Cisco Secure ACS, Release 4.x version to a migration-supported version, if your Cisco Secure ACS, Release 4.x server currently does not run one of the migration-supported versions.
Step 2 Install the same migration-supported version of Cisco Secure ACS on the migration machine, which is a Windows server.
Step 3 Back up the Cisco Secure ACS, Release 4.x data and restore it on the migration machine.
Step 4 Place the Migration utility on the migration machine. You can get the Migration utility from the Installation and Recovery DVD.
Step 5 Run the Analyze and Export phase of the Migration utility on the migration machine.
Step 6 Resolve any issues in the Analyze and Export phase.
Step 7 Run the Import phase of the Migration utility on the migration machine. During this phase, the Migration utility imports data into the Cisco Secure ACS, Release 5.5 or 5.6 server.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 3
Migrating from Cisco Secure ACS, Release 5.x
If you are running Cisco Secure ACS, Release 5.x in your environment, you must upgrade to Cisco Secure ACS, Release 5.5 or 5.6.
Related Topics
Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 3
Policy Models
Cisco Secure ACS and Cisco ISE both have simple and rule-based authentication paradigms, but they are based on different policy models, which makes migrating policies from Cisco Secure ACS to Cisco ISE somewhat complex.
The Cisco Secure ACS policy hierarchy starts with the Service Selection rule that redirects the authentication requests to the access services. The access services consist of identity and authorization policies that authenticate the user against internal or external identity stores and authorize the users based on the conditions defined.
Authentication and authorization policies are migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4. Cisco ISE, Release 1.4 supports the new policy model called Policy Set, which is similar to the Service Selection Policy (SSP) in Cisco Secure ACS, Release 5.5/5.6, thus simplifying the policy migration process.
Related Topics
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set, on page 5
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set, on page 6
Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set
The Cisco Secure ACS, Release 5.5/5.6 Service Selection Policy (SSP) distributes requests to the appropriate services based on SSP rules, whereas a Cisco ISE policy set holds a rule that contains the entry criteria for the policy set. The order of the policy sets is the same as the order of their entry rules, which is similar to the order of the SSP rules.
Several SSP rules may request the same service (that is, reuse a service) in Cisco Secure ACS. However, each policy set carries its own entry condition; therefore, you cannot reuse a policy set in Cisco ISE. If you want to migrate a single service that is requested by several SSP rules, you must create multiple policy sets that are copies of that service, which means that you must create a policy set in Cisco ISE for each SSP rule that requests the same service in Cisco Secure ACS.
You can define SSP rules as disabled or monitored in Cisco Secure ACS, but the equivalent entry rules of a policy set are always enabled in Cisco ISE. If SSP rules are disabled or monitored in Cisco Secure ACS, the policy services that are requested by those SSP rules cannot be migrated to Cisco ISE.
Related Topics
Policy Models, on page 5
Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set
In Cisco Secure ACS you can define a policy service without requesting that service, which means that you can define a policy service that no rule in the SSP activates. Cisco Secure ACS, Release 5.5 or 5.6 has an out-of-the-box DenyAccess service, which has neither policies nor allowed protocols, for the default SSP rule in Cisco Secure ACS; it automatically denies all requests. There is no equivalent policy set in Cisco ISE, and you cannot have a policy set without an entry rule that refers to that policy set in Cisco ISE.
In Cisco Secure ACS, Release 5.5 or 5.6, allowed protocols are attached to the entire service (not to a specific policy) and are not conditioned, except by the condition in the SSP that points to the entire service. In Cisco ISE, allowed protocols refer only to the authentication policies, as the result of a conditioned outer rule.
In Cisco Secure ACS, Release 5.5 or 5.6, the identity policy is a flat list of rules that results in an identity source (identity source or identity store sequence). In Cisco ISE, an authentication policy holds two levels of rules: outer policy rules and inner policy rules. The outer policy rules result in allowed protocols and are the entry criteria to the set of inner policy rules. The inner policy rules result in an identity source.
Both Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 1.4, include an optional exception policy attached to each authorization policy. Cisco ISE, Release 1.4 also provides an optional Global Exception Policy, which affects all authorization policies. There is no equivalent to the Global Exception Policy in Cisco Secure ACS, Release 5.5 or 5.6. For authorization, the local exception policy is processed first, followed by the Global Exception Policy and then the authorization policy.
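The two preceding sections state the rules that decide which ACS access services become ISE policy sets: order follows the SSP rules, each enabled SSP rule gets its own policy set (a reused service is copied once per rule), disabled or monitored rules migrate nothing, the DenyAccess-style service with no policies and no allowed protocols has no equivalent, and a service no SSP rule requests has no entry rule and so no policy set. The following Python model, added here as an illustration and not part of the Cisco migration tool or of this guide, applies those rules to a constructed sample configuration; the data classes, the field names, and the "(copy N)" naming of duplicated policy sets are assumptions of the example, not the tool's behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class AccessService:
    """Constructed model of an ACS access service: allowed protocols plus the
    identity and authorization policies (rule names only; bodies are not needed)."""
    name: str
    allowed_protocols: List[str]
    identity_rules: List[str]
    authorization_rules: List[str]


@dataclass
class SspRule:
    """Constructed model of a Service Selection Policy rule.
    state is 'enabled', 'disabled' or 'monitored'."""
    name: str
    condition: str
    service: str
    state: str = "enabled"


@dataclass
class PolicySet:
    """Constructed model of the ISE counterpart: one entry condition, the allowed
    protocols, and the authentication/authorization rules copied from the service."""
    name: str
    entry_condition: str
    allowed_protocols: List[str]
    authentication_rules: List[str]
    authorization_rules: List[str]


@dataclass
class MappingResult:
    policy_sets: List[PolicySet] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)


def map_ssp_to_policy_sets(rules: List[SspRule], services: List[AccessService]) -> MappingResult:
    """Derive ISE policy sets from ACS SSP rules using the rules stated in the guide."""
    result = MappingResult()
    by_name: Dict[str, AccessService] = {s.name: s for s in services}
    copies: Dict[str, int] = {}
    for rule in rules:  # policy sets keep the SSP rule order
        if rule.state != "enabled":
            # Entry rules are always enabled in ISE, so a disabled/monitored SSP rule
            # has no equivalent and the service it requests is not migrated through it.
            result.warnings.append(
                f"SSP rule '{rule.name}' is {rule.state}; service '{rule.service}' is not migrated")
            continue
        svc = by_name.get(rule.service)
        if svc is None:
            result.warnings.append(f"SSP rule '{rule.name}' requests unknown service '{rule.service}'")
            continue
        if not (svc.allowed_protocols or svc.identity_rules or svc.authorization_rules):
            # The out-of-the-box DenyAccess service: nothing to carry over.
            result.warnings.append(
                f"service '{svc.name}' has no policies and no allowed protocols; no equivalent policy set")
            continue
        copies[svc.name] = copies.get(svc.name, 0) + 1
        n = copies[svc.name]
        # One policy set per requesting rule; the copy naming is this example's assumption.
        ps_name = svc.name if n == 1 else f"{svc.name} (copy {n})"
        result.policy_sets.append(PolicySet(ps_name, rule.condition, list(svc.allowed_protocols),
                                            list(svc.identity_rules), list(svc.authorization_rules)))
    # A service that no SSP rule requests cannot get an entry rule, hence no policy set.
    requested = {r.service for r in rules}
    for svc in services:
        if svc.name not in requested:
            result.warnings.append(
                f"service '{svc.name}' is not requested by any SSP rule; no entry rule, not migrated")
    return result


def demo() -> MappingResult:
    """Constructed sample: four services and four SSP rules (one monitored, one reusing a service)."""
    services = [
        AccessService("Default Network Access", ["PEAP", "EAP-TLS"], ["Internal Users"], ["Permit Employees"]),
        AccessService("Default Device Admin", ["PAP/ASCII"], ["AD Admins"], ["Shell Admin"]),
        AccessService("DenyAccess", [], [], []),
        AccessService("Lab Access", ["EAP-TLS"], ["Lab Users"], ["Permit Lab"]),
    ]
    rules = [
        SspRule("Wired 802.1X", "Protocol = RADIUS", "Default Network Access"),
        SspRule("Device Admin", "Protocol = TACACS+", "Default Device Admin", state="monitored"),
        SspRule("Wireless 802.1X", "Device Type = WLC", "Default Network Access"),
        SspRule("Default", "(none)", "DenyAccess"),
    ]
    return map_ssp_to_policy_sets(rules, services)


if __name__ == "__main__":
    r = demo()
    for ps in r.policy_sets:
        print(f"policy set '{ps.name}' entry: {ps.entry_condition}")
    for w in r.warnings:
        print("warning:", w)
```

Running `demo()` yields two policy sets for the single "Default Network Access" service, one per requesting SSP rule and in rule order, plus three warnings that correspond to the three exclusions the guide describes. Comparing the warning list against the Policy Gap Analysis Report after an actual export is a reasonable sanity check that no service was silently dropped.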
Related Topics
Policy Models, on page 5
Cisco Secure ACS Distributed Deployment Model
The Cisco Secure ACS deployment model consists of one primary and multiple secondary Cisco Secure ACS servers, where configuration changes are made on the primary Cisco Secure ACS server. These configurations are replicated to the secondary Cisco Secure ACS servers. All primary and secondary Cisco Secure ACS servers can process AAA requests. The primary Cisco Secure ACS server is also the default log collector for the Monitoring and Report Viewer, although you can configure any Cisco Secure ACS server to be the log collector.
Cisco ISE Distributed Deployment Model
The Cisco ISE deployment model consists of one primary node with multiple secondary nodes. Each Cisco ISE node in a deployment can take one or more of the following personas: Administration, Policy Service, and Monitoring. After you install Cisco ISE, all the nodes will be in the standalone state. You must define one of the Cisco ISE nodes as the primary node running the Administration persona. After defining the primary node, you can configure other Cisco ISE nodes with Policy Service and Monitoring personas. You can then register other secondary nodes with the primary node and define specific roles for each of them. When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. All configuration changes are made on the primary Administration ISE node and replicated to the secondary nodes. The Monitoring ISE node acts as the log collector.
Migration Features
The migration tool is responsible for transferring Cisco Secure ACS data to Cisco ISE and performs three major steps:
1 Exports data from Cisco Secure ACS.
2 Persists data in the migration tool.
3 Imports data into Cisco ISE.
Related Topics
Data Export, on page 7
Data Import
Object Scalability
Resume a Failed Data Migration, on page 7
Data Export
The first stage in the migration process is to export Cisco Secure ACS data using the Cisco Secure ACS Programmatic Interface (PI). You have to log in to the Cisco Secure ACS, Release 5.5 or 5.6 system from which you will be exporting data and request to export the data into the migration application. The exported data is validated to verify whether it can be imported into a Cisco ISE, Release 1.4 appliance successfully. In cases where the data is invalid, the status is logged in the Export Report.
Related Topics
Migration Features, on page 7
Resume a Failed Data Migration
The migration tool maintains a checkpoint at each stage of the import or export operation. This means that if the process of importing or exporting fails, you do not have to restart the process from the beginning. You can start from the last checkpoint before the failure occurred.
If the migration process fails, the migration tool terminates the process. When you restart the migration tool after a failure, a dialog box is displayed that allows you to choose to resume the previous import/export or discard the previous process and start a new migration process. If you choose to resume the previous process, the migration process resumes from the last checkpoint. Resuming from a failure also resumes the report from the previous process.
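The checkpoint behaviour described above (stop on failure, then either resume from the last checkpoint or discard and start over) is illustrated by the following Python example. It is added here for explanation and is not the migration tool's code: the tool's actual checkpoint granularity and storage format are not documented on this page, so the example checkpoints once per stage (export, persist, import) into a constructed JSON file, and the stage handlers are stand-ins.

```python
import json
import os
import tempfile
from typing import Callable, Dict, List

# The three major steps named under "Migration Features".
STAGES = ["export", "persist", "import"]


class MigrationFailed(Exception):
    """Raised by a stage handler; stands in for the tool terminating the process."""


def load_checkpoint(path: str) -> List[str]:
    """Return the stages recorded as completed, or an empty list on a fresh start."""
    if not os.path.exists(path):
        return []
    with open(path, "r", encoding="utf-8") as fh:
        return json.load(fh)["completed"]


def save_checkpoint(path: str, completed: List[str]) -> None:
    """Write the checkpoint via a temporary file and atomic rename, so a crash
    in the middle of writing cannot leave a half-written checkpoint behind."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump({"completed": completed}, fh)
    os.replace(tmp, path)


def run_migration(path: str, handlers: Dict[str, Callable[[], None]], resume: bool = True) -> List[str]:
    """Run the stages in order.

    resume=True  -> stages already in the checkpoint are skipped (the 'resume' choice).
    resume=False -> the previous checkpoint is discarded and every stage reruns.
    Returns the stages executed in this invocation. If a handler raises, the run
    stops and the checkpoint stays at the last stage that completed.
    """
    if not resume and os.path.exists(path):
        os.remove(path)
    completed = load_checkpoint(path) if resume else []
    executed: List[str] = []
    for stage in STAGES:
        if stage in completed:
            continue
        handlers[stage]()  # may raise MigrationFailed
        executed.append(stage)
        completed.append(stage)
        save_checkpoint(path, completed)
    return executed


def demo():
    """Constructed scenario: the import stage fails once, the run is resumed,
    then the process is discarded and restarted from scratch."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "checkpoint.json")
        attempts = {"import": 0}

        def export() -> None:
            pass

        def persist() -> None:
            pass

        def flaky_import() -> None:
            attempts["import"] += 1
            if attempts["import"] == 1:
                raise MigrationFailed("simulated I/O error while importing into ISE")

        handlers = {"export": export, "persist": persist, "import": flaky_import}
        try:
            run_migration(path, handlers)
        except MigrationFailed:
            pass
        after_failure = load_checkpoint(path)   # export and persist survived
        resumed = run_migration(path, handlers)  # only import reruns
        fresh = run_migration(path, handlers, resume=False)  # all three rerun
        return after_failure, resumed, fresh


if __name__ == "__main__":
    print(demo())
```

The point of the atomic write in `save_checkpoint` is that a checkpoint which is itself corrupted on failure would defeat its purpose; whatever format the real tool uses, the checkpoint file is worth backing up before you choose "discard" in the restart dialog, since that choice removes the only record of what was already exported.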
Related Topics
Migration Features, on page 7
Migration of TACACS+ Features to Cisco ISE
Given below are the TACACS+ settings that are migrated to Cisco ISE.
• Enable Password: Internal users are migrated from Cisco Secure ACS along with the enable password attribute to Cisco ISE.
• Network Devices: Network devices configured with TACACS+ settings, such as shared secret and single connect mode, in Cisco Secure ACS are exported to the migration tool.
  ◦ Default Network Device: The default network device object configured with TACACS+ settings is exported from Cisco Secure ACS and imported to ISE during migration on a fresh installation of Cisco ISE, Release 2.0. In an existing Cisco ISE configuration, the default network devices (with RADIUS and TACACS+ settings) are updated.
• Shell Profiles: The shell profile object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Profiles page. The page contains predefined attributes that are identified by ISE, and the rest of them are displayed as custom attributes. The migrated attributes have a description to indicate that they were migrated from Cisco Secure ACS. Both static and dynamic attributes are supported.
• Command Sets: The command sets object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Command Sets page. Cisco Secure ACS adds a description for migrated objects that do not have one. For migrated objects that already have a description, Cisco Secure ACS retains the same.
• TACACS Global Settings: The TACACS+ Global Settings object in Cisco Secure ACS is exported to the migration tool, and validation errors or warnings are reported. The data can be imported as part of the predefined data objects in the migration tool.
• TACACS Policies: TACACS+ authentication, authorization, and authorization exception policies for the device administration service are imported to Cisco ISE. The results of an authorization policy rule may be command sets and a shell profile. If a command set or shell profile is not exported due to an error, then the policy is not exported to the migration tool.
During migration, the migration tool maintains two policy sets, one for network access and another for device administration services. During import to ISE, the migration tool checks the type of service and determines the policy to which it has to be imported.
Note: Be sure to check the policy configuration in Cisco ISE after migration.
Migration of External Proxy Servers
The migration tool can export proxy objects from the following external proxy servers:
• TACACS+ External Proxy Server: When an external proxy server is configured with TACACS+, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > External TACACS Servers page.
• RADIUS External Proxy Server: When an external proxy server is configured with RADIUS, the RADIUS objects are migrated to the Administration > Network Resources > External RADIUS Servers page.
• Cisco Secure ACS External Proxy Server:
When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS+ and RADIUS) option, the TACACS+ and RADIUS objects are migrated to different locations. The TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > External TACACS Servers page with the word "TACACS_" prefixed to the object name. The RADIUS objects are migrated to the Administration > Network Resources > External RADIUS Servers page with the word "RADIUS_" prefixed to the object name.
Cisco Secure ACS does not support single connect configuration; therefore, during import the migration application creates the proxy objects with the default values supported by Cisco ISE for this attribute.
Migration of External Proxy Server Sequences
The migration tool can export a set of external servers from the following external proxy servers:
• TACACS+ External Proxy Server: When an external proxy server is configured with a TACACS+ server sequence, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page.
• RADIUS External Proxy Server: When an external proxy server is configured with a RADIUS server sequence, the RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page.
• Cisco Secure ACS External Proxy Server: When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS and RADIUS) option, the TACACS and RADIUS objects are migrated to different locations. The TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page with the word "TACACS_" prefixed to the object name. The RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page with the word "RADIUS_" prefixed to the object name.
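The previous two sections ("Migration of External Proxy Servers" and "Migration of External Proxy Server Sequences") describe the same placement rule for two object kinds: a TACACS+ or RADIUS proxy object keeps its name and lands on one ISE page, while a Cisco Secure ACS-type object is split into a "TACACS_"-prefixed and a "RADIUS_"-prefixed object on two pages, and the single connect attribute ACS does not have is filled with the ISE default. The following Python example, added here as an illustration and not the migration tool's code, encodes that rule for both servers and sequences and adds a check the guide does not mention but a practitioner would want: the prefixing can collide with an existing object that already carries the prefix in its name. The data classes and the single connect placeholder value are assumptions of the example; the page names are the ones the guide gives.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

# ISE destination pages named in the guide, keyed by (object kind, protocol).
DESTINATIONS = {
    ("server", "tacacs"): "Work Centers > Device Administration > Network Resources > External TACACS Servers",
    ("server", "radius"): "Administration > Network Resources > External RADIUS Servers",
    ("sequence", "tacacs"): "Work Centers > Device Administration > Network Resources > TACACS Server Sequence",
    ("sequence", "radius"): "Administration > Network Resources > RADIUS Server Sequence",
}

# ACS has no single connect setting for proxy objects, so the import supplies the ISE
# default. The guide does not state that default; this placeholder stands in for it.
ISE_DEFAULT_SINGLE_CONNECT = "<ISE default>"


@dataclass
class AcsExternalProxy:
    """Constructed model of an ACS external proxy object.
    protocol is 'tacacs', 'radius' or 'acs' (the option carrying both protocols);
    kind is 'server' or 'sequence'."""
    name: str
    protocol: str
    kind: str = "server"


@dataclass
class IseProxyObject:
    """Constructed model of the resulting ISE object and the page it appears on."""
    name: str
    protocol: str
    destination: str
    single_connect: str = ISE_DEFAULT_SINGLE_CONNECT


def map_external_proxy(obj: AcsExternalProxy) -> List[IseProxyObject]:
    """Place one ACS proxy object on the ISE page(s) the guide names."""
    if obj.kind not in ("server", "sequence"):
        raise ValueError(f"unknown object kind: {obj.kind}")
    if obj.protocol in ("tacacs", "radius"):
        # Single-protocol object: same name, one destination page.
        return [IseProxyObject(obj.name, obj.protocol, DESTINATIONS[(obj.kind, obj.protocol)])]
    if obj.protocol == "acs":
        # Cisco Secure ACS option: split into a TACACS_ and a RADIUS_ object.
        return [
            IseProxyObject("TACACS_" + obj.name, "tacacs", DESTINATIONS[(obj.kind, "tacacs")]),
            IseProxyObject("RADIUS_" + obj.name, "radius", DESTINATIONS[(obj.kind, "radius")]),
        ]
    raise ValueError(f"unknown proxy protocol: {obj.protocol}")


def migrate_all(objects: List[AcsExternalProxy]) -> List[IseProxyObject]:
    """Map every object and refuse duplicate (page, name) pairs, which the prefixing
    can produce if ACS already holds an object named TACACS_<x> or RADIUS_<x>."""
    out: List[IseProxyObject] = []
    seen: Set[Tuple[str, str]] = set()
    for obj in objects:
        for ise_obj in map_external_proxy(obj):
            key = (ise_obj.destination, ise_obj.name)
            if key in seen:
                raise ValueError(f"duplicate object '{ise_obj.name}' on page '{ise_obj.destination}'")
            seen.add(key)
            out.append(ise_obj)
    return out


def demo() -> List[IseProxyObject]:
    """Constructed sample: one server of each protocol plus an ACS-type server sequence."""
    return migrate_all([
        AcsExternalProxy("corp-tacacs", "tacacs"),
        AcsExternalProxy("corp-radius", "radius"),
        AcsExternalProxy("legacy-acs", "acs"),
        AcsExternalProxy("acs-seq", "acs", kind="sequence"),
    ])


if __name__ == "__main__":
    for o in demo():
        print(f"{o.name:22} -> {o.destination}")
```

The four constructed inputs produce six ISE objects; verifying that count (and the two prefixed names) against the objects listed in `import_report.txt` after a real run is a quick way to confirm that the ACS-type proxies were split as described rather than dropped.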
Migration Tool Reports
The migration tool generates import, export, and policy gap analysis reports during a Cisco Secure ACS, Release 5.5/5.6 data migration.
If you want to share the report files or save them to another location, you can find the following files in the Reports folder of the migration tool directory:
• import_report.txt
• export_report.txt
• policy_gap_report.txt
Related Topics
Export Report, on page 10
Policy Gap Analysis Report, on page 10
Import Report, on page 11
Export Report
This report indicates specific information or errors that are encountered during the export of data from the Cisco Secure ACS database. It contains a data analysis section at the end of the report, which describes the functional gap between Cisco Secure ACS and Cisco ISE. The export report also includes error information for exported objects that will not be imported.
Table 3: Cisco Secure ACS to Cisco ISE Migration Tool Export Report

Report type: Export
Message type: Information
Message: Lists the names of the data objects that were exported successfully.

Report type: Export
Message type: Warning
Message: Lists export failures or exports that were not attempted because the data object is not supported by Cisco ISE, Release 1.4 (for example, a TACACS-based device).
Related Topics
Migration Tool Reports, on page 9
Policy Gap Analysis Report
This report lists specific information related to the policy gap between Cisco Secure ACS and Cisco ISE. It is available after the export process completes, by clicking the Policy Gap Analysis Report button in the migration tool user interface.
During the export phase, the migration tool identifies the gaps in the authentication and authorization policies. Any policy that is not migrated is listed in the Policy Gap Analysis report. The report lists all the incompatible rules and conditions that are related to policies, and describes the data that cannot be migrated, the reason, and a manual workaround.
Some conditions can be automatically migrated by using the appropriate Cisco ISE terminology; for example, a condition named Device Type In is migrated as Device Type Equals. If a condition is supported or can be automatically translated, it does not appear in the report. If a condition is found to be "Not Supported" or "Partially Supported," the policy is not imported and the conditions appear in the report. It is the responsibility of the administrator who is performing the migration to modify or delete such conditions. If they are not modified or deleted, the policies are not migrated to Cisco ISE.
Figure 1: Example of Policy Gap Analysis Report
Related Topics
Migration Tool Reports, on page 9
Import Report
This report indicates specific information or errors that are encountered during the import of data into the Cisco ISE appliance.
Table 4: Cisco Secure ACS to Cisco ISE Migration Tool Import Report

Report type: Import
Message type: Information
Message: Lists the names of the data objects that were imported successfully.

Report type: Import
Message type: Error
Message: Identifies a data object error due to one of the following:
• Object exists already
• Object name exceeds the character limit
• Object name contains unsupported special characters
• Object contains unsupported data characters
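Three of the error classes in the import report (object already exists, name exceeds the character limit, name contains unsupported special characters) can be checked before the import phase, which may run for many hours. The following is an added example, not part of this guide or of the migration tool, that performs that pre-check over a constructed list of object names. The guide does not state the character limit or the rejected character set, so MAX_NAME_LENGTH and DISALLOWED_CHARS are assumptions to be confirmed against the Cisco ISE object type being imported; the sample names and the "already on ISE" set are constructed.

```python
import unicodedata
from collections import Counter
from typing import Dict, Iterable, List

# ASSUMED values for illustration: the guide does not state the character
# limit or the rejected characters, so confirm both against the ISE object
# type you import (for example, network device or identity group names).
MAX_NAME_LENGTH = 32
DISALLOWED_CHARS = set('<>"&;/\\%$*?|')


def name_problems(name: str, existing: set, seen: Counter) -> List[str]:
    """Return the import-report error classes that this object name would trigger."""
    problems = []
    if name in existing:
        problems.append("object exists already")
    if seen[name] > 1:
        problems.append("duplicate name within the export")
    if len(name) > MAX_NAME_LENGTH:
        problems.append(f"object name exceeds the character limit ({MAX_NAME_LENGTH})")
    # Control characters (Unicode category C*) and the assumed punctuation set are
    # flagged; accented or non-Latin letters pass because names are UTF-8 (see below).
    bad = sorted({ch for ch in name
                  if ch in DISALLOWED_CHARS or unicodedata.category(ch).startswith("C")})
    if bad:
        problems.append("object name contains unsupported special characters: "
                        + repr("".join(bad)))
    return problems


def precheck_names(names: Iterable[str], existing: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Map each problematic name to its problems; names with no problems are omitted."""
    names = list(names)
    seen = Counter(names)
    existing_set = set(existing)
    report: Dict[str, List[str]] = {}
    for name in names:
        problems = name_problems(name, existing_set, seen)
        if problems:
            report[name] = problems
    return report


# Constructed sample export: object names as an ACS export might list them.
SAMPLE_NAMES = [
    "Core-Switch-01",
    "Müller-Büro-Switch",                          # UTF-8 letters: allowed
    "Branch<Router>",                              # angle brackets: rejected (assumed)
    "Core-Switch-01",                              # duplicate within the export
    "A-very-long-network-device-group-name-2014",  # over the assumed limit
    "Guest\tPortal",                               # control character (tab)
]
# Names already present on the target ISE node (constructed).
EXISTING_ON_ISE = {"Müller-Büro-Switch"}

if __name__ == "__main__":
    for name, problems in precheck_names(SAMPLE_NAMES, EXISTING_ON_ISE).items():
        print(f"{name!r}: {'; '.join(problems)}")
```

Run it against the object names taken from the export report before starting the import; every name it flags would otherwise surface as an Error row in import_report.txt only after the import has run.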
Related Topics
Migration Tool Reports, on page 9
UTF-8 Support
Cisco ISE, Release 1.4 supports 8-bit Unicode Transformation Format (UTF-8) for some administration configurations. The following configuration items are exported and imported with UTF-8 encoding:
• Network Access User Configuration
• RSA
• RADIUS Token
• Policies
• Identity Group Mapping
Network Access User Configuration
• Username
• Password and re-enter password
• First name
• Last name
RSA
RSA prompts and messages are shown to the end user by the supplicant.
• Messages
• Prompts
RADIUS Token
The RADIUS token prompt is presented on the end-user supplicant.
• Authentication Tab > Prompts
• Administrator Configuration
• Administrator username and password
• Configure administrator by using UTF-8
Policies
• Authentication > Value for AV expression
• Authorization > Other Conditions > Value for AV expression
• Attribute-value conditions
• Authentication > Simple Condition/compound Condition > Value for AV expression
• Authorization > Simple Condition/compound Condition > Value for AV expression
FIPS Support for ISE 802.1X Services
Do not enable Cisco ISE FIPS mode before the migration process is complete.
To support the Federal Information Processing Standard (FIPS), the migration tool migrates the default network device keywrap data.
FIPS-compliant and supported protocols:
• Process Host Lookup
• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)
• Protected Extensible Authentication Protocol (PEAP)
• EAP-Flexible Authentication via Secure Tunneling (FAST)
FIPS-noncompliant and unsupported protocols:
• EAP-Message Digest 5 (MD5)
• Password Authentication Protocol (PAP) and ASCII
• Challenge Handshake Authentication Protocol (CHAP)
• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)
• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)
• Lightweight Extensible Authentication Protocol (LEAP)
Cisco Secure ACS/Cisco ISE Version Validation
The migration tool identifies the Cisco Secure ACS release version before the export phase begins. The migration process does not start if the Cisco Secure ACS version is not one of 5.5, 5.6, 5.7, or 5.8. In addition, before importing the data into Cisco ISE, the tool verifies that the Cisco ISE release version is 1.4.
C H A P T E R 2
Cisco Secure ACS to Cisco ISE Migration Tool
This chapter provides information about the Cisco Secure ACS to Cisco ISE Migration Tool that is used for data migration from a Cisco Secure ACS, Release 5.5 or 5.6 database to a Cisco ISE, Release 1.4 system.
• Data Migration from Cisco Secure ACS to Cisco ISE, page 15
• Cisco Secure ACS to Cisco ISE Migration Tool, page 16
• Software Requirements, page 17
Data Migration from Cisco Secure ACS to Cisco ISE
The only supported direct migration process that uses the Cisco Secure ACS to Cisco ISE Migration Tool is from a Cisco Secure ACS, Release 5.5 or 5.6 system to a Cisco ISE, Release 1.4 system.
There are three steps in the migration process:
1 Exporting the Cisco Secure ACS, Release 5.5 or 5.6 data from its database
2 Persisting the data by using the migration tool
3 Importing the persisted data into the Cisco ISE, Release 1.4 system
Data Migration Time Estimate
The Cisco Secure ACS to Cisco ISE Migration Tool may run for approximately 20 hours to migrate 10,000 devices, 25,000 users, 100,000 hosts, 100 identity groups, 420 downloadable access control lists (DACLs), 320 authorization profiles, 6 device hierarchies, and 20 network device groups (NDGs).
The migration tool may run for approximately 52 hours to migrate the following configurations:
• 4 LDAPs
• 1,000 identity groups
• 500 user identity groups
• 20 network device locations
• 100 network device groups
• 25 access services
• 50 SSPs
• 600 downloadable access control lists (DACLs)
• 320 authorization rules
• 600 authorization profiles (with or without policy sets)
• 20 command sets and shell profiles (each command contains 100 commands)
• 40 policy sets (limited by max rules)
• 20 custom user dictionaries
• 100,000 network devices
• 300,000 users
• 150,000 hosts
Cisco Secure ACS to Cisco ISE Migration Tool
Before running the migration tool, ensure that you have upgraded to Cisco ISE, Release 1.4, and have installed the latest patches for Cisco Secure ACS, Release 5.5 or 5.6.
The migration tool helps you migrate data from Cisco Secure ACS, Release 5.5 or 5.6 to a Cisco ISE, Release 1.4 system. The design of the tool addresses the inherent migration problems that result from differences in the underlying hardware platforms and systems, databases, and data schemas.
The migration tool runs on Linux-based and Windows-based systems. It works by exporting the Cisco Secure ACS data files, analyzing the data, and making the data modifications that are necessary to import the data in a format usable by the Cisco ISE, Release 1.4 system.
• The migration tool requires minimal user interaction and the full set of configuration data.
• The migration tool provides a complete list of unsupported objects.
The Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 1.4 applications may or may not run on the same type of physical hardware. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs), which allow the Cisco Secure ACS and Cisco ISE applications to run on supported hardware platforms or VMware servers. Because Cisco Secure ACS is a closed appliance, running the migration tool directly on a Cisco Secure ACS appliance is not permitted. Instead, the Cisco Secure ACS PI reads and returns the configuration data in a normalized form, and the Cisco ISE REST APIs validate and normalize the exported Cisco Secure ACS data to persist it in a form usable by the Cisco ISE software.
Minimum Data Configuration Required to Start Migration
A minimal amount of configuration data is needed at the beginning of the migration process before the application proceeds to migrate the full set of configuration items. However, as the migration progresses, some data may not map automatically between the two applications. The administrator handling the migration is notified of such data, which must be resolved before the migration is complete.
Migration Tool Monitors Progress of Data Migration
As the migration proceeds, you can monitor the real-time migration status along with the progress of activities. For troubleshooting, detailed logs are available and accessible in the migration tool.
Checkpoints to Continue Migration in the Migration Tool
You can perform the export and import operations individually or in sequence. Exporting and importing may take a long time, depending on the amount of data being migrated. Therefore, the migration tool periodically displays checkpoints with the status of the activity being performed. You can restart the migration process from a checkpoint in case of a failure.
Export Configuration Data from Cisco Secure ACS
You can start the export process after you are authenticated by the Cisco Secure ACS system and have requested the data to be exported.
A direct upgrade from Cisco Secure ACS to Cisco ISE is not supported. The migration tool assists you if you want to uninstall the Cisco Secure ACS, Release 5.5 or 5.6 software and reimage the physical hardware with Cisco ISE, Release 1.4 software.
Analyze Configuration Data
During the export phase, the migration tool reads and analyzes the data to confirm that it can be created correspondingly on the Cisco ISE system. Because the Cisco Secure ACS and Cisco ISE policy models are not the same, some of the data might not be supported by Cisco ISE. At the end of the export phase, the migration tool reports any data issues that may require administrator intervention.
Data Persistence
The migration tool persists the Cisco Secure ACS data while the re-image process completes and before the import stage begins.
Import Configuration Data into Cisco ISE
During this step, the migration tool imports the configuration data into Cisco ISE.
Software Requirements
Table 5: Software Requirements for the Cisco Secure ACS to Cisco ISE Migration Tool

Operating system: The migration tool runs on Windows and Linux machines. The machine must have Java installed.

Minimum disk space: 1 GB. This space is required not only for the installation of the migration tool, but also because the migration tool stores the migrated data and generates reports and logs.

Minimum RAM: 2 GB. If you have about 300,000 users, 50,000 hosts, and 50,000 network devices, we recommend a minimum of 2 GB of RAM.
C H A P T E R 3
Data Migration Principles
This chapter describes data migration from Cisco Secure ACS, Release 5.5 or 5.6, when deployed on a single appliance or in a distributed deployment, to Cisco ISE, Release 1.4.
• Data Migration and Deployment Scenarios, page 19
• Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6, page 21
• Policy Services Migration Guidelines, page 21
• Per Policy Service Migration Guidelines, page 22
• Cisco Secure ACS Policy Rules Migration Guidelines, page 23
• Unsupported Rule Elements, page 23
Data Migration and Deployment Scenarios
Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the migration tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.
Migrating Data from a Single Cisco Secure ACS Appliance
Before You Begin
When you are ready to start migrating Cisco Secure ACS, Release 5.5 or 5.6 data to Cisco ISE, Release 1.4, ensure that the target is a standalone Cisco ISE node. After the migration completes successfully, you can begin any deployment configuration (such as setting up the Administration and Policy Service ISE personas).
The migration import phase must be performed on a "clean" new installation of the Cisco ISE software on a supported hardware appliance. For a list of supported hardware appliances, refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 1.4.
If you have a single Cisco Secure ACS appliance in your environment (or several Cisco Secure ACS appliances that are not in a distributed setup), run the migration tool against the Cisco Secure ACS appliance.
You can use the migration tool and the following procedure when Cisco Secure ACS and Cisco ISE use the same hardware, the CSACS-1121 appliance:
Step 1 Install the migration tool on a standalone Windows or Linux machine.
Step 2 Export the Cisco Secure ACS, Release 5.5 or 5.6 data from the Cisco Secure ACS-1121 hardware appliance to a secure external server with a database.
Step 3 Back up the Cisco Secure ACS data.
Step 4 Re-image the Cisco Secure ACS-1121 hardware appliance, which has the same physical hardware as the supported Cisco ISE appliances, with the Cisco ISE, Release 1.4 software.
Step 5 Import the converted Cisco Secure ACS, Release 5.5 or 5.6 data from the secure external server into Cisco ISE, Release 1.4.
Migrating Data from a Distributed Environment
Before You Begin
If you have a large internal database, Cisco recommends that you run the migration from a standalone primary appliance and not from a primary appliance that is connected to several secondary appliances. After the migration process completes, you can register all the secondary appliances.
In a distributed environment, there is one primary Cisco Secure ACS appliance and one or more secondary Cisco Secure ACS appliances that interoperate with the primary appliance.
If you are running Cisco Secure ACS in a distributed environment, you must:
Step 1 Back up the primary Cisco Secure ACS appliance and restore it on the migration machine.
Step 2 Run the migration tool against the primary Cisco Secure ACS appliance.
Figure 2: Cisco Secure ACS and Cisco ISE Installed on Different Appliances
Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6
We recommend that you do not switch Cisco ISE to Simple mode after a successful migration from Cisco Secure ACS, because you might lose all the migrated policies in Cisco ISE, and those migrated policies cannot be retrieved. You can, however, switch from Simple mode to Policy Set mode.
You must consider the following before you start migrating Cisco Secure ACS data to Cisco ISE:
• Migrate Cisco Secure ACS, Release 5.5 or 5.6 data only in Policy Set mode in Cisco ISE, Release 1.4.
• Migrate on a fresh installation of Cisco ISE, Release 1.4. In Cisco ISE, choose Administration > System > Settings > Policy Sets to enable policy sets.
• Generate one policy set per enabled rule in the Service Selection Policy (SSP) and order them according to the order of the SSP rules.
Note: The service that is the result of the SSP default rule becomes the default policy set in Cisco ISE, Release 1.4. All policy sets created in the migration process use the first-match type: the first policy set whose entry condition matches is selected.
Policy Services Migration Guidelines
Check the following to ensure that policy services migrate from Cisco Secure ACS to Cisco ISE:
• SSP rules that are disabled or monitored in Cisco Secure ACS, Release 5.5 or 5.6 are not migrated to Cisco ISE.
• An SSP rule that is enabled in Cisco Secure ACS, Release 5.5 or 5.6 is not migrated to Cisco ISE if it
◦ requests a device administration service (Cisco ISE does not support device administration).
◦ requests a service that contains a Group Mapping policy (Cisco ISE does not support Group Mapping policies).
◦ requests a service whose identity policy contains rules that result in a RADIUS Identity Server (Cisco ISE handles RADIUS Identity Servers differently for authentication).
◦ requests a service whose policies use attributes or policy elements that are not supported by Cisco ISE.
Per Policy Service Migration Guidelines
This section describes the changes to each policy service that you migrate from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4, because Cisco Secure ACS data is migrated only in Policy Set mode in Cisco ISE, Release 1.4.
Cisco Secure ACS Service Selection Policy Default Rule Matches Cisco ISE Default Policy Set
A policy set with the name of the service is created in Cisco ISE. If that service is the result of the SSP default rule in Cisco Secure ACS, Release 5.5 or 5.6, the policy set becomes the default policy set in Cisco ISE, Release 1.4. The condition of the SSP rule in Cisco Secure ACS, Release 5.5 or 5.6 becomes the entry condition of the policy set in Cisco ISE, Release 1.4. The Cisco ISE, Release 1.4 default policy set requires no entry condition.
Migration of Cisco Secure ACS DenyAccess Service to Cisco ISE Authentication and Authorization Policies
When you convert the DenyAccess service in Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4, the authentication and authorization policies change to the following:
• The authentication policy has only the default outer rule with the results set to Default Network Accessfor the Allowed Protocol and DenyAccess for the identity source.
• The authorization policy has only the default rule set to DenyAccess (standard permission).
Migration of Cisco Secure ACS Service Identity Policy to Cisco ISE Authentication Policy of the Policy Set
When you convert the identity policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authentication policy of the policy set in Cisco ISE, Release 1.4, perform the following:
• Create an authentication policy that has a single, enabled, outer rule.
• Specify the condition of the outer rule as Device:Location starts with All Locations (this condition always matches).
• Set the results of the default outer rule to Default Network Access for the Allowed Protocol and DenyAccess for the identity source.
The result of the outer rule is the Allowed Protocol of the related service. The inner rules of the authentication policy are the rules of the related identity policy. The order of the inner rules of the authentication policy follows the order of the rules in the related identity policy, and the state (enabled, disabled, or monitored) of the inner rules follows the state of the rules in the related identity policy.
Migration of Cisco Secure ACS Service Authorization Policy to Cisco ISE Authorization Policy of the Policy Set
When you convert the authorization policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authorization policy of the policy set in Cisco ISE, Release 1.4:
• The rules of the policy set Local Exception Authorization policy are the rules of the Exception Authorization policy of the related service.
• The rules of the policy set Authorization policy are the rules of the Authorization policy of the related service.
• The order of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the order of the rules in the Local Exception Authorization policy and Authorization policy of the related service.
• The state (enabled, disabled, or monitored) of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the state of the rules in the Local Exception Authorization policy and Authorization policy of the related service.
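Modelling the guidelines in this section and the preceding Policy Services Migration Guidelines as code makes the ordering and skip rules concrete. The following is an added example, not the migration tool's own code: it converts a constructed Service Selection Policy into Cisco ISE policy sets, producing one policy set per enabled SSP rule in SSP order, turning the default rule's service into the default policy set, applying the DenyAccess service mapping, building the always-matching outer authentication rule with the identity policy rules as inner rules, and copying the exception and authorization rules in order. The Service, SSPRule and PolicySet classes and the sample SSP are assumed simplifications for illustration, not the Cisco Secure ACS or Cisco ISE schema.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumed, simplified shapes for ACS objects; the real export schema differs.
IdentityRule = Tuple[str, str, str]   # (rule name, state, identity source)
AuthzRule = Tuple[str, str, str]      # (rule name, state, authorization profile)


@dataclass
class Service:
    name: str
    allowed_protocol: str = "Default Network Access"
    identity_rules: List[IdentityRule] = field(default_factory=list)
    authz_rules: List[AuthzRule] = field(default_factory=list)
    exception_rules: List[AuthzRule] = field(default_factory=list)
    device_admin: bool = False            # TACACS+ device-administration service
    group_mapping: bool = False           # service contains a Group Mapping policy
    radius_identity_server: bool = False  # identity rule result is a RADIUS Identity Server
    unsupported_elements: bool = False    # uses attributes or elements ISE does not support


@dataclass
class SSPRule:
    name: str
    state: str                        # "enabled", "disabled" or "monitored"
    service: Service
    condition: Optional[str] = None   # None marks the SSP default rule


@dataclass
class PolicySet:
    name: str
    is_default: bool
    entry_condition: Optional[str]    # the SSP rule condition; None for the default set
    outer_rule: dict                  # the single enabled outer authentication rule
    inner_rules: List[IdentityRule]   # identity-policy rules, same order and state
    local_exceptions: List[AuthzRule]
    authz_rules: List[AuthzRule]


def gap_reason(svc: Service) -> Optional[str]:
    """Why an enabled SSP rule's service is not migrated, per the guidelines."""
    if svc.device_admin:
        return "requests a device administration service"
    if svc.group_mapping:
        return "service contains a Group Mapping policy"
    if svc.radius_identity_server:
        return "identity policy results in a RADIUS Identity Server"
    if svc.unsupported_elements:
        return "policies use attributes or policy elements not supported by Cisco ISE"
    return None


def to_policy_set(rule: SSPRule, is_default: bool) -> PolicySet:
    svc = rule.service
    entry = None if is_default else rule.condition
    if svc.name == "DenyAccess":
        # DenyAccess service: only the default outer rule (identity source DenyAccess)
        # and an authorization policy whose only rule is the default DenyAccess rule.
        outer = {"condition": None, "allowed_protocol": "Default Network Access",
                 "identity_source": "DenyAccess"}
        return PolicySet(svc.name, is_default, entry, outer, [], [],
                         [("Default", "enabled", "DenyAccess")])
    outer = {"condition": "Device:Location starts with All Locations",  # always matches
             "allowed_protocol": svc.allowed_protocol,
             "default_identity_source": "DenyAccess"}
    return PolicySet(svc.name, is_default, entry, outer, list(svc.identity_rules),
                     list(svc.exception_rules), list(svc.authz_rules))


def convert_ssp(rules: List[SSPRule]):
    """One policy set per enabled SSP rule, in SSP order; the default rule's
    service becomes the ISE default policy set. Returns (policy_sets, skipped)."""
    policy_sets, skipped = [], []
    for rule in rules:
        is_default = rule.condition is None
        if not is_default and rule.state != "enabled":
            skipped.append((rule.name, f"SSP rule is {rule.state}"))
            continue
        reason = gap_reason(rule.service)
        if reason is not None:
            skipped.append((rule.name, reason))
            continue
        policy_sets.append(to_policy_set(rule, is_default))
    return policy_sets, skipped


# Constructed sample SSP, ordered as it would be in ACS.
NETWORK_ACCESS = Service(
    "Network Access",
    identity_rules=[("AD-Users", "enabled", "AD1"), ("Local", "monitored", "Internal Users")],
    authz_rules=[("Employees", "enabled", "Corp-Profile")],
)
SAMPLE_SSP = [
    SSPRule("Wired-Dot1X", "enabled", NETWORK_ACCESS, "Protocol matches Radius"),
    SSPRule("Device-Admin", "enabled", Service("Device Admin", device_admin=True),
            "Protocol matches Tacacs"),
    SSPRule("Guest", "disabled", Service("Guest Access"), "NDG:Location in Lobby"),
    SSPRule("Default", "enabled", Service("DenyAccess")),
]

if __name__ == "__main__":
    sets, skipped = convert_ssp(SAMPLE_SSP)
    for ps in sets:
        print(f"policy set {ps.name!r} default={ps.is_default} entry={ps.entry_condition!r}")
    for name, why in skipped:
        print(f"skipped SSP rule {name!r}: {why}")
```

The skipped list is the same information the Policy Gap Analysis Report gives you for SSP rules; comparing the two for a small test SSP is a quick way to confirm you have understood which rules the tool will drop before running a long export.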
Cisco Secure ACS Policy Rules Migration Guidelines
When rules cannot be migrated, the policy as a whole is not migrated, for reasons of security as well as data integrity. You can view details of problematic rules in the Policy Gap Analysis Report. If you do not modify or delete an unsupported rule, the policy is not migrated to Cisco ISE.
In general, consider these rules when migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4:
• Objects with special characters are not migrated.
• Attributes (RADIUS, VSA, identity, and host) of type enum are migrated as integers with allowed values.
• All endpoint attributes (no matter the attribute data type) are migrated as String data types.
• RADIUS attributes and VSA values cannot be filtered and added to Cisco ISE logs.
Unsupported Rule Elements
Cisco Secure ACS and Cisco ISE are based on different policy models, so there is a gap between some Cisco Secure ACS data and what can be represented when it is migrated to Cisco ISE. Depending on the Cisco Secure ACS and Cisco ISE release versions, not all Cisco Secure ACS policies and rules can be migrated, due to:
• Unsupported attributes used by the policy
• Unsupported AND/OR condition structure (mainly when complex conditions are configured)
• Unsupported operators
Table 6: Unsupported Rule Elements

Rule element: Date and Time
Status of support: Not Supported
Description: Date and time conditions in an authorization policy that have a weekly recurrence setting are not migrated to Cisco ISE. As a result, the rules are also not migrated.

Rule element: Date and Time
Status of support: Not Supported
Description: Date and time conditions in an authentication policy are not migrated to Cisco ISE. As a result, the rules are also not migrated.

Rule element: In
Status of support: Partially Supported
Description: The "In" operator is used for Hierarchies and "Is" for the String type only. This can be translated using "Matches".

Rule element: Not In
Status of support: Partially Supported
Description: The "Not In" operator is used for Hierarchies and "Is" for the String type only. This can be translated using "Matches".

Rule element: Contains Any
Status of support: Not Supported
Description: The "Contains Any" operator is only for external groups such as Active Directory and Lightweight Directory Access Protocol.

Rule element: Contains All
Status of support: Not Supported
Description: The "Contains All" operator is only for external groups such as Active Directory and Lightweight Directory Access Protocol.

Rule element: Combination of logical expressions
Status of support: Not Supported
Description: Rules that use these operators in their conditions are not migrated:
• Authentication policies that include compound conditions with logical expressions other than a || b || c || … or a && b && c && …, such as (a || b) && c.
• Authorization policies that include compound conditions with logical expressions other than a && b && c && … are not migrated as part of the rule condition. As a workaround, you can manually use library compound conditions for some advanced logical expressions.

Rule element: Network conditions
Status of support: Not Supported
Description: Rules that include only network conditions are not migrated. If the condition includes network conditions together with other supported conditions, the network conditions are ignored and are not migrated as part of the rule condition.

Rule element: User attributes
Status of support: Partially Supported
Description: Rules with conditions that include user attributes with a data type other than the "String" data type are not migrated.

Rule element: Host attributes
Status of support: Not Supported
Description: Authentication fails if the condition refers to host attributes. Authorization policies that include a condition with host (endpoint) attributes are not migrated to Cisco ISE authorization policies.

Rule element: TACACS attributes
Status of support: Not Supported
Description: Cisco ISE does not support Terminal Access Controller Access-Control System (TACACS). Cisco Secure ACS Service Selection Policy rules that use TACACS attributes are not migrated.
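To see how the rule elements in Table 6 combine to decide whether a rule migrates, here is an added example that is not the migration tool's own gap analysis. It classifies each condition of a constructed rule against the table, drops ignored network conditions, applies the automatic operator translation described under Policy Gap Analysis Report, and checks the allowed logical structure per policy type. The In-to-Equals, Not In-to-Not Equals and Is-to-Matches mapping in TRANSLATE_OPERATOR is an assumption about what the tool does (the guide gives only the Device Type In to Device Type Equals example and the "Matches" note in the table); the Condition and Rule shapes, the kind tags, and the sample rules are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List

SUPPORTED, PARTIAL, UNSUPPORTED = "Supported", "Partially Supported", "Not Supported"


@dataclass
class Condition:
    attribute: str             # e.g. "NDG:Device Type" or "AD1:ExternalGroups"
    operator: str              # ACS operator: In, Not In, Is, Equals, Contains Any, ...
    value: str
    kind: str = "string"       # assumed tag: hierarchy, string, external_group,
                               # date_time, network, host, user_attr or tacacs
    data_type: str = "String"  # user attributes only: String, Integer, ...
    weekly: bool = False       # date/time condition with a weekly recurrence


@dataclass
class Rule:
    name: str
    policy: str                # "authentication" or "authorization"
    logic: str                 # "and" (a && b && c), "or" (a || b || c) or "mixed"
    conditions: List[Condition] = field(default_factory=list)


# ASSUMED automatic operator translation (Table 6 plus the Device Type In ->
# Device Type Equals example in the Policy Gap Analysis Report section).
TRANSLATE_OPERATOR = {"In": "Equals", "Not In": "Not Equals", "Is": "Matches"}


def classify(cond: Condition, policy: str):
    """Return (status, migrated condition or None, note) for one condition."""
    if cond.kind == "tacacs":
        return UNSUPPORTED, None, "TACACS attributes are not supported"
    if cond.kind == "date_time":
        if policy == "authentication":
            return UNSUPPORTED, None, "date/time condition in an authentication policy"
        if cond.weekly:
            return UNSUPPORTED, None, "date/time condition with weekly recurrence"
        return SUPPORTED, cond, ""
    if cond.kind == "host":
        return UNSUPPORTED, None, "host (endpoint) attributes"
    if cond.kind == "network":
        return PARTIAL, None, "network condition is ignored"
    if cond.kind == "user_attr" and cond.data_type != "String":
        return UNSUPPORTED, None, f"user attribute of type {cond.data_type}"
    if cond.operator in ("Contains Any", "Contains All"):
        return UNSUPPORTED, None, f"operator {cond.operator}"
    if cond.operator in TRANSLATE_OPERATOR:
        new = Condition(cond.attribute, TRANSLATE_OPERATOR[cond.operator], cond.value,
                        cond.kind, cond.data_type)
        return PARTIAL, new, f"{cond.operator} translated to {new.operator}"
    return SUPPORTED, cond, ""


def analyze_rule(rule: Rule) -> Dict:
    """Decide whether a rule migrates, and with which (translated) conditions."""
    kept, issues, notes = [], [], []
    for cond in rule.conditions:
        status, migrated, note = classify(cond, rule.policy)
        if status == UNSUPPORTED:
            issues.append(f"{cond.attribute}: {note}")
        elif migrated is None:          # network condition: dropped, not fatal by itself
            notes.append(f"{cond.attribute}: {note}")
        else:
            kept.append(migrated)
            if note:
                notes.append(f"{cond.attribute}: {note}")
    if rule.conditions and not kept and not issues:
        issues.append("rule contains only network conditions")
    # Authentication policies accept a||b||c or a&&b&&c; authorization only a&&b&&c.
    allowed = {"and", "or"} if rule.policy == "authentication" else {"and"}
    if len(kept) > 1 and rule.logic not in allowed:
        issues.append(f"compound condition logic '{rule.logic}' is not supported")
    return {"rule": rule.name, "migrated": not issues,
            "conditions": [(c.attribute, c.operator, c.value) for c in kept],
            "issues": issues, "notes": notes}


# Constructed sample rules, not from a real ACS export.
SAMPLE_RULES = [
    Rule("Corp-Switches", "authorization", "and", [
        Condition("NDG:Device Type", "In", "All Device Types:Switches", kind="hierarchy"),
        Condition("AD1:ExternalGroups", "Equals", "corp/netops", kind="external_group")]),
    Rule("Weekend-Block", "authorization", "and", [
        Condition("Time:DayOfWeek", "Equals", "Sat,Sun", kind="date_time", weekly=True)]),
    Rule("Lobby-Only", "authorization", "and", [
        Condition("Network:EndStationIP", "In", "10.1.0.0/24", kind="network")]),
    Rule("Lobby-Guests", "authorization", "and", [
        Condition("Network:EndStationIP", "In", "10.1.0.0/24", kind="network"),
        Condition("IdentityGroup:Name", "Equals", "Guests")]),
    Rule("HQ-or-Groups", "authentication", "mixed", [
        Condition("AD1:ExternalGroups", "Equals", "corp/a", kind="external_group"),
        Condition("AD1:ExternalGroups", "Equals", "corp/b", kind="external_group"),
        Condition("NDG:Location", "In", "All Locations:HQ", kind="hierarchy")]),
]

if __name__ == "__main__":
    for result in map(analyze_rule, SAMPLE_RULES):
        print(result)
```

Note the Lobby-Guests case: the rule migrates, but with the network condition silently dropped, so the migrated rule is broader than the original. That is exactly the kind of change worth reviewing in the Policy Gap Analysis Report before you accept the migrated authorization policy.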
C H A P T E R 4
Migration Tool Installation
This chapter provides guidelines on how to install the Cisco Secure ACS to Cisco ISE Migration Tool.
• Migration Tool Installation Guidelines, page 27
• System Requirements, page 28
• Security Considerations, page 28
• Downloading Migration Tool Files from Cisco ISE Admin Portal, page 28
• Initializing the Cisco Secure ACS to Cisco ISE Migration Tool, page 29
Migration Tool Installation Guidelines
• Ensure that your environment is ready for migration. In addition to a Cisco Secure ACS, Release 5.5 or 5.6 Windows or Linux source machine, you must deploy a secure external system with a database for a dual-appliance migration (migrating data in a distributed deployment) and have a Cisco ISE, Release 1.4 appliance as the target system.
• Ensure that you have configured the Cisco Secure ACS, Release 5.5 or 5.6 source machine with a single IP address. The migration tool may fail during migration if an interface has multiple IP address aliases.
• Ensure that you have a backup of ACS configuration data if the migration from Cisco Secure ACS toCisco ISE is performed on the same appliance.
• Ensure that you have completed these tasks:
◦ If this is a dual-appliance migration, you have installed the Cisco ISE, Release 1.4 software on the target machine.
◦ If this is a single-appliance migration, you have the Cisco ISE, Release 1.4 software available to re-image the appliance or virtual machine.
◦ You have all the appropriate Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 1.4 credentials and passwords.
• Ensure that you can establish network connections between the source machine and the secure external system.
System Requirements
Table 7: System Requirements for Migration Machines

Platform: Cisco Secure ACS, Release 5.5 or 5.6 source machine
Requirements: Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address.

Platform: Cisco ISE, Release 1.4 target machine
Requirements: Ensure that the Cisco ISE target machine has at least 2 GB of RAM.

Platform: Linux, Windows XP
Requirements: Install Java JRE, version 1.6 or higher, 32-bit. The migration tool will not run if Java JRE is not installed on the migration machine.

Platform: 64-bit Windows 7
Requirements: Install Java JRE, version 1.6 or higher, 64-bit. The migration tool will not run if Java JRE is not installed on the migration machine.

Platform: 32-bit Windows 7
Requirements: Install Java JRE, version 1.6 or higher, 32-bit. The migration tool will not run if Java JRE is not installed on the migration machine.
Security Considerations
The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.
You need the Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 1.4 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. Use a reserved username so that records created by the import utility can be identified in the audit log.
You must enter the IP address (or hostname) of the primary Cisco Secure ACS server and of the Cisco ISE server, along with the administrator credentials. After you are authenticated, the migration tool migrates the full set of configured data items in a form similar to an upgrade. Make sure that you have enabled the PI interface on the ACS server and the ACS migration interface on the ISE server before running the migration tool.
Downloading Migration Tool Files from Cisco ISE Admin Portal
Before You Begin
• Set the initial and maximum Java heap sizes for the migration process in the config.bat file. The heap size settings in config.bat are _Xms = 64 and _Xmx = 1024 (64 MB and 1024 MB, respectively).
• You can download the latest migTool.zip file by entering its URL in the Cisco ISE user interface address bar.
Step 1 If the Cisco Secure ACS and Cisco ISE software is installed on different appliances, download the migration tool files by entering the following URL in the Cisco ISE user interface address bar: https://<hostname-or-hostipaddress>/admin/migTool.zip
Step 2 Extract the contents of the .zip file. Extraction creates a directory structure that holds the config.bat and migration.bat files.
Step 3 Edit the config.bat file to set the initial amount of memory allocated for the Java heap sizes.
Step 4 Click Save.
Initializing the Cisco Secure ACS to Cisco ISE Migration Tool
Before You Begin
Run the migration tool only after a fresh Cisco ISE installation, or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Also, do not enable Cisco ISE FIPS mode until the migration process is complete.
When the migration tool is initialized, it pops up a message box asking if you want to view the unsupported list. The migration tool can migrate only a subset of Cisco Secure ACS objects into Cisco ISE. The tool supplies a list of unsupported (or partially supported) objects that it cannot migrate. You can also view the list of unsupported objects by selecting Help > Unsupported Object Details from the Cisco Secure ACS to Cisco ISE Migration Tool interface.
Step 1 Click migration.bat to launch the migration process.
Figure 3: Message Displayed for Unsupported Objects
Step 2 Click Yes to display a list of unsupported and partially supported objects.
Figure 4: List of Unsupported and Partially Supported Objects
Step 3 Click Close.
CHAPTER 5
Persistent Data Transfer Procedure
This chapter describes exporting Cisco Secure ACS, Release 5.5 or 5.6 data and importing it into a Cisco ISE, Release 1.4 system using the migration tool.
• Exporting Data from Cisco Secure ACS, page 33
• Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS, page 36
• Importing Data into Cisco ISE, page 38
• Migrated Data Verification in Cisco ISE, page 41
Exporting Data from Cisco Secure ACS
After starting the migration tool, complete the following steps to export data from Cisco Secure ACS to the migration tool.
Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Settings to display the list of data objects available for migration.
Step 2 (Optional) You are not required to configure dependency handling in order to perform the migration. If you want the dependency data of particular data objects exported as well, check the check boxes of those data objects and click Save.
Step 3 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Migration and then click Export From ACS.
Step 4 Enter the IP address (or hostname) and the password for the Cisco Secure ACS, Release 5.5 or 5.6 system and click Connect in the ACS5 Credentials window.
Step 5 Monitor the migration process in the Cisco Secure ACS to Cisco ISE Migration Tool window, which displays the current count of successful object exports and lists any objects that triggered warnings or errors.
Step 6 To get more information about a warning or an error that occurred during the export process, click any underlined number in the Warnings or Errors column on the Migrations tab. The Object Errors and Warnings Details window displays the result of a warning or an error during export. It provides the object group, the type, and the date and time of a warning or an error.
Step 7 Scroll to display the details of the selected object error, and then click Close.
Step 8 When the data export process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the export status as Exporting finished.
Step 9 Click Export Report(s) to view the contents of the export report. Each export report contains header information with the operation type, date and time, and system IP address or host name. Each object group details the types and related information. Reports end with a summary of the start and end date, the time, and the duration of the operation.
Step 10 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.
Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS
After exporting the data, the administrator should analyze the export report and the policy gap report, fix the listed errors in the ACS configuration, and address the warnings and other issues.
The following gaps are observed for a configuration set that is migrated from Cisco Secure ACS to Cisco ISE. Reconciliation is possible for some of these gaps.
• Identity Groups
  ◦ Internal User Issues
    ◦ Parity gap between Cisco Secure ACS and Cisco ISE
      ◦ Password type
      ◦ Password change on next login
      ◦ Password change
    ◦ Naming constraints
  ◦ External Identity Stores are migrated successfully. You have to verify the names.
• Network Devices or Network Device Groups
  ◦ Network device migration caveats for Cisco ISE 2.1
    ◦ IP ranges that are not supported in Cisco ISE
    ◦ Exclusion is for overlapping IPs
    ◦ IPv4 only
    ◦ Default Device must have RADIUS enabled
  ◦ Reconciliation flow for the migration tool
    ◦ If the device does not exist in Cisco ISE (defined by no overlap of IP configuration), then the device will be added during migration.
    ◦ If the device exists (IP or subnet matches exactly and name matches exactly), then the migration tool adds the TACACS+ elements.
    ◦ If the device exists (IP/subnet matches exactly or name matches exactly), then the migration tool reports an error.
• Authorization Results: Command Sets and Shell Profiles are migrated successfully. Inconsistencies would be with object names.
  ◦ Cisco ISE strictly adheres to names
  ◦ Policy results namespace is shared with Network Access users
  ◦ Recommendation is to use a prefix for Device Admin authorization results
• Policies
  ◦ Cisco Secure ACS 5.x Access Service separated from Selection Policy
    ◦ Can have services that are not engaged
    ◦ Can have services selected by different Service Selection rules
  ◦ Cisco Secure ACS 5.x Group map
    ◦ Transition of group map from Cisco Secure ACS 4.x
    ◦ Group map content must be migrated to the authorization policy in Cisco ISE
  ◦ Authentication allowed protocols
    ◦ Part of Service configuration in Cisco Secure ACS 5.x
    ◦ Part of Policy Results in Cisco ISE
After addressing the errors or warnings, perform the export process again. For the procedure of exporting data from Cisco Secure ACS, see Exporting Data from Cisco Secure ACS, on page 33.
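The network-device reconciliation flow listed above can be checked before the import runs, so that devices that would be rejected are fixed in ACS rather than discovered in the import report. The following is an added example and not part of the Cisco migration tool or this guide: the Device record shape, the sample inventories, the order in which the exact-match and overlap checks are applied, and the extra "review" and "unsupported-ipv6" outcomes are assumptions made here; the "add", "add-tacacs" and "error" outcomes follow the three rules in the text.

```python
"""Pre-flight check applying the network-device reconciliation rules of the
policy-gap list to an exported Cisco Secure ACS device list.

Added example; not part of the Cisco migration tool. The Device shape, the
sample inventories and the ordering of the checks are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    """A network device as a name plus one IP or IP/subnet (constructed shape
    covering the ACS 'single IP address' and 'single IP and subnet address' cases)."""
    name: str
    address: str  # e.g. "10.0.0.1" or "10.0.1.0/24"

    def network(self):
        return ipaddress.ip_network(self.address, strict=False)


def reconcile(acs_device, ise_devices):
    """Return (outcome, matching ISE device or None) for one ACS device.

    Outcomes taken from the reconciliation flow in the text:
      "add"        - no overlap of IP configuration with any ISE device
      "add-tacacs" - IP/subnet and name both match exactly; the tool adds
                     the TACACS+ elements to the existing device
      "error"      - exactly one of IP/subnet or name matches
    Outcomes this example adds (assumptions):
      "unsupported-ipv6" - the tool migrates IPv4 only
      "review"           - IP configuration overlaps without an exact match;
                           flag for manual review before importing
    """
    acs_net = acs_device.network()
    if acs_net.version != 4:
        return ("unsupported-ipv6", None)

    # Exact-match rules are evaluated first (assumption: a name collision is
    # an error even without IP overlap, because Cisco ISE adheres to names).
    for dev in ise_devices:
        dev_net = dev.network()
        same_ip = dev_net.version == 4 and dev_net == acs_net
        same_name = dev.name == acs_device.name
        if same_ip and same_name:
            return ("add-tacacs", dev)
        if same_ip or same_name:
            return ("error", dev)

    overlapping = [d for d in ise_devices
                   if d.network().version == 4 and d.network().overlaps(acs_net)]
    if not overlapping:
        return ("add", None)
    return ("review", overlapping[0])


def plan(acs_devices, ise_devices):
    """Reconcile a whole export; returns {ACS device name: outcome}."""
    return {d.name: reconcile(d, ise_devices)[0] for d in acs_devices}


# Constructed sample inventories (not from any real deployment).
ISE_INVENTORY = [
    Device("sw-core-1", "10.0.0.1"),
    Device("sw-edge-1", "10.0.1.0/24"),
]
ACS_EXPORT = [
    Device("sw-core-1", "10.0.0.1"),     # exact IP and name -> TACACS+ elements added
    Device("sw-core-2", "10.0.0.1"),     # same IP, different name -> error
    Device("sw-edge-1", "10.0.2.0/24"),  # same name, different subnet -> error
    Device("sw-new", "10.0.3.5"),        # no overlap -> added
    Device("sw-other", "10.0.1.7"),      # inside sw-edge-1's subnet -> review
    Device("sw-v6", "2001:db8::1"),      # IPv6 -> not migrated
]

if __name__ == "__main__":
    for name, outcome in plan(ACS_EXPORT, ISE_INVENTORY).items():
        print(f"{name:10s} {outcome}")
```

Running the check over the real ACS export and the current ISE device list before clicking Import To ISE turns the "error" rows into a to-do list for renaming or re-addressing devices in ACS; the "review" rows are the overlap cases the text says are excluded, which the tool itself does not resolve.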
Importing Data into Cisco ISE
Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Import To ISE.
Step 2 Click OK when you are prompted to add attributes to the LDAP identity stores before they are imported into Cisco ISE.
Step 3 From the LDAP Identity Store drop-down list, choose the identity store to which you want to add attributes, and click Add Attribute.
Step 4 Enter a name in the Attribute Name field, choose an attribute type from the Attribute Type drop-down list, enter a value in the Default Value field, and click Save & Exit.
Step 5 After adding attributes, click Import To ISE, enter the Cisco ISE Fully Qualified Domain Name (FQDN), username, and password in the ISE Credentials window and click Connect. The migration tool ensures that this matches the FQDN in the SSL certificate.
Step 6 When the data import process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the status of import as Importing finished.
Step 7 To view a complete report on the imported data, click Import Report(s).
Step 8 To get more information about a warning or an error that occurred during the import process, click any underlined number in the Warnings or Errors column on the Migrations tab.
Step 9 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.
Step 10 Click View Log Console to display the real-time view of the export or import operations.
Migrated Data Verification in Cisco ISE
To verify that the Cisco Secure ACS data is migrated into Cisco ISE, log into Cisco ISE and check that the various Cisco Secure ACS objects can be viewed.
APPENDIX A
Data Structure Mapping
This appendix provides information about the data objects that are migrated, partially migrated, and not migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4.
• Data Structure Mapping, page 43
• Migrated Data Objects, page 43
• Data Objects Not Migrated, page 44
• Partially Migrated Data Objects, page 46
• Supported Attributes and Data Types, page 46
• Data Information Mapping, page 48
Data Structure Mapping
Data structure mapping from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4, is the process by which data objects are analyzed and validated in the migration tool during the export phase.
Migrated Data Objects
The following data objects are migrated from Cisco Secure ACS to Cisco ISE:
• Network device group (NDG) types and hierarchies
• Network devices
• Default network device
• External RADIUS servers
• Identity groups
• Internal users
• Internal endpoints (hosts)
• Lightweight Directory Access Protocol (LDAP)
• Microsoft Active Directory (AD)
• RSA (Partial support, see Table A-19)
• RADIUS token (See Table A-18)
• Certificate authentication profiles
• Date and time conditions (Partial support, see Unsupported Rule Elements)
• RADIUS attribute and vendor-specific attributes (VSA) values (see Table A-5 and Table A-6)
• RADIUS vendor dictionaries (see Notes for Table A-5 and Table A-6.)
• Internal users attributes (see Table A-1 and Table A-2)
• Internal endpoint attributes
• Authorization profiles
• Downloadable access control lists (DACLs)
• Identity (authentication) policies
• Authorization policies (for network access)
• Authentication, Authorization, and Authorization exception policies for TACACS+ (for policy objects)
• Authorization exception policies (for network access)
• Service selection policies (for network access)
• RADIUS proxy service
• User password complexity
• Identity sequence and RSA prompts
• UTF-8 data (see UTF-8 Support page)
• EAP authentication protocol—PEAP-TLS
• User check attributes
• Identity sequence advanced option
• Additional attributes available in policy conditions—AuthenticationIdentityStore
• Additional string operators—Start with, Ends with, Contains, Not contains
• RADIUS identity server attributes
Data Objects Not Migrated
The following data objects are not migrated from Cisco Secure ACS to Cisco ISE, Release 1.4:
• Monitoring reports
• Scheduled backups
• Repositories
• Administrators, roles, and administrators settings
• Customer/debug log configurations
• Deployment information (secondary nodes)
• Certificates (certificate authorities and local certificates)
• Security Group Access Control Lists (SGACLs)
• Security Groups (SGs)
• AAA servers for supported Security Group Access (SGA) devices
• Security Group mapping
• Network Device Admission Control (NDAC) policies
• SGA egress matrix
• SGA data within network devices
• Security Group Tag (SGT) in SGA authorization policy results
• Network conditions (end station filters, device filters, device port filters)
• Device AAA policies
• Dial-in attribute support
• TACACS+ Proxy
• TACACS+ CHAP and MSCHAP Authentication
• Attribute Substitution for TACACS+ shell profiles
• Display RSA node missing secret
• Maximum user sessions
• Account disablement
• Users password type
• Internal users configured with Password Type as External Identity Store
• Additional attribute available in a policy condition—NumberOfHoursSinceUserCreation
• Wildcards for hosts
• Network device ranges
• OCSP service
• Syslog messages over SSL/TCP
• Configurable copyright banner
• Internal user expiry days
• IP address exclusion
Partially Migrated Data Objects
The following data objects are partially migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4:
• Identity and host attributes that are of type date are not migrated.
• RSA sdopts.rec file and secondary information are not migrated.
• Multi-Active Directory domain (only Active Directory domain joined to the primary) is migrated.
• LDAP configuration defined for primary ACS instance is migrated.
Supported Attributes and Data Types

User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 1.4

Supported User Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 1.4
------------------------------------------------------------------|-------------------------------------------
String                                                            | String
UI32                                                              | Not supported
IPv4                                                              | Not supported
Boolean                                                           | Not supported
Date                                                              | Not supported
Enum                                                              | Not supported

User Attribute: Association to the User

Attributes Associated to Users in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 1.4
-----------------------------------------------------------------------|-----------------------
String                                                                 | Supported
UI32                                                                   | Not Supported
IPv4                                                                   | Not Supported
Boolean                                                                | Not Supported
Date                                                                   | Not Supported

Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4

Supported Host Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 1.4
------------------------------------------------------------------|-------------------------------------------
String                                                            | String
UI32                                                              | UI32
IPv4                                                              | IPv4
Boolean                                                           | Boolean
Date                                                              | Not supported
Enum                                                              | Integers with allowed values

Host Attribute: Association to the Host

Attributes Associated to Hosts in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 1.4
-----------------------------------------------------------------------|-----------------------------------------
String                                                                 | Supported
UI32                                                                   | Supported (Value is converted to String)
IPv4                                                                   | Supported (Value is converted to String)
Boolean                                                                | Supported (Value is converted to String)
Date                                                                   | Supported (Value is converted to String)
Enum                                                                   | Supported (Value is converted to String)

RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4

Supported RADIUS Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 1.4
--------------------------------------------------------------------|-------------------------------------------
UI32                                                                | UI32
UI64                                                                | UI64
IPv4                                                                | IPv4
Hex String                                                          | Octet String
String                                                              | String
Enum                                                                | Integers with allowed values

RADIUS Attribute: Association to RADIUS Server

Attributes Associated to RADIUS Servers in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 1.4
--------------------------------------------------------------------------------|-------------------------------------------------------
UI32                                                                            | Supported
UI64                                                                            | Supported
IPv4                                                                            | Supported
Hex String                                                                      | Supported (Hex Strings are converted to Octet Strings)
String                                                                          | Supported
Enum                                                                            | Supported (Enums are integers with allowed values)
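The six tables above can be turned into a pre-flight check over the attribute definitions you are about to export, so that user and host attributes whose definition will not migrate (everything but String for users, Date for hosts) are found before the export rather than in the export report. This is an added example and not part of the Cisco migration tool or this guide: the (scope, name, type) record shape, the function names and the sample attribute list are constructed here; the target-type and association outcomes are copied from the tables.

```python
"""Attribute-type pre-flight check built from the supported-attribute tables.

Added example; not part of the Cisco migration tool. The record shape and the
sample attribute list are constructed; the mapping outcomes come from the tables."""

# ACS attribute type -> target data type in Cisco ISE (None: definition not migrated).
USER_TYPES = {"String": "String", "UI32": None, "IPv4": None,
              "Boolean": None, "Date": None, "Enum": None}
HOST_TYPES = {"String": "String", "UI32": "UI32", "IPv4": "IPv4",
              "Boolean": "Boolean", "Date": None,
              "Enum": "Integers with allowed values"}
RADIUS_TYPES = {"UI32": "UI32", "UI64": "UI64", "IPv4": "IPv4",
                "Hex String": "Octet String", "String": "String",
                "Enum": "Integers with allowed values"}

# How the association of the attribute to its user, host or RADIUS server migrates.
# Only the exceptions are listed; every other type gets the scope's default below.
USER_ASSOC = {"String": "Supported"}
HOST_ASSOC = {"String": "Supported"}
RADIUS_ASSOC = {
    "Hex String": "Supported (Hex Strings are converted to Octet Strings)",
    "Enum": "Supported (Enums are integers with allowed values)",
}

# scope -> (type table, association exceptions, default association)
SCOPES = {
    "user":   (USER_TYPES,   USER_ASSOC,   "Not Supported"),
    "host":   (HOST_TYPES,   HOST_ASSOC,   "Supported (Value is converted to String)"),
    "radius": (RADIUS_TYPES, RADIUS_ASSOC, "Supported"),
}


def map_attribute(scope, acs_type):
    """Return (target type or None, association status) for one ACS attribute type."""
    types, assoc, default_assoc = SCOPES[scope]
    if acs_type not in types:
        raise ValueError(f"{acs_type!r} is not a {scope} attribute type listed in the tables")
    return types[acs_type], assoc.get(acs_type, default_assoc)


def preflight(attributes):
    """attributes: iterable of (scope, name, acs_type) tuples.
    Returns one dict per attribute describing how its definition and association migrate."""
    report = []
    for scope, name, acs_type in attributes:
        target, assoc = map_attribute(scope, acs_type)
        report.append({"scope": scope, "name": name, "acs_type": acs_type,
                       "target_type": target, "association": assoc,
                       "migrates": target is not None})
    return report


def blocked(attributes):
    """Names of attributes whose definition will not migrate; change or drop them in ACS first."""
    return [r["name"] for r in preflight(attributes) if not r["migrates"]]


# Constructed sample of user, host and RADIUS attribute definitions.
SAMPLE_ATTRIBUTES = [
    ("user", "Department", "String"),
    ("user", "HireDate", "Date"),            # user Date -> not migrated
    ("user", "BadgeNumber", "UI32"),         # user UI32 -> not migrated
    ("host", "AssetTag", "UI32"),            # host UI32 keeps its type; value stored as String
    ("host", "Commissioned", "Date"),        # host Date -> not migrated
    ("host", "Zone", "Enum"),                # host Enum -> integers with allowed values
    ("radius", "Vendor-Key", "Hex String"),  # -> Octet String
]

if __name__ == "__main__":
    for row in preflight(SAMPLE_ATTRIBUTES):
        flag = "OK " if row["migrates"] else "NO "
        print(flag, row["scope"], row["name"], row["acs_type"], "->",
              row["target_type"], "|", row["association"])
```

The check is deliberately strict about unknown type names so that an attribute type the tables do not cover (UI64 on a user attribute, for instance) is reported instead of being silently assumed to migrate.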
Data Information Mapping
This section provides tables that list the data information that is mapped during the export process. The tables include object categories from Cisco Secure ACS, Release 5.5 or 5.6 and their equivalents in Cisco ISE, Release 1.4. The data-mapping tables in this section list the status of valid or not valid data objects mapped when migrating data during the export stage of the migration process.
Network Device Mapping

Cisco Secure ACS Properties           | Cisco ISE Properties
--------------------------------------|--------------------------------------------------------------
Name                                  | Migrates as is
Description                           | Migrates as is
Network device group                  | Migrates as is
Single IP address                     | Migrates as is
Single IP and subnet address          | Migrates as is
Collection of IP and subnet addresses | Not supported
Exclude IP address                    | Not supported
TACACS information                    | Not migrated because TACACS is unsupported in Cisco ISE, Release 1.4.
RADIUS shared secret                  | Migrates as is
CTS                                   | Migrates as is
SNMP                                  | SNMP data is available only in Cisco ISE; therefore, there is no SNMP information for migrated devices.
Model name                            | This property is available only in Cisco ISE (its value is the default, “unknown”).
Software version                      | This property is available only in Cisco ISE (its value is the default, “unknown”).

Note: Any network devices that are set only as TACACS are not supported for migration and are listed as non-migrated devices.
Active Directory Mapping

Cisco Secure ACS Properties       | Cisco ISE Properties
----------------------------------|-----------------------------------------------------
Domain name                       | Migrates as is
User name                         | Migrates as is
Password                          | Migrates as is
Allow password change             | Migrates as is
Allow machine access restrictions | Migrates as is
Aging time                        | Migrates as is
User attributes                   | Migrates as is
Groups                            | Migrates as is
Multiple domain support           | Only domains joined to the primary ACS instance are migrated
External RADIUS Server Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|---------------------
Name                        | Name
Description                 | Description
Server IP address           | Hostname
Shared secret               | Shared secret
Authentication port         | Authentication port
Accounting port             | Accounting port
Server timeout              | Server timeout
Connection attempts         | Connection attempts
Hosts (Endpoints) Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|----------------------------------------------------------------------------------
MAC address                 | Migrates as is
Status                      | Not migrated
Description                 | Migrates as is
Identity group              | Migrates the association to an endpoint group.
Attribute                   | Endpoint attribute is migrated.
Authentication state        | This property is available only in Cisco ISE (its value is fixed, “Authenticated”).
Class name                  | This property is available only in Cisco ISE (its value is fixed, “TBD”).
Endpoint policy             | This property is available only in Cisco ISE (its value is fixed, “Unknown”).
Matched policy              | This property is available only in Cisco ISE (its value is fixed, “Unknown”).
Matched value               | This property is available only in Cisco ISE (its value is fixed, “0”).
NAS IP address              | This property is available only in Cisco ISE (its value is fixed, “0.0.0.0”).
OUI                         | This property is available only in Cisco ISE (its value is fixed, “TBD”).
Posture status              | This property is available only in Cisco ISE (its value is fixed, “Unknown”).
Static assignment           | This property is available only in Cisco ISE (its value is fixed, “False”).
Identity Dictionary Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|------------------------------------------------
Attribute                   | Attribute name
Description                 | Description
Internal name               | Internal name
Attribute type              | Data type
Maximum length              | Not migrated
Default value               | Not migrated
Mandatory fields            | Not migrated
User                        | The dictionary property accepts this value (“user”).
Identity Group Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|-----------------------------------------------------------
Name                        | Name
Description                 | Description
Parent                      | This property is migrated as part of the hierarchy details.

Note: Cisco ISE, Release 1.4 contains user and endpoint identity groups. Identity groups in Cisco Secure ACS, Release 5.5 or 5.6 are migrated to Cisco ISE, Release 1.4 as both user and endpoint identity groups, because a user needs to be assigned to a user identity group and an endpoint needs to be assigned to an endpoint identity group.
LDAP Mapping

Cisco Secure ACS Properties        | Cisco ISE Properties
-----------------------------------|--------------------------------------------------------------------------------
Name                               | Name
Description                        | Description
Server connection information      | Migrates as is (Server Connection tab; see Figure A-1 on page A-10).
Directory organization information | Migrates as is (Directory Organization tab; see Figure A-2 on page A-10).
Directory groups                   | Migrates as is
Directory attributes               | Migration is done manually (using the Cisco Secure ACS to Cisco ISE migration tool).

Note: Only the LDAP configuration defined for the primary ACS instance is migrated.
Figure 5: Server Connection Tab
Figure 6: Directory Organization Tab
NDG Types Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|---------------------
Name                        | Name
Description                 | Description

Note: Cisco Secure ACS, Release 5.5 or 5.6 can support more than one network device group (NDG) type with the same name. Cisco ISE, Release 1.4 does not support this naming scheme. Therefore, only the first NDG type with any given name is migrated.
NDG Hierarchy Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------
Name                        | Name
Description                 | Description
Parent                      | No specific property is associated with this property because this value is entered only as part of the NDG hierarchy name. (In addition, the NDG type is the prefix for this object name.)

Note: Any NDGs that contain a root name with a colon (:) are not migrated because Cisco ISE, Release 1.4 does not recognize the colon as a valid character.
RADIUS Dictionary (Vendors) Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|-------------------------------------
Name                        | Name
Description                 | Description
Vendor ID                   | Vendor ID
Attribute prefix            | No need to migrate this property.
Vendor length field size    | Vendor attribute type field length.
Vendor type field size      | Vendor attribute size field length.

Note: Only RADIUS vendors that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated. This affects only user-defined vendors.
RADIUS Dictionary (Attributes) Mapping

Cisco Secure ACS Properties   | Cisco ISE Properties
------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------
Name                          | Name
Description                   | Description
Attribute ID                  | No specific property is associated with this because this value is entered only as part of the NDG hierarchy name (the NDG type is the prefix for this object name).
Direction                     | Not supported in Cisco ISE
Multiple allowed              | Not supported in Cisco ISE
Attribute type                | Migrates as is
Add policy condition          | Not supported in Cisco ISE
Policy condition display name | Not supported in Cisco ISE

Note: Only the user-defined RADIUS attributes that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated (only the user-defined attributes need to be migrated).
User Mapping

Cisco Secure ACS Properties   | Cisco ISE Properties
------------------------------|--------------------------------------------------------------------------
Name                          | Name
Description                   | Description
Status                        | No need to migrate this property. (This property does not exist in Cisco ISE.)
Identity group                | Migrates to identity groups in Cisco ISE
Password                      | Password
Enable password               | No need to migrate this property. (This property does not exist in Cisco ISE.)
Change password on next login | No need to migrate this property
User attributes list          | User attributes are imported from Cisco ISE and are associated with users
Expiry days                   | Not supported
Certificate Authentication Profile Mapping

Cisco Secure ACS Properties                                 | Cisco ISE Properties
------------------------------------------------------------|-------------------------------------------------------------
Name                                                        | Name
Description                                                 | Description
Principal user name (X.509 attribute)                       | Principal user name (X.509 attribute)
Binary certificate comparison with certificate from LDAP or AD | Binary certificate comparison with certificate from LDAP or AD
AD or LDAP name for certificate fetching                    | AD or LDAP name for certificate fetching
Authorization Profile Mapping

Cisco Secure ACS Properties                 | Cisco ISE Properties
--------------------------------------------|----------------------------------------------------------------------------------------------
Name                                        | Name
Description                                 | Description
DACL ID (downloadable ACL ID)               | Migrates as is
Attribute type (static and dynamic)         | Migrates as is if a static attribute; migrates as is if a dynamic attribute, except Dynamic VLAN.
Attributes (filtered for static type only)  | RADIUS attributes
Downloadable ACL Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|---------------------
Name                        | Name
Description                 | Description
DACL content                | DACL content
Identity Attributes Dictionary Mapping

Cisco Secure ACS Properties                            | Cisco ISE Properties
-------------------------------------------------------|---------------------------------------------------------------------------------------------------------------
Attribute                                              | Attribute name
Description                                            | Internal name
Name                                                   | Migrates as is
Attribute type                                         | Data type
No such property                                       | Dictionary (set to the value “InternalUser” if it is a user identity attribute, or “InternalEndpoint” if it is a host identity attribute)
Not exported or extracted yet from the Cisco Secure ACS | Allowed value = display name
Not exported or extracted yet from the Cisco Secure ACS | Allowed value = internal name
Not exported or extracted yet from the Cisco Secure ACS | Allowed value is default
Maximum length                                         | None
Default value                                          | None
Mandatory field                                        | None
Add policy condition                                   | None
Policy condition display name                          | None
RADIUS Token Mapping

Cisco Secure ACS Properties                           | Cisco ISE Properties
------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name                                                  | Name
Description                                           | Description
Safeword server                                       | Safeword server
Enable secondary appliance                            | Enable secondary appliance
Always access primary appliance first                 | Always access primary appliance first
Fallback to primary appliance in minutes              | Fallback to primary appliance in minutes
Primary appliance IP address                          | Primary appliance IP address
Primary shared secret                                 | Primary shared secret
Primary authentication port                           | Primary authentication port
Primary appliance TO (timeout)                        | Primary appliance TO
Primary connection attempts                           | Primary connection attempts
Secondary appliance IP address                        | Secondary appliance IP address
Secondary shared secret                               | Secondary shared secret
Secondary authentication port                         | Secondary authentication port
Secondary appliance TO                                | Secondary appliance TO
Secondary connection attempts                         | Secondary connection attempts
Advanced > treat reject as authentication flag fail   | Advanced > treat reject as authentication flag fail
Advanced > treat rejects as user not found flag       | Advanced > treat rejects as user not found flag
Advanced > enable identity caching and aging value    | Advanced > enable identity caching and aging value
Shell > prompt                                        | Authentication > prompt
Directory attributes                                  | Authorization > attribute name (where the dictionary attribute list in Cisco Secure ACS includes the attribute “CiscoSecure-Group-Id,” it is migrated to this attribute; otherwise, the default value is “CiscoSecure-Group-Id”.)
RSA Mapping

Cisco Secure ACS Properties        | Cisco ISE Properties
-----------------------------------|-----------------------------------
Name                               | Name is always RSA
Description                        | Not migrated
Realm configuration file           | Realm configuration file
Server TO                          | Server TO
Reauthenticate on change to PIN    | Reauthenticate on change to PIN
RSA instance file                  | Not migrated
Treat rejects as authentication fail | Treat rejects as authentication fail
Treat rejects as user not found    | Treat rejects as user not found
Enable identity caching            | Enable identity caching
Identity caching aging time        | Identity caching aging time
RSA Prompts Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
----------------------------|-------------------------
Passcode prompt             | Passcode prompt
Next Token prompt           | Next Token prompt
PIN Type prompt             | PIN Type prompt
Accept System PIN prompt    | Accept System PIN prompt
Alphanumeric PIN prompt     | Alphanumeric PIN prompt
Numeric PIN prompt          | Numeric PIN prompt
Identity Store Sequences Mapping

Cisco Secure ACS Properties                                                          | Cisco ISE Properties
-------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------
Name                                                                                 | Name
Description                                                                          | Description
Certificate based, certificate authentication profile                                | Certificate based, certificate authentication profile
Password based                                                                       | Authentication search list
Advanced options > if access on current ID store fails then break sequence           | Do not access other stores in the sequence and set the “AuthenticationStatus” attribute to “ProcessError.”
Advanced options > if access on current ID store fails then continue to next         | Treated as “User Not Found” and proceed to the next store in the sequence.
Attribute retrieval only > exit sequence and treat as “User Not Found”               | Not supported (should be ignored)
Default Network Devices Mapping

Cisco Secure ACS Properties              | Cisco ISE Properties
-----------------------------------------|-------------------------------
Default network device status            | Default network device status
Network device group                     | Not migrated
Authentication Options - TACACS+         | Not migrated
RADIUS - shared secret                   | Shared Secret
RADIUS - CoA port                        | Not migrated
RADIUS - Enable keywrap                  | Enable keywrap
RADIUS - Key encryption key              | Key encryption key
RADIUS - Message authenticator code key  | Message authenticator code key
RADIUS - Key input format                | Key input format
APPENDIX B
Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool
• Unable to Start the Migration Tool, page 63
• Error Messages Displayed in Logs, page 63
• Default Folders, Files, and Reports are Not Created, page 64
• Migration Export Phase is Very Slow, page 65
• Reporting Issues to Cisco TAC, page 65
Unable to Start the Migration Tool
Condition
Unable to start the migration tool.
Action
Verify that Java JRE, Version 1.6 or later, is installed on the migration machine and that it is correctly configured in the system path and classpath.
Error Messages Displayed in Logs
Connection Error
Condition
The following error message is displayed in the log, and the affected object is reported while migrating to Cisco ISE: “Hosts: Connection to https://hostname-or-ip refused: null”.
Action
• Make sure that the migration application machine is connected to the network and configured correctly.
• Make sure that the Cisco ISE appliance is connected to the network and that it is configured correctly.
• Make sure that the Cisco ISE appliance and the migration machine are able to connect to each other over the network.
• Make sure that the hostname (if any) used in the Cisco ISE primary node is resolvable within the DNS when the migration tool connects to Cisco ISE.
• Make sure that the Cisco ISE appliance is up and running.
• Make sure that the Cisco ISE application server service is up and running.
I/O Exception Error
Condition
The following error message is displayed in the log:
“I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond”.
Action
• Make sure that the Cisco ISE application server service is up and running.
• Make sure that the Cisco ISE web server thresholds have not been exceeded and that there are no memory exceptions.
• Make sure that the Cisco ISE appliance CPU consumption is not 100 percent and that the CPU is active.
Out of Memory Error
Condition
The following error message is displayed in the log:
“OutofMemory”.
Action
Increase the Java heap size to at least 1 GB.
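The three log messages documented in this section can be matched mechanically. The following shell script is an added example, not the migration tool's own code or Cisco's: it classifies each line of migration.log against the connection-refused, no-HTTP-response and OutofMemory messages above and prints the matching action list. The sample log lines it creates are constructed for the example (the hostname ise-primary.example.com is invented), and the -Xmx1024m launch flag it suggests for the OutofMemory case assumes the tool is started with a standard java command line, which this guide does not show.

```shell
#!/bin/sh
# Added example, not part of the Cisco migration tool or this guide.
# Triage a migration.log (the real file is ...migration/bin/migration.log)
# against the three error messages documented in this section.

# classify_line LINE: prints connection | no-response | oom | other
classify_line() {
  case "$1" in
    *"Connection to https://"*refused*)               echo connection ;;
    *NoHttpResponseException*|*"failed to respond"*)  echo no-response ;;
    *OutofMemory*|*OutOfMemory*)                      echo oom ;;
    *)                                                echo other ;;
  esac
}

# count_kind FILE KIND: number of lines in FILE classified as KIND
count_kind() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    if [ "$(classify_line "$line")" = "$2" ]; then n=$((n + 1)); fi
  done < "$1"
  echo "$n"
}

# advice KIND: the guide's checklist for that error
advice() {
  case "$1" in
    connection)
      echo "  Check that the migration machine and the ISE appliance are on the"
      echo "  network and can reach each other, that the ISE primary node's"
      echo "  hostname resolves in DNS, and that the appliance and its"
      echo "  application server service are up and running." ;;
    no-response)
      echo "  Check that the ISE application server service is running, that"
      echo "  web server thresholds are not exceeded / no memory exceptions,"
      echo "  and that appliance CPU is not at 100 percent." ;;
    oom)
      echo "  Increase the Java heap to at least 1 GB, e.g. start the tool"
      echo "  with -Xmx1024m (assumes a standard 'java' launch command)." ;;
  esac
}

# triage FILE: print a count and the advice for each error kind found.
# Returns 1 if any documented error is present, 0 if the log is clean.
triage() {
  found=0
  for kind in connection no-response oom; do
    n=$(count_kind "$1" "$kind")
    if [ "$n" -gt 0 ]; then
      found=1
      echo "$kind: $n line(s)"
      advice "$kind"
    fi
  done
  return $found
}

# Constructed sample log for demonstration (not a real migration.log).
SAMPLE="${TMPDIR:-/tmp}/migration-sample.$$.log"
cat > "$SAMPLE" <<'EOF'
2014-10-31 10:01:02 INFO  Exporting network devices
2014-10-31 10:01:05 ERROR Hosts: Connection to https://ise-primary.example.com refused:null
2014-10-31 10:02:11 ERROR I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond
2014-10-31 10:03:40 ERROR OutofMemory
EOF
triage "$SAMPLE" || :
rm -f "$SAMPLE"
```

Point `triage` at the real migration.log to get the same summary for an actual failed run; the exit status lets a wrapper script stop before retrying the migration.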
Default Folders, Files, and Reports are Not Created
Condition
The migration tool fails to create default folders, log files, reports, and persistence data files.
Action
Make sure that the user running the tool has write privileges on the file system and that there is enough disk space.
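The two conditions above (write privileges and free space) can be verified before starting the tool. The following shell function is an added example, not part of the migration tool or this guide; because the guide only gives the truncated path ...migration/, the directory to check is passed in as an argument, and the minimum free space is a parameter rather than a figure from the guide:

```shell
#!/bin/sh
# Added example, not part of the Cisco migration tool or this guide.
# Verify that the directory the tool writes its default folders, log files,
# reports and persistence files into is writable by the current user and
# has at least MIN_FREE_KB of free space.

# dir_ready DIR MIN_FREE_KB: returns 0 and prints "ok: ..." if DIR exists,
# is writable, and has at least MIN_FREE_KB free; otherwise prints the
# reason and returns 1.
dir_ready() {
  dir=$1; need_kb=$2
  if [ ! -d "$dir" ]; then
    echo "missing: $dir"; return 1
  fi
  if [ ! -w "$dir" ]; then
    echo "not writable by $(id -un): $dir"; return 1
  fi
  # Confirm with a real write: permission bits alone do not reveal quota
  # or mount restrictions that make file creation fail.
  probe="$dir/.write-probe.$$"
  if ! : > "$probe" 2>/dev/null; then
    echo "cannot create files in $dir"; return 1
  fi
  rm -f "$probe"
  # POSIX df -P output: one line per filesystem, column 4 is available KB.
  free_kb=$(df -Pk "$dir" | awk 'NR==2 {print $4}')
  if [ "${free_kb:-0}" -lt "$need_kb" ]; then
    echo "only ${free_kb:-0} KB free in $dir, need $need_kb KB"; return 1
  fi
  echo "ok: $dir writable, ${free_kb} KB free"
}

# Usage: sh dir_check.sh /path/to/migration 1048576
if [ "$#" -eq 2 ]; then dir_ready "$1" "$2"; fi
```

Run it as the same account that will launch the migration tool, since it is that account's privileges that matter.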
Migration Export Phase is Very Slow
Condition
The export phase of the migration process is very slow.
Action
Restart the Cisco Secure ACS appliance before starting the migration process to free up memory space.
Reporting Issues to Cisco TAC
If you cannot locate the source and potential resolution for a technical issue or problem, you can contact a Cisco customer service representative for information on how to resolve the issue. For information about the Cisco Technical Assistance Center (TAC), see the Cisco Information Packet publication that is shipped with your appliance or visit the following website:
http://www.cisco.com/cisco/web/support/index.html
Before you contact Cisco TAC, make sure that you have the following information ready:
• The appliance chassis type and serial number.
• The maintenance agreement or warranty information (see Cisco Information Packet).
• The name, type of software, and version or release number (if applicable).
• The date you received the new appliance.
• A brief description of the problem or condition you experienced, the steps you have taken to isolate or re-create the problem, and a description of any steps you took to resolve the problem.
• Migration logfile (...migration/bin/migration.log).
• All the reports in the config folder (...migration/config).
• Cisco Secure ACS, Release 5.5 or 5.6 logfiles.
• Cisco Secure ACS, Release 5.5 or 5.6 build number.
Note: Be sure to provide the customer service representative with any upgrade or maintenance information that was performed on the Cisco ISE 3300 Series appliance after your initial installation.