Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x
Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 Data Object Mapping

Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 Data Structure Mapping


This appendix provides information about the following migration-related topics:

Data Objects That Are Migrated

Data Objects That Are Not Migrated

Data Objects That Are Partially Migrated

General Migration Rules

Migrating Policies

Supported Attributes and Data Types

Data Information Mapping

Data Objects That Are Migrated

The following data objects are migrated from the Cisco Secure Access Control System (ACS) 5.1/5.2 to the Cisco Identity Services Engine (ISE) 1.1:

Network device group (NDG) types and hierarchies

Network devices

Default network device

External RADIUS servers

Identity group

Internal users

Internal endpoints (hosts)

Lightweight Directory Access Protocol (LDAP)

Microsoft Windows Active Directory (AD)

RSA (partial support, see Table A-25)

RADIUS token (see Table A-24)

Certificate authentication profile

Date and time condition (partial support, see Migrating Policies)

RADIUS attribute and vendor-specific attribute (VSA) values (see Table A-5 and Table A-6)

RADIUS vendor dictionaries (see Notes for Table A-5 and Table A-6)

Internal user attributes (see Table A-1 and Table A-2)

Internal endpoint attributes (see General Migration Rules)

Authorization profile

Downloadable access control list (DACL)

Identity (authentication) policy

Authorization policy (for network access)

Authorization exception policy (for network access)

Service selection policy (for network access)

RADIUS proxy service

User password complexity

Identity sequence and RSA prompts

UTF-8 data (see UTF-8 Support)

Data Objects That Are Not Migrated

The following data objects are not migrated from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1:

Monitoring reports

Scheduled backups

Repositories

Administrators, roles, and administrator settings

Customer/debug log configuration

Deployment information (secondary nodes)

Certificates (certificate authorities and local certificates)

Security Group Access Control Lists (SGACL)

Security Group (SG)

AAA servers for supported Security Group Access (SGA) devices

SG mapping

Network Device Admission Control (NDAC) policy

SGA egress matrix

SGA data within network devices

Security Group Tag (SGT) in SGA authorization policy results

Network condition (end station filters, device filters, device port filters)

Device administration authentication and authorization policies

Data Objects That Are Partially Migrated

The following data objects are partially migrated from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1:

Identity and host attributes that are of type date are not migrated.

RSA sdopts.rec file and secondary information are not migrated.

RADIUS identity server attributes (only the attribute CiscoSecure-Group-Id is migrated).

General Migration Rules

Consider these migration rules while migrating data from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1:

Objects with special characters are not migrated.

Attributes (RADIUS, VSA, identity, and host) of type enum are migrated as integers with allowed values.

All endpoint attributes (regardless of the attribute data type) are migrated as the String data type.

You cannot filter which RADIUS attributes and VSA values are added to the ISE logs.

Migrating Policies

Authentication and authorization policies are migrated from Cisco Secure ACS to Cisco ISE. Both ACS and ISE support simple and rule-based authentication paradigms, but they are based on different policy models. As a result of the differences between the ACS and ISE policy models, not all ACS policies and rules can be migrated. The main reasons are:

Unsupported attributes used by the policy

Unsupported AND/OR condition structure (mainly when complex conditions are configured)

Unsupported operators (such as "begin with")

If a rule cannot be migrated, the policy as a whole is not migrated, and the reason and details are listed in the Policy Gap Analysis report. You can view the report and either delete or modify the problematic rules. See the "Reporting" section for more details on the Policy Gap Analysis report.


Note If you do not modify or delete the unsupported rule, no policy is migrated to the Cisco ISE.


The following guidelines apply to migrating policies from Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1:

Rules with conditions that include user attributes with a data type other than the "string" data type are not migrated.

Authentication fails if the condition refers to host attributes.

Authorization policies that include a condition that has host (endpoint) attributes are not migrated to Cisco ISE authorization policies.

Date and time conditions in an authorization policy that have a weekly recurrence setting are not migrated to the Cisco ISE. As a result, the rule is also not migrated.

Date and time conditions in an authentication policy are not migrated to the Cisco ISE. As a result, the rule is also not migrated.

The following operators are not supported in conditions:

String: starts with, ends with, contains, not contains

Date and time: not in

Identity group: not in

Rules that use these operators in their conditions are also not migrated.

Authentication policies that include compound conditions with a logical expression other than a || b || c || ... or a && b && c && ... (for example, (a || b) && c) are not migrated. Authorization policies that include compound conditions with a logical expression other than a && b && c && ... are not migrated as part of the rule condition. As a workaround, you can manually build library compound conditions for some advanced logical expressions.

Rules that include only network conditions are not migrated. If the condition includes network conditions together with other supported conditions, the network conditions are ignored and are not migrated as part of the rule condition.

The Cisco ISE does not support TACACS, so any ACS rule that uses a TACACS attribute is not migrated.


Note If during the export phase, the Cisco ACS 5.1/5.2-ISE 1.1 Migration Tool identifies a gap within the authentication and authorization policies (matching any of the migration guidelines that are noted in this section), it is listed in the Policy Gap Analysis report. If this gap identification occurs, it is the responsibility of the administrator who is performing the migration to modify or delete such rules. If such rules are not modified or deleted, no policy is migrated to the Cisco ISE.
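The guidelines above can be checked before the export phase rather than discovered in the Policy Gap Analysis report. The following Python script is an added example, not code from this guide or from the Cisco Secure ACS-Cisco ISE Migration Tool: it models each ACS rule as a small record (the Rule and Condition classes, the condition family names and the sample rules are all constructed for the example) and reports, per rule, the blocking gaps that would keep it from migrating and the non-blocking warnings (dropped network conditions, host attributes in an authentication condition). It also applies the note above: a single rule with a blocking gap holds back the whole policy.

```python
"""Pre-export policy gap check for ACS rules, modelled on the migration guidelines.

Added example, not code from the Cisco Secure ACS-Cisco ISE Migration Tool. The
rule/condition representation, family names and sample rules are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Operators the guide lists as unsupported, keyed by the operand family.
UNSUPPORTED_OPERATORS = {
    "string": {"starts with", "ends with", "contains", "not contains"},
    "datetime": {"not in"},
    "identity_group": {"not in"},
}


@dataclass
class Condition:
    attribute: str                # attribute name (constructed in the sample)
    family: str                   # user | host | radius | datetime | identity_group | network | tacacs
    operator: str
    data_type: str = "string"     # ACS data type of the attribute
    weekly_recurrence: bool = False


@dataclass
class Rule:
    name: str
    policy_type: str              # "authentication" or "authorization"
    logic: str                    # "and" / "or" for a flat chain; "mixed" for e.g. (a || b) && c
    conditions: List[Condition] = field(default_factory=list)


def rule_gaps(rule: Rule) -> Tuple[List[str], List[str]]:
    """Return (blocking gaps, non-blocking warnings) for one ACS rule."""
    gaps: List[str] = []
    warnings: List[str] = []
    is_authn = rule.policy_type == "authentication"

    # Compound-condition shape: authentication accepts a flat OR or flat AND chain,
    # authorization accepts only a flat AND chain.
    if is_authn and rule.logic == "mixed":
        gaps.append("compound condition is not a flat a || b || c or a && b && c chain")
    if not is_authn and rule.logic != "and":
        gaps.append("authorization compound condition is not a flat a && b && c chain")

    families = {c.family for c in rule.conditions}
    if families == {"network"}:
        gaps.append("rule uses network conditions only")
    elif "network" in families:
        warnings.append("network conditions are ignored and dropped from the rule condition")

    for c in rule.conditions:
        # String-valued user, host and RADIUS attributes use the string operator set.
        string_attr = c.family in ("user", "host", "radius") and c.data_type == "string"
        op_family = "string" if string_attr else c.family
        if c.operator in UNSUPPORTED_OPERATORS.get(op_family, set()):
            gaps.append(f"{c.attribute}: unsupported operator '{c.operator}'")
        if c.family == "user" and c.data_type != "string":
            gaps.append(f"{c.attribute}: user attribute of type {c.data_type}; only string attributes migrate")
        if c.family == "host":
            if is_authn:
                warnings.append(f"{c.attribute}: authentication fails when the condition refers to host attributes")
            else:
                gaps.append(f"{c.attribute}: host (endpoint) attribute in an authorization condition")
        if c.family == "datetime" and (is_authn or c.weekly_recurrence):
            gaps.append(f"{c.attribute}: date and time condition is not migrated in this policy")
        if c.family == "tacacs":
            gaps.append(f"{c.attribute}: TACACS attribute")
    return gaps, warnings


def gap_report(rules: List[Rule]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Per-rule findings, in the spirit of the Policy Gap Analysis report."""
    return {r.name: rule_gaps(r) for r in rules}


def policy_migrates(rules: List[Rule]) -> bool:
    """One rule with a blocking gap holds back the whole policy."""
    return all(not rule_gaps(r)[0] for r in rules)


# Constructed sample rules (not taken from any real ACS export).
SAMPLE_RULES = [
    Rule("Employees", "authorization", "and", [
        Condition("InternalUser.Department", "user", "equals"),
        Condition("IdentityGroup", "identity_group", "in")]),
    Rule("Contractors", "authorization", "and", [
        Condition("InternalUser.Department", "user", "starts with"),
        Condition("InternalUser.Expiry", "user", "equals", data_type="date")]),
    Rule("Printers", "authorization", "and", [
        Condition("InternalEndpoint.Location", "host", "equals"),
        Condition("EndStationFilter", "network", "matches")]),
    Rule("OfficeHours", "authentication", "mixed", [
        Condition("TimeAndDate.Weekdays", "datetime", "in", weekly_recurrence=True),
        Condition("Radius.Service-Type", "radius", "equals")]),
]

if __name__ == "__main__":
    for name, (gaps, warns) in gap_report(SAMPLE_RULES).items():
        print(f"{name}: {gaps or 'migrates'}; warnings: {warns}")
    print("policy migrates:", policy_migrates(SAMPLE_RULES))
```

Run against the sample set, only the Employees rule is clean; Contractors fails on an unsupported string operator and a non-string user attribute, Printers on a host attribute in an authorization condition (its network condition would merely be dropped), and OfficeHours on a mixed logical expression and a date/time condition in an authentication policy. Because three rules carry blocking gaps, the policy as a whole would not migrate until they are fixed or removed.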


Supported Attributes and Data Types

The following tables list the supported attributes that are migrated and their target data type.

Table A-1 User Attributes Migrated from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
String | String
UI32 | Not supported
IPv4 | Not supported
Boolean | Not supported
Date | Not supported
Enum | Not supported


Table A-2 User Attribute: Association to the User 

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
String | Supported
UI32 |
IPv4 |
Boolean |
Date |


Table A-3 Hosts Attributes Migrated from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
String | String
UI32 | UI32
IPv4 | IPv4
Boolean | Boolean
Date | Not supported
Enum | Integers with allowed values


Table A-4 Host Attribute: Association to the Host 

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
String | Supported
UI32 | Supported (value is converted to String)
IPv4 | Supported (value is converted to String)
Boolean | Supported (value is converted to String)
Date | Supported (value is converted to String)
Enum | Supported (value is converted to String)


Table A-5 RADIUS Attributes Migrated from the Cisco Secure ACS 5.1/5.2 to the Cisco ISE 1.1

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
UI32 | UI32
UI64 | UI64
IPv4 | IPv4
Hex String | Octet String
String | String
Enum | Integers with allowed values


Table A-6 RADIUS Attribute: Association to RADIUS Server

Cisco Secure ACS 5.1/5.2 | Cisco ISE 1.1
UI32 | Supported
UI64 | Supported
IPv4 | Supported
Hex String | Supported (hex strings are converted to octet strings)
String | Supported
Enum | Supported (enums are integers with allowed values)
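Tables A-1 to A-6 and the general migration rules separate two decisions: what target data type an attribute definition gets in the ISE dictionary, and how a value bound to a user, host or RADIUS server is converted. The following Python script is an added example, not code from this guide or from the Cisco migration tool, that applies those tables to constructed attribute definitions. The "Integer" target type name and the numbering of enum values by their position in the ACS allowed-value list are assumptions; the guide only says that enums become integers with allowed values. The dictionary names "InternalUser" and "InternalEndpoint" are taken from Table A-23.

```python
"""Attribute and value conversion following Tables A-1 to A-6 and the general rules.

Added example, not the Cisco migration tool's code. "Integer" as the target type
name and index-based enum numbering are assumptions made for this example.
"""
from typing import Any, Dict, List, Optional

# Target dictionary data type per ACS attribute type; a missing key means
# "Not supported", so the attribute definition is not migrated.
TARGET_TYPE: Dict[str, Dict[str, str]] = {
    "user": {"String": "String"},                                  # Table A-1
    "host": {"String": "String", "UI32": "UI32", "IPv4": "IPv4",   # Table A-3
             "Boolean": "Boolean", "Enum": "Integer"},
    "radius": {"UI32": "UI32", "UI64": "UI64", "IPv4": "IPv4",     # Table A-5
               "Hex String": "Octet String", "String": "String",
               "Enum": "Integer"},
}

# Dictionary an identity attribute lands in (Table A-23); RADIUS attributes
# belong to their vendor dictionary and get no entry here.
IDENTITY_DICTIONARY = {"user": "InternalUser", "host": "InternalEndpoint"}


def migrate_attribute(scope: str, name: str, acs_type: str,
                      allowed_values: Optional[List[str]] = None) -> Optional[Dict[str, Any]]:
    """ISE dictionary entry for an ACS attribute, or None when it is not migrated."""
    target = TARGET_TYPE[scope].get(acs_type)
    if target is None:
        return None
    entry: Dict[str, Any] = {"name": name, "data_type": target}
    if scope in IDENTITY_DICTIONARY:
        entry["dictionary"] = IDENTITY_DICTIONARY[scope]
    if acs_type == "Enum":
        # Enum -> integer with allowed values (index numbering is an assumption).
        entry["allowed_values"] = {i: v for i, v in enumerate(allowed_values or [])}
    return entry


def migrate_value(scope: str, acs_type: str, value: Any,
                  allowed_values: Optional[List[str]] = None) -> Any:
    """Convert a value bound to a user, host or RADIUS server (Tables A-2, A-4, A-6)."""
    if migrate_attribute(scope, "_", acs_type, allowed_values) is None:
        raise ValueError(f"{acs_type} {scope} attribute is not migrated")
    if scope == "host":
        # Every endpoint attribute value is migrated as a String (general rule, Table A-4).
        return str(value)
    if acs_type == "Hex String":
        # Hex strings become octet strings; malformed hex raises instead of being guessed.
        return bytes.fromhex(value)
    if acs_type == "Enum":
        if not allowed_values or value not in allowed_values:
            raise ValueError(f"{value!r} is not an allowed value")
        return allowed_values.index(value)
    return value


if __name__ == "__main__":
    # Constructed sample definitions, not from a real ACS export.
    print(migrate_attribute("user", "Department", "String"))
    print(migrate_attribute("user", "Expiry", "Date"))            # None: not migrated
    print(migrate_attribute("host", "DeviceClass", "Enum", ["Printer", "Phone"]))
    print(migrate_value("host", "UI32", 42))                      # '42'
    print(migrate_value("radius", "Hex String", "0a1b"))          # b'\n\x1b'
    print(migrate_value("radius", "Enum", "Phone", ["Printer", "Phone"]))
```

The point the tables make, and the script reproduces, is that the same ACS type can fare differently depending on the scope: a Date attribute on a user is dropped outright, a Date attribute on a host keeps its value but only as a string, and a hex-string RADIUS attribute is re-encoded as octets rather than copied as text.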


Data Information Mapping

This section provides a series of tables that list the data mapped during export: each table pairs a category of Cisco Secure ACS 5.1/5.2 data with its equivalent in Cisco ISE 1.1. The tables also show which data objects are, or are not, validly mapped during the export stage of the migration process:

Table A-7 (network device property mapping)

Table A-8 (Active Directory property mapping)

Table A-9 (external RADIUS server property mapping)

Table A-10 (hosts/endpoints property mapping)

Table A-11 (identity dictionary property mapping)

Table A-12 (identity group property mapping)

Table A-13 (LDAP property mapping)

Table A-14 (NDG types mapping)

Table A-15 (NDG hierarchy mapping)

Table A-16 (RADIUS dictionary vendors mapping)

Table A-17 (RADIUS dictionary attributes mapping)

Table A-18 (users mapping)

Table A-19 (certificate authentication profile)

Table A-20 (authorization profile mapping)

Table A-21 (DACL mapping)

Table A-22 (external RADIUS server mapping)

Table A-23 (identity attributes dictionary mapping)

Table A-24 (RADIUS token mapping)

Table A-25 (RSA mapping)

Table A-26 (RSA Prompts)

Table A-27 (Identity Store Sequences)

Table A-28 (Default Network Device)


Note The export and import reports include informational, warning, and error messages that serve as validation of the import and export process.


Table A-7 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Network Device Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Migrate as is
Description | Migrate as is
Network device group | Migrate as is
Single IP address | Migrate as is
Single IP and subnet address | Migrate as is
Collection of IP and subnet addresses | Migrate as is
TACACS information | Not migrated because TACACS is not supported in Cisco ISE 1.1.
RADIUS shared secret | Migrate as is
CTS | Migrate as is
SNMP | SNMP data is available only in Cisco ISE; therefore, there is no SNMP information for migrated devices.
Model name | Property available only in Cisco ISE (its value is the default, "unknown").
Software version | Property available only in Cisco ISE (its value is the default, "unknown").



Note Any network devices that are set only as TACACS are not supported for migration and these are listed as non-migrated devices.


Table A-8 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Active Directory Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Domain name | Migrate as is
User name | Migrate as is
Password | Migrate as is
Allow password change | Migrate as is
Allow machine access restrictions | Migrate as is
Aging time | Migrate as is
User attributes | Migrate as is
Groups | Migrate as is



Note The Cisco Secure ACS-Cisco ISE Migration Tool issues a join command after the Active Directory data has been migrated. This "join" operation can fail if the domain name, user name, and password are incorrect. In addition, it is important that the Cisco ISE appliance be properly synchronized with the AD server time, or this can also cause a failure during the "join" operation.


Table A-9 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 External RADIUS Server Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Migrate as is
Description | Migrate as is
Server IP address | Migrate as is
Shared secret | Migrate as is
Authentication port | Migrate as is
Accounting port | Migrate as is
Server timeout | Migrate as is
Connection attempts | Migrate as is


Table A-10 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Hosts (Endpoints) Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
MAC address | Migrate as is
Status | Not migrated
Description | Migrate as is
Identity group | Migrate the association to an endpoint group.
Attribute | Endpoint attribute is migrated.
Authentication state | Property available only in Cisco ISE (fixed value "Authenticated").
Class name | Property available only in Cisco ISE (fixed value "TBD").
Endpoint policy | Property available only in Cisco ISE (fixed value "Unknown").
Matched policy | Property available only in Cisco ISE (fixed value "Unknown").
Matched value | Property available only in Cisco ISE (fixed value "0").
NAS IP address | Property available only in Cisco ISE (fixed value "0.0.0.0").
OUI | Property available only in Cisco ISE (fixed value "TBD").
Posture status | Property available only in Cisco ISE (fixed value "Unknown").
Static assignment | Property available only in Cisco ISE (fixed value "False").


Table A-11 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Identity Dictionary Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Attribute | Attribute name
Description | Description
Internal name | Internal name
Attribute type | Data type
Maximum length | Not migrated
Default value | Not migrated
Mandatory fields | Not migrated
User | The dictionary property accepts this value ("user").


Table A-12 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Identity Group Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Parent | Migrated as part of the hierarchy details.



Note Cisco ISE contains endpoint and identity groups. Identity groups in Cisco Secure ACS 5.1/5.2 are migrated to Cisco ISE as endpoint groups and as identity groups because a user needs to be assigned to an identity group and an endpoint needs to be assigned to an endpoint group.


Table A-13 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 LDAP Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Server connection information | Migrate as is (Server Connection tab; see Figure A-1).
Directory organization information | Migrate as is (Directory Organization tab; see Figure A-2).
Directory groups | Migrate as is
Directory attributes | Migrated manually (using the Cisco Secure ACS-Cisco ISE Migration Tool).


Figure A-1 Server Connection Tab

Figure A-2 Directory Organization Tab

Table A-14 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 NDG Types Mapping 

Cisco Secure ACS 5.1/5.2 Properties | Cisco ISE 1.1 Properties
Name | Name
Description | Description



Note Cisco Secure ACS 5.1/5.2 can support having more than one network device group (NDG) with the same name. Cisco ISE does not support this naming scheme. Therefore, only the first NDG type with any defined name is migrated.


Table A-15 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 NDG Hierarchy Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Parent | No specific property is associated with this value because it is entered only as part of the NDG hierarchy name (the NDG type is the prefix of the object name).



Note Any NDGs whose root name contains a colon (:) are currently not migrated because Cisco ISE 1.1 does not recognize the colon as a valid character.


Table A-16 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 RADIUS Dictionary (Vendors) Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Vendor ID | Vendor ID
Attribute prefix | No need to migrate this property.
Vendor length field size | Vendor attribute type field length
Vendor type field size | Vendor attribute size field length



Note Only those RADIUS vendors that are not part of a Cisco Secure ACS 5.1/5.2 installation are required to be migrated (this affects only the user-defined vendors).


Table A-17 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 RADIUS Dictionary (Attributes) Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Attribute ID | No specific property is associated with this value because it is entered only as part of the NDG hierarchy name (the NDG type is the prefix of the object name).
Direction | Not supported in Cisco ISE
Multiple allowed | Not supported in Cisco ISE
Attribute type | Migrate as is
Add policy condition | Not supported in Cisco ISE
Policy condition display name | Not supported in Cisco ISE



Note Only those RADIUS attributes that are not part of a Cisco Secure ACS 5.1/5.2 installation are required to be migrated (only the user-defined attributes need to be migrated).


Table A-18 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 User Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Status | No need to migrate this property (it does not exist in Cisco ISE).
Identity group | Migrated to identity groups in Cisco ISE.
Password | Password
Enable password | No need to migrate this property (it does not exist in Cisco ISE).
Change password on next login | No need to migrate this property.
User attributes list | User attributes are imported from Cisco ISE and associated with the users.


Table A-19 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Certificate Authentication Profile Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Principal user name (X.509 attribute) | Principal user name (X.509 attribute)
Binary certificate comparison with certificate from LDAP or AD | Binary certificate comparison with certificate from LDAP or AD
AD - LDAP name for certificate fetching | AD - LDAP name for certificate fetching


Table A-20 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Authorization Profile Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
DACLID (downloadable ACL ID) | Migrate as is
Attribute type (static and dynamic) | Migrated as is if a static attribute; migrated as is if a dynamic attribute, except Dynamic VLAN.
Attributes (filtered for static type only) | RADIUS attributes


Table A-21 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Downloadable ACL Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
DACL content | DACL content


Table A-22 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 External RADIUS Server Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Server IP address | Hostname
Shared secret | Shared secret
Authentication port | Authentication port
Accounting port | Accounting port
Server timeout | Server timeout
Connection attempts | Connection attempts


Table A-23 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Identity Attributes Dictionary Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Attribute | Attribute name
Description | Internal name
Name | Migrate as is
Attribute type | Data type
No such property | Dictionary (set to "InternalUser" for a user identity attribute, or "InternalEndpoint" for a host identity attribute)
Not exported or extracted yet from the Cisco Secure ACS | Allowed value = display name
Not exported or extracted yet from the Cisco Secure ACS | Allowed value = internal name
Not exported or extracted yet from the Cisco Secure ACS | Allowed value is default
Maximum length | None
Default value | None
Mandatory field | None
Add policy condition | None
Policy condition display name | None


Table A-24 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 RADIUS Token Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Safeword server | Safeword server
Enable secondary appliance | Enable secondary appliance
Always access primary appliance first | Always access primary appliance first
Fallback to primary appliance in minutes | Fallback to primary appliance in minutes
Primary appliance IP address | Primary appliance IP address
Primary shared secret | Primary shared secret
Primary authentication port | Primary authentication port
Primary appliance TO (timeout) | Primary appliance TO
Primary connection attempts | Primary connection attempts
Secondary appliance IP address | Secondary appliance IP address
Secondary shared secret | Secondary shared secret
Secondary authentication port | Secondary authentication port
Secondary appliance TO | Secondary appliance TO
Secondary connection attempts | Secondary connection attempts
Advanced > treat reject as authentication flag fail | Advanced > treat reject as authentication flag fail
Advanced > treat rejects as user not found flag | Advanced > treat rejects as user not found flag
Advanced > enable identity caching and aging value | Advanced > enable identity caching and aging value
Shell > prompt | Authentication > prompt
Directory attributes | Authorization > attribute name (if the dictionary attribute list in Cisco Secure ACS includes the attribute "CiscoSecure-Group-Id", it is migrated to this attribute; otherwise, the default value is "CiscoSecure-Group-Id").


Table A-25 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 RSA Mapping 

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name is always RSA
Description | Not migrated
Realm configuration file | Realm configuration file
Server TO | Server TO
Reauthenticate on change to PIN | Reauthenticate on change to PIN
RSA instance file | Not migrated
Treat rejects as authentication fail | Treat rejects as authentication fail
Treat rejects as user not found | Treat rejects as user not found
Enable identity caching | Enable identity caching
Identity caching aging time | Identity caching aging time


Table A-26 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 RSA Prompts

Cisco Secure ACS Properties | Cisco ISE Properties
Passcode prompt | Passcode prompt
Next Token prompt | Next Token prompt
PIN Type prompt | PIN Type prompt
Accept System PIN prompt | Accept System PIN prompt
Alphanumeric PIN prompt | Alphanumeric PIN prompt
Numeric PIN prompt | Numeric PIN prompt


Table A-27 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Identity Store Sequences

Cisco Secure ACS Properties | Cisco ISE Properties
Name | Name
Description | Description
Certificate based, certificate authentication profile | Certificate based, certificate authentication profile
Password based | Authentication search list
Advanced options > if access on current IDStore fails then break sequence | Do not access other stores in the sequence and set the "AuthenticationStatus" attribute to "ProcessError".
Advanced options > if access on current IDStore fails then continue to next | Treated as "User Not Found"; proceed to the next store in the sequence.
Attribute retrieval only > exit sequence and treat as "User Not Found" | Not supported (should be ignored)


Table A-28 Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Default Network Devices

Cisco Secure ACS Properties | Cisco ISE Properties
Default network device status | Default network device status
Network device group | Not migrated
Authentication Options - TACACS+ | Not migrated
RADIUS - shared secret | Shared secret
RADIUS - CoA port | Not migrated
RADIUS - Enable keywrap | Enable keywrap
RADIUS - Key encryption key | Key encryption key
RADIUS - Message authenticator code key | Message authenticator code key
RADIUS - Key input format | Key input format