Overview of ACS 4.x to 5.0 Migration
This chapter describes ACS 4.x to 5.0 migration and contains:
• About the Migration Utility
• Process for Migrating Data
ACS 5.0 introduces a new policy model that differs from ACS 4.x. In ACS 4.x, policy and authentication information, such as command sets, is stored in the user and user group records. ACS 5.0 implements this data as policies.
The most efficient way to take full advantage of the new policy model is to rebuild your policies in it. This method entails creating appropriate Identity Groups, Network Device Groups (NDGs), conditions, authorization profiles, and rules.
Note: The Migration Utility migrates data from an ACS 4.x Windows machine to an ACS 5.0 Linux machine. This process is different from the upgrade process for versions of ACS from 3.x to 4.x or for any 4.x upgrades. In the upgrade process, the ACS 4.x system works the same way without the need for administrative support. In some cases, the migration process requires administrative support to consolidate and manually resolve data before you import the data to ACS 5.0.
About the Migration Utility
You use the Migration Utility to migrate the different types of data from ACS 4.x to ACS 5.0. In addition to your ACS 4.x Windows source machine, you must deploy an ACS 4.x migration machine and an ACS 5.0 target Linux machine.
The three phases of the Migration Utility are analysis, export, and import.
You run the Migration Utility on the ACS 4.x migration machine. The migration machine is a Windows platform running ACS 4.x. You can run the analysis and export phases independently, several times, to ensure that the data is appropriate for the import phase. You run the import phase after your data passes the analysis and export phases. Refer to the User Guide for the Cisco Secure Access Control System 5.0 for details on ACS 5.0 policies.
The Migration Utility supports a subset of the ACS 4.x data elements. For a complete list, see ACS Elements the Migration Process Supports in Table 2-1 on page 2-2.
Issues Resulting from the Analysis Phase
Not all data entities can migrate from ACS 4.x to ACS 5.0. The Analysis phase might reveal issues such as overlapping IP addresses for network devices. Another issue is that ACS 4.x network device IP address definitions can include wildcards and ranges, whereas ACS 5.0 uses a standard subnet mask representation, so the definitions might not be compatible. The Analysis reports detail these issues. You can address them in the ACS 4.x application and then rerun the analysis, as many times as required. After you complete analysis activities, you can export the data from ACS 4.x and subsequently import the data to the ACS 5.0 target machine.
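The two issues named above can be checked ahead of the analysis run with a short script. The following is an added example, not part of the Migration Utility or of Cisco's documentation; it shows which definitions map to exactly one subnet and which pairs overlap. It assumes a per-octet syntax of `*` for any value and `low-high` for a range, and the device names and addresses are constructed.

```python
import ipaddress
from itertools import combinations

def parse_octets(pattern):
    """Turn '10.1.*.*' or '10.1.5.1-20' into four (low, high) octet spans."""
    parts = pattern.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four octets: {pattern!r}")
    spans = []
    for part in parts:
        if part == "*":
            lo, hi = 0, 255
        elif "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet {part!r} in {pattern!r}")
        spans.append((lo, hi))
    return spans

def to_subnet(pattern):
    """Return the one subnet equal to the pattern, or None if no single subnet matches."""
    spans = parse_octets(pattern)
    first = ipaddress.IPv4Address(".".join(str(lo) for lo, _ in spans))
    last = ipaddress.IPv4Address(".".join(str(hi) for _, hi in spans))
    count = 1
    for lo, hi in spans:
        count *= hi - lo + 1
    if count != int(last) - int(first) + 1:
        return None  # holes between first and last, e.g. 172.16.*.1
    nets = list(ipaddress.summarize_address_range(first, last))
    return nets[0] if len(nets) == 1 else None

def overlaps(a, b):
    """Two patterns share an address only if every octet span intersects."""
    return all(l1 <= h2 and l2 <= h1
               for (l1, h1), (l2, h2) in zip(parse_octets(a), parse_octets(b)))

def analyze(devices):
    """Return (convertible subnets, names needing manual rework, overlapping name pairs)."""
    subnets = {n: to_subnet(p) for n, p in devices.items()}
    manual = [n for n, net in subnets.items() if net is None]
    clashes = [(a, b) for a, b in combinations(devices, 2)
               if overlaps(devices[a], devices[b])]
    return {n: s for n, s in subnets.items() if s is not None}, manual, clashes

# Constructed sample definitions, not taken from any real deployment.
SAMPLE = {"core-sw": "10.1.*.*", "branch-rtr": "10.1.5.1-20",
          "lab": "192.168.10.0-127", "wan": "172.16.*.1", "fw": "10.2.0.1"}

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Definitions returned in the manual list need to be split or consolidated in ACS 4.x before they can be written as a subnet mask; overlapping pairs need one side narrowed or removed.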
Process for Migrating Data
The migration process exports data from a source ACS 4.x server and imports corresponding data entities to a target ACS 5.0 server. The export process does not run on the operational 4.x server. Instead, you back up the database from the ACS 4.x source server and restore the data to an additional ACS 4.x migration machine, where you run the Migration Utility.
To migrate data:
Step 1 Analyze the ACS 4.x data and review the Extracted Summary report and the Analysis report. Refer to Analyzing the ACS 4.x Data, page 4-10. In this phase, you identify:
• Issues for data that cannot be migrated. You also have the opportunity to rectify this data prior to migration.
• Issues to fix prior to migration.
• The data to consolidate.
Note: You can rerun each migration phase independently. For example, after you run Analyze, the Analysis Summary Report can reveal migration issues and recommend manual changes to the data. You can use the ACS 4.x application to resolve the issues, rerun the Analyze component, and proceed to the Export phase.
Note: Only data that passes the analysis phase can be exported and later imported to ACS 5.0.
Step 2 Export the ACS 4.x data and review the Export Report. Refer to Exporting the ACS 4.x Data, page 4-15.
a. Identify the data that was not exported and review manual migration considerations. Refer to Resolving Migration Issues, page B-3.
b. Identify the data to be exported and statistics.
c. Export the selected set of ACS 4.x data to an external data file to be used by the import process.
Note: Only data that passes the export phase can be migrated.
Step 3 Back up the ACS 5.0 target machine database.
Step 4 Import the ACS 4.x data to ACS 5.0 and review the Import Summary Report. Refer to Importing the ACS 4.x Data to ACS 5.0, page 4-17.
Figure 1-1 illustrates the migration process.
Figure 1-1 Migration Process