Cisco Identity Services Engine, Release 2.0 Migration Tool Guide First Published: 2015-05-07 Last Modified: 2015-10-15 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

© 2015 Cisco Systems, Inc. All rights reserved.

CONTENTS

Chapter 1 Cisco Secure ACS to Cisco ISE Data Migration 1

Migration Overview 1

Data Migration from Cisco Secure ACS 2

Supported Data Migration Paths 2

Supported Cisco Secure ACS Releases for Data Migration 3

Enabling the Migration Interfaces 3

Enabling Trusted Certificates in the Migration Tool 4

Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE 4

Migrating from Cisco Secure ACS, Release 3.x 5

Migrating from Cisco Secure ACS, Release 4.x 5

Migrating from Cisco Secure ACS, Release 5.x 6

Policy Models 6

Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set 6

Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set 7

Cisco Secure ACS Distributed Deployment Model 7

Cisco ISE Distributed Deployment Model 7

Migration Features 8

Data Export 8

Resume a Failed Data Migration 8

Migration of TACACS+ Features to Cisco ISE 9

Migration of External Proxy Servers 9

Migration of External Proxy Server Sequences 10

Migration Tool Reports 10

Export Report 11

Policy Gap Analysis Report 11

Import Report 12

UTF-8 Support 12

Network Access User Configuration 12


RSA 13

RADIUS Token 13

Policies 13

FIPS Support for ISE 802.1X Services 13

Cisco Secure ACS/Cisco ISE Version Validation 14

Chapter 2 Cisco Secure ACS to Cisco ISE Migration Tool 15

Data Migration from Cisco Secure ACS to Cisco ISE 15

Data Migration Time Estimate 15

Cisco Secure ACS to Cisco ISE Migration Tool 16

Minimum Data Configuration Required to Start Migration 16

Migration Tool Monitors Progress of Data Migration 17

Checkpoints to Continue Migration in the Migration Tool 17

Export Configuration Data from Cisco Secure ACS 17

Analyze Configuration Data 17

Data Persistence 17

Import Configuration Data into Cisco ISE 17

Software Requirements 18

Chapter 3 Data Migration Principles 19

Data Migration and Deployment Scenarios 19

Migrating Data from a Single Cisco Secure ACS Appliance 19

Migrating Data from a Distributed Environment 20

Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6 21

Policy Services Migration Guidelines 21

Per Policy Service Migration Guidelines 22

Cisco Secure ACS Policy Rules Migration Guidelines 23

Unsupported Rule Elements 23

Chapter 4 Migration Tool Installation 27

Migration Tool Installation Guidelines 27

System Requirements 28

Security Considerations 28

Downloading Migration Tool Files from Cisco ISE Admin Portal 28

Initializing the Cisco Secure ACS to Cisco ISE Migration Tool 29

Chapter 5 Persistent Data Transfer Procedure 31

Exporting Data from Cisco Secure ACS 31

Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS 32

Importing Data in to Cisco ISE 34

Migrated Data Verification in Cisco ISE 34

Appendix A Data Structure Mapping 35

Data Structure Mapping 35

Migrated Data Objects 35

Data Objects Not Migrated 37

Partially Migrated Data Objects 38

Supported Attributes and Data Types 38

User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0 38

User Attribute: Association to the User 38

Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 39

Host Attribute: Association to the Host 39

RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 40

RADIUS Attribute: Association to RADIUS Server 40

Data Information Mapping 40

Network Device Mapping 41

Active Directory Mapping 41

External RADIUS Server Mapping 42

Hosts (Endpoints) Mapping 42

Identity Dictionary Mapping 43

Identity Group Mapping 44

LDAP Mapping 44

NDG Types Mapping 45

NDG Hierarchy Mapping 45

RADIUS Dictionary (Vendors) Mapping 46

RADIUS Dictionary (Attributes) Mapping 46

User Mapping 47

Certificate Authentication Profile Mapping 47


Authorization Profile Mapping 48

Downloadable ACL Mapping 48

External RADIUS Server Mapping 48

External TACACS+ Server Mapping 49

Command Sets Attributes Mapping 49

Shell Profile Attributes Mapping 50

Identity Attributes Dictionary Mapping 50

RADIUS Token Mapping 51

RSA Mapping 52

RSA Prompts Mapping 53

Identity Store Sequences Mapping 53

Default Network Devices Mapping 54

Appendix B Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool 55

Unable to Start the Migration Tool 55

Troubleshooting Connection Issues in the Migration Tool 55

Error Messages Displayed in Logs 56

Connection Error 56

I/O Exception Error 57

Out of Memory Error 57

Default Folders, Files, and Reports are Not Created 57

Migration Export Phase is Very Slow 57

Reporting Issues to Cisco TAC 58

Chapter 1 Cisco Secure ACS to Cisco ISE Data Migration

This chapter describes information related to data migration from Cisco Secure Access Control System (ACS), Release 5.5 or 5.6, to Cisco Identity Services Engine (ISE), Release 2.0.

• Migration Overview, page 1

• Data Migration from Cisco Secure ACS, page 2

• Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, page 4

• Policy Models, page 6

• Cisco Secure ACS Distributed Deployment Model, page 7

• Cisco ISE Distributed Deployment Model, page 7

• Migration Features, page 8

• Migration Tool Reports, page 10

• UTF-8 Support, page 12

• FIPS Support for ISE 802.1X Services, page 13

• Cisco Secure ACS/Cisco ISE Version Validation, page 14

Migration Overview

The differences in Cisco Secure ACS 5.x and Cisco ISE platforms, operating systems, databases, and information models mandate a migration application that reads data from Cisco Secure ACS and creates the corresponding data in Cisco ISE. You can run the migration application after installing Cisco ISE. The migration application is a utility that Cisco provides to extract the configuration from Cisco Secure ACS and import it to Cisco ISE. The migration administrator can view the current progress as well as the detailed logs related to the ACS configuration during the entire migration process for troubleshooting purposes. Warning messages are displayed for objects, attributes, and policies that are not migrated. After migration, we strongly recommend that you verify that the migrated configurations (especially the policy sets) are appropriate.

Data Migration from Cisco Secure ACS

Before you migrate the existing Cisco Secure ACS, Release 5.5 or 5.6 data to a Cisco ISE, Release 2.0, VM or appliance, ensure that you have read and understood all setup, backup, and installation instructions.

We recommend that you fully understand the related data structure and schema differences between Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 systems before you attempt to migrate existing Cisco Secure ACS, Release 5.5 or 5.6 data.

When you migrate from a Cisco Secure ACS, Release 5.5 or 5.6 database to Cisco ISE, Release 2.0, data migration supports the following:

• Provides support for the features of Cisco Secure ACS, Release 5.5 or 5.6 in Cisco ISE, Release 2.0.

Note: Cisco ISE 2.0 does not support migration from Cisco Secure ACS version 5.7 or later.

• Provides support for new features in Cisco ISE, Release 2.0 when data is migrated from Cisco Secure ACS, Release 5.5 or 5.6.

Note: Not all Cisco Secure ACS data can be migrated into Cisco ISE, because the functional gap between the two products changes with each Cisco Secure ACS or Cisco ISE release. Migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 minimizes the configuration gap, which means it supports Cisco Secure ACS features that were not supported before in Cisco ISE.

Note: Due to the differences in the Cisco ISE and Cisco Secure ACS data related to the naming convention, policy hierarchy, pre-defined objects, and so on, the migration tool may not support all objects. However, it displays warnings and errors for objects that are not migrated to facilitate corrective measures.

Related Topics

Supported Data Migration Paths, on page 2

Enabling the Migration Interfaces, on page 3

Supported Cisco Secure ACS Releases for Data Migration, on page 3

Enabling Trusted Certificates in the Migration Tool, on page 4

Supported Data Migration Paths

You cannot migrate data from Cisco Secure ACS, Releases 3.x, 4.x, and 5.x to Cisco ISE, Release 1.0; previously, data migration was supported only from Cisco Secure ACS, Release 5.1 to Cisco ISE, Release 1.0; Cisco Secure ACS, Release 5.1/5.2 to Cisco ISE, Release 1.1; or Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2.

Data migration from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0 is now supported using the Cisco Secure ACS to Cisco ISE Migration Tool. You can also upgrade Cisco Secure ACS, Release 3.x to Cisco Secure ACS, Release 4.x, and then to Cisco Secure ACS, Release 5.5 or 5.6.

Cisco Secure ACS 3.x, 4.x, 5.0, 5.1, 5.2, and 5.3 are not supported. Cisco ISE 1.3, 1.4, and 2.0 support ACS 5.5 and 5.6.

Related Topics

Data Migration from Cisco Secure ACS, on page 2

Supported Cisco Secure ACS Releases for Data Migration

You can migrate data from earlier releases of Cisco Secure ACS software to a point where you can migrate it to Cisco ISE, Release 2.0.

Depending upon the starting release of the Cisco Secure ACS data that you want to migrate to a Cisco ISE, Release 2.0, appliance, there may be several migration stages required before you can use the migration tool.

Related Topics

Data Migration from Cisco Secure ACS, on page 2

Enabling the Migration Interfaces

Before you can begin the migration process, you must enable the interfaces used for the data migration on the Cisco Secure ACS and Cisco ISE servers. It is recommended to disable the migration interfaces on both servers after the migration process is completed.

Step 1 Enable the migration interface on the Cisco Secure ACS machine by entering the following command in the Cisco Secure ACS CLI:

acs config-web-interface migration enable

Step 2 Enable the migration interface on the Cisco ISE server by performing the following tasks:

a) In the Cisco ISE CLI, enter application configure ise.

b) Enter 11 to enable/disable ACS Migration.

c) Enter Y.

Note: After the migration process is completed, disable the migration interface on the Cisco Secure ACS machine using the following command: acs config-web-interface migration disable

Note: Disable the migration interface on the Cisco ISE server after the migration process is completed.


Related Topics

Data Migration from Cisco Secure ACS, on page 2

Enabling Trusted Certificates in the Migration Tool

Before You Begin

Download the migration tool from Cisco ISE to a client machine. To enable the export of data from the Cisco Secure ACS server to the migration tool (on the client machine), you can either trust the Cisco Secure ACS CA certificate or the Cisco Secure ACS management certificate.

To enable the import of data from the migration tool to the Cisco ISE server, you can either trust the Cisco ISE CA certificate or the Cisco ISE management certificate.

To enable the trusted certificates in the migration tool:

• In Cisco Secure ACS, ensure that the server certificate is in the System Administration > Configuration > Local Server Certificates > Local Certificates page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) in the certificate is used in the ACS5 Credentials dialog box to establish the connection and export data from Cisco Secure ACS.

• In Cisco ISE, ensure that the server certificate is in the Administration > System > Certificates > Certificate Management > System Certificates page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) is used in the ISE Credentials dialog box to establish the connection and import data from the migration tool to Cisco ISE.

Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Settings > Trusted Certificates > Add to include the Cisco Secure ACS and Cisco ISE certificates and enable trusted communication. You can view or delete the certificate in the migration tool.

Step 2 In the Open dialog box, choose the folder containing the trusted root certificate and click Open to add the selected Cisco ISE certificate to the migration tool.

Step 3 Repeat the previous step to add the Cisco Secure ACS certificate.

Related Topics

Data Migration from Cisco Secure ACS, on page 2

Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE

You can migrate earlier releases of Cisco Secure ACS data to the Cisco Secure ACS, Release 5.5 or 5.6 state so that it can be migrated to a Cisco ISE, Release 2.0, appliance using the migration tool.


Related Topics

Migrating from Cisco Secure ACS, Release 3.x, on page 5

Migrating from Cisco Secure ACS, Release 4.x, on page 5

Migrating from Cisco Secure ACS, Release 5.x, on page 6

Migrating from Cisco Secure ACS, Release 3.x

If you are running Cisco Secure ACS, Release 3.x in your environment, upgrade to a migration-supported version of Cisco Secure ACS, Release 4.x, and then upgrade to Cisco Secure ACS, Release 5.5 or 5.6.

Step 1 Check the upgrade path for Cisco Secure ACS, Release 3.x, as described in the Installation Guide for Cisco Secure ACS Solution Engine 4.1 or Installation Guide for Cisco Secure ACS Solution Engine 4.2.

Step 2 Upgrade your Cisco Secure ACS, Release 3.x server to a migration-supported version of Cisco Secure ACS, Release 4.x. For example, upgrade to one of the following releases: Cisco Secure ACS 4.1.1.24, Cisco Secure ACS 4.1.4, Cisco Secure ACS 4.2.0.124, or Cisco Secure ACS 4.2.1.

Step 3 After the upgrade, follow the steps that describe migrating from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.

Related Topics

Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4

Migrating from Cisco Secure ACS, Release 4.x

If you are not running one of the migration-supported versions of Cisco Secure ACS, Release 4.x in your environment, upgrade to a point where you can migrate from Cisco Secure ACS, Release 4.x to Cisco Secure ACS, Release 5.5 or 5.6.

Step 1 Upgrade your Cisco Secure ACS, Release 4.x server to a migration-supported version, if it does not currently run one of the migration-supported versions.

Step 2 Install the same migration-supported version of Cisco Secure ACS on the migration machine, which is a Windows server.

Step 3 Back up the Cisco Secure ACS, Release 4.x data and restore it on the migration machine.

Step 4 Place the Migration utility on the migration machine. You can get the Migration utility from the Installation and Recovery DVD.

Step 5 Run the Analyze and Export phase of the Migration utility on the migration machine.

Step 6 Resolve any issues in the Analyze and Export phase.

Step 7 Run the Import phase of the Migration utility on the migration machine. During this phase, the Migration utility imports data into the Cisco Secure ACS, Release 5.5 or 5.6 server.


Related Topics

Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4

Migrating from Cisco Secure ACS, Release 5.x

If you are running Cisco Secure ACS, Release 5.x in your environment, you must upgrade to Cisco Secure ACS, Release 5.5 or 5.6. To migrate internal users from Cisco Secure ACS 5.5 to Cisco ISE, you must install Cisco Secure ACS 5.5 Patch 4 or later and then start the migration.

Related Topics

Migrating from Earlier Releases of Cisco Secure ACS to Cisco ISE, on page 4

Policy Models

Cisco Secure ACS and Cisco ISE both have simple and rule-based authentication paradigms, but Cisco Secure ACS and Cisco ISE are based on different policy models, which makes migrating policies from Cisco Secure ACS to Cisco ISE somewhat complex.

The Cisco Secure ACS policy hierarchy starts with the Service Selection rule that redirects the authentication requests to the access services. The access services consist of identity and authorization policies that authenticate the user against internal or external identity stores and authorize the users based on the conditions defined.

Authentication and authorization policies are migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0. Cisco ISE, Release 2.0 supports the new policy model called Policy Set, which is similar to the Service Selection Policy (SSP) in Cisco Secure ACS, Release 5.5/5.6, thus simplifying the policy migration process.

Related Topics

Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set, on page 6

Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set, on page 7

Cisco Secure ACS Service Selection Policy and Cisco ISE Policy Set

The Cisco Secure ACS, Release 5.5/5.6 Service Selection Policy (SSP) distributes requests to the appropriate services based on SSP rules, whereas a Cisco ISE policy set holds a rule that contains the entry criteria to the policy set. The policy sets are ordered in the same order as their entry rules, which is similar to the order of the SSP rules.

Several SSP rules may request the same service (that is, reuse a service) in Cisco Secure ACS. However, each policy set carries its own entry condition; therefore, you cannot reuse a policy set in Cisco ISE. If you want to migrate a single service that is requested by several SSP rules, you must create multiple policy sets that are copies of that service, which means that you must create a policy set in Cisco ISE for each SSP rule that requests the same service in Cisco Secure ACS.

You can define SSP rules as disabled or monitored in Cisco Secure ACS, but the equivalent entry rules of a policy set are always enabled in Cisco ISE. If SSP rules are disabled or monitored in Cisco Secure ACS, the policy services that are requested by those SSP rules cannot be migrated to Cisco ISE.
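The SSP-to-policy-set mapping described in this section, modelled as an added Python example (not code from Cisco's migration tool): one policy set per enabled SSP rule in rule order, a separate copy per rule for a reused service, and warnings for disabled or monitored rules, for DenyAccess-style services with no ISE equivalent, and for services that no enabled rule requests. The rule and service objects, the "_<n>" naming of copies, the warning kinds, and the sample configuration are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class SspRule:
    """One Service Selection Policy rule in Cisco Secure ACS 5.5/5.6 (assumed shape)."""
    name: str
    condition: str            # rule condition, kept as an opaque string here
    service: str              # name of the access service the rule requests
    state: str = "enabled"    # "enabled", "disabled" or "monitored"


@dataclass
class AccessService:
    """An ACS access service: allowed protocols plus identity/authorization policies."""
    name: str
    allowed_protocols: List[str] = field(default_factory=list)
    has_policies: bool = True


@dataclass
class PolicySet:
    """ISE 2.0 policy set that replaces one SSP rule plus the service it requests."""
    name: str
    entry_condition: str      # the policy set's entry rule; always enabled in ISE
    allowed_protocols: List[str]
    source_service: str


GapWarning = Tuple[str, str]  # (kind, name of the ACS object concerned)


def map_ssp_to_policy_sets(rules: List[SspRule],
                           services: Dict[str, AccessService]
                           ) -> Tuple[List[PolicySet], List[GapWarning]]:
    """Build ISE policy sets from ACS SSP rules and report what cannot migrate."""
    policy_sets: List[PolicySet] = []
    warnings: List[GapWarning] = []
    copies: Dict[str, int] = {}
    warned: set = set()

    for rule in rules:                       # SSP rule order == policy set order
        if rule.state != "enabled":
            # Entry rules are always enabled in ISE, so disabled or monitored
            # SSP rules (and the services they request) are not migrated.
            warnings.append(("rule_not_enabled", rule.name))
            continue
        svc = services.get(rule.service)
        if svc is None:
            warnings.append(("service_unknown", rule.service))
            continue
        if not svc.has_policies and not svc.allowed_protocols:
            # DenyAccess-style service: nothing to build a policy set from.
            if svc.name not in warned:
                warnings.append(("service_no_equivalent", svc.name))
                warned.add(svc.name)
            continue
        n = copies.get(svc.name, 0) + 1
        copies[svc.name] = n
        # A policy set cannot be shared, so every rule gets its own copy.
        # The "_<n>" suffix is an assumed naming scheme, not the tool's.
        ps_name = svc.name if n == 1 else f"{svc.name}_{n}"
        policy_sets.append(PolicySet(ps_name, rule.condition,
                                     list(svc.allowed_protocols), svc.name))

    requested = {ps.source_service for ps in policy_sets}
    for svc in services.values():
        if svc.name not in requested and svc.name not in warned:
            # Defined but never requested by an enabled SSP rule: no policy set.
            warnings.append(("service_not_requested", svc.name))
    return policy_sets, warnings


# Constructed sample ACS configuration (not from a real deployment).
SAMPLE_SERVICES = {
    "NetworkAccess": AccessService("NetworkAccess", ["EAP-TLS", "PEAP"]),
    "LegacyService": AccessService("LegacyService", ["PAP"]),
    "UnusedService": AccessService("UnusedService", ["EAP-TLS"]),
    "DenyAccess": AccessService("DenyAccess", [], has_policies=False),
}
SAMPLE_RULES = [
    SspRule("Wireless", "Protocol=Radius AND NDG:DeviceType=WLC", "NetworkAccess"),
    SspRule("Wired", "Protocol=Radius", "NetworkAccess"),
    SspRule("Legacy", "NDG:Location=Branch", "LegacyService", state="disabled"),
    SspRule("Default", "default", "DenyAccess"),
]


def sample_migration() -> Tuple[List[PolicySet], List[GapWarning]]:
    """Run the mapping over the constructed sample configuration."""
    return map_ssp_to_policy_sets(SAMPLE_RULES, SAMPLE_SERVICES)


if __name__ == "__main__":
    sets, warns = sample_migration()
    for ps in sets:
        print(f"policy set {ps.name}: entry '{ps.entry_condition}', "
              f"protocols {ps.allowed_protocols}")
    for kind, obj in warns:
        print(f"warning: {kind}: {obj}")
```

The warnings list is the part worth comparing against the tool's policy gap report after a real export: every entry corresponds to something you must recreate or accept as dropped in Cisco ISE by hand.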


Related Topics

Policy Models, on page 6

Cisco Secure ACS Policy Access Service and Cisco ISE Policy Set

In Cisco Secure ACS, you can define a policy service without requesting it, which means that a policy service can be left inactive because no rule in the SSP selects it. Cisco Secure ACS, Release 5.5 or 5.6 has an out-of-the-box DenyAccess service for the default SSP rule, which has neither policies nor allowed protocols and automatically denies all requests. There is no equivalent policy set in Cisco ISE. In Cisco ISE you also cannot have a policy set without an entry rule that refers to the policy set.

In Cisco Secure ACS, Release 5.5 or 5.6, allowed protocols are attached to the entire service (not to a specific policy) and are not conditioned (except by the condition in the SSP that points to the entire service). In Cisco ISE, allowed protocols refer only to the authentication policies, as the result of a conditioned outer rule.

In Cisco Secure ACS, Release 5.5 or 5.6, the identity policy is a flat list of rules that results in an identity source (identity source or identity store sequence). In Cisco ISE, an authentication policy holds two levels of rules: outer policy rules and inner policy rules. The outer policy rules result in allowed protocols and are the entry criteria to the set of inner policy rules. The inner policy rules result in an identity source.

Both Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 include an optional exception policy attached to each authorization policy. In addition to that per-policy exception policy, Cisco ISE, Release 2.0 provides an optional Global Exception Policy that affects all authorization policies. There is no equivalent of the Global Exception Policy in Cisco Secure ACS, Release 5.5 or 5.6. For authorization, the local exception policy is processed first, followed by the Global Exception Policy and then the authorization policy.

Related Topics

Policy Models, on page 6

Cisco Secure ACS Distributed Deployment Model

The Cisco Secure ACS deployment model consists of one primary and multiple secondary Cisco Secure ACS servers, where configuration changes are made on the primary Cisco Secure ACS server. These configurations are replicated to the secondary Cisco Secure ACS servers. All primary and secondary Cisco Secure ACS servers can process AAA requests. The primary Cisco Secure ACS server is also the default log collector for the Monitoring and Report Viewer, although you can configure any Cisco Secure ACS server to be the log collector.

Cisco ISE Distributed Deployment Model

The Cisco ISE deployment model consists of one primary node with multiple secondary nodes. Each Cisco ISE node in a deployment can take one or more of the following personas: Administration, Policy Service, and Monitoring. After you install Cisco ISE, all the nodes are in the standalone state. You must define one of the Cisco ISE nodes as the primary node running the Administration persona. After defining the primary node, you can configure other Cisco ISE nodes with Policy Service and Monitoring personas. You can then register other secondary nodes with the primary node and define specific roles for each of them. When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. All configuration changes are made on the primary Administration ISE node and replicated to the secondary nodes. The Monitoring ISE node acts as the log collector.

Migration Features

The migration tool is responsible for transferring Cisco Secure ACS data to Cisco ISE and performs three major steps:

1. Exports data from Cisco Secure ACS.

2. Persists data in the migration tool.

3. Imports data into Cisco ISE.

Related Topics

Data Export, on page 8

Data Import

Object Scalability

Resume a Failed Data Migration, on page 8

Data Export

The first stage in the migration process is to export Cisco Secure ACS data using the Cisco Secure ACS Programmatic Interface (PI). You have to log in to the Cisco Secure ACS, Release 5.5 or 5.6 system from which you will be exporting data and request to export the data into the migration application. The exported data is validated to verify whether it can be imported into a Cisco ISE, Release 2.0 appliance successfully. In cases where the data is invalid, the status is logged in the Export Report.

Related Topics

Migration Features, on page 8

Resume a Failed Data Migration

The migration tool maintains a checkpoint at each stage of the import or export operation. This means that if the process of importing or exporting fails, you do not have to restart the process from the beginning. You can start from the last checkpoint before the failure occurred.

If the migration process fails, the migration tool terminates the process. When you restart the migration tool after a failure, a dialog box is displayed that allows you to choose whether to resume the previous import/export or discard the previous process and start a new migration process. If you choose to resume the previous process, the migration process resumes from the last checkpoint. Resuming from a failure also resumes the report from the previous process.

Related Topics

Migration Features, on page 8


Migration of TACACS+ Features to Cisco ISE

Given below are the TACACS+ settings that are migrated to Cisco ISE.

• Enable Password: Internal users are migrated from Cisco Secure ACS to Cisco ISE along with the enable password attribute.

• Network Devices: Network devices configured with TACACS+ settings, such as shared secret and single connect mode, in Cisco Secure ACS are exported to the migration tool.

◦ Default Network Device: The default network device object configured with TACACS+ settings is exported from Cisco Secure ACS and imported to ISE during migration on a fresh installation of Cisco ISE, Release 2.0. In an existing Cisco ISE configuration, the default network devices (with RADIUS and TACACS+ settings) are updated.

• Shell Profiles: The shell profile object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Profiles page. The page contains predefined attributes that are identified by ISE, and the rest of them are displayed as custom attributes. The migrated attributes have a description to indicate that they were migrated from Cisco Secure ACS. Both static and dynamic attributes are supported.

• Command Sets: The command sets object in Cisco Secure ACS is exported to the migration tool. It is imported to Cisco ISE and displayed in the Work Centers > Device Administration > Policy Results > TACACS Command Sets page. Cisco Secure ACS adds a description for migrated objects that do not have one. For migrated objects that already have a description, Cisco Secure ACS retains it.

• TACACS Global Settings: The TACACS+ Global Settings object in Cisco Secure ACS is exported to the migration tool, and validation errors or warnings are reported. The data can be imported as part of the predefined data objects in the migration tool.

• TACACS Policies: TACACS+ authentication, authorization, and authorization exception policies for the device administration service are imported to Cisco ISE. The results of an authorization policy rule may be command sets and a shell profile. If a command set or shell profile is not exported due to an error, then the policy is not exported to the migration tool.

During migration, the migration tool maintains two policy sets, one for network access and another for device administration services. During import to ISE, the migration tool checks the type of service and determines the policy to which it has to be imported.

Note: Be sure to check the policy configuration in Cisco ISE after migration.

Migration of External Proxy Servers

The migration tool can export proxy objects from the following external proxy servers:

• TACACS+ External Proxy Server: When an external proxy server is configured with TACACS+, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > External TACACS Servers page.


• RADIUS External Proxy Server:When an external proxy server is configured with RADIUS, the RADIUS objects are migrated to theAdministration > Network Resources > External RADIUS Servers page.

• Cisco Secure ACS External Proxy Server:When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS+ andRADIUS) option, the TACACS and RADIUS objects are migrated to different locations. The TACACS+objects are migrated to theWork Centers >Device Administration >Network Resources >ExternalTACACS Servers page with the word "TACACS_" prefixed to the object name. The RADIUS objectsare migrated to the Administration > Network Resources > External RADIUS Servers page withthe word "RADIUS_" prefixed to the object name.

Cisco Secure ACS does not support the single connect configuration; therefore, during import the migration application creates the proxy objects with the default values supported by Cisco ISE for this attribute.

Migration of External Proxy Server Sequences

The migration tool can export a set of external servers from the following external proxy servers:

• TACACS+ External Proxy Server: When an external proxy server is configured with a TACACS+ server sequence, the TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page.

• RADIUS External Proxy Server: When an external proxy server is configured with a RADIUS server sequence, the RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page.

• Cisco Secure ACS External Proxy Server: When an external proxy server is configured with the Cisco Secure ACS (supports both TACACS+ and RADIUS) option, the TACACS+ and RADIUS objects are migrated to different locations. The TACACS+ objects are migrated to the Work Centers > Device Administration > Network Resources > TACACS Server Sequence page with the word "TACACS_" prefixed to the object name. The RADIUS objects are migrated to the Administration > Network Resources > RADIUS Server Sequence page with the word "RADIUS_" prefixed to the object name.

Migration Tool Reports

Cisco ISE generates reports for import, export, and policy gap analysis during Cisco Secure ACS, Release 5.5/5.6 data migration.

If you decide to share the report files with anyone, or want to save them to another location, you can find the following files in the Reports folder of the migration tool directory:

• import_report.txt

• export_report.txt

• policy_gap_report.txt


Related Topics

Export Report, on page 11

Import Report, on page 12

Policy Gap Analysis Report, on page 11

Export Report

This report indicates specific information or errors that are encountered during the export of data from the Cisco Secure ACS database. It contains a data analysis section at the end of the report, which describes the functional gap between Cisco Secure ACS and Cisco ISE. The export report also includes error information for exported objects that will not be imported.

Table 1: Cisco Secure ACS to Cisco ISE Migration Tool Export Report

Report Type: Export
Message Type: Information
Message Description: Lists the names of the data objects that were exported successfully.

Report Type: Export
Message Type: Warning
Message Description: Lists export failures or exports that were not attempted because the data object is not supported by Cisco ISE, Release 2.0.

Related Topics

Migration Tool Reports, on page 10

Policy Gap Analysis Report

This report lists specific information related to the policy gap between Cisco Secure ACS and Cisco ISE, and is available after completion of the export process by clicking the Policy Gap Analysis Report button in the migration tool user interface.

During the export phase, the migration tool identifies the gaps in the authentication and authorization policies. If any policy is not migrated, it is listed in the Policy Gap Analysis report. The report lists all the incompatible rules and conditions that are related to policies. It describes the data that cannot be migrated and the reason, along with a manual workaround.

Some conditions can be automatically migrated by using the appropriate Cisco ISE terminology; for example, a condition named Device Type In is migrated as Device Type Equals. If a condition is supported or can be automatically translated, it does not appear in the report. If a condition is found as "Not Supported" or "Partially Supported," the policy is not imported and the conditions appear in the report. It is the responsibility of the administrator who is performing the migration to modify or delete such conditions. If they are not modified or deleted, policies are not migrated to Cisco ISE.

Related Topics

Migration Tool Reports, on page 10


Import Report

This report indicates specific information or errors that are encountered during the import of data into the Cisco ISE appliance.

Table 2: Cisco Secure ACS to Cisco ISE Migration Tool Import Report

Report Type: Import
Message Type: Information
Message Description: Lists the names of the data objects that were imported successfully.

Report Type: Import
Message Type: Error
Message Description: Identifies a data object error due to:

• Object exists already

• Object name exceeds the character limit

• Object name contains unsupported special characters

• Object contains unsupported data characters
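As an added example, not part of this guide and not code from the Cisco migration tool, the following Python script applies the four error causes of Table 2 and the TACACS_/RADIUS_ prefixing rule from the external proxy server sections to a constructed export batch, producing import_report.txt-style lines. The name length limit, the allowed character set, the sample objects, and the names assumed to already exist on the Cisco ISE node are assumptions; the guide does not state the real limits.

```python
"""Pre-import name checks modelled on the import report causes in Table 2,
plus the TACACS_/RADIUS_ prefixing rule from the external proxy sections.

Added example; this is not code from the Cisco migration tool. The name
length limit and the allowed character set are constructed assumptions:
the guide lists the error causes but not the actual limits."""
import re
from typing import Dict, List, Set, Tuple

MAX_NAME_LEN = 32                                   # assumption, not from the guide
ALLOWED_NAME = re.compile(r"^[A-Za-z0-9_.-]+$")     # assumption, not from the guide


def prefix_proxy_name(name: str, protocol: str, source: str) -> str:
    """Objects exported from a Cisco Secure ACS-type proxy are split by
    protocol and prefixed with TACACS_ or RADIUS_; other proxy types keep
    their name unchanged."""
    return f"{protocol}_{name}" if source == "ACS" else name


def check_object(name: str, existing: Set[str], values: List[str]) -> List[str]:
    """Return the import-report error causes that apply to one object."""
    errors = []
    if name in existing:
        errors.append("Object exists already")
    if len(name) > MAX_NAME_LEN:
        errors.append("Object name exceeds the character limit")
    if not ALLOWED_NAME.fullmatch(name):
        errors.append("Object name contains unsupported special characters")
    if any(not v.isprintable() for v in values):
        errors.append("Object contains unsupported data characters")
    return errors


def build_import_report(objects: List[Dict], existing: Set[str]) -> Tuple[List[str], List[str]]:
    """Produce import_report.txt-style lines and the list of importable names.
    Names that pass are added to a working copy of `existing`, so a later
    duplicate in the same batch is reported as well."""
    lines, importable = [], []
    existing = set(existing)
    for obj in objects:
        name = prefix_proxy_name(obj["name"], obj["protocol"], obj["source"])
        errors = check_object(name, existing, obj.get("values", []))
        if errors:
            lines.extend(f"Error: {name}: {e}" for e in errors)
        else:
            lines.append(f"Information: {name}: imported")
            importable.append(name)
            existing.add(name)
    return lines, importable


def sample_report() -> Tuple[List[str], List[str]]:
    """Constructed export batch and a constructed set of names already on the ISE node."""
    already_on_ise = {"RADIUS_corp-proxy"}
    exported = [
        {"name": "corp-proxy", "protocol": "TACACS", "source": "ACS", "values": ["10.0.0.5"]},
        {"name": "corp-proxy", "protocol": "RADIUS", "source": "ACS", "values": ["10.0.0.5"]},
        {"name": "dc east/west proxy", "protocol": "RADIUS", "source": "RADIUS"},
        {"name": "a" * 40, "protocol": "TACACS", "source": "TACACS"},
        {"name": "lab-proxy", "protocol": "RADIUS", "source": "RADIUS",
         "values": ["10.0.0.9", "key\x01"]},
    ]
    return build_import_report(exported, already_on_ise)


if __name__ == "__main__":
    for line in sample_report()[0]:
        print(line)
```

Running the script ahead of the real import lets an administrator rename or remove the offending objects in Cisco Secure ACS before the import phase, rather than discovering them in the import report afterwards.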

Related Topics

Migration Tool Reports, on page 10

UTF-8 Support

Cisco ISE, Release 2.0, supports 8-bit Unicode Transformation Format (UTF-8) for some administration configurations. The following configuration items are exported and imported with UTF-8 encoding:

• Network Access User Configuration

• RSA

• RADIUS Token

• Policies

• Identity Group Mapping

Network Access User Configuration

• Username

• Password and re-enter password

• First name

• Last name


• Email

RSA

RSA prompts and messages are shown to the end user by the supplicant.

• Messages

• Prompts

RADIUS Token

The RADIUS token prompt is presented on the end-user supplicant.

• Authentication Tab > Prompts

• Administrator Configuration

• Administrator username and password

• Configure administrator by using UTF-8

Policies

• Authentication > Value for AV expression

• Authorization > Other Conditions > Value for AV expression

• Attribute-value conditions

• Authentication > Simple Condition/Compound Condition > Value for AV expression

• Authorization > Simple Condition/Compound Condition > Value for AV expression

FIPS Support for ISE 802.1X Services

The Cisco ISE FIPS mode should not be enabled before the migration process is complete.

To support the Federal Information Processing Standard (FIPS), the migration tool migrates the default network device keywrap data.

FIPS-compliant and supported protocols:

• Process Host Lookup

• Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

• Protected Extensible Authentication Protocol (PEAP)

• EAP-Flexible Authentication via Secure Tunneling (FAST)

FIPS-noncompliant and unsupported protocols:


• EAP-Message Digest 5 (MD5)

• Password Authentication Protocol and ASCII

• Challenge Handshake Authentication Protocol (CHAP)

• Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)

• Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

• Lightweight Extensible Authentication Protocol (LEAP)

Cisco Secure ACS/Cisco ISE Version Validation

The migration tool identifies the Cisco Secure ACS release version before the export phase begins. The migration process will not start if the Cisco Secure ACS version is not one of 5.5, 5.6, 5.7, or 5.8. In addition, before importing the data to Cisco ISE, the tool verifies that the Cisco ISE release version is 2.0.
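Added example, not the migration tool's own code, covering this version check together with the FIPS section above: a pre-migration gate that refuses unsupported Cisco Secure ACS or Cisco ISE releases, refuses to proceed while FIPS mode is already enabled on Cisco ISE, and lists, per allowed-protocols object, the protocols from the FIPS-noncompliant list that would stop working once FIPS mode is enabled after migration. The version strings and allowed-protocol sets in sample_preflight() are constructed; the release numbers and protocol lists are those given in this guide.

```python
"""Pre-migration gate modelled on the version validation and FIPS sections.

Added example; not the migration tool's own code. Version strings and the
allowed-protocol sets in sample_preflight() are constructed sample data."""
from typing import Dict, List

SUPPORTED_ACS_RELEASES = {"5.5", "5.6", "5.7", "5.8"}   # version validation section
REQUIRED_ISE_RELEASE = "2.0"

# Protocol names as listed in the FIPS section of the guide.
FIPS_COMPLIANT = {"Process Host Lookup", "EAP-TLS", "PEAP", "EAP-FAST"}
FIPS_NONCOMPLIANT = {"EAP-MD5", "PAP/ASCII", "CHAP", "MS-CHAPv1", "MS-CHAPv2", "LEAP"}


def release_of(version: str) -> str:
    """Reduce a full build string such as '5.6.0.0' to its release '5.6'."""
    return ".".join(version.split(".")[:2])


def version_gate(acs_version: str, ise_version: str) -> List[str]:
    """Blocking problems: the tool refuses to start on other ACS or ISE releases."""
    problems = []
    if release_of(acs_version) not in SUPPORTED_ACS_RELEASES:
        problems.append(f"Cisco Secure ACS {acs_version} is not a supported source release")
    if release_of(ise_version) != REQUIRED_ISE_RELEASE:
        problems.append(f"Cisco ISE {ise_version} is not release {REQUIRED_ISE_RELEASE}")
    return problems


def fips_audit(allowed_protocol_sets: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """For each allowed-protocols object, the protocols (in configured order)
    that stop working once FIPS mode is enabled after migration. Objects with
    only FIPS-compliant protocols are omitted."""
    return {name: [p for p in protos if p in FIPS_NONCOMPLIANT]
            for name, protos in allowed_protocol_sets.items()
            if any(p in FIPS_NONCOMPLIANT for p in protos)}


def preflight(acs_version: str, ise_version: str, ise_fips_enabled: bool,
              allowed_protocol_sets: Dict[str, List[str]]) -> Dict:
    """Combine the blocking checks with the advisory FIPS audit."""
    blocking = version_gate(acs_version, ise_version)
    if ise_fips_enabled:
        blocking.append("Cisco ISE FIPS mode is enabled; enable it only after migration completes")
    return {"ok": not blocking, "blocking": blocking,
            "fips_warnings": fips_audit(allowed_protocol_sets)}


def sample_preflight() -> Dict:
    """Constructed inputs: a supported ACS build, an ISE 2.0 build, FIPS off,
    and two constructed allowed-protocols objects."""
    sets = {"Default Network Access": ["EAP-TLS", "PEAP", "MS-CHAPv2", "PAP/ASCII"],
            "Cert Only": ["EAP-TLS"]}
    return preflight("5.6.0.0", "2.0.0.0", False, sets)


if __name__ == "__main__":
    print(sample_preflight())
```

The FIPS audit is advisory rather than blocking: the guide only requires that FIPS mode stay off until migration completes, but an administrator who plans to enable it afterwards will want to know which migrated allowed-protocol objects still carry EAP-MD5, PAP/ASCII, CHAP, MS-CHAP, or LEAP.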


C H A P T E R 2

Cisco Secure ACS to Cisco ISE Migration Tool

This chapter provides information about the Cisco Secure ACS to Cisco ISE Migration Tool that is used for data migration from a Cisco Secure ACS, Release 5.5 or 5.6 database to a Cisco ISE, Release 2.0 system.

• Data Migration from Cisco Secure ACS to Cisco ISE, page 15

• Cisco Secure ACS to Cisco ISE Migration Tool, page 16

• Software Requirements, page 18

Data Migration from Cisco Secure ACS to Cisco ISE

The only supported direct migration process that uses the Cisco Secure ACS to Cisco ISE Migration Tool is from a Cisco Secure ACS, Release 5.5 or 5.6 to a Cisco ISE, Release 2.0 system.

There are three steps in the migration process:

1 Exporting the Cisco Secure ACS, Release 5.5 or 5.6 data from its database

2 Persisting the data by using the migration tool

3 Importing the persisted data into the Cisco ISE, Release 2.0 system

Data Migration Time Estimate

The Cisco Secure ACS (Cisco SNS 3415) to Cisco ISE Migration Tool may run for approximately 21 hours to migrate 4 LDAPs, 1,000 identity groups, 20 network device locations, 25 access services, 50 SSPs, 100 DACLs, 320 authorization rules, 600 authorization profiles, 20 command sets and shell profiles (each command set contains 100 commands), 30,000 network devices, 25,000 users, and 150,000 hosts.

The migration tool may run for approximately 52 hours to migrate the following configurations:

• 4 LDAPs

• 1,000 identity groups

• 500 user identity groups

• 20 network device locations


• 100 network device groups

• 25 access services

• 50 SSPs

• 600 downloadable access control lists (DACLs)

• 320 authorization rules

• 600 authorization profiles (with or without policy sets)

• 20 command sets and shell profiles (each command set contains 100 commands)

• 40 policy sets (limited by max rules)

• 20 custom user dictionaries

• 100,000 network devices

• 300,000 users

• 150,000 hosts

Cisco Secure ACS to Cisco ISE Migration Tool

Before running the migration tool, ensure that you have upgraded to Cisco ISE, Release 2.0, and have installed the latest patches for Cisco Secure ACS, Release 5.5 or 5.6.

The migration tool helps you to migrate the data from Cisco Secure ACS, Release 5.5 or 5.6 to a Cisco ISE, Release 2.0 system. The design of the tool addresses the inherent migration problems that result from differences in the underlying hardware platforms and systems, databases, and data schemas.

The migration tool runs on Linux-based and Windows-based systems. The migration tool works by exporting the Cisco Secure ACS data files, analyzing the data, and making the data modifications that are necessary for importing the data into a format that is usable by the Cisco ISE, Release 2.0 system.

• The migration tool requires minimal user interaction and a full set of configuration data.

• The migration tool provides you with a complete list of unsupported objects.

The Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 applications may or may not run on the same type of physical hardware. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The Cisco Secure ACS PI and the Cisco ISE REST APIs allow the Cisco Secure ACS and Cisco ISE applications to run on supported hardware platforms or VMware servers. Because Cisco Secure ACS is considered a closed appliance, running the migration tool directly on a Cisco ACS appliance is not permitted. Instead, the Cisco Secure ACS PI reads and returns the configuration data in a normalized form. The Cisco ISE REST APIs perform validation and normalize the exported Cisco Secure ACS data to persist it in a form usable by Cisco ISE software.

Minimum Data Configuration Required to Start Migration

A minimal amount of configuration data is needed at the beginning of the migration process before the application proceeds to migrate the full set of configuration items. However, as the migration progresses, some data may not be mapped automatically between the two applications. The administrator handling the migration is notified of this type of data, which must be resolved before the migration is complete.

Migration Tool Monitors Progress of Data Migration

As the migration proceeds, you can monitor the real-time migration status along with the progress of activities. For troubleshooting, detailed logs are available and accessible in the migration tool.

Checkpoints to Continue Migration in the Migration Tool

You can perform export and import operations individually or in sequence. Exporting and importing may take a long time, depending on the amount of data being migrated. Therefore, the migration tool periodically displays checkpoints with the status of the activity being performed. You can restart the migration process from a checkpoint in case of a failure.

Export Configuration Data from Cisco Secure ACS

You can start the export process after you have authenticated to the Cisco Secure ACS system and requested the data export.

A direct upgrade from Cisco Secure ACS to Cisco ISE is not supported. The migration tool assists you if you want to uninstall the Cisco Secure ACS, Release 5.5 or 5.6 software and reimage the physical hardware with Cisco ISE, Release 2.0 software.

Analyze Configuration Data

During the export phase, the migration tool reads and analyzes the data to confirm that it can be created correspondingly on the Cisco ISE system. Because the Cisco Secure ACS and Cisco ISE policy models are not the same, some of the data might not be supported by Cisco ISE. The migration tool reports any data issues that may require administrator intervention at the end of the export phase.

Data Persistence

The migration tool persists the Cisco Secure ACS data while the re-image process is completing and before the import stage begins.

Import Configuration Data into Cisco ISE

During this step, the migration tool imports configuration data into Cisco ISE.


Software Requirements

Table 3: Software Requirements for the Cisco Secure ACS to Cisco ISE Migration Tool

Requirement: Operating System
Description: The migration tool runs on Windows and Linux machines. The machine should have Java installed on it.

Requirement: Minimum disk space
Description: The minimum disk space required is 1 GB. This space is required not only for the installation of the migration tool, but also because the migration tool will store the migrated data and will generate reports and logs.

Requirement: Minimum RAM
Description: The minimum RAM required is 2 GB. If you have about 300,000 users, 50,000 hosts, and 50,000 network devices, then we recommend that you have a minimum of 2 GB of RAM.


C H A P T E R 3

Data Migration Principles

This chapter describes data migration from Cisco Secure ACS, Release 5.5 or 5.6, when deployed on a single appliance or in a distributed deployment, to Cisco ISE, Release 2.0.

• Data Migration and Deployment Scenarios, page 19

• Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6, page 21

• Policy Services Migration Guidelines, page 21

• Per Policy Service Migration Guidelines, page 22

• Cisco Secure ACS Policy Rules Migration Guidelines, page 23

• Unsupported Rule Elements, page 23

Data Migration and Deployment Scenarios

Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the migration tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.

Migrating Data from a Single Cisco Secure ACS Appliance

Before You Begin

When you are ready to start migrating Cisco Secure ACS, Release 5.5 or 5.6 data to Cisco ISE, Release 2.0, ensure that the target is a standalone Cisco ISE node. After the migration is successfully completed, you can begin any deployment configuration (such as setting up Administrator ISE and Policy Service ISE personas).

It is a requirement that the migration import phase be performed on a "clean" new installation of the Cisco ISE software on a supported hardware appliance. For a list of supported hardware appliances, refer to the Cisco Identity Services Engine Hardware Installation Guide, Release 2.0.

If you have a single Cisco Secure ACS appliance in your environment (or several Cisco Secure ACS appliances, but not in a distributed setup), run the migration tool against the Cisco Secure ACS appliance.


You can use the migration tool and the following migration procedure in cases where Cisco Secure ACS and Cisco ISE use the same hardware, the CSACS-1121 appliance:

Step 1 Install the migration tool on a standalone Windows or Linux machine.

Step 2 Export the Cisco Secure ACS, Release 5.5 or 5.6 data from the Cisco Secure ACS-1121 hardware appliance to a secure external server with a database.

Step 3 Back up the Cisco Secure ACS data.

Step 4 Re-image the Cisco Secure ACS-1121 hardware appliance, which has the same physical hardware as any of the supported Cisco ISE appliances, with Cisco ISE, Release 2.0, software. Refer to the for the supported hardware.

Step 5 Import the converted Cisco Secure ACS, Release 5.5 or 5.6 data from the secure external server into the Cisco ISE, Release 2.0.

Migrating Data from a Distributed Environment

Before You Begin

If you have a large internal database, Cisco recommends that you run the migration from a standalone primary appliance and not from a primary appliance that is connected to several secondary appliances. After the completion of the migration process, you can register all the secondary appliances.

In a distributed environment, there is one primary Cisco Secure ACS appliance and one or more secondary Cisco Secure ACS appliances that interoperate with the primary appliance.

If you are running Cisco Secure ACS in a distributed environment, you must:

Step 1 Back up the primary Cisco Secure ACS appliance and restore it on the migration machine.

Step 2 Run the migration tool against the primary Cisco Secure ACS appliance.

Figure 1: Cisco Secure ACS and Cisco ISE Installed on Different Appliances


Preparation for Migration from Cisco Secure ACS, Release 5.5 or 5.6

We recommend that you do not change to Simple mode after a successful migration from Cisco Secure ACS, because you might lose all the migrated policies in Cisco ISE. You cannot retrieve those migrated policies, but you can switch back to Policy Set mode from Simple mode.

You must consider the following before you start migrating Cisco Secure ACS data to Cisco ISE:

• Migrate Cisco Secure ACS, Release 5.5 or 5.6 data only in the Policy Set mode in Cisco ISE, Release 2.0.

• Migrate on a fresh installation of Cisco ISE, Release 2.0. In Cisco ISE, choose Administration > System > Settings > Policy Sets to enable the policy sets.

• Generate one policy set per enabled rule in the Service Selection Policy (SSP) and order them according to the order of the SSP rules.

Note: The service that is the result of the SSP default rule becomes the default policy set in Cisco ISE, Release 2.0. For all the policy sets created in the migration process, the match type is "first matching policy set".

Policy Services Migration Guidelines

Check the following conditions, which determine whether policy services are migrated from Cisco Secure ACS to Cisco ISE:

• If a Service Selection Policy (SSP) contains SSP rules that are disabled or monitored in Cisco Secure ACS, Release 5.5 or 5.6, those rules are not migrated to Cisco ISE.

• If a Service Selection Policy (SSP) contains an SSP rule that is enabled in Cisco Secure ACS, Release 5.5 or 5.6, and that rule:

◦ requests a service that contains a Group Mapping policy, it is not migrated to Cisco ISE (Cisco ISE does not support Group Mapping Policy).

◦ requests a service whose identity policy contains rules that result in a RADIUS Identity Server, it is not migrated to Cisco ISE (Cisco ISE handles RADIUS Identity Servers for authentication differently).

◦ requests a service that has policies using attributes or policy elements that are not supported by Cisco ISE, it is not migrated to Cisco ISE.


Per Policy Service Migration Guidelines

Because Cisco Secure ACS data is migrated only in the Policy Set mode of Cisco ISE, Release 2.0, this section describes the changes for each policy service that you migrate from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0.

Cisco Secure ACS Service Selection Policy Default Rule Matches Cisco ISE Default Policy Set

You can create a policy set with the name of the service in Cisco ISE. If the policy set matches the service that is the result of the SSP default rule in Cisco Secure ACS, Release 5.5 or 5.6, then the policy set becomes the default policy set in Cisco ISE, Release 2.0. The condition of the SSP rule in Cisco Secure ACS, Release 5.5 or 5.6 becomes the entry condition of the policy set in Cisco ISE, Release 2.0. In the case of the Cisco ISE, Release 2.0 default policy set, no entry condition is required.

Migration of Cisco Secure ACS DenyAccess Service to Cisco ISE Authentication and Authorization Policies

When you convert the DenyAccess service in Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0, the authentication and authorization policies change to the following:

• The authentication policy has only the default outer rule, with the results set to Default Network Access for the Allowed Protocol and DenyAccess for the identity source.

• The authorization policy has only the default rule, set to DenyAccess (standard permission).

Migration of Cisco Secure ACS Service Identity Policy to Cisco ISE Authentication Policy of the Policy Set

When you want to convert the identity policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authentication policy of the policy set in Cisco ISE, Release 2.0, perform the following:

• Create an authentication policy that has a single, enabled, outer rule.

• Specify the condition of the outer rule as Device:Location starts with All Locations (this is always the matched condition).

• Set the results of the default outer rule to Default Network Access for the Allowed Protocol and DenyAccess for the identity source.

The result of the outer rule is the Allowed Protocol of the related service. The inner rules of the authentication policy are the rules of the related identity policy. The order of the inner rules of the authentication policy follows the same order of rules in the related identity policy. The state (enabled, disabled, or monitored) of the inner rules of the authentication policy follows the state of the rules in the related identity policy.

Migration of Cisco Secure ACS Service Authorization Policy to Cisco ISE Authorization Policy of the Policy Set

When you want to convert the authorization policy of the service in Cisco Secure ACS, Release 5.5 or 5.6 to the authorization policy of the policy set in Cisco ISE, Release 2.0:

• The rules of the policy set Local Exception Authorization policy are the rules of the Exception Authorization policy of the related service.

• The rules of the policy set Authorization policy are the rules of the Authorization policy of the related service.


• The order of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the order of the rules in the Local Exception Authorization policy and Authorization policy of the related service.

• The state (enabled, disabled, monitored) of the rules of the policy set Local Exception Authorization policy and Authorization policy follows the state of the rules in the Local Exception Authorization policy and Authorization policy of the related service.
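The following Python model, added here as an illustration and not taken from the Cisco migration tool, carries the rules of the Preparation, Policy Services Migration Guidelines and Per Policy Service Migration Guidelines sections through on one constructed Service Selection Policy: one policy set per enabled SSP rule in SSP order, the default rule becoming the default policy set without an entry condition, the DenyAccess service collapsing to a single outer rule and a DenyAccess authorization rule, identity-policy rules becoming inner authentication rules with their order and state preserved, exception rules becoming the local exception policy, and disabled, monitored or unsupported rules going to a gap list. The Rule, Service and PolicySet classes and all sample data are assumptions made for the example.

```python
"""Service Selection Policy (SSP) to policy-set conversion, following the
migration guidelines above. Added example, not the Cisco migration tool's
code; the Rule/Service/PolicySet model and the sample SSP are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Outer-rule condition the guide gives for the migrated authentication policy.
OUTER_RULE_CONDITION = "Device:Location STARTS_WITH All Locations"


@dataclass
class Rule:
    name: str
    state: str                  # "enabled", "disabled" or "monitored"
    condition: Optional[str]    # None for a default rule
    result: str


@dataclass
class Service:
    name: str
    allowed_protocols: str = "Default Network Access"
    identity_rules: List[Rule] = field(default_factory=list)
    authz_rules: List[Rule] = field(default_factory=list)
    exception_rules: List[Rule] = field(default_factory=list)
    has_group_mapping: bool = False
    uses_radius_identity_server: bool = False


@dataclass
class PolicySet:
    name: str
    entry_condition: Optional[str]      # None only for the default policy set
    is_default: bool
    authn_outer_rule: Rule
    authn_inner_rules: List[Rule]
    local_exception_rules: List[Rule]
    authz_rules: List[Rule]


def service_gap(svc: Service) -> Optional[str]:
    """Reason a service cannot be migrated, or None if it can."""
    if svc.has_group_mapping:
        return "service contains a Group Mapping policy"
    if svc.uses_radius_identity_server:
        return "identity policy results in a RADIUS Identity Server"
    return None


def convert_service(ssp_rule: Rule, svc: Service) -> PolicySet:
    """Build the policy set for one enabled SSP rule and its service."""
    is_default = ssp_rule.condition is None
    outer = Rule("Default", "enabled", OUTER_RULE_CONDITION,
                 f"{svc.allowed_protocols} / identity source DenyAccess")
    if svc.name == "DenyAccess":
        # DenyAccess service: only the default outer rule and a DenyAccess authorization rule.
        return PolicySet(svc.name, ssp_rule.condition, is_default, outer, [], [],
                         [Rule("Default", "enabled", None, "DenyAccess")])
    return PolicySet(svc.name, ssp_rule.condition, is_default, outer,
                     list(svc.identity_rules),    # same order and state as the identity policy
                     list(svc.exception_rules),   # exception policy -> local exception policy
                     list(svc.authz_rules))


def migrate_ssp(ssp_rules: List[Rule], services: Dict[str, Service]) -> Tuple[List[PolicySet], List[str]]:
    """One policy set per enabled SSP rule, in SSP order; the rest goes to the gap list."""
    policy_sets, gaps = [], []
    for r in ssp_rules:
        if r.state != "enabled":
            gaps.append(f"SSP rule '{r.name}' is {r.state}: not migrated")
            continue
        svc = services[r.result]
        reason = service_gap(svc)
        if reason:
            gaps.append(f"SSP rule '{r.name}' -> service '{svc.name}': {reason}; not migrated")
            continue
        policy_sets.append(convert_service(r, svc))
    return policy_sets, gaps


def sample_migration() -> Tuple[List[PolicySet], List[str]]:
    """Constructed SSP with enabled, monitored, unsupported and default rules."""
    services = {
        "Wired Access": Service("Wired Access", "Default Network Access",
            identity_rules=[Rule("Certs", "enabled", "Certificate", "CertAuthProfile"),
                            Rule("Internal", "disabled", "Wired_MAB", "Internal Users")],
            authz_rules=[Rule("Employees", "enabled", "AD:Group EQUALS Staff", "PermitAccess")],
            exception_rules=[Rule("Quarantine", "enabled", "Session:Quarantined", "DenyAccess")]),
        "DenyAccess": Service("DenyAccess"),
        "Mapped Access": Service("Mapped Access", has_group_mapping=True),
        "Default Network Access": Service("Default Network Access"),
    }
    ssp = [
        Rule("Wired 802.1X", "enabled", "NAS-Port-Type EQUALS Ethernet", "Wired Access"),
        Rule("Block Guests", "enabled", "Device:Type STARTS_WITH Guest", "DenyAccess"),
        Rule("Legacy", "monitored", "Protocol EQUALS Tacacs", "Wired Access"),
        Rule("Mapped", "enabled", "Protocol EQUALS Radius", "Mapped Access"),
        Rule("Default", "enabled", None, "Default Network Access"),
    ]
    return migrate_ssp(ssp, services)
```

The gap list produced here plays the role of the Policy Gap Analysis Report: every SSP rule that does not become a policy set is listed with the reason, so the administrator can decide whether to modify the service in Cisco Secure ACS before export or to rebuild it manually in Cisco ISE afterwards.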

Cisco Secure ACS Policy Rules Migration Guidelines

When rules cannot be migrated, the policy model as a whole cannot be migrated, due to security aspects as well as data integrity. You can view details of problematic rules in the Policy Gap Analysis Report. If you do not modify or delete an unsupported rule, the policy is not migrated to Cisco ISE.

In general, you must consider these rules while migrating data from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0:

• Objects with special characters are not migrated.

• Attributes (RADIUS, VSA, identity, and host) of type enum are migrated as integers with allowed values.

• All endpoint attributes (no matter the attribute data type) are migrated as String data types.

• RADIUS attributes and VSA values cannot be filtered and added to Cisco ISE logs.

Unsupported Rule Elements

Cisco Secure ACS and Cisco ISE are based on different policy models, and there is a gap between pieces of Cisco Secure ACS data when it is migrated to Cisco ISE. When Cisco Secure ACS and Cisco ISE release versions change, not all Cisco Secure ACS policies and rules can be migrated, due to:

• Unsupported attributes used by the policy

• Unsupported AND/OR condition structure (mainly when complex conditions are configured)

• Unsupported operators

Table 4: Unsupported Rule Elements

Rule Element: Date and Time
Status of Support: Not Supported
Description: Date and time conditions in an authorization policy that have a weekly recurrence setting are not migrated to Cisco ISE. As a result, the rules are also not migrated.

Rule Element: Date and Time
Status of Support: Not Supported
Description: Date and time conditions in an authentication policy are not migrated to Cisco ISE. As a result, the rules are also not migrated.

Rule Element: In
Status of Support: Supported
Description: The "In" operator is converted to STARTS_WITH.

Rule Element: Not In
Status of Support: Not Supported
Description: The "Not In" operator is converted to NOT_STARTS_WITH.

Rule Element: Contains Any
Status of Support: Supported
Description: The "Contains Any" operator is converted to a compound condition with EQUALS & OR operators. Example: In ACS, AD ExternalGrp Contains Any (A, B) is converted to (AD ExternalGrp Equals A) OR (AD ExternalGrp Equals B) in Cisco ISE.

Rule Element: Contains All
Status of Support: Supported
Description: The "Contains All" operator is converted to a compound condition with EQUALS & AND operators. Example: In ACS, AD:ExternalGrp Contains All A;B is converted to (AD ExternalGrp Equals A) AND (AD ExternalGrp Equals B) in Cisco ISE.

Rule Element: Combination of logical expressions
Status of Support: Not Supported
Description: Rules that use these operators in their conditions are not migrated:

• Authentication policies that include compound conditions that have logical expressions other than a || b || c || ... and/or a && b && c && ..., such as (a || b) && c.

• Authorization policies that include compound conditions that have logical expressions other than a && b && c && ... are not migrated as part of the rule condition. As a workaround, you can manually use library compound conditions for some advanced logical expressions.

Rule Element: Network conditions
Status of Support: Not Supported
Description: Rules that include only network conditions are not migrated. In case the condition includes network conditions and other supported conditions, the network conditions are ignored and are not migrated as part of the rule condition.

Rule Element: User attributes
Status of Support: Partially Supported
Description: Rules with conditions that include user attributes with a data type other than the "String" data type are not migrated.

Rule Element: Host attributes
Status of Support: Not Supported
Description: Authentication fails in case the condition refers to host attributes. Authorization policies that include a condition that has host (endpoint) attributes are not migrated to Cisco ISE authorization policies.
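The following added Python example (not code from this guide or from the migration tool) implements the operator conversions of Table 4 together with the logical-expression rule described in the table and in the Policy Gap Analysis Report section, and goes slightly beyond the table by applying them recursively to nested conditions. The tuple representation of conditions, a simple condition as (attribute, operator, value) and a compound condition as ("AND" or "OR", [children]), is a constructed assumption.

```python
"""Rule-element translation and logical-structure check modelled on Table 4
and the Policy Gap Analysis Report section.

Added example; not the migration tool's own code. Conditions are represented
as constructed tuples: a simple condition is (attribute, operator, value);
a compound condition is ("AND" | "OR", [child conditions])."""
from typing import Dict, Set

UNSUPPORTED_OPERATORS = {"Not In"}      # listed as Not Supported in Table 4


def is_compound(cond) -> bool:
    return cond[0] in ("AND", "OR")


def translate_simple(attr: str, op: str, value):
    """Operator mapping from Table 4; other operators pass through unchanged."""
    if op == "In":
        return (attr, "STARTS_WITH", value)
    if op == "Contains Any":            # one ACS condition becomes an OR of EQUALS
        return ("OR", [(attr, "EQUALS", v) for v in value])
    if op == "Contains All":            # ... or an AND of EQUALS
        return ("AND", [(attr, "EQUALS", v) for v in value])
    return (attr, op, value)


def translate(cond):
    """Translate a simple or compound condition recursively."""
    if is_compound(cond):
        return (cond[0], [translate(c) for c in cond[1]])
    return translate_simple(*cond)


def operators_used(cond) -> Set[str]:
    if is_compound(cond):
        return set().union(*(operators_used(c) for c in cond[1]))
    return {cond[1]}


def shape_supported(policy_type: str, cond) -> bool:
    """Authentication rules accept a simple condition, a || b || c or
    a && b && c; authorization rules accept a simple condition or
    a && b && c. Nested expressions such as (a || b) && c are never accepted.
    The check is made on the ACS-side structure, before Contains Any/All are
    expanded, because ACS treats those as single conditions."""
    if not is_compound(cond):
        return True
    if any(is_compound(c) for c in cond[1]):
        return False
    return cond[0] == "AND" or policy_type == "authentication"


def migrate_rule(policy_type: str, cond) -> Dict:
    """Return whether the rule migrates, its translated condition, and gap notes."""
    notes = []
    bad_ops = operators_used(cond) & UNSUPPORTED_OPERATORS
    if bad_ops:
        notes.append(f"unsupported operator(s) {sorted(bad_ops)}: rule not migrated")
        return {"migrated": False, "condition": None, "notes": notes}
    if not shape_supported(policy_type, cond):
        if policy_type == "authentication":
            notes.append("logical expression is not a || b || c or a && b && c: rule not migrated")
            return {"migrated": False, "condition": None, "notes": notes}
        notes.append("logical expression is not a && b && c: condition dropped from the "
                     "rule; rebuild it manually with a library compound condition")
        return {"migrated": True, "condition": None, "notes": notes}
    return {"migrated": True, "condition": translate(cond), "notes": notes}


if __name__ == "__main__":
    print(migrate_rule("authorization", ("AD:ExternalGrp", "Contains Any", ["A", "B"])))
```

An authorization rule whose condition is dropped still migrates, which is the risk the guide's workaround addresses: a rule with no condition matches more broadly than the original, so such rules should be reviewed in Cisco ISE before the policy set is used.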


C H A P T E R 4

Migration Tool Installation

This chapter provides guidelines on how to install the Cisco Secure ACS to Cisco ISE Migration Tool.

• Migration Tool Installation Guidelines, page 27

• System Requirements, page 28

• Security Considerations, page 28

• Downloading Migration Tool Files from Cisco ISE Admin Portal, page 28

• Initializing the Cisco Secure ACS to Cisco ISE Migration Tool, page 29

Migration Tool Installation Guidelines

• Ensure that your environment is ready for migration. In addition to a Cisco Secure ACS, Release 5.5 or 5.6 Windows or Linux source machine, you must deploy a secure external system with a database for dual-appliance (migrating data in a distributed deployment) migration and have a Cisco ISE, Release 2.0, appliance as a target system.

• Ensure that you have configured the Cisco Secure ACS, Release 5.5 or 5.6 source machine with a single IP address. The migration tool may fail during migration if an interface has multiple IP address aliases.

• Ensure that you have a backup of the ACS configuration data if the migration from Cisco Secure ACS to Cisco ISE is performed on the same appliance.

• Ensure that you have completed these tasks:

◦ If this is a dual-appliance migration, you have installed the Cisco ISE, Release 2.0 software on the target machine.

◦ If this is a single-appliance migration, you have the Cisco ISE, Release 2.0 software available to re-image the appliance or virtual machine.

◦ You have all the appropriate Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 credentials and passwords.

• Ensure that you can establish network connections between the source machine and the secure external system.


System Requirements

Table 5: System Requirements for Migration Machines

Platform | Requirements
Cisco Secure ACS, Release 5.5 or 5.6 source machine | Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address.
Cisco ISE, Release 2.0 target machine | Ensure that the Cisco ISE target machine has at least 2 GB of RAM.
Migration machine | Ensure that the migration machine has a minimum of 2 GB of RAM.
Migration machine, 64-bit Windows and Linux | Install Java JRE, version 1.7 or higher, 64-bit. The migration tool will not run if you do not install Java JRE on the migration machine.
Migration machine, 32-bit Windows and Linux | Install Java JRE, version 1.7 or higher, 32-bit. The migration tool will not run if you do not install Java JRE on the migration machine.

Security Considerations

The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.

You need to know the Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in an audit log.

You must enter the hostname of the primary Cisco Secure ACS server and the Cisco ISE server, along with the administrator credentials. After you have been authenticated, the migration tool proceeds to migrate the full set of configured data items in a form similar to an upgrade. Make sure that you have enabled the PI interface on the ACS server and the ACS migration interface on the ISE server before running the migration tool.

Downloading Migration Tool Files from Cisco ISE Admin Portal

Before You Begin

• Set the initial amount of memory allocated for the Java heap sizes for the migration process in the config.bat file. The attributes that set the heap size in config.bat are _Xms = 64 and _Xmx = 1024 (the memory is 64 and 1024 megabytes, respectively).


• If the Cisco Secure ACS and Cisco ISE software are installed on different appliances, download the migration tool files.

Step 1 Download the migTool.zip file in either of these ways:

• Enter the following URL in the address bar of the Cisco ISE user interface:

https://<hostname-or-hostipaddress>/admin/migTool.zip

• Or navigate to the Work Centers > Device Administration > Overview page and click the migration tool in the Prepare section to launch the migration tool.

Step 2 Extract the contents of the .zip file. Extracting the .zip file creates a directory structure that holds the config.bat and migration.bat files.

Step 3 Edit the config.bat file to set the initial amount of memory allocated for the Java heap sizes.

Step 4 Click Save.

Initializing the Cisco Secure ACS to Cisco ISE Migration Tool

Before You Begin

You should run the migration tool only after a fresh Cisco ISE installation or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Therefore, Cisco ISE FIPS mode should not be enabled before the migration process is complete.

When the migration tool is initialized, it pops up a message box asking if you want to view the unsupported list. The migration tool can migrate only a subset of Cisco Secure ACS objects into Cisco ISE. The tool supplies a list of unsupported (or partially supported) objects that it cannot migrate. You can also view the list of unsupported objects by selecting Help > Unsupported Object Details from the Cisco Secure ACS to Cisco ISE Migration Tool interface.

Step 1 Click migration.bat to launch the migration process.

Step 2 Click Yes to display a list of unsupported and partially supported objects.

Step 3 Click Close.


CHAPTER 5: Persistent Data Transfer Procedure

This chapter describes exporting Cisco Secure ACS, Release 5.5 or 5.6 data and importing it into a Cisco ISE, Release 2.0 system using the migration tool.

• Exporting Data from Cisco Secure ACS, page 31

• Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS, page 32

• Importing Data in to Cisco ISE, page 34

• Migrated Data Verification in Cisco ISE, page 34

Exporting Data from Cisco Secure ACS

After starting the migration tool, complete the following steps to export data from Cisco Secure ACS to the migration tool.

Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Settings to display the list of data objects available for migration.

Step 2 (Optional) You are not required to configure dependency handling in order to perform migration. Check the check boxes of the data objects that you want to export in case their dependency data is missing, and click Save.

Step 3 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Migration and then click Export From ACS.

Step 4 Enter the Cisco Secure ACS host name, user name, and password for the Cisco Secure ACS, Release 5.5 or 5.6 system and click Connect in the ACS5 Credentials window.

Step 5 Monitor the migration process in the Cisco Secure ACS to Cisco ISE Migration Tool window, which displays the current count of successful object exports and lists any objects that triggered warnings or errors.

Step 6 To get more information about a warning or an error that occurred during the export process, click any underlined numbers in the Warnings or Errors column on the Migrations tab. The Object Errors and Warnings Details window displays the result of a warning or an error during export. It provides the object group, the type, and the date and time of a warning or an error.

Step 7 Scroll to display the details of the selected object error, and then click Close.

Step 8 When the data export process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the export status as Exporting finished.

Step 9 Click Export Report(s) to view the contents of the export report. Each export report contains header information with the operation type, date and time, and system IP address or host name. Each object group details the types and related information. Reports end with a summary of the start and end date, the time, and the duration of the operation.

Step 10 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.

Analyzing Policy Gap between Cisco ISE and Cisco Secure ACS

After exporting the data, the administrator should analyze the export report and the policy gap report, fix the listed errors in the ACS configuration, and address the warnings and other issues.

The following gaps are observed for a configuration set that is migrated from Cisco Secure ACS to Cisco ISE. Reconciliation is possible for some of these gaps.

• Identity Groups

◦ Internal User Issues

◦ Parity gap between Cisco Secure ACS and Cisco ISE

◦ Password type

◦ Password change on next login

◦ Password change

◦ Naming constraints

◦ External Identity Stores are migrated successfully. You have to verify the names.

• Network Devices or Network Device Groups

◦ Network device migration caveats for Cisco ISE 2.1

◦ IP ranges that are not supported in Cisco ISE

◦ Exclusion is for overlapping IPs

◦ IPv4 only

◦ Default Device must have RADIUS enabled

◦ Reconciliation flow for migration tool

◦ If the device does not exist in Cisco ISE (defined by no overlap of IP configuration), then the device will be added during migration.


◦ If the device exists (IP or subnet matches exactly and name matches exactly), then the migration tool adds the TACACS+ elements.

◦ If the device exists (IP/subnet matches exactly or name matches exactly, but not both), then the migration tool reports an error.

• Authorization Results: Command Sets and Shell Profiles are migrated successfully. Inconsistencies would be with object names.

◦ Cisco ISE strictly adheres to names

◦ Policy results namespace is shared with Network Access users

◦ Recommendation is to use a prefix for Device Admin authorization results

• Policies

◦ Cisco Secure ACS 5.x Access Service separated from Selection Policy

◦ Can have services that are not engaged

◦ Can have services selected by different Service Selection rules

◦ Cisco Secure ACS 5.x Group map

◦ Transition of group map from Cisco Secure ACS 4.x

◦ Group map content must be migrated to authorization policy in Cisco ISE

◦ Authentication allowed protocols

◦ Part of Service configuration in Cisco Secure ACS 5.x

◦ Part of Policy Results in Cisco ISE

After addressing the errors or warnings, perform the export process again. For the procedure of exporting data from Cisco Secure ACS, see Exporting Data from Cisco Secure ACS, on page 31.
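The network device reconciliation rules listed above (no IP overlap means the device is added, an exact IP/subnet match together with an exact name match means the TACACS+ elements are added, a match on only one of the two is an error, plus the IPv4-only, no-range, single-address and Default Device RADIUS constraints) can be applied to the ACS device list before the import rather than discovered one at a time in the Errors column. The Python script below is an added example and is not part of this guide or of the Cisco migration tool. It assumes that the ACS and ISE device lists are available as plain name/address records (for example transcribed from the export report and the ISE device list), and where the guide is silent, an IP overlap that is not an exact match is flagged for review rather than assumed safe. All device names and addresses are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADD, MERGE_TACACS, ERROR = "add", "merge-tacacs", "error"


@dataclass
class Device:
    name: str
    addresses: List[str]          # single IP or single IP/subnet, as written in ACS or ISE
    radius_enabled: bool = True
    is_default: bool = False      # the ACS Default Network Device


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Accept one IPv4 address or IPv4 subnet. Ranges, wildcards and IPv6 are
    rejected because the guide lists them as unsupported by the migration."""
    if "-" in spec or "*" in spec:
        raise ValueError(f"IP ranges and wildcards are not supported: {spec}")
    net = ipaddress.ip_network(spec, strict=False)   # "10.0.0.1" becomes 10.0.0.1/32
    if net.version != 4:
        raise ValueError(f"IPv4 only, cannot migrate: {spec}")
    return net


def reconcile(acs: Device, ise_devices: List[Device]) -> Tuple[str, str]:
    """Predict what the migration tool will do with one ACS network device."""
    if acs.is_default and not acs.radius_enabled:
        return ERROR, "Default Device must have RADIUS enabled"
    if len(acs.addresses) != 1:
        return ERROR, "collections of IP and subnet addresses are not supported"
    try:
        acs_net = parse_network(acs.addresses[0])
    except ValueError as exc:
        return ERROR, str(exc)

    merge_with, partial, overlapping = [], [], []
    for ise in ise_devices:
        ise_nets = [parse_network(a) for a in ise.addresses]
        exact_ip = acs_net in ise_nets
        name_match = acs.name == ise.name
        if exact_ip and name_match:
            merge_with.append(ise.name)
        elif exact_ip or name_match:
            partial.append(ise.name)
        elif any(acs_net.overlaps(n) for n in ise_nets):
            overlapping.append(ise.name)

    if partial:
        return ERROR, "IP/subnet or name (but not both) matches: " + ", ".join(partial)
    if merge_with:
        return MERGE_TACACS, "exists in ISE; TACACS+ elements will be added to " + ", ".join(merge_with)
    if overlapping:
        # Assumption: the guide defines "does not exist" as no IP overlap, so a partial
        # overlap is flagged here for manual review rather than treated as a clean add.
        return ERROR, "IP configuration overlaps existing device(s): " + ", ".join(overlapping)
    return ADD, "no overlap with existing ISE devices; device will be added"


def plan(acs_devices: List[Device], ise_devices: List[Device]) -> Dict[str, Tuple[str, str]]:
    """Run reconcile() over a whole ACS device list, keyed by device name."""
    return {d.name: reconcile(d, ise_devices) for d in acs_devices}


# Constructed sample data: devices already present in the ISE 2.0 target.
ISE_DEVICES = [
    Device("core-sw1", ["10.0.0.1"]),
    Device("edge-rtr", ["10.0.1.0/24"]),
]

# Constructed sample data: devices exported from ACS 5.x.
ACS_DEVICES = [
    Device("core-sw1", ["10.0.0.1"]),                  # exact IP and name -> TACACS+ merge
    Device("core-sw1-old", ["10.0.0.1"]),              # same IP, other name -> error
    Device("edge-rtr", ["10.0.2.0/24"]),               # same name, other subnet -> error
    Device("lab-sw", ["10.0.1.77"]),                   # inside edge-rtr's subnet -> review
    Device("dmz-fw", ["192.168.5.1"]),                 # new device -> add
    Device("v6-dev", ["2001:db8::1"]),                 # IPv6 -> error
    Device("range-dev", ["10.9.0.1-10.9.0.50"]),       # IP range -> error
    Device("Default Device", ["0.0.0.0/0"], radius_enabled=False, is_default=True),
]

if __name__ == "__main__":
    for name, (action, why) in plan(ACS_DEVICES, ISE_DEVICES).items():
        print(f"{name:15} {action:13} {why}")
```

Running the script prints one line per ACS device with the predicted action; anything reported as `error` is what the export report and the Policy Gap Analysis Report would ask you to fix in ACS before exporting again.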


Importing Data in to Cisco ISE

Step 1 In the Cisco Secure ACS to Cisco ISE Migration Tool window, click Import To ISE.

Step 2 Click OK when you are prompted to add attributes to the LDAP identity stores before they are imported into Cisco ISE.

Step 3 From the LDAP Identity Store drop-down list, choose the identity store to which you want to add attributes, and click Add Attribute.

Step 4 Enter a name in the Attribute Name field, choose an attribute type from the Attribute Type drop-down list, enter a value in the Default Value field, and click Save & Exit.

Step 5 After adding attributes, click Import To ISE, enter the Cisco ISE Fully Qualified Domain Name (FQDN), username, and password in the ISE Credentials window, and click Connect. The migration tool ensures that this FQDN matches the FQDN in the SSL certificate.

Step 6 When the data import process is completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the import status as Importing finished.

Step 7 To view a complete report on the imported data, click Import Report(s).

Step 8 To get more information about a warning or an error that occurred during the import process, click any underlined numbers in the Warnings or Errors column on the Migrations tab.

Step 9 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.

Step 10 Click View Log Console to display the real-time view of the export or import operations.

Migrated Data Verification in Cisco ISE

To verify that the Cisco Secure ACS data has been migrated into Cisco ISE, log in to Cisco ISE and check that the various Cisco Secure ACS objects can be viewed.


APPENDIX A: Data Structure Mapping

This appendix provides information about the data objects that are migrated, partially migrated, and not migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0.

• Data Structure Mapping, page 35

• Migrated Data Objects, page 35

• Data Objects Not Migrated, page 37

• Partially Migrated Data Objects, page 38

• Supported Attributes and Data Types, page 38

• Data Information Mapping, page 40

Data Structure Mapping

Data structure mapping from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0, is the process by which data objects are analyzed and validated in the migration tool during the export phase.

Migrated Data Objects

The following data objects are migrated from Cisco Secure ACS to Cisco ISE:

• Network device group (NDG) types and hierarchies

• Network devices

• Default network device

• External RADIUS servers

• External TACACS+ servers

• TACACS+ server sequence

• TACACS+ settings

• Identity groups


• Internal users

• Internal users with enable password

• Internal endpoints (hosts)

• Lightweight Directory Access Protocol (LDAP)

• Microsoft Active Directory (AD)

• RSA (Partial support, see Table A-19)

• RADIUS token (See Table A-18)

• Certificate authentication profiles

• Date and time conditions (Partial support, see Unsupported Rule Elements)

• RADIUS attribute and vendor-specific attributes (VSA) values (see Table A-5 and Table A-6)

• RADIUS vendor dictionaries (see Notes for Table A-5 and Table A-6.)

• Internal users attributes (see Table A-1 and Table A-2)

• Internal endpoint attributes

• TACACS+ Profiles

• Downloadable access control lists (DACLs)

• Identity (authentication) policies

• Authentication, Authorization, and Authorization exception policies for TACACS+ (for policy objects)

• TACACS+ Command Sets

• Authorization exception policies (for network access)

• Service selection policies (for network access)

• RADIUS proxy service

• TACACS+ proxy service

• User password complexity

• Identity sequence and RSA prompts

• UTF-8 data (see UTF-8 Support page)

• EAP authentication protocol—PEAP-TLS

• User check attributes

• Identity sequence advanced option

• Additional attributes available in policy conditions—AuthenticationIdentityStore

• Additional string operators—Start with, Ends with, Contains, Not contains

• RADIUS identity server attributes


Data Objects Not Migrated

The following data objects are not migrated from Cisco Secure ACS to Cisco ISE, Release 2.0:

• Monitoring reports

• Scheduled backups

• Repositories

• Administrators, roles, and administrators settings

• Customer/debug log configurations

• Deployment information (secondary nodes)

• Certificates (certificate authorities and local certificates)

• Security Group Access Control Lists (SGACLs)

• Security Groups (SGs)

• AAA servers for supported Security Group Access (SGA) devices

• Security Group mapping

• SGA egress matrix

• SGA data within network devices

• Security Group Tag (SGT) in SGA authorization policy results

• Network conditions (end station filters, device filters, device port filters)

• Dial-in attribute support

• Display RSA node missing secret

• Maximum user sessions

• Account disablement

• Users password type

• Internal users configured with Password Type as External Identity Store

• Additional attribute available in a policy condition—NumberOfHoursSinceUserCreation

• Wildcards for hosts

• Network device ranges

• OCSP service

• Syslog messages over SSL/TCP

• Configurable copyright banner

• Internal user expiry days

• IP address exclusion


Partially Migrated Data Objects

The following data objects are partially migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0:

• Identity and host attributes that are of type date are not migrated.

• RSA sdopts.rec file and secondary information are not migrated.

• Multi-Active Directory domain (only Active Directory domain joined to the primary) is migrated.

• LDAP configuration defined for primary ACS instance is migrated.

Supported Attributes and Data Types

User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE 2.0

Supported User Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0
String | String
UI32 | Not supported
IPv4 | Not supported
Boolean | Supported
Date | Not supported
Enum | Supported

User Attribute: Association to the User

Attributes Associated to Users in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0
String | Supported
UI32 | Not Supported
IPv4 | Not Supported
Boolean | Not Supported
Date | Not Supported

Hosts Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0

Supported Host Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0
String | String
UI32 | UI32
IPv4 | IPv4
Boolean | Boolean
Date | Not supported
Enum | Integers with allowed values

Host Attribute: Association to the Host

Attributes Associated to Hosts in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0
String | Supported
UI32 | Supported (Value is converted to String)
IPv4 | Supported (Value is converted to String)
Boolean | Supported (Value is converted to String)
Date | Supported (Value is converted to String)
Enum | Supported (Value is converted to String)


RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 2.0

Supported RADIUS Attributes in Cisco Secure ACS, Release 5.5 or 5.6 | Target Data Type in Cisco ISE, Release 2.0
UI32 | UI32
UI64 | UI64
IPv4 | IPv4
Hex String | Octet String
String | String
Enum | Integers with allowed values

RADIUS Attribute: Association to RADIUS Server

Attributes Associated to RADIUS Servers in Cisco Secure ACS, Release 5.5 or 5.6 | Cisco ISE, Release 2.0
UI32 | Supported
UI64 | Supported
IPv4 | Supported
Hex String | Supported (Hex Strings are converted to Octet Strings)
String | Supported
Enum | Supported (Enums are integers with allowed values)

Data Information Mapping

This section provides tables that list the data information that is mapped during the export process. The tables include object categories from Cisco Secure ACS, Release 5.5 or 5.6 and their equivalents in Cisco ISE, Release 2.0. The data-mapping tables in this section list the status of valid or not valid data objects mapped when migrating data during the export stage of the migration process.


Network Device Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Migrates as is
Description | Migrates as is
Network device group | Migrates as is
Single IP address | Migrates as is
Single IP and subnet address | Migrates as is
Collection of IP and subnet addresses | Not Supported
Exclude IP address | Not Supported
TACACS information | Migrates as is
RADIUS shared secret | Migrates as is
TACACS+ shared secret | Migrates as is
CTS | Migrates as is
SNMP | SNMP data is available only in Cisco ISE; therefore, there is no SNMP information for migrated devices.
Model name | This property is available only in Cisco ISE (and its value is the default, which is “unknown”).
Software version | This property is available only in Cisco ISE (and its value is the default, which is “unknown”).
Enable password | Migrates as is

Active Directory Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Domain name | Migrates as is
User name | Migrates as is
Password | Migrates as is
Allow password change | Migrates as is
Allow machine access restrictions | Migrates as is
Aging time | Migrates as is
User attributes | Migrates as is
Groups | Migrates as is
Multiple domain support | Only domains joined to the primary ACS instance are migrated

External RADIUS Server Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Server IP address | Hostname
Shared secret | Shared secret
Authentication port | Authentication port
Accounting port | Accounting port
Server timeout | Server timeout
Connection attempts | Connection attempts

Hosts (Endpoints) Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
MAC address | Migrates as is
Status | Not migrated
Description | Migrates as is
Identity group | Migrates the association to an endpoint group.
Attribute | Endpoint attribute is migrated.
Authentication state | This is a property available only in Cisco ISE (and its value is a fixed value, “Authenticated”).
Class name | This is a property available only in Cisco ISE (and its value is a fixed value, “TBD”).
Endpoint policy | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”).
Matched policy | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”).
Matched value | This is a property available only in Cisco ISE (and its value is a fixed value, “0”).
NAS IP address | This is a property available only in Cisco ISE (and its value is a fixed value, “0.0.0.0”).
OUI | This is a property available only in Cisco ISE (and its value is a fixed value, “TBD”).
Posture status | This is a property available only in Cisco ISE (and its value is a fixed value, “Unknown”).
Static assignment | This is a property available only in Cisco ISE (and its value is a fixed value, “False”).

Identity Dictionary Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Attribute | Attribute name
Description | Description
Internal name | Internal name
Attribute type | Data type
Maximum length | Not migrated
Default value | Not migrated
Mandatory fields | Not migrated
User | The dictionary property accepts this value (“user”).

Identity Group Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Parent | This property is migrated as part of the hierarchy details.

Note: Cisco ISE, Release 2.0 contains user and endpoint identity groups. Identity groups in Cisco Secure ACS, Release 5.5 or 5.6 are migrated to Cisco ISE, Release 2.0 as user and endpoint identity groups because a user needs to be assigned to a user identity group and an endpoint needs to be assigned to an endpoint identity group.

LDAP Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Server connection information | Migrates as is. (Server Connection tab; see Figure A-1 on page A-10.)
Directory organization information | Migrates as is. (Directory Organization tab; see Figure A-2 on page A-10.)
Directory groups | Migrates as is
Directory attributes | Migration is done manually (using the Cisco Secure ACS to Cisco ISE migration tool).

Note: Only the LDAP configuration defined for the primary ACS instance is migrated.

NDG Types Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description

Note: Cisco Secure ACS, Release 5.5 or 5.6 can support more than one network device group (NDG) with the same name. Cisco ISE, Release 2.0 does not support this naming scheme. Therefore, only the first NDG type with any defined name is migrated.

NDG Hierarchy Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Parent | No specific property is associated with this property because this value is entered only as part of the NDG hierarchy name. (In addition, the NDG type is the prefix for this object name.)

Note: Any NDGs that contain a root name with a colon (:) are not migrated because Cisco ISE, Release 2.0 does not recognize the colon as a valid character.
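The two NDG notes above state rules that can be verified on the ACS side before running the export: duplicate NDG type names (only the first is migrated), root names containing a colon (not migrated), and the NDG type becoming the prefix of the ISE object name. The Python check below is an added example, not code from this guide or from the Cisco migration tool. The record layout and the `#` used to join the prefixed ISE name are assumptions (the guide says only that the type is the prefix), and the NDG data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumption: character used to build the prefixed ISE object name. The guide says only
# that the NDG type is the prefix of the hierarchy name; it does not name the separator.
ISE_NDG_SEPARATOR = "#"


@dataclass(frozen=True)
class AcsNdgType:
    name: str
    description: str = ""


@dataclass(frozen=True)
class AcsNdg:
    ndg_type: str                 # name of the NDG type this hierarchy belongs to
    root_name: str                # root node of the hierarchy as defined in ACS
    path: Tuple[str, ...] = ()    # nodes below the root, top-down


def dedupe_ndg_types(types: List[AcsNdgType]) -> Tuple[List[AcsNdgType], List[AcsNdgType]]:
    """Keep the first NDG type for each name; ISE 2.0 migrates only that one."""
    kept, dropped, seen = [], [], set()
    for t in types:
        if t.name in seen:
            dropped.append(t)
        else:
            seen.add(t.name)
            kept.append(t)
    return kept, dropped


def ise_hierarchy_name(ndg: AcsNdg) -> str:
    """Planned ISE object name: NDG type prefix, then the root, then the path."""
    return ISE_NDG_SEPARATOR.join((ndg.ndg_type, ndg.root_name) + ndg.path)


def check_ndgs(types: List[AcsNdgType], ndgs: List[AcsNdg]) -> Dict[str, list]:
    """Classify every ACS NDG as migrated (with its planned ISE name) or skipped (with a reason)."""
    kept, dropped = dedupe_ndg_types(types)
    kept_names = {t.name for t in kept}
    report = {
        "dropped_types": [(t.name, t.description, "duplicate NDG type name; only the first is migrated")
                          for t in dropped],
        "migrated": [],
        "skipped": [],
    }
    for ndg in ndgs:
        if ":" in ndg.root_name:
            report["skipped"].append((ndg, "root name contains ':'; ISE 2.0 does not accept it"))
        elif ndg.ndg_type not in kept_names:
            report["skipped"].append((ndg, "refers to an NDG type that does not exist"))
        else:
            report["migrated"].append((ndg, ise_hierarchy_name(ndg)))
    return report


# Constructed sample data.
ACS_NDG_TYPES = [
    AcsNdgType("Location"),
    AcsNdgType("Device Type"),
    AcsNdgType("Location", "second type with the same name"),
]
ACS_NDGS = [
    AcsNdg("Location", "All Locations", ("HQ", "Floor 2")),
    AcsNdg("Location", "Site:North"),
    AcsNdg("Device Type", "All Device Types", ("Switch",)),
    AcsNdg("Region", "EMEA"),
]

if __name__ == "__main__":
    report = check_ndgs(ACS_NDG_TYPES, ACS_NDGS)
    for name, desc, why in report["dropped_types"]:
        print(f"DROPPED TYPE {name!r} ({desc}): {why}")
    for ndg, ise_name in report["migrated"]:
        print(f"MIGRATE  {ndg.root_name!r} -> {ise_name}")
    for ndg, why in report["skipped"]:
        print(f"SKIP     {ndg.root_name!r}: {why}")
```

Renaming the flagged roots and removing the duplicate type in ACS before the export avoids the silent omissions described in the notes; the planned ISE names also show where the type prefix will land so that name collisions across types can be spotted in advance.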


RADIUS Dictionary (Vendors) Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Vendor ID | Vendor ID
Attribute prefix | No need to migrate this property.
Vendor length field size | Vendor attribute type field length.
Vendor type field size | Vendor attribute size field length.

Note: Only RADIUS vendors that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated. This affects only user-defined vendors.

RADIUS Dictionary (Attributes) Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Attribute ID | No specific property is associated with this because this value is entered only as part of the NDG hierarchy name (the NDG type is the prefix for this object name).
Direction | Not supported in Cisco ISE
Multiple allowed | Not supported in Cisco ISE
Attribute type | Migrates as is
Add policy condition | Not supported in Cisco ISE
Policy condition display name | Not supported in Cisco ISE

Note: Only the user-defined RADIUS attributes that are not part of a Cisco Secure ACS, Release 5.5 or 5.6 installation are required to be migrated (only the user-defined attributes need to be migrated).

User Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Status | No need to migrate this property. (This property does not exist in Cisco ISE.)
Identity group | Migrates to identity groups in Cisco ISE
Password | Password
Enable password | Password
Change password on next login | No need to migrate this property
User attributes list | User attributes are imported from the Cisco ISE and are associated with users
Expiry days | Not supported

Certificate Authentication Profile Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Principal user name (X.509 attribute) | Principal user name (X.509 attribute)
Binary certificate comparison with certificate from LDAP or AD | Binary certificate comparison with certificate from LDAP or AD
AD or LDAP name for certificate fetching | AD or LDAP name for certificate fetching


Authorization Profile Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
DACLID (downloadable ACL ID) | Migrates as is
Attribute type (static and dynamic) | Migrates as is if static attribute. Migrates as is if dynamic attribute, except DynamicVLAN.
Attributes (filtered for static type only) | RADIUS attributes.

Downloadable ACL Mapping

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
DACL content | DACL content

External RADIUS Server Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Name | Name
Description | Description
Hostname | Server IP address
Shared secret | Shared secret
Authentication port | Authentication port
Accounting port | Accounting port
Server timeout | Server timeout
Connection attempts | Connection attempts

External TACACS+ Server Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Name | Name
Description | Description
Host IP | IP address
Connection Port | Connection Port
Timeout | Network Timeout
Shared secret | Shared secret

Command Sets Attributes Mapping

Cisco ISE | Cisco Secure ACS
Name | Name
Description | Description
Permit any command that is not listed below | Permit any command that is not in the table below
Grant (Permit, Deny, Deny Always) | Grant (Permit, Deny, Deny Always)
Command | Command
Arguments | Arguments


Shell Profile Attributes Mapping

Cisco ISE | Cisco Secure ACS

Common Task Attributes
Name | Name
Description | Description
Default Privilege (0 to 15) | Default Privilege (Static and Dynamic)
Maximum Privilege (0 to 15) | Maximum Privilege (Static)
Access Control List (Static and Dynamic) | Access Control List (Static and Dynamic)
Auto Command (Static and Dynamic) | Auto Command (Static and Dynamic)
— | No Callback Verify (Static and Dynamic)
No Escape (True or False) | No Escape (Static and Dynamic)
— | No Hang up (Static and Dynamic)
Timeout (Static and Dynamic) | Timeout (Static and Dynamic)
Idle Time (Static and Dynamic) | Idle Time (Static and Dynamic)
— | Callback Line (Static and Dynamic)
— | Callback Rotary (Static and Dynamic)

Custom Attributes
Name | Attribute
Type (Mandatory and Optional) | Requirement (Mandatory and Optional)
Value (Static and Dynamic) | Value (Static and Dynamic)

Identity Attributes Dictionary Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Attribute name | Attribute
Internal name | Description
Migrates as is | Name
Data type | Attribute type
Dictionary (set to “InternalUser” if it is a user identity attribute, or “InternalEndpoint” if it is a host identity attribute) | No such property
Allowed value = display name | Not exported or extracted yet from the Cisco Secure ACS
Allowed value = internal name | Not exported or extracted yet from the Cisco Secure ACS
Allowed value is default | Not exported or extracted yet from the Cisco Secure ACS
None | Maximum length
None | Default value
None | Mandatory field
None | Add policy condition
None | Policy condition display name

RADIUS Token Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Name | Name
Description | Description
Safeword server | Safeword server
Enable secondary appliance | Enable secondary appliance
Always access primary appliance first | Always access primary appliance first
Fallback to primary appliance in minutes | Fallback to primary appliance in minutes
Primary appliance IP address | Primary appliance IP address
Primary shared secret | Primary shared secret
Primary authentication port | Primary authentication port
Primary appliance TO | Primary appliance TO (timeout)
Primary connection attempts | Primary connection attempts
Secondary appliance IP address | Secondary appliance IP address
Secondary shared secret | Secondary shared secret
Secondary authentication port | Secondary authentication port
Secondary appliance TO | Secondary appliance TO
Secondary connection attempts | Secondary connection attempts
Advanced > treat reject as authentication flag fail | Advanced > treat reject as authentication flag fail
Advanced > treat rejects as user not found flag | Advanced > treat rejects as user not found flag
Advanced > enable identity caching and aging value | Advanced > enable identity caching and aging value
Authentication > prompt | Shell > prompt
Authorization > attribute name (if the dictionary attribute list in Cisco Secure ACS includes the attribute “CiscoSecure-Group-Id”, it is migrated to this attribute; otherwise, the default value is “CiscoSecure-Group-Id”) | Directory attributes

RSA Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Name is always RSA | Name
Not migrated | Description
Realm configuration file | Realm configuration file
Server TO | Server TO
Reauthenticate on change to PIN | Reauthenticate on change to PIN
Not migrated | RSA instance file
Treat rejects as authentication fail | Treat rejects as authentication fail
Treat rejects as user not found | Treat rejects as user not found
Enable identity caching | Enable identity caching
Identity caching aging time | Identity caching aging time

RSA Prompts Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Passcode prompt | Passcode prompt
Next Token prompt | Next Token prompt
PIN Type prompt | PIN Type prompt
Accept System PIN prompt | Accept System PIN prompt
Alphanumeric PIN prompt | Alphanumeric PIN prompt
Numeric PIN prompt | Numeric PIN prompt

Identity Store Sequences Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Name | Name
Description | Description
Certificate based, certificate authentication profile | Certificate based, certificate authentication profile
Authentication search list | Password based
Do not access other stores in the sequence and set the “AuthenticationStatus” attribute to “ProcessError” | Advanced options > if access on current ID store fails then break sequence
Treated as “User Not Found” and proceed to the next store in the sequence | Advanced options > if access on current ID store fails then continue to next
Not supported (should be ignored) | Attribute retrieval only > exit sequence and treat as “User Not Found”

Default Network Devices Mapping

Cisco ISE Properties | Cisco Secure ACS Properties
Default network device status | Default network device status
Not migrated | Network device group
Shared Secret | TACACS+ Shared Secret
Enable Single Connect Mode | TACACS+ Single Connect Device
Legacy Cisco Device | Legacy TACACS+ Single Connect Support
TACACS+ Draft Compliance Single Connect Support | TACACS+ Draft Compliant Single Connect Support
Shared Secret | RADIUS - shared secret
Not migrated | RADIUS - CoA port
Enable keywrap | RADIUS - Enable keywrap
Key encryption key | RADIUS - Key encryption key
Message authenticator code key | RADIUS - Message authenticator code key
Key input format | RADIUS - Key input format


APPENDIX B: Troubleshooting the Cisco Secure ACS to Cisco ISE Migration Tool

• Unable to Start the Migration Tool, page 55

• Troubleshooting Connection Issues in the Migration Tool, page 55

• Error Messages Displayed in Logs, page 56

• Default Folders, Files, and Reports are Not Created, page 57

• Migration Export Phase is Very Slow, page 57

• Reporting Issues to Cisco TAC, page 58

Unable to Start the Migration Tool

Condition

Unable to start the migration tool.

Action

Verify that Java JRE, Version 1.7 or later, is installed on the migration machine and that it is correctly configured in the system path and classpath.

Troubleshooting Connection Issues in the Migration Tool

If the migration tool fails to connect to Cisco Secure ACS or ISE, check the migration.log file to identify the problem.

Error Message

The following error message: "UnknownHostException: hostname" is displayed if the Cisco Secure ACS or ISE host name is not resolvable.


Action

• Ensure that the Cisco Secure ACS or ISE hostname is resolvable from the client machine where you run the migration tool.

• Check the DNS configuration and connectivity.

Error Message

The following error message: "hostname in certificate didn't match: <hostname> != <hostname_in_certificate>" is displayed if the Cisco Secure ACS or Cisco ISE hostname entered in the migration tool does not match the name in the certificate.

Action

Ensure that the certificate's Common Name in the Subject field or DNS name in the Subject Alternate Name field in Cisco Secure ACS and Cisco ISE matches the Hostname provided in the migration tool.

Error Message

The following error message: "SSLHandshakeException: unable to find valid certification path to requested target" is displayed if the Cisco Secure ACS and ISE certificates are not trusted by the migration tool.

Action

Ensure that Cisco Secure ACS and Cisco ISE certificates are trusted by adding the required certificates in the Settings > Trusted Certificates page in the Cisco Secure ACS to Cisco ISE Migration Tool.

Error Messages Displayed in Logs

Connection Error

Condition

The following error message is displayed in the log: “Hosts: Connection to https://hostname-or-ip refused: null”, and the object is reported while migrating to Cisco ISE.

Action

• Make sure that the migration application machine is connected to the network and configured correctly.

• Make sure that the Cisco ISE appliance is connected to the network and that it is configured correctly.

• Make sure that the Cisco ISE appliance and the migration machine are able to connect to each other over the network.

• Make sure that the hostname (if any) used in the Cisco ISE primary node is resolvable within the DNS when the migration tool connects to Cisco ISE.

• Make sure that the Cisco ISE appliance is up and running.

• Make sure that the Cisco ISE application server service is up and running.


I/O Exception Error

Condition

The following error message is displayed in the log:

“I/O exception (org.apache.http.NoHttpResponseException) caught when processing request: The target server failed to respond”.

Action

• Make sure that the Cisco ISE application server service is up and running.

• Make sure that the Cisco ISE web server thresholds have not been exceeded and that there are no memory exceptions.

• Make sure that the Cisco ISE appliance CPU consumption is not 100 percent and that the CPU is active.

Out of Memory Error

Condition

The following error message is displayed in the log:

“OutofMemory”.

Action

Increase the Java heap size to at least 1 GB.
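As an added example (not code from Cisco or the migration tool), the script below maps the error signatures quoted in this appendix to the guide's corrective actions when run over migration.log lines, and implements the Subject CN / SAN DNS hostname rule from the connection-issue section; the sample log lines, hostnames and the simplified exact-match rule are constructed assumptions.

```python
"""Added triage helper (not Cisco's code) for the connection and log errors this appendix lists."""
import re

# Each error signature quoted in the guide, paired with the guide's corrective action.
SIGNATURES = [
    (re.compile(r"UnknownHostException: (?P<host>[\w.-]+)"),
     "Hostname not resolvable from the migration machine: check DNS configuration and connectivity"),
    (re.compile(r"hostname in certificate didn't match: (?P<host>\S+) != (?P<cert_name>\S+)"),
     "Certificate Subject CN or SAN DNS name does not match the hostname entered in the tool"),
    (re.compile(r"SSLHandshakeException: unable to find valid certification path"),
     "Server certificate not trusted: add it under Settings > Trusted Certificates in the tool"),
    (re.compile(r"Connection to (?P<url>https://\S+) refused"),
     "Connection refused: verify network, DNS and that the ISE application server service is running"),
    (re.compile(r"NoHttpResponseException"),
     "ISE did not respond: check the application server, web server thresholds, memory and CPU"),
    (re.compile(r"OutofMemory", re.IGNORECASE),
     "Increase the Java heap size to at least 1 GB"),
]


def triage_line(line):
    """Return (action, captured fields) for a migration.log line, or None if no known signature matches."""
    for pattern, action in SIGNATURES:
        match = pattern.search(line)
        if match:
            return action, match.groupdict()
    return None


def cert_matches_hostname(peercert, hostname):
    """Apply the guide's rule to an ssl.SSLSocket.getpeercert()-style dict: the Subject commonName
    or a SAN DNS entry must equal the configured hostname (case-insensitive exact match; wildcard
    names are deliberately not accepted by this simplified check)."""
    wanted = hostname.lower().rstrip(".")
    san_names = {v.lower() for kind, v in peercert.get("subjectAltName", ()) if kind == "DNS"}
    cn_names = {v.lower() for rdn in peercert.get("subject", ()) for k, v in rdn if k == "commonName"}
    return wanted in san_names or wanted in cn_names


# Constructed sample migration.log lines (hostnames are placeholders, not real systems).
SAMPLE_LOG = [
    "2015-10-15 10:01:02 ERROR UnknownHostException: acs-old.example.internal",
    "2015-10-15 10:02:10 ERROR hostname in certificate didn't match: ise.example.com != ise-pan-01.example.com",
    "2015-10-15 10:03:44 INFO  Exported 120 internal users",
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        result = triage_line(line)
        if result:
            print(f"line {number}: {result[0]} {result[1]}")
```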

Default Folders, Files, and Reports are Not Created

Condition

The migration tool fails to create default folders, log files, reports, and persistence data files.

Action

Make sure the user has file-system writing privileges and that there is enough disk space.

Migration Export Phase is Very Slow

Condition

The export phase of the migration process is very slow.


Action

Restart the Cisco Secure ACS appliance before starting the migration process to free up memory space.

Reporting Issues to Cisco TAC

If you cannot locate the source and potential resolution for a technical issue or problem, you can contact a Cisco customer service representative for information on how to resolve the issue. For information about the Cisco Technical Assistance Center (TAC), see the Cisco Information Packet publication that is shipped with your appliance or visit the following website:

http://www.cisco.com/cisco/web/support/index.html

Before you contact Cisco TAC, make sure that you have the following information ready:

• The appliance chassis type and serial number.

• The maintenance agreement or warranty information (see Cisco Information Packet).

• The name, type of software, and version or release number (if applicable).

• The date you received the new appliance.

• A brief description of the problem or condition you experienced, the steps you have taken to isolate or re-create the problem, and a description of any steps you took to resolve the problem.

• Migration logfile (...migration/bin/migration.log).

• All the reports in the config folder (...migration/config).

• Cisco Secure ACS, Release 5.5 or 5.6 logfiles.

• Cisco Secure ACS, Release 5.5 or 5.6 build number.
