Migration Guide for the Cisco Secure Access Control System 5.0
Migrating Data from ACS 4.x to ACS 5.0

This chapter describes how to migrate data from ACS 4.x to ACS 5.0 and contains:

Introduction

Running the Migration Utility

Migration Script Sections

Analyzing the ACS 4.x Data

Exporting the ACS 4.x Data

Importing the ACS 4.x Data to ACS 5.0

Printing Reports and Report Types

Confirming the Migration.

Introduction

This document contains information for migrating data from ACS 4.x to ACS 5.0. Before you begin, you must follow the setup, backup, and installation instructions in Chapter 3, "Migration Setup and Installation."


Note: Before you begin migration, ensure that you have enabled the migration interface on the ACS 5.0 server.

From the command line interface, enter:

acs migration-interface enable

To verify that the migration interface is enabled on the ACS 5.0 server, from the command line interface, enter:

show acs-migration-interface

Refer to the Command Line Interface Reference Guide for the Cisco Secure Access Control System 5.0 for more information.


Running the Migration Utility

To run the Migration Utility:


Step 1 Open a command prompt and change directory to C:\Migration Utility\migration\bin


Note: You can specify any directory in which to install the Migration Utility. This example uses the Migration Utility as the root directory.


Step 2 At the command prompt, type migration.bat.

Step 3 Select 2 - UserInput. Example 4-1 shows the prompts that appear if you decide to change the user preferences.

Step 4 Select 1 - UseDefaults. Example 4-2 shows the prompts that appear if you previously ran the Migration Utility from option 2 and saved the values.


Example 4-1 Migration Script (UserInput)

---------------------------------------------------------------------------------------
This utility migrates data from ACS 4.x to ACS 5.0.You can migrate directly from the 
following ACS versions:

1. ACS 4.1.1.23
2. ACS 4.1.1.24
3. ACS 4.1.3
4. ACS 4.1.4
5. ACS 4.2.0.124

The migration utility analyzes the ACS 4.x  data, exports the data from ACS 4.x that can 
be migrated automatically, and imports the data into ACS 5.0.
You can manually consolidate and resolve data according to the analysis report, before the 
import stage, to maximize the amount of data that the utility can migrate.
After migration, use the imported data to recreate your policies in ACS 5.0.
---------------------------------------------------------------------------------------

1 - UseDefaults
2 - UserInput
2
Make sure that the database is running.
Enter ACS 5.0 IP address:[nn.nn.nnn.nnn]
Enter ACS 5.0 Administrator username:[test]
Enter ACS 5.0 password:
Change user preferences?[no]
yes

User Groups
--------------------------------------------------------------------------------
Existing user groups will be migrated to the Identity Group
Enter the name of new Root:[Migrated Group]

Network Device Groups
--------------------------------------------------------------------------------

Existing network device groups will be migrated to the Network Device Group.
	Enter the name of new Root:[Migrated NDGs]

Users
--------------------------------------------------------------------------------
ACS 5.0 supports authentication for internal users against the internal database only.
ACS 4.x users that were configured to use an external database for authentication are 
migrated with a default authentication password.
Specify the default password.

Configure these users as disabled in ACS 5.0, or ask for a change of password on first 
access by the user to ACS 5.0.
Select the option:
1 - DisableExternalUser
2 - SetPasswordChange
Selected option:[2]
2

Network Devices
--------------------------------------------------------------------------------
TACACS+ and RADIUS network devices with same IP will be unified.
Select the name to be used for unified devices.
1 - RADIUSName
2 - TACACSName
3 - CombinedName
Selected option:[3]

Users Command Set
--------------------------------------------------------------------------------
Extracted command sets are migrated to a shared named object with an optional 
prefix/suffix.
Choose naming convention.
1 - AddPrefix
2 - AddSuffix
3 - UserNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidated - Users Command Set
--------------------------------------------------------------------------------
Identical objects found within these objects are consolidated into one.
Enter the prefix to be added to such a consolidated object:[]

Groups Command Set
--------------------------------------------------------------------------------
Extracted command sets  will be given the group name with an optional prefix/suffix.
Choose naming convention.
1 - AddPrefix
2 - AddSuffix
3 - GroupNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidated - Groups Command Set
-------------------------------------------------------------------------------

Identical objects found within these objects are consolidated into one.
Enter the prefix to be added to such a consolidated object:[]

Groups Shell Exec
--------------------------------------------------------------------------------
Extracted shell profile will be given the group name with an optional prefix/suffix.
Choose naming convention.
1 - AddPrefix
2 - AddSuffix
3 - GroupNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidated - Groups Shell Exec
--------------------------------------------------------------------------------
Identical objects found within these objects are consolidated into one.
Enter the prefix to be added to such a consolidated object:[]

Shared Downloadable ACL
--------------------------------------------------------------------------------
Existing downloadable acl will be migrated.
Select the name to be used for the migrated DACL
1 - DaclName_AclName
2 - AclName
Selected option:[1]
1

DACL prefix/suffix
--------------------------------------------------------------------------------
Extracted downloadable acl will be given the name with optional prefix/suffix.
Choose naming convention.
1 - AddPrefix
2 - AddSuffix
3 - SpecifiedNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Show full report also on screen?[yes]

Save Settings?[yes]
--------------------------------------------------------------------------------
Select a ACS 4.x Configuration groups to be migrated:
1 - ALLObjects
2 - AllUsersObjects
3 - AllDevicesObjects
4 - SharedCommandSet
5 - SharedDACLObject
6 - GroupTCommandSetAndShellExec
7 - MasterKeys
--------------------------------------------------------------------------------

The following object types will be extracted:
--------------------------------------------------------------------------------

User Attributes
User Attribute Values
Network Device Groups
User Groups
Groups Shell Exec
Groups Command Set
Users Shell Exec
Users Command Set
Shared Command Sets
Network Devices
Users
Shared Downloadable ACL
EAP FAST - Master Keys
Mab
--------------------------------------------------------------------------------

Execute one of the following
1 - ExtractAndAnalyze
2 - Export
3 - Import
4 - CreateReportFiles
5 - Exit
--------------------------------------------------------------------------------

Example 4-2 Migration Script (UseDefaults)

-------------------------------------------------------
Select a ACS 4.x Configuration groups to be migrated:
1 - ALLObjects
2 - AllUsersObjects
3 - AllDevicesObjects
4 - SharedCommandSet
5 - SharedDACLObject
6 - GroupTCommandSetAndShellExec
7 - MasterKeys
-------------------------------------------------------
1
-------------------------------------------------------
The following object types will be extracted:
-------------------------------------------------------
User Attributes
User Attribute Values
Network Device Groups
User Groups
Groups Shell Exec
Groups Command Set
Users Shell Exec
Users Command Set
Shared Command Sets
Network Devices
Users
Shared Downloadable ACL
EAP FAST - Master Keys
Mab
-------------------------------------------------------
Execute one of the following
1 - ExtractAndAnalyze
2 - Export
3 - Import
4 - CreateReportFiles
5 - Exit
-------------------------------------------------------

Migration Script Sections

The migration script contains the following sections:

Migration environment information. Refer to Table 4-1.

Migration User Preferences. Refer to Table 4-2.

Migration Groups. Refer to Table 4-3.

Migration Phases. Refer to Table 4-4.

Table 4-1 Migration Script Environment Information 

Script Element
Description
1 - UseDefaults
2 - UserInput

UseDefaults: Choose option 1 to use the following user-defined values. You must enter values the first time you run the Migration Utility.

ACS 5.0 IP address

ACS 5.0 username

ACS 5.0 password

UserInput: Choose option 2. You are prompted to use default values or enter values:

Enter ACS 5.0 IP address

Enter ACS 5.0 administrative username

Enter ACS 5.0 password

Enter yes to change user preferences

Make sure that the database is running.

Informational message. Ensure that:

ACS 4.x services are active.

You back up the database on the ACS 4.x source machine.

You have IP address connectivity.

You can access the ACS 5.0 target machine from the ACS 4.x migration machine. Access the web interface to verify that the ACS 5.0 machine is available.

Enter ACS 5.0 IP address:[nn.nn.nnn.nnn]

Enter the IP address for the ACS 5.0 target machine. You migrate ACS 4.x data to the ACS 5.0 target machine.

Note: Cisco recommends that you create a migration user with all administrative privileges and remove the migration user once migration completes.

Enter ACS 5.0 administrative username:[test]

Enter the username for the ACS 5.0 target machine.

Enter ACS 5.0 password:

Enter the password for the ACS 5.0 target machine.

Change user preferences?[no]
yes

The default value is no. Enter no to retain the defined values. These become the UseDefaults values when you rerun the Migration Utility. Enter yes to change the user preferences.


Table 4-2 Migration Script User Preferences 

Script Element
Description
User Groups
Existing user groups will be migrated to the 
Identity Group
Enter the name of new Root:[Migrated Group]

The default name for the Identity Group is Migrated Group. For example, user acs_3 is in the following Identity Group: All Groups:Migrated Group:ACS_Migrate 2. Type a new name and press Enter to change the default name.

Network Device Groups
Existing network device groups will be migrated to 
the Network Device Group.
Enter the name of new Root:[Migrated NDGs]

The default name for a Network Device Group (NDG) is Migrated NDGs. Type a new name and press Enter to change the default name.

Users
ACS 5.0 supports authentication for internal users 
against the internal database only.
ACS 4.x users that were configured to use an 
external database for authentication are migrated 
with a default authentication password.
Specify the default password.

The default password for external users for the User object. Type a new password and press Enter to change the default password.

ACS 5.0 supports authentication for internal users against the internal database only. ACS 4.x users who were configured to use an external database for authentication are migrated with a default authentication password.

You can configure the default password in ACS 5.0.

Configure these users as disabled in ACS 5.0, or 
ask for a change of password on first access by 
the user to ACS 5.0.
Select the option:
1 - DisableExternalUser
2 - SetPasswordChange
Selected option:[2]

ACS 4.x users authenticated on an external database are migrated as internal users with a static password.

Select option 1 to disable the external user.

Select option 2 to change the password for the migrated external user.

Network Devices
TACACS+ and RADIUS network devices with same IP 
will be unified.
Select the name to be used for unified devices.
1 - RADIUSName
2 - TACACSName
3 - CombinedName
Selected option:[3]

Combines the TACACS+ and RADIUS network devices with the same IP address into one name. For example, if the TACACS+ network device name is MyTacacsDev and the RADIUS network device is MyRadiusDev, choose option 3 to create the combined name MyTacacsDev_MyRadiusDev.

Users Command Set
Extracted command sets are migrated to a shared 
named object with an optional prefix/suffix.
Choose naming convention.
1 - AddPrefix
2 - AddSuffix
3 - UserNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Construct the command set name with the option that you chose. For example, if the command set name is myuser_command set, choose option 1 to create MIG_myuser_command set.

Consolidated - Users Command Set
Identical objects found within these objects are 
consolidated into one.
Enter the prefix to be added to such a 
consolidated object:[]

Enter a prefix for the common user objects in a user command set. For example, if the:

User command set name is myuser_command set.

Prefix name is MIG.

Consolidated prefix is defined as CONS_, the name is CONS_MIG_myuser_command set.

Groups Command Set
Extracted command sets  will be given the group 
name with an optional prefix/suffix.
Select preferred option for name creation.
1 - AddPrefix
2 - AddSuffix
3 - GroupNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidate the group command set name with the option you chose. For example, if the group command set name is myuser_group command set, choose option 1 to create MIG_myuser_group command set.

Consolidated - Groups Command Set

Identical objects found within these objects are consolidated into one.

Enter the prefix to be added to such a consolidated object:[]

Enter a prefix for the common group command set objects within a group command set. For example, if the:

Group command set name is myuser_group command set.

Prefix name is MIG.

Consolidated prefix is defined as CONS_, the name is CONS_MIG_myuser_group command set.

Groups Shell Exec
Extracted shell profile will be given the group 
name with an optional prefix/suffix.
Select preferred option for name creation.
1 - AddPrefix
2 - AddSuffix
3 - GroupNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidate the group shell exec name with the option you chose. For example, if the group shell exec name is myuser_group shell exec, choose option 1 to create MIG_myuser_group shell exec.

Consolidated - Groups Shell Exec
Identical objects found within these objects are 
consolidated into one.
Enter the prefix to be added to such a 
consolidated object:[]

Enter a prefix for the common group shell exec objects within a group shell exec. For example, if the:

Group shell exec name is myuser_group shell exec.

Prefix name is MIG.

Consolidated prefix is defined as CONS_, the name is CONS_MIG_myuser_group shell exec.

Shared Downloadable ACL
Existing downloadable acl will be migrated.
Select the name to be used for the migrated DACL
1 - DaclName_AclName
2 - AclName
Selected option:[1]
1

Select a naming convention to be used for the migrated ACS 4.x DACL:

1 - DaclName_AclName

2 - AclName

DACL prefix/suffix
Extracted downloadable acl will be given the name 
with optional prefix/suffix.
Select preferred option for name creation.
1 - AddPrefix
2 - AddSuffix
3 - SpecifiedNameOnly
Selected option:[1]

Enter text for prefix/suffix:[MIG]

Consolidate the downloadable access control list (ACL) name with the option you chose. For example, if the DACL name is mydacl_acl_test, choose option 1 to create MIG_mydacl_acl_acs_test.

Show full report also on screen?[yes]

The default value is yes. Enter yes to view the log information on screen.

Save Settings?[yes]

The default value is yes. Enter yes to preserve the setting you used in this session.


Table 4-3 Migration Script Object Groups 

Script Element
Description
Select a ACS 4.x Configuration groups to be 
migrated:
1 - ALLObjects
2 - AllUsersObjects
3 - AllDevicesObjects
4 - SharedCommandSet
5 - SharedDACLObject
6 - GroupTCommandSetAndShellExec
7 - MasterKeys

The following object types will be extracted:

User Attributes
User Attribute Values
Network Device Groups
User Groups
Groups Shell Exec
Groups Command Set
Users Shell Exec
Users Command Set
Shared Command Sets
Network Devices
Users
Shared Downloadable ACL
EAP FAST - Master Keys
Mab

The ACS elements to be migrated. Choose one of the following options to run each phase against the ACS 4.x elements to be migrated:

1 - ALLObjects. You can run each migration phase against the supported ACS objects.

2 - AllUsersObjects. You can run each migration phase against the User object.

3 - AllDevicesObjects. You can run each migration phase against the Device object.

4 - SharedCommandSet. You can run each migration phase against the Shared Command Set object.

5 - SharedDACLObject. You can run each migration phase against the SharedDACL object.

6 - GroupTCommandSetAndShellExec. You can run each migration phase against the Group TACACS+, Command Set, and Shell Exec.

7 - MasterKeys. You can run each migration phase against the master key object.


Table 4-4 Migration Script Phases 

Script Element
Description
Execute one of the following
1 - ExtractAndAnalyze
2 - Export
3 - Import
4 - CreateReportFiles
5 - Exit

Migration Utility options:

ExtractAndAnalyze: Choose option 1 to extract and analyze the ACS 4.x data. This is an iterative process. You can analyze the data, make corrections, and rerun the Analysis phase to see the results. If data passes the Analysis phase, it can be later exported and imported to ACS 5.0. Refer to Analyzing the ACS 4.x Data.

Export: Choose option 2 to export the ACS 4.x data. The export process migrates a selected set of objects from the ACS 4.x data to a data file that the Import phase can process. Refer to Exporting the ACS 4.x Data.


Note: Ensure that you back up your ACS 5.0 database.


Import: Choose option 3 to import the ACS 4.x data from the external data file. Once the migration process creates the data export file, the data is imported into ACS 5.0. Refer to Importing the ACS 4.x Data to ACS 5.0.

CreateReportFiles: Choose option 4 to create a comma-separated value (CSV) file containing a full and summary report for each phase. You can upload the CSV file to an Excel spreadsheet or any other editor that supports CSV files. The config folder in the migration directory contains the full and summary reports. Refer to Printing Reports and Report Types.

Exit: Choose option 5 to exit the Migration Utility.


Analyzing the ACS 4.x Data

Choose option 1 to run ExtractAndAnalyze. The Analysis phase runs on the ACS 4.x migration machine by using data restored from a backup of the ACS 4.x source machine. The Analysis Summary report lists the total number of:

Detected objects.

Reported issues for each object.

Objects that can be migrated.

The specific Analysis report shows:

Information on issues for each object.

Data to be consolidated. Refer to Consolidating Data.

The Analysis phase can be run multiple times to make configuration changes between the analysis cycles. For example, you might have overlapping IP addresses for network devices. You can use the ACS 4.x application to correct this issue. Once you correct the issue, you can rerun the ExtractAndAnalyze phase and proceed to the Export phase. Refer to Overlapping IP Addresses, page B-3. Example 4-3 shows a sample summary and specific Analysis reports for the ExtractAndAnalyze phase. In this example, the reports are for 1 - ALLObjects.

This phase generates two reports:

Example 4-3 shows the Extract Summary Report.

Example 4-4 shows the Analysis Report.

Example 4-3 Extract Summary Report

------------------------------------------------------------------------------
        Summary  Report for phase Extracted
------------------------------------------------------------------------------
User Attribute Values
------------------------------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
------------------------------------------------------------------------------
Network Device Groups
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
User Groups
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
Groups Shell Exec
------------------------------------------------------------------------------
Total:1         Successful:1    Reported  issues:0
------------------------------------------------------------------------------
Groups Command Set
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
Users Shell Exec
------------------------------------------------------------------------------
Total:1         Successful:0    Reported  issues:0
------------------------------------------------------------------------------
Users Command Set
------------------------------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
------------------------------------------------------------------------------
Shared Command Sets
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
Network Devices
------------------------------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
------------------------------------------------------------------------------
Users
------------------------------------------------------------------------------
Total:7         Successful:7    Reported  issues:0
------------------------------------------------------------------------------
Shared Downloadable ACL
------------------------------------------------------------------------------
Total:7         Successful:7    Reported  issues:0
------------------------------------------------------------------------------
EAP FAST - Master Keys
------------------------------------------------------------------------------
Total:7         Successful:7    Reported  issues:0
------------------------------------------------------------------------------
Mab
------------------------------------------------------------------------------
Total:7         Successful:7    Reported  issues:0
------------------------------------------------------------------------------

Example 4-4 Analysis Report

------------------------------------------------------------------------------
Summary  Report for phase Analyzed
------------------------------------------------------------------------------
Network Device Groups
------------------------------------------------------------------------------
Total:2         Successful:0    Reported  issues:2
------------------------------------------------------------------------------
User Groups
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
Groups Shell Exec
------------------------------------------------------------------------------
Total:1         Successful:1    Reported  issues:0
------------------------------------------------------------------------------
Groups Command Set
------------------------------------------------------------------------------
Total:2         Successful:1    Reported  issues:1
------------------------------------------------------------------------------
Users Shell Exec
------------------------------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
------------------------------------------------------------------------------
Users Command Set
------------------------------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
------------------------------------------------------------------------------
Shared Command Sets
------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
------------------------------------------------------------------------------
Network Devices
------------------------------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
------------------------------------------------------------------------------
Users
------------------------------------------------------------------------------
Total:7         Successful:5    Reported  issues:2
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Shared Downloadable ACL
------------------------------------------------------------------------------
Total:7         Successful:5    Reported  issues:2
------------------------------------------------------------------------------
------------------------------------------------------------------------------
EAP FAST - Master Keys
------------------------------------------------------------------------------
Total:7         Successful:5    Reported  issues:2
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Mab
------------------------------------------------------------------------------
Total:7         Successful:5    Reported  issues:2
------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        Analysis Report
------------------------------------------------------------------------------------
        User Attributes
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        User Attribute Values
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        Network Device Groups
------------------------------------------------------------------------------------

The following objects are password_included
------------------------------------------------------------------------------------
1.  Name: Migration_Test         Comment:  NDG has shared key password
2.  Name: Migration_Test2        Comment:  NDG has shared key password
------------------------------------------------------------------------------------
        User Groups
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        Groups Shell Exec
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        Groups Command Set
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Users Shell Exec
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Users Command Set
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Shared Command Sets
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Network Devices
------------------------------------------------------------------------------------
The following objects are unsupported
------------------------------------------------------------------------------------
1.  Name: ACS_Migrate_Priv       Comment: Network Devices name should not contain double 
quotes.
2.  Name: ACS_Migrate_Test        Comment: Network Devices name should not contain double 
quotes.
------------------------------------------------------------------------------------
        User Shell Exec
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        User Command Set
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        Shared Command Set
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
        User
------------------------------------------------------------------------------------
        Network Device
------------------------------------------------------------------------------------
The following objects are unified
------------------------------------------------------------------------------------
1. Name: rad_12 Comment: Network Device Group: Migration Test is unified with nd6 from 
Network Device Group Migration Test1
------------------------------------------------------------------------------------
Users
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Shared Downloadable ACL
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
EAP FAST - Master Keys
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------
Mab
------------------------------------------------------------------------------------
------------------------------------------------------------------------------------

This example shows the results of the Analysis phase:

Network Device Group: Migration Test is unified with nd6 from Network Device Group 
Migration Test1

The NDG passed the analysis phase, but the comment indicates that ACS 5.0 does not support the shared key password attribute for the NDG. However, the shared key password is migrated to all the network devices that belong to the NDG.

rad_12 and nd6 will be migrated as a unified network device.

Refer to Appendix A, "ACS 5.0 Attribute Migration Support," for a list of the attributes that are not migrated.
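
Because the reports are plain text, the review between analysis cycles can be scripted. The following is an added example, not part of the Cisco guide or the Migration Utility: it parses a report in the layout of Examples 4-3 and 4-4 and lists what to resolve or record before Export. The function names and the embedded sample are constructed for illustration, and the check that Successful plus Reported issues equals Total is an assumption about how the utility counts objects.

```python
import re

# Constructed excerpt in the layout of Examples 4-3 and 4-4 (not real output).
SAMPLE_REPORT = """\
------------------------------------------------------------
Summary  Report for phase Analyzed
------------------------------------------------------------
Network Device Groups
------------------------------------------------------------
Total:2         Successful:0    Reported  issues:2
------------------------------------------------------------
Users Shell Exec
------------------------------------------------------------
Total:1         Successful:0    Reported  issues:0
------------------------------------------------------------
        Analysis Report
------------------------------------------------------------
        Network Device Groups
------------------------------------------------------------
The following objects are password_included
------------------------------------------------------------
1.  Name: Migration_Test         Comment:  NDG has shared key password
2.  Name: Migration_Test2        Comment:  NDG has shared key password
------------------------------------------------------------
Network Devices
------------------------------------------------------------
The following objects are unsupported
------------------------------------------------------------
1.  Name: ACS_Migrate_Priv       Comment: Network Devices name should not contain double
quotes.
------------------------------------------------------------
"""

RULE = re.compile(r"^-{5,}$")
PHASE = re.compile(r"^Summary\s+Report for phase (\S+)$")
COUNTS = re.compile(r"^Total:(\d+)\s+Successful:(\d+)\s+Reported\s+issues:(\d+)$")
CATEGORY = re.compile(r"^The following objects are (\S+)$")
ENTRY = re.compile(r"^\d+\.\s+Name:\s*(.+?)\s+Comment:\s*(.*)$")


def parse_report(text):
    """Return ({(phase, type): (total, ok, issues)}, [finding dicts])."""
    summary, findings = {}, []
    phase = obj_type = category = None
    after_entry = False  # True while a wrapped Comment may continue
    for raw in text.splitlines():
        line = raw.strip()
        if not line or RULE.match(line):
            after_entry = False
            continue
        if after_entry and not ENTRY.match(line):
            findings[-1]["comment"] += " " + line  # wrapped comment text
            continue
        after_entry = False
        if m := PHASE.match(line):
            phase = m.group(1)
        elif line == "Analysis Report":
            obj_type = category = None
        elif m := COUNTS.match(line):
            summary[(phase, obj_type)] = tuple(int(g) for g in m.groups())
        elif m := CATEGORY.match(line):
            category = m.group(1)
        elif m := ENTRY.match(line):
            findings.append({"type": obj_type, "category": category,
                             "name": m.group(1), "comment": m.group(2)})
            after_entry = True
        else:  # any other text line is an object-type heading
            obj_type, category = line, None
    return summary, findings


def review_items(text, phase="Analyzed"):
    """List what to resolve or record before running Export."""
    summary, findings = parse_report(text)
    items = []
    for (ph, obj_type), (total, ok, issues) in summary.items():
        if ph == phase and issues:
            items.append(f"{obj_type}: {issues}/{total} with reported issues")
        # Assumption: each object is counted as successful or as an issue.
        if ph == phase and ok + issues != total:
            items.append(f"{obj_type}: counts do not add up "
                         f"({ok} + {issues} != {total})")
    for f in findings:
        items.append(f"{f['type']} '{f['name']}' [{f['category']}]: {f['comment']}")
    return items


def shared_key_ndgs(text):
    """NDGs flagged password_included: their key moves to member devices."""
    _, findings = parse_report(text)
    return [f["name"] for f in findings if f["category"] == "password_included"]


if __name__ == "__main__":
    for item in review_items(SAMPLE_REPORT):
        print(item)
```

The list returned by `shared_key_ndgs` identifies the NDGs whose member devices receive the shared key during migration, which is worth recording so those devices can be checked in ACS 5.0 afterwards.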

Consolidating Data

The consolidation process occurs in the analysis phase and:

Analyzes the created shared objects.

Identifies the objects that are identical.

Ensures that duplicate ACS 4.x objects are collapsed to a single object. In the Export phase, you migrate the single objects to ACS 5.0. These objects can then be referenced by ACS 5.0 policies. For example, the Analysis report might show multiple command sets that appear to be different, but are actually the same command set. This might be because of command set shortcuts, such as show or sho. In ACS 5.0, you can define policies so that they incorporate the migrated command set information. Refer to the User Guide for Cisco Secure Access Control System 5.0 for details on ACS 5.0 policies.

Consolidates the following:

User's and user group's command set into a command set profile.

Group Shell Exec into a shell profile.

Exporting the ACS 4.x Data

Choose option 2 to run Export. Only data that has passed the analysis phase can be exported. The Export phase details migration issues together with any recommendations for resolution. In this phase, you export data to an external data file, which is imported into ACS 5.0.

This phase generates two reports:

Example 4-5 shows the Export Summary Report.

Example 4-6 shows the Export Report.

Example 4-5 Export Summary Report

-----------------------------------------------------------
        Summary  Report for phase Exported
-----------------------------------------------------------
User Attributes
-----------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
-----------------------------------------------------------
User Attribute Values
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------
Network Device Groups
-----------------------------------------------------------
Total:3         Successful:3    Reported  issues:0
-----------------------------------------------------------
User Groups
-----------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
-----------------------------------------------------------
Groups Shell Exec
-----------------------------------------------------------
Total:1         Successful:1    Reported  issues:0
-----------------------------------------------------------
Groups Command Set
-----------------------------------------------------------
Total:2         Successful:1    Reported  issues:1
-----------------------------------------------------------
Users Shell Exec
-----------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
-----------------------------------------------------------
Users Command Set
-----------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
-----------------------------------------------------------
Shared Command Sets
-----------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
-----------------------------------------------------------
Network Devices
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------
Users
-----------------------------------------------------------
Total:7         Successful:6    Reported  issues:1
-----------------------------------------------------------
Shared Downloadable ACL
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------
EAP FAST - Master Keys
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------
Mab
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------

Example 4-6 Export Report

------------------------------------------------------------------------------------------
         Export Report
------------------------------------------------------------------------------------------
The following User Attributes cannot be exported:
------------------------------------------------------------------------------------------
The following User Attribute Values cannot be exported:
------------------------------------------------------------------------------------------
The following Network Device Groups cannot be exported:
------------------------------------------------------------------------------------------
The following User Groups cannot be exported:
------------------------------------------------------------------------------------------
The following Groups Shell Exec cannot be exported:
------------------------------------------------------------------------------------------
The following Groups Command Set cannot be exported:
------------------------------------------------------------------------------------------
1.  Name: ACS_Migrate_Priv       Comment: T+ cmd set to use network device.
------------------------------------------------------------------------------------------
The following Users Shell Exec cannot be exported:
------------------------------------------------------------------------------------------
The following Users Command Set cannot be exported:
------------------------------------------------------------------------------------------
The following Shared Command Sets cannot be exported:
------------------------------------------------------------------------------------------
The following Network Devices cannot be exported:
------------------------------------------------------------------------------------------
The following Users cannot be exported:
------------------------------------------------------------------------------------------
1.  Name: nd6    Comment: Network Device Group: Migration Test network device IP is 
overlapping with other device.
------------------------------------------------------------------------------------------
The following Shared Downloadable ACL cannot be Exported:
------------------------------------------------------------------------------------------
The following EAP FAST - Master Keys cannot be Exported:
------------------------------------------------------------------------------------------
The following Mab cannot be Exported:
------------------------------------------------------------------------------------------

This example shows the results of the Export phase:

T+ cmd set to use network device.

Use the ACS 4.x application on the migration machine to reconfigure the TACACS+ command set.

Network Device Group: Migration Test network device IP is overlapping with other device.

Use the ACS 4.x application on the migration machine to resolve the IP address conflict.

Importing the ACS 4.x Data to ACS 5.0

Choose option 3 to run Import. This phase imports the ACS 4.x data export file created in the Export phase.


Note The import process can take a long time if you migrate data from a large database.



Note Restore your ACS 5.0 database if the ACS 5.0 import fails.


The Import phase generates three reports:

Example 4-7 shows the progress of the Import phase.

Example 4-8 shows the Import Summary Report.

Example 4-9 shows the Import Report.

Example 4-7 Sample Progress Report for the Import Phase

3
Tue Jul 20 14:56:57 EST 2007 User Attribute 1 / 2 (50%) complete.
Tue Jul 20 14:56:57 EST 2007 User Attribute 2 / 2 (100%) complete.
Imported 2 items of type: User Attribute
Imported 5 items of type: User Attribute Value
Tue Jul 20 14:57:00 EST 2007 Network Device Group 1 / 3 (33%) complete.
Tue Jul 20 14:57:00 EST 2007 Network Device Group 2 / 3 (66%) complete.
Tue Jul 20 14:57:00 EST 2007 Network Device Group 3 / 3 (100%) complete.
Imported 3 items of type: Network Device Group
Imported 2 items of type: User Group
Tue Jul 20 14:57:02 EST 2007 Group Shell Exec 1 / 1 (100%) complete.
Imported 1 items of type: Group Shell Exec
Tue Jul 20 14:57:03 EST 2007 Group Command Set 1 / 1 (100%) complete.
Imported 1 items of type: Group Command Set
Imported 0 items of type: User Shell Exec
Imported 0 items of type: User Command Set
Tue Jul 20 14:57:06 EST 2007 Shared Command Set 1 / 2 (50%) complete.
Tue Jul 20 14:57:24 EST 2007 Shared Command Set 2 / 2 (100%) complete.
Imported 2 items of type: Shared Command Set
Tue Jul 20 14:57:25 EST 2007 User 1 / 5 (20%) complete.
Tue Jul 20 14:57:25 EST 2007 User 2 / 5 (40%) complete.
Tue Jul 20 14:57:25 EST 2007 User 3 / 5 (60%) complete.
Tue Jul 20 14:57:25 EST 2007 User 4 / 5 (80%) complete.
Tue Jul 20 14:57:26 EST 2007 User 5 / 5 (100%) complete.
Imported 5 items of type: User
Tue Jul 20 14:57:26 EST 2007 Network Device 1 / 6 (16%) complete.
Tue Jul 20 14:57:27 EST 2007 Network Device 2 / 6 (33%) complete.
Tue Jul 20 14:57:28 EST 2007 Network Device 3 / 6 (50%) complete.
Tue Jul 20 14:57:28 EST 2007 Network Device 4 / 6 (66%) complete.
Tue Jul 20 14:57:29 EST 2007 Network Device 5 / 6 (83%) complete.
Tue Jul 20 14:57:29 EST 2007 Network Device 6 / 6 (100%) complete.

Example 4-8 Import Summary Report

--------------------------------------------------------------------------------
        Summary  Report for phase imported
--------------------------------------------------------------------------------
User Attributes
--------------------------------------------------------------------------------
Total:2         Successful:0    Reported  issues:2
--------------------------------------------------------------------------------
User Attribute Values
--------------------------------------------------------------------------------
Total:10        Successful:0    Reported  issues:10
--------------------------------------------------------------------------------
Network Device Groups
--------------------------------------------------------------------------------
Total:3         Successful:2    Reported  issues:1
--------------------------------------------------------------------------------
Groups Shell Exec
--------------------------------------------------------------------------------
Total:1         Successful:0    Reported  issues:1
--------------------------------------------------------------------------------
Groups Command Set
--------------------------------------------------------------------------------
Total:1         Successful:1    Reported  issues:0
--------------------------------------------------------------------------------
Users Shell Exec
--------------------------------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
--------------------------------------------------------------------------------
Users Command Set
--------------------------------------------------------------------------------
Total:0         Successful:0    Reported  issues:0
--------------------------------------------------------------------------------
Shared Command Sets
--------------------------------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
--------------------------------------------------------------------------------
Network Devices
--------------------------------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
--------------------------------------------------------------------------------
Users
--------------------------------------------------------------------------------
Total:6         Successful:6    Reported  issues:0
--------------------------------------------------------------------------------
Shared Downloadable ACL
--------------------------------------------------------------------------------
Total:6         Successful:6    Reported  issues:0
--------------------------------------------------------------------------------
EAP FAST - Master Keys
--------------------------------------------------------------------------------
Total:6         Successful:6    Reported  issues:0
--------------------------------------------------------------------------------
Mab
--------------------------------------------------------------------------------
Total:6         Successful:6    Reported  issues:0
--------------------------------------------------------------------------------

Example 4-9 Import Report

---------------------------------------------------------------------------------------
        Import Report
---------------------------------------------------------------------------------------
The following User Attributes were not imported:
---------------------------------------------------------------------------------------
1.  Name: Real Name      Comment: Attribute cannot be added.
2.  Name: Description    Comment: Attribute cannot be added.
The following User Attribute Values were not imported:
---------------------------------------------------------------------------------------
1.  Name: acs_1  Comment: Attribute value not imported because of ACS 4.x name conflict.
2.  Name: acs_1  Comment: Attribute value not imported because of ACS 4.x name conflict.
3.  Name: asc_2  Comment: Attribute value not imported because of ACS 4.x name conflict.
4.  Name: asc_2  Comment: Attribute value not imported because of ACS 4.x name conflict.
5.  Name: acs_3  Comment: Attribute value not imported because of ACS 4.x name conflict.
6.  Name: acs_3  Comment: Attribute value not imported because of ACS 4.x name conflict.
7.  Name: acs_4  Comment: Attribute value not imported because of ACS 4.x name conflict.
8.  Name: acs_4  Comment: Attribute value not imported because of ACS 4.x name conflict.
9.  Name: acs_5  Comment: Attribute value not imported because of ACS 4.x name conflict.
10.  Name: acs_5 Comment: Attribute value not imported because of ACS 4.x name conflict.
The following Network Device Groups were not imported:
---------------------------------------------------------------------------------------
1.  Name: Not Assigned   Comment: Error 1: Failure to add object: Migrated NDGs:All 
Migrated NDGs:Not Assigned in function: createGroup

The following User Groups were not imported:
---------------------------------------------------------------------------------------
1.  Name: IdentityGroup:All Groups:Migrated Group        Comment: Failure to add object: 
IdentityGroup:All Groups:Migrated Group in function: createGroup

The following Group Shell Exec were not imported:
---------------------------------------------------------------------------------------
1.  Name: ACS_Migrate_Priv Comment: customError CRUDex002 Object already exist exception
The following Group Command Set failed on import:
---------------------------------------------------------------------------------------
The following User Shell Exec were not imported:
---------------------------------------------------------------------------------------
The following User Command Set were not imported:
---------------------------------------------------------------------------------------
The following Shared Command Set were not imported:
---------------------------------------------------------------------------------------
The following Network Devices were not imported:
---------------------------------------------------------------------------------------
The following Users were not imported:
---------------------------------------------------------------------------------------
The following Shared Downloadable ACL were not imported:
------------------------------------------------------------------------------------------
The following EAP FAST - Master Keys were not imported:
------------------------------------------------------------------------------------------
The following Mab were not imported:
------------------------------------------------------------------------------------------

Printing Reports and Report Types

Choose option 4 to print full reports and summary reports to a CSV file. The config folder in the migration directory contains the Migration Utility reports.

Table 4-5 lists the migration phases and the reports generated in each phase.

Table 4-5 Reports Generated During Migration

Migration Phase      Reports Generated
-------------------  ----------------------------------------------------------------------
Extract and Analyze  ExtractAndAnalyzeSummary_report.csv, ExtractAndAnalyzefull_report.csv
Export               ExportSummary_report.csv, Exportfull_report.csv
Import               ImportSummary_report.csv, Importfull_report.csv


Table 4-6 describes the Migration Utility reports.

Table 4-6 Migration Utility Reports 

Migration Report                     Description
-----------------------------------  ------------------------------------------------------------
ExtractAndAnalyzeSummary_report.csv  Summary report for the Extract and Analyze phase. Shows the total number of objects you can migrate and any related problems.
ExtractAndAnalyzefull_report.csv     Full report for the Extract and Analyze phase. Shows the total number of exported objects and includes descriptive comments for each object.
ExportSummary_report.csv             Summary report for the Export phase. Shows the total number of exported objects you can migrate and any related problems.
Exportfull_report.csv                Full report for the Export phase. Shows the total number of exported objects and includes descriptive comments for each object.
ImportSummary_report.csv             Summary report for the Import phase. Shows the total number of imported objects and any related problems.
Importfull_report.csv                Full report for the Import phase. Shows the total number of imported objects and includes descriptive comments for each object.
full_report.csv                      Combines all the Migration Utility reports into one file.
Summary_report.csv                   Shows summary information for all the migration phases.


Extract and Analyze Summary Report

Figure 4-1 shows the Extract and Analyze Summary Report. Table 4-7 contains the Extract and Analyze Summary Report column definitions.

Figure 4-1 Extract and Analyze Summary Report

Table 4-7 Extract and Analyze Summary Report Column Definitions  

Column             Description
-----------------  --------------------------------------------------
Phase              The name of the migration phase.
Element Name       The name of the ACS object type to be migrated.
Total Elements     The total number of elements.
Total Migratable   The total number of elements that can be migrated.
Total with Issues  The total number of elements that have issues.
Comment            Message indicating the status of the ACS object.


Extract and Analyze Full Report

Figure 4-2 shows the Extract and Analyze Full Report. Table 4-8 contains the Extract and Analyze Full Report column definitions.

Figure 4-2 Extract and Analyze Full Report

Table 4-8 Extract and Analyze Full Report Column Definitions  

Column        Description
------------  --------------------------------------------------
Element Name  The name of the extracted ACS object type.
Name          The name of the ACS object type to be migrated.
Operation     The status of the Extract and Analyze phase. Valid values are success, error, and info (informational message).
Sub Code      Code associated with the status of the operation.
Comment       Message indicating the status of the ACS object.


Export Summary Report

Figure 4-3 shows the Export Summary Report. Table 4-9 contains the Export Summary Report column definitions.

Figure 4-3 Export Summary Report

Table 4-9 Export Summary Report Column Definitions

Column             Description
-----------------  --------------------------------------------------
Phase              The name of the migration phase.
Element Name       The name of the ACS object type to be migrated.
Total Elements     The total number of elements.
Total Migratable   The total number of elements that can be migrated.
Total with Issues  The total number of elements that have issues.
Comment            Message indicating the status of the ACS object.


Export Full Report

Figure 4-4 shows the Export Full Report. Table 4-10 contains the Export Full Report column definitions.

Figure 4-4 Export Full Report

Table 4-10 Export Full Report Column Definitions

Column        Description
------------  --------------------------------------------------
Phase         The name of the migration phase.
Element Name  The name of the ACS object type to be migrated.
Name          The user-supplied name.
Operation     The status of the Export phase. Valid values are success, error, and info (informational message).
Sub Code      Code associated with the status of the operation.
Comment       Message indicating the status of the ACS object.


Import Summary Report

Figure 4-5 shows the Import Summary Report. Table 4-11 contains the Import Summary Report column definitions.

Figure 4-5 Import Summary Report

Table 4-11 Import Summary Report Column Definitions  

Column             Description
-----------------  --------------------------------------------------
Phase              The name of the migration phase.
Element Name       The name of the ACS object type to be migrated.
Total Elements     The total number of elements.
Total Migratable   The total number of elements that are migrated.
Total with Issues  The total number of elements that have issues.
Comment            Message indicating the status of the ACS object.


Import Full Report

Figure 4-6 shows the Import Full Report. Table 4-12 contains the Import Full Report column definitions.

Figure 4-6 Import Full Report

Table 4-12 Import Full Report Column Definitions  

Column        Description
------------  --------------------------------------------------
Phase         The name of the migration phase.
Element Name  The name of the ACS object type to be migrated.
Name          The user-supplied name.
Operation     Indicates if the operation was a success or if an error occurred.
Sub Code      Code associated with the status of the operation.
Comment       Message indicating the status of the ACS object.


Validating Import

After the import phase is complete, you must manually analyze the Import Summary Report. This lists:

The total number of objects to be migrated.

The number of objects that successfully migrated.

The number of objects that failed to migrate.

You can check the Import Full Report for information on the objects that did not migrate. This lists:

The name of the objects.

The status of the objects.

The reason for the errors.

If any of the ACS 4.x objects are not migrated, you must:

1. Manually add the objects that are not migrated, or address these issues in the ACS 4.x application.

2. Rerun the Export phase.

3. Restore the ACS 5.0 database to its previous state (before import).

4. Rerun the Import phase.


Note To verify that migration is complete, analyze the Import Summary Report. If the report indicates that all objects have migrated successfully, migration is complete.
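The manual comparison described in this section can be scripted. The following is an added example, not part of the Cisco guide or the Migration Utility: it parses the console summary layout shown in Example 4-5 and Example 4-8 (not the CSV files) and reconciles the export counts against the import counts. The function names and finding labels are assumptions made for illustration.

```python
import re
from collections import namedtuple

Counts = namedtuple("Counts", "total successful issues")
COUNTS_RE = re.compile(r"Total:(\d+)\s+Successful:(\d+)\s+Reported\s+issues:(\d+)")
PHASE_RE = re.compile(r"Summary\s+Report for phase\s+(\w+)", re.I)

# Sample input: sections copied from Example 4-5 and Example 4-8 on this page (trimmed).
EXPORT_SUMMARY = """\
-----------------------------------------------------------
        Summary  Report for phase Exported
-----------------------------------------------------------
User Attribute Values
-----------------------------------------------------------
Total:5         Successful:5    Reported  issues:0
-----------------------------------------------------------
User Groups
-----------------------------------------------------------
Total:2         Successful:2    Reported  issues:0
-----------------------------------------------------------
Users
-----------------------------------------------------------
Total:7         Successful:6    Reported  issues:1
-----------------------------------------------------------
"""
IMPORT_SUMMARY = """\
-----------------------------------------------------------
        Summary  Report for phase imported
-----------------------------------------------------------
User Attribute Values
-----------------------------------------------------------
Total:10        Successful:0    Reported  issues:10
-----------------------------------------------------------
Users
-----------------------------------------------------------
Total:6         Successful:6    Reported  issues:0
-----------------------------------------------------------
"""


def parse_summary(text):
    """Return (phase, {element name: Counts}) for one console summary report."""
    phase, name, sections = None, None, {}
    for raw in text.splitlines():
        line = " ".join(raw.split())  # collapse the report's column padding
        if not line or set(line) == {"-"}:
            continue  # blank line or dashed rule
        m = COUNTS_RE.fullmatch(line)
        if PHASE_RE.search(line):
            phase = PHASE_RE.search(line).group(1).lower()
        elif m:
            if name is None:
                raise ValueError("counts line without a section name")
            sections[name] = Counts(*map(int, m.groups()))
            name = None
        else:
            name = line  # section heading such as "User Groups"
    if name is not None:
        raise ValueError("section %r has no counts line (truncated report?)" % name)
    return phase, sections


def reconcile(export_text, import_text):
    """Return (element, kind, detail) findings; an empty list means the counts agree."""
    exported, imported = parse_summary(export_text)[1], parse_summary(import_text)[1]
    findings = []
    for name, exp in exported.items():
        if exp.successful < exp.total:  # objects that never left ACS 4.x
            findings.append((name, "not-exported", f"{exp.total - exp.successful} of {exp.total}"))
        imp = imported.get(name)
        if imp is None:  # exported object type with no section in the import summary
            if exp.successful:
                findings.append((name, "missing-in-import", f"{exp.successful} exported"))
            continue
        if imp.total != exp.successful:
            findings.append((name, "count-mismatch", f"exported {exp.successful}, import saw {imp.total}"))
        if imp.successful < imp.total:
            findings.append((name, "import-failed", f"{imp.total - imp.successful} of {imp.total}"))
    return findings


if __name__ == "__main__":
    for finding in reconcile(EXPORT_SUMMARY, IMPORT_SUMMARY):
        print("%-22s %-18s %s" % finding)
```

On the sample sections, User Groups is flagged because it has an Export section but no section in the Import Summary Report, a gap that reading the Import Summary Report alone would not reveal.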


Summary Report

Figure 4-7 shows the Summary Report statistics for all migration phases. Table 4-13 contains the Summary Report column definitions.

Figure 4-7 Summary Report

Table 4-13 Summary Report Column Definitions  

Column             Description
-----------------  --------------------------------------------------
Phase              The name of the migration phase.
Element Name       The name of the migrated ACS object.
Total Elements     The total number of ACS objects processed.
Total Migratable   The total number of ACS objects migrated.
Total with Issues  The total number of issues for each ACS object.
Comment            Message indicating the status of the ACS object.


Confirming the Migration

Log in to your ACS 5.0 target machine to confirm that you successfully migrated ACS 4.x elements. In the migration process, the following ACS elements that were defined in ACS 4.x are migrated to ACS 5.0:

User Attributes

User Attribute Values

Network Device Groups

User Groups

Groups Shell Exec

Groups Command Set

Users Shell Exec

Users Command Set

Shared Command Sets

Network Devices

Users

Shared DACL

EAP-FAST - Master Keys

MAB

To access the ACS 4.x objects, follow the instructions in the User Guide for Cisco Secure Access Control Server 4.2. To access the ACS 5.0 objects, follow the instructions in the User Guide for Cisco Secure Access Control System 5.0.

The following sections provide information on confirming:

Command Shell Migration

Command Set Migration

NDG Migration

Network Device Migration

DACL Migration

MAB Migration

Command Shell Migration

Figure 4-8 shows the command shell attributes in ACS 4.x, and Figure 4-9 shows the command shell attributes migrated to ACS 5.0. Choose Policy Elements > Device Administration > Shell Profiles and click Create to access the migrated command shell attributes.

Figure 4-8 Command Shell Attributes Defined in ACS 4.x

Figure 4-9 Command Shell Attributes Migrated to ACS 5.0


Note Figure 4-10 shows that the ACS 4.x Privilege Level attribute migrated to ACS 5.0. The attribute appears in the Enable Default Privilege field.


Figure 4-10 ACS 5.0 Command Shell Privilege Level

Command Set Migration

Figure 4-11 shows the command set in ACS 4.x, and Figure 4-12 shows the command set migrated to ACS 5.0. Choose Policy Elements > Device Administration > Command Sets to access the migrated command set attributes.

Figure 4-11 Command Set Defined in ACS 4.x

Figure 4-12 Command Set Migrated to ACS 5.0

NDG Migration

Figure 4-13 shows the Network Device Groups (NDGs) in ACS 4.x, and Figure 4-14 shows the NDGs migrated to ACS 5.0. Choose Network Resources > Network Device Groups to access the migrated NDGs.

Figure 4-13 Network Device Groups Defined in ACS 4.x

Figure 4-14 Network Device Groups Migrated to ACS 5.0

Network Device Migration

Figure 4-15 shows the network devices in ACS 4.x, and Figure 4-16 shows the network devices that are migrated to ACS 5.0. Choose Network Resources > Network Devices and AAA Clients to access the migrated network devices.

Figure 4-15 Network Devices Defined in ACS 4.x

Figure 4-16 Network Devices Migrated to ACS 5.0

DACL Migration

Figure 4-17 shows the downloadable access control list (DACL) in ACS 4.x, and Figure 4-18 shows the DACL migrated to ACS 5.0. Choose Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACLs to access the migrated DACLs.

Figure 4-17 DACL Defined in ACS 4.x

Figure 4-18 DACL Migrated to ACS 5.0

MAB Migration

Figure 4-19 shows MAC Authentication Bypass (MAB) defined in ACS 4.x, and Figure 4-20 shows MAB migrated to ACS 5.0. Choose Users and Identity Stores > Internal Identity Stores > Hosts and click Create to access the migrated MABs.

Figure 4-19 MAB Defined in ACS 4.x

Figure 4-20 MAB Migrated to ACS 5.0