Using the Cisco Secure ACS-Cisco ISE Migration Tool
This chapter describes how to use the Cisco Secure Access Control System (ACS)-Cisco Identity Services Engine (ISE) Migration Tool to migrate data from a Cisco Secure ACS 5.1/5.2 database to a Cisco ISE 1.1 appliance, and includes procedures for running the migration process in the following topics:
•Logging In and Using the Migration Tool
•Verifying the Import Process
•Providing Report Files
Logging In and Using the Migration Tool
After you have started the migration tool, log into the Cisco Secure ACS 5.1/5.2 system from which you will be exporting data. To start using the migration tool, complete the following steps:
Step 1 In the Cisco Secure ACS-Cisco ISE Migration Tool main window, click Settings to display the list of data objects you want to migrate.
Step 2 Click to select the check box(es) for those data objects you want to export in case their dependency data is missed, and click Save.
Step 3 In the main window of the Cisco Secure ACS-Cisco ISE Migration Tool, click Migration and click Export from ACS.
The Login window for the Cisco Secure ACS 5.1/5.2 system is displayed.
Step 4 Enter the IP address (or hostname) and the password for the Cisco Secure ACS 5.1/5.2 system into the ACS Credentials window, and click Connect.
The data migration process begins.
Step 5 Check the progress of the migration of the Cisco Secure ACS 5.1/5.2 data by viewing the main window of the Cisco Secure ACS-Cisco ISE Migration Tool.
The main window of the Cisco Secure ACS-Cisco ISE Migration Tool displays the current count of successful objects exports, and also lists any objects that triggered warnings or errors.
Step 6 To get more information about a warning or error that occurred during the export process, click any listed Warnings or Errors in the table. The following example shows the result returned result from choosing an error to display.
The Object Errors and Warnings Details window is displayed, which provides the object group, the type, and a date and time that this error occurred.
Step 7 Scroll to the right to display the complete set of details, and click Close to close this window.
When the data export process from the Cisco Secure ACS 5.1/5.2 system has completed (Exporting finished...), the main window of the Cisco Secure ACS-Cisco ISE Migration Tool displays this status.
Step 8 Click Export Report(s) to view the contents of the report, which summarizes the export operation as shown in the following example.
Each export report contains header information with the operation type, date and time, and system IP address or host name. Each object group details the types and related information for the objects in that group. Each report ends with an report that summarizes the start and end date and time, and the duration of the operation.
Step 9 To start importing this data into the Cisco ISE appliance, click Import to ISE in the main window of the Cisco Secure ACS-Cisco ISE Migration Tool.
You are prompted to add attributes to the LDAP identity stores before they are imported into Cisco ISE.
Step 10 Click OK to start the attribute add process for your LDAP identity stores.
Step 11 In the LDAP Identity Store drop-down list, select the identity store to which you want to add attributes.
Step 12 Enter a name in the Attribute Name field, choose an attribute type from the Attribute Type drop-down list, enter a value in the Default Value field, and click Save & Exit.
Step 13 After you have completed the attribute addition, click Import to ISE to proceed with the importing process, and log into the Cisco ISE system using the ISE Credentials window.
Step 14 Enter the ISE IP address (or hostname), ISE Username, and ISE Password as required, and click Connect to start importing data into the Cisco ISE appliance.
Step 15 At any point in the import or export process, click View Log Console to display a real-time look at the current status of the import or export operation.
Step 16 To get more information about any warning or error that occurred during the import process, click Warnings or Errors in the table where it is listed (see Step 6), and view any details.
When the data import operation is complete, this status is displayed in the main window of the Cisco Secure ACS-Cisco ISE Migration Tool.
Step 17 To view the complete report on the data that is imported into the Cisco ISE 1.1 appliance, click Import Report(s). The report is displayed.
Step 18 To analyze the policy gap between the Cisco Secure ACS and the Cisco ISE click Policy Gap Analysis Report. The report is displayed.
Verifying the Import Process
To verify that the import process has completed, complete the following steps:
Step 1 Log into the Cisco ISE 1.1 appliance:
•Enter a valid Username and Password.
Step 2 In the Cisco ISE main window, for example, navigate to Administration > Identity Management > External Identity Source > LDAP to display the LDAP Identity source window to verify if any ACS-based LDAP Identity sources were imported.
You can perform the same sort of verification for users or any other attribute to check whether the import was successful.
This concludes the import/export operations by use of the Cisco Secure ACS-Cisco ISE Migration Tool.
Providing Report Files
If you decide to share the report files with anyone, or to save them in another location, you can find the following report files in the Reports folder of the migration tool directory: