Cisco Identity Services Engine Migration Guide for Cisco Secure ACS 5.1 and 5.2, Release 1.1.x
Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Migration Overview

Table Of Contents

Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Migration Overview

Overview

Supported Migration from the Cisco Secure ACS to the Cisco ISE

Software Requirements

Functional Description

Export

Data Persistency

Import

Scalability

High Availability

Reporting

UTF-8 Support

FIPS Support for ISE 802.1X Services

Cisco Secure ACS/Cisco ISE Version Validation


Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 Migration Overview


This chapter provides a brief overview of Cisco Identity Services Engine (ISE) and Cisco Secure Access Control System (ACS). The following topics are discussed in this chapter:

Overview

Supported Migration from the Cisco Secure ACS to the Cisco ISE

Software Requirements

Functional Description

Overview

The Cisco ISE deployment model consists of one primary node with multiple secondary nodes. Each Cisco ISE node in a deployment can assume one or more of the following personas: Administration, Policy Service, and Monitoring.

After you install Cisco ISE, all nodes are in the standalone state. You must designate one of your Cisco ISE nodes as the primary (running the Administration persona). After you have defined the primary node, you can configure other Cisco ISE node personas, such as Policy Service and Monitoring, for the network. You can then register other, secondary nodes with the primary node and define specific roles for each of them.

When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins replication. All configuration changes are made on the primary Administration ISE node and are replicated to the secondary nodes. The Monitoring ISE node acts as the log collector.

The Cisco Secure Access Control System (ACS) deployment model consists of a single primary and multiple secondary Cisco Secure ACS servers, where configuration changes are made on the primary Cisco Secure ACS server and replicated to the secondary Cisco Secure ACS servers.

All primary and secondary Cisco Secure ACS servers can process AAA requests. The primary Cisco Secure ACS server is also the default log collector for the Monitoring and Report Viewer, although you can configure any Cisco Secure ACS server to be the log collector.

Cisco Secure ACS and Cisco ISE may run on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE.

Instead, a migration tool and procedure are available that read the data from Cisco Secure ACS and create the corresponding data in Cisco ISE. You can also use this migration procedure when Cisco Secure ACS and Cisco ISE use the same hardware, the CSACS-1121 appliance. The Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 migration process requires minimal user interaction, and the full set of supported configuration data is migrated from Cisco Secure ACS to Cisco ISE.

Supported Migration from the Cisco Secure ACS to the Cisco ISE

The Cisco ISE supports data migration from the Cisco Secure ACS 5.1 and 5.2 by using the Cisco Secure ACS-ISE 1.1 Migration Tool. If you are running Cisco Secure ACS 3.x or Cisco Secure ACS 4.x, you must first upgrade to Cisco Secure ACS 5.0.

After you reach the Cisco Secure ACS 5.0 level, you can then upgrade to Cisco Secure ACS 5.1 or 5.2. At this point, you can then migrate to Cisco ISE 1.1 by using the Cisco Secure ACS-ISE Migration Tool.


Note A direct upgrade is available from the Cisco Secure ACS 5.0 to the Cisco Secure ACS 5.1/5.2. You must first complete upgrading all previous Cisco Secure ACS releases to Cisco Secure ACS 5.1/5.2 before you attempt to migrate any Cisco Secure ACS data to Cisco ISE.


For information on migrating data from the Cisco Secure ACS 3.x or 4.x to the Cisco Secure ACS 5.0, see Chapter 5 "Migrating Data from the Cisco Secure ACS 3.x and 4.x to the ACS 5.1/5.2."

Software Requirements

Table 1-1 lists the minimum software requirements for migration in the Cisco ISE 1.1.

Table 1-1 Software Requirements for Migration in the Cisco ISE 1.1

Requirement          Description
Operating System     The Cisco Secure ACS-Cisco ISE Migration Tool runs on Windows and Linux
                     machines with Java installed. For details, see the "System Requirements"
                     section.
Minimum disk space   1 GB. This space is required not only for the installation of the
                     migration tool but also for the migrated data, reports, and logs that
                     the tool stores.
Minimum RAM          2 GB. For a deployment of about 300,000 users, 50,000 hosts, and 50,000
                     network devices, 2 GB of RAM is the recommended minimum.


Before running the Cisco Secure ACS-Cisco ISE Migration Tool, make sure that you have upgraded to Cisco ISE Release 1.1 and have installed the latest patches for ACS 5.1 and 5.2.

Functional Description

The migration tool is responsible for transferring the Cisco Secure ACS data into Cisco ISE and there are three major steps:

1. Export data from the Cisco Secure ACS.

2. Persist data in the migration tool.

3. Import data into the Cisco ISE 1.1.


The following are the major features of the Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 migration process:

Export

Data Persistency

Import

Scalability

High Availability

Reporting

UTF-8 Support

FIPS Support for ISE 802.1X Services

Cisco Secure ACS/Cisco ISE Version Validation

Export

The first stage in the migration process is to export ACS data using the Cisco Secure ACS Programmatic Interface (PI). You provide the credentials to connect to Cisco Secure ACS and request the export of the Cisco Secure ACS data into the migration application. During this stage the exported data is validated to verify that it can be imported into a Cisco ISE 1.1 appliance successfully. Where data is invalid, this status is logged in the migration report.

Data Persistency

Cisco ISE does not support an in-place upgrade from Cisco Secure ACS to Cisco ISE 1.1. Therefore, if you want to reuse your Cisco Secure ACS appliance for Cisco ISE, you have to uninstall Cisco Secure ACS and reimage the appliance with the Cisco ISE 1.1 image. The migration tool persists the Cisco Secure ACS data before the reimage takes place and before the next stage (import) begins. The persisted data is stored in an encrypted format. Because this data includes credentials such as user passwords and the network device keywrap material, keep the migration host under the same access controls as the ACS server itself and remove the persisted data once the import has completed.

Import

At the import stage, the migration tool holds the exported Cisco Secure ACS data and is ready to import it into Cisco ISE 1.1. If you use the same machine for Cisco ISE, you have to reimage the Cisco Secure ACS machine with the Cisco ISE 1.1 image and then start the import operation. If you use a different machine for Cisco ISE, it must be a freshly installed machine with no configuration on it.

You can view the import progress through the Cisco Secure ACS-Cisco ISE Migration Tool user interface. You can see the object types that are being transferred and how many objects are pending for delivery. Any errors during this process are logged in the migration report.

Scalability

The migration application supports object scale as described in Table 1-2.

Table 1-2 Object Scalability for Migration in the Cisco ISE 1.1

Objects                                              Small       Medium      Large
                                                     Deployment  Deployment  Deployment
Users (AD[1]/LDAP[2]/internal), per deployment       1,000       10,000      25,000
Hosts/endpoints                                      1,000       10,000      100,000
Network devices                                      500         1,000       10,000
Identity groups                                      1           5           20
Authorization profiles                               5           10          30
User dictionaries                                    2           5           20
User attributes                                      1           5           8
User groups                                          2           10          100
DACLs[3] (each containing 1,600 entries)             5           20          50

[1] AD: Microsoft Windows Active Directory.

[2] LDAP: Lightweight Directory Access Protocol.

[3] DACL: downloadable access control list.


High Availability

The Cisco Secure ACS-Cisco ISE Migration Tool records its state at each stage of the export and import operations. If the export or import fails at any point, you do not need to start from the beginning; the tool resumes from the last checkpoint taken before the failure.

If the migration process fails during the export or import phase, the migration tool terminates the process. When you restart the migration tool after a failure, a dialog box is displayed.

You can either resume the previous export or import, or discard it and start a new migration process. If you resume, the migration continues from the last object type that was being processed, and the migration report continues from the previous run as well.
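The checkpoint-and-resume behavior described above, as an added example that is not the migration tool's own implementation: the import delivers one object type at a time, writes a checkpoint after each completed type (and on failure), and a rerun skips the types already delivered while the report carries on from the previous run. The object types, their order, the JSON checkpoint file, the `send` callback and the injected failure are all constructed for illustration.

```python
"""Added example (not the migration tool's own implementation): a
checkpointed import that resumes from the last completed object type after a
failure.  The object types, the JSON checkpoint file and the injected
failure are constructed for illustration."""
import json
import os
import shutil
import tempfile

OBJECT_TYPES = ["network_devices", "users", "identity_groups", "dacls"]   # assumed import order


class ImportFailure(Exception):
    pass


def load_checkpoint(path):
    if not os.path.exists(path):
        return {"completed": [], "report": []}
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def save_checkpoint(path, state):
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as f:
        json.dump(state, f)
    os.replace(tmp, path)          # atomic rename: a crash mid-write leaves the old checkpoint intact


def run_import(data, checkpoint_path, send, resume=True):
    """Deliver each object type; on failure persist state and stop, so a rerun can resume."""
    state = load_checkpoint(checkpoint_path) if resume else {"completed": [], "report": []}
    for otype in OBJECT_TYPES:
        if otype in state["completed"]:
            continue                                   # delivered before the failure
        try:
            for obj in data.get(otype, []):
                send(otype, obj)
        except ImportFailure as exc:
            state["report"].append(f"Error: {otype}: {exc}")
            save_checkpoint(checkpoint_path, state)    # the report resumes from here too
            raise
        state["completed"].append(otype)
        state["report"].append(f"Informational: imported {len(data.get(otype, []))} {otype}")
        save_checkpoint(checkpoint_path, state)
    return state


def demo():
    """First run fails on the first user; second run resumes and skips network_devices."""
    workdir = tempfile.mkdtemp()
    ckpt = os.path.join(workdir, "migration.ckpt")
    data = {"network_devices": ["sw1", "sw2"], "users": ["alice", "bob"],
            "identity_groups": ["Employees"], "dacls": ["PERMIT_ALL"]}   # constructed sample
    sent, tripped = [], []

    def send(otype, obj):
        # Hypothetical delivery callback: fails once, the first time it sees a user.
        if otype == "users" and not tripped:
            tripped.append(True)
            raise ImportFailure("connection to ISE reset")
        sent.append((otype, obj))

    try:
        run_import(data, ckpt, send)
    except ImportFailure:
        after_failure = load_checkpoint(ckpt)
    final = run_import(data, ckpt, send, resume=True)
    shutil.rmtree(workdir)
    return after_failure, final, sent


if __name__ == "__main__":
    after_failure, final, sent = demo()
    print("completed before failure:", after_failure["completed"])
    print("completed after resume:  ", final["completed"])
    print("\n".join(final["report"]))
```

Because the checkpoint is taken per object type, a resumed run re-sends the whole type that was in progress when the failure occurred; any objects of that type that did reach Cisco ISE before the failure then show up as duplicate errors in the import report rather than being silently skipped.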

Reporting

Three Cisco ISE reports are available while migrating the Cisco Secure ACS 5.1/5.2 data to the Cisco ISE appliance by using the Cisco Secure ACS-Cisco ISE Migration Tool:

Export Report: Indicates specific information or errors that are encountered during the export of data from the Cisco Secure ACS database. See Figure 1-1.

The export report includes error information for objects that are exported but will not be imported. It contains a data analysis section at the end of the report, which describes the functional gap analysis in the data between the Cisco Secure ACS and the Cisco ISE.

Import Report: Indicates specific information or errors that are encountered during the import of data into the Cisco ISE appliance. See Figure 1-2.

Policy Gap Analysis Report: Indicates specific information that is related to the policy gap between the Cisco Secure ACS and the Cisco ISE. See Figure 1-3.

The Cisco ISE 1.1 introduces this new report, which is available after the export completes. To view the report, click on the Policy Gap Analysis Report button in the user interface.

Any authentication or authorization policy that is not migrated is listed in this report, together with the incompatible rules and conditions. The report describes the data that cannot be migrated and the reason, so that you can apply a manual workaround.

Some conditions are migrated by translating them into Cisco ISE terminology; for example, "Device Type In" is migrated as "Device Type Equals". Such conditions are migrated automatically and do not appear in the report. If one or more conditions in a policy are found to be "Not Supported" or "Partially supported", the whole policy is not imported, and those conditions appear in the report.
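The classification rule above, applied to a few constructed ACS rules as an added example (not the migration tool's own code): each condition is either translated, flagged "Partially supported", or flagged "Not Supported", and a single flagged condition keeps the entire rule out of the import while only the flagged conditions are reported. The operator map beyond "In" to "Equals", the attribute support sets and the sample rules are assumptions made for illustration.

```python
"""Added example (not the Cisco migration tool's own code): policy gap
analysis over constructed ACS rules.  The operator map beyond "In" -> "Equals",
the attribute sets and the sample rules are assumptions."""
from dataclasses import dataclass, field

# ACS operator -> ISE operator.  "In" -> "Equals" is the translation the text
# gives; the other entries are hypothetical.
OPERATOR_MAP = {"In": "Equals", "Equals": "Equals", "Not In": "Not Equals"}
# Assumed attribute support in ISE 1.1 for this illustration.
SUPPORTED_ATTRIBUTES = {"Device Type", "Location", "Identity Group"}
PARTIALLY_SUPPORTED_ATTRIBUTES = {"Time And Date"}


@dataclass
class Condition:
    attribute: str
    operator: str
    value: str


@dataclass
class Rule:
    name: str
    conditions: list


@dataclass
class GapReport:
    migrated: list = field(default_factory=list)   # rules imported, with translated conditions
    entries: list = field(default_factory=list)    # (rule name, condition text, status)


def classify(cond):
    """Return (status, translated condition or None) for one ACS condition."""
    if cond.attribute in PARTIALLY_SUPPORTED_ATTRIBUTES:
        return "Partially supported", None
    if cond.attribute not in SUPPORTED_ATTRIBUTES or cond.operator not in OPERATOR_MAP:
        return "Not Supported", None
    return "Supported", Condition(cond.attribute, OPERATOR_MAP[cond.operator], cond.value)


def analyze(rules):
    """Translate what can be translated; drop a whole rule on any non-supported condition."""
    report = GapReport()
    for rule in rules:
        translated, problems = [], []
        for cond in rule.conditions:
            status, new_cond = classify(cond)
            if status == "Supported":
                translated.append(new_cond)          # auto-translated: not reported
            else:
                problems.append((rule.name, f"{cond.attribute} {cond.operator} {cond.value}", status))
        if problems:
            report.entries.extend(problems)          # the entire policy is not imported
        else:
            report.migrated.append(Rule(rule.name, translated))
    return report


# Constructed sample rules (not from any real ACS export).
SAMPLE_RULES = [
    Rule("Printers", [Condition("Device Type", "In", "Printers")]),
    Rule("Contractors", [Condition("Identity Group", "Equals", "Contractors"),
                         Condition("Time And Date", "In", "BusinessHours")]),
    Rule("Legacy", [Condition("Device Type", "Matches", "WLC.*")]),
]


def run():
    return analyze(SAMPLE_RULES)


if __name__ == "__main__":
    r = run()
    for rule in r.migrated:
        print("migrated:", rule.name, [(c.attribute, c.operator, c.value) for c in rule.conditions])
    for rule_name, cond, status in r.entries:
        print(f"gap: rule {rule_name!r}: {cond} is {status}; migrate manually")
```

Note that the "Contractors" rule's Identity Group condition is supported, yet the rule is still dropped because of its Time And Date condition; only the offending condition is listed, so when reading the real report you should look up the rest of the rule in ACS before recreating it by hand in Cisco ISE.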

Table 1-3 describes the report type, the message type, and message contents in the import and export reports.

Table 1-3 Cisco Secure ACS 5.1/5.2-Cisco ISE Migration Tool Reports

Report Type   Message Type    Message Description
Export        Informational   Lists the names of the data objects that were exported
                              successfully.
Export        Warning         Lists an export failure, or an export that was not attempted
                              because the data object is not supported by Cisco ISE 1.1
                              (for example, a TACACS+-based device).
Import        Informational   Lists the names of the data objects that were imported
                              successfully.
Import        Error           Identifies a data object that cannot be imported because it
                              already exists (duplicate).
Import        Error           Identifies a data object that cannot be imported because its
                              name length exceeds the Cisco ISE character limit.
Import        Error           Identifies a data object that cannot be imported because its
                              name includes a special character that Cisco ISE does not
                              support.
Import        Error           Identifies a data object that cannot be imported because the
                              object includes a character that is not available or
                              supported in Cisco ISE.
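The checks behind the Table 1-3 message types, as an added example rather than the migration tool's own code: an export-phase pass that emits a Warning for objects Cisco ISE 1.1 cannot take, followed by an import-phase pass that emits one Error per rejected object (duplicate, name too long, unsupported special character, unsupported character) or an Informational entry otherwise. The name-length limit, the special-character set, and the rule that a network device with no RADIUS configuration is skipped at export are assumptions; the sample objects are constructed and include a UTF-8 user name to show that length is counted in characters rather than bytes.

```python
"""Added example (not the migration tool's own code): pre-import checks that
produce the Table 1-3 message types for constructed ACS objects.  The
name-length limit, the special-character set and the export rule for
TACACS+-only devices are assumptions."""
import re
import unicodedata

MAX_NAME_LEN = 64                                   # assumed ISE limit, counted in characters
SPECIAL_CHARS = re.compile(r'[<>"\'%;&+\\/]')       # assumed set ISE does not accept in names


def export_check(obj):
    """Export-phase entry: Warning for objects ISE 1.1 cannot take, else Informational."""
    if obj["type"] == "network_device" and "RADIUS" not in obj.get("protocols", []):
        return {"report": "Export", "type": "Warning",
                "message": f"{obj['name']}: TACACS+-only device; not supported by ISE 1.1, export not attempted"}
    return {"report": "Export", "type": "Informational", "message": f"{obj['name']} exported"}


def import_check(obj, existing_names):
    """Import-phase entry: one Error reason per object, in the order ISE would reject it."""
    name = obj["name"]
    if name in existing_names:
        reason = "already exists (duplicate)"
    elif len(name) > MAX_NAME_LEN:
        reason = f"name length {len(name)} exceeds the ISE limit of {MAX_NAME_LEN}"
    elif SPECIAL_CHARS.search(name):
        reason = f"name includes unsupported special character {SPECIAL_CHARS.search(name).group()!r}"
    elif any(unicodedata.category(ch) in ("Cc", "Cn", "Cs")
             for ch in name + obj.get("description", "")):
        reason = "object includes a character that is not supported in ISE"
    else:
        return {"report": "Import", "type": "Informational", "message": f"{name} imported"}
    return {"report": "Import", "type": "Error", "message": f"{obj['type']} {name!r}: {reason}"}


def migrate(objects, names_already_in_ise):
    """Run export checks, then import checks on what was exported; return the combined report."""
    report, exportable = [], []
    for obj in objects:
        entry = export_check(obj)
        report.append(entry)
        if entry["type"] == "Informational":
            exportable.append(obj)
    seen = set(names_already_in_ise)
    for obj in exportable:
        entry = import_check(obj, seen)
        report.append(entry)
        if entry["type"] == "Informational":
            seen.add(obj["name"])        # later duplicates within the same export are caught too
    return report


# Constructed sample export (not real ACS data).
SAMPLE_OBJECTS = [
    {"type": "user", "name": "jdoe"},
    {"type": "user", "name": "müller", "description": "Zürich office"},   # UTF-8, passes
    {"type": "user", "name": "jdoe"},                                     # duplicate within export
    {"type": "user", "name": "bad<name>"},                                # special character
    {"type": "identity_group", "name": "G" * (MAX_NAME_LEN + 1)},         # too long
    {"type": "user", "name": "ctl", "description": "line1\x07line2"},     # control character
    {"type": "network_device", "name": "core-sw01", "protocols": ["RADIUS", "TACACS+"]},
    {"type": "network_device", "name": "wan-rtr01", "protocols": ["TACACS+"]},
]


def run():
    return migrate(SAMPLE_OBJECTS, names_already_in_ise={"admin"})


if __name__ == "__main__":
    for e in run():
        print(f"{e['report']:6} {e['type']:13} {e['message']}")
```

Running such a pass over the exported data before the import, rather than discovering the rejections in the import report, lets you rename or clean up objects in Cisco Secure ACS first, so the import on the freshly imaged Cisco ISE appliance does not have to be repeated.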


Figure 1-1 Example of Export Report

Figure 1-2 Example of Import Report

Figure 1-3 Example of Policy Gap Analysis Report

UTF-8 Support

Cisco ISE 1.1 supports Universal Character Set Transformation Format 8 bit (UTF-8) for some administrative configuration items. The following configuration items are exported and imported with UTF-8 encoding:

Network Access user configuration:
  - User name
  - Password and re-enter password
  - First name
  - Last name
  - Email

RSA (prompts and messages shown to the end user by the supplicant):
  - Messages
  - Prompts

RADIUS Token (prompt presented on the end-user supplicant):
  - Authentication Tab > Prompts

Administrator configuration:
  - Administrator username and password (administrators can be configured using UTF-8)

Policies:
  - Authentication > Value for AV expression
  - Authorization > Other Conditions > Value for AV expression

Attribute-value conditions:
  - Authentication > Simple Condition/Compound Condition > Value for AV expression
  - Authorization > Simple Condition/Compound Condition > Value for AV expression

FIPS Support for ISE 802.1X Services

In order to support Federal Information Processing Standard (FIPS), the Cisco Secure ACS-Cisco ISE Migration Tool migrates the default network device keywrap data.


Note The Cisco ISE FIPS mode should not be enabled before the migration process is complete.


FIPS-compliant and supported protocols:

Process Host Lookup

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Protected Extensible Authentication Protocol (PEAP)

EAP-Flexible Authentication via Secure Tunneling (EAP-FAST)

Protocols that are not FIPS compliant and are not supported in FIPS mode:

EAP-Message Digest 5 (EAP-MD5)

Password Authentication Protocol (PAP) and ASCII

Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

Lightweight Extensible Authentication Protocol (LEAP)

Cisco Secure ACS/Cisco ISE Version Validation

The Cisco Secure ACS-Cisco ISE Migration Tool identifies the Cisco Secure ACS version before the export phase begins. The migration process does not start if the Cisco Secure ACS version is lower than 5.1 or higher than 5.2. In addition, before importing the data into Cisco ISE, the tool verifies that the Cisco ISE version is 1.1.