Understanding the Cisco Secure ACS-Cisco ISE Migration Tool
This chapter provides information about the Cisco Secure Access Control System (ACS)-Cisco Identity Services Engine (ISE) Migration Tool that is used to migrate data from a Cisco Secure ACS Release 5.1/5.2 database to the Cisco ISE Release 1.1 appliance. The following topics describe what you should know about the Cisco Secure ACS-Cisco ISE Migration Tool before using it to migrate data:
•Overview: Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1
•Cisco Secure ACS-Cisco ISE Migration Tool
Overview: Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1
The Cisco Secure ACS-Cisco ISE Migration Tool is designed to provide users that have an existing installed Cisco Secure ACS 5.1/5.2 database with a method for transporting that data to a Cisco ISE 1.1 appliance. The design of the tool addresses the inherent migration problems that result from differences in the underlying hardware platforms and systems, databases, and data schemes. The migration process that uses the Cisco Secure ACS-Cisco ISE Migration Tool has three steps:
•Exporting the Cisco Secure ACS 5.1/5.2 data from its database
•Persisting this data by using the migration tool
•Importing the persisted data into the Cisco ISE 1.1 appliance
The Cisco Secure ACS-Cisco ISE Migration Tool supports the migration of only Cisco Secure ACS 5.1/5.2 data to a Cisco ISE 1.1 appliance. For example, you can use the Cisco Secure ACS-Cisco ISE Migration Tool to perform the following data migration steps:
1. Export the Cisco Secure ACS 5.1/5.2 data from the Cisco Secure ACS-1121 hardware appliance to a secure external server with a database.
2. Back up the Cisco Secure ACS data.
3. Reimage the Cisco Secure ACS-1121 hardware appliance, which is the same physical hardware as the Cisco ISE 3315 appliance, with the Cisco ISE 1.1 software.
4. Import the converted Cisco Secure ACS Release 5.1/5.2 data from the secure external server into the Cisco ISE 1.1 appliance.
The only supported direct migration process that uses the Cisco Secure ACS-Cisco ISE Migration Tool is from a Cisco Secure ACS 5.1/5.2 system to a Cisco ISE 1.1 appliance. However, you can upgrade earlier versions of Cisco Secure ACS data to a Cisco Secure ACS 5.1/5.2 state by using the options that are listed in Table 2-1.
The Cisco Secure ACS-Cisco ISE Migration Tool migrates data from a Cisco Secure ACS 5.1/5.2 system to a Cisco ISE 1.1 appliance, which is a different process from an upgrade that is used for earlier versions of Cisco Secure ACS 3.x to 4.x.
Note For information and documentation links about migrating Cisco Secure ACS 3.x and 4.x to 5.0 to Cisco Secure ACS 5.1/5.2, see Chapter 5 "Migrating Data from the Cisco Secure ACS 3.x and 4.x to the ACS 5.1/5.2." Chapter 5 also provides information and documentation links about migrating Cisco Secure ACS 5.0 to Cisco Secure ACS 5.1/5.2.
Cisco Secure ACS-Cisco ISE Migration Tool
This section describes:
•Migration Tool Components
•Data Structure Mapping
The Cisco Secure ACS-Cisco ISE Migration Tool runs on Windows-based systems. It works by importing the Cisco Secure ACS data files, analyzing the data, and making the modifications required to convert the data into a format that is usable by the Cisco ISE 1.1 system.
The Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 applications may or may not run on the same type of physical hardware. The Cisco Secure ACS-Cisco ISE Migration Tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The Cisco Secure ACS PI and the Cisco ISE REST APIs allow the Cisco Secure ACS and ISE applications to run on any of the supported hardware platforms or VMware servers.
Because the Cisco Secure ACS is considered a closed appliance, running the migration tool directly on the Cisco Secure ACS-1121 appliance is not permitted. Instead, the Cisco Secure ACS PI reads and returns the ACS configuration data in a normalized form. The Cisco ISE REST APIs perform validation and normalize the exported Cisco Secure ACS data to persist it in a form usable by Cisco ISE software.
Note You should run the migration tool only after a fresh Cisco ISE installation or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Therefore, the Cisco ISE FIPS mode should not be enabled before the migration process is complete.
Figure 2-1 explains the deployment scenario when Cisco Secure ACS and Cisco ISE are installed on different appliances (dual-appliance deployment).
Figure 2-1 Cisco Secure ACS and Cisco ISE Installed on Different Appliances
Figure 2-2 shows the deployment scenario when Cisco Secure ACS is installed on the same appliance upon which the Cisco ISE software will be installed (single-appliance deployment). In a single-appliance deployment, complete the following steps:
Step 1 Install the Cisco Secure ACS-Cisco ISE Migration Tool on a standalone Windows machine.
Step 2 Export the Cisco Secure ACS 5.1/5.2 data from the Cisco Secure ACS appliance.
Step 3 Back up the Cisco Secure ACS data.
Step 4 Reimage the appliance with the Cisco ISE 1.1 software.
Step 5 Import the Cisco Secure ACS 5.1/5.2 data into the Cisco ISE 1.1 appliance.
Note When you are ready to start migrating Cisco Secure ACS 5.1/5.2 data to a Cisco ISE appliance, make sure that it is to a standalone Cisco ISE node. Only after migration has been successfully completed should you begin any deployment configuration (such as setting up Administrator ISE and Policy Service ISE personas). It is a requirement that the migration import phase be performed on a "clean" new installation of the Cisco ISE software on a supported hardware appliance. See the Cisco Identity Services Engine Hardware Installation Guide, Release 1.1, for the list of supported hardware appliances.
Figure 2-2 Cisco Secure ACS and Cisco ISE Installed on a Single Appliance
Migration Tool Components
The migration application consists of the following components:
•Export and Import
A minimal set of configuration data is needed as input at the beginning of the migration process and the application then proceeds to migrate the full set of configuration items. You must enter the IP address (or hostname) of the primary Cisco Secure ACS server and the Cisco ISE server, along with the administrator credentials. After you have been authenticated, the Cisco Secure ACS-Cisco ISE Migration Tool proceeds to migrate the full set of configured data items in a form similar to an upgrade.
Usually no additional operator intervention is required after the migration process starts. However, as the migration progresses, some data may not be mapped automatically between the two applications. The administrator handling the migration is notified of this type of data, which must be resolved before the migration is complete.
As the migration proceeds, you can monitor the real-time migration status along with the progress of that activity. For troubleshooting, detailed logs are available and accessible within the migration tool.
Export and Import
You can perform import and export operations as discrete operations or in sequence. These steps may take a long time, depending upon the amount of data being migrated, so the migration tool periodically displays checkpoints with the status of the activity being performed. These checkpoints allow you to restart the migration process from the checkpoint in case of any failure.
Export and Data Persistence
The export component is active during the migration phase when Cisco Secure ACS data is exported from the Cisco Secure ACS 5.1/5.2 database using the Cisco Secure ACS PI. You can start the export process after you connect with the Cisco Secure ACS system, request that data be exported, and are authenticated.
A direct upgrade from the Cisco Secure ACS to the Cisco ISE is not supported. The Cisco Secure ACS-Cisco ISE Migration Tool assists you if you want to uninstall the Cisco Secure ACS 5.1/5.2 software and reimage the physical hardware with the Cisco ISE 1.1 software. The migration tool persists the Cisco Secure ACS data while the reimage process is completing and before the import stage begins.
Data Analysis and Import
During the export phase, the Cisco Secure ACS-Cisco ISE Migration Tool reads and analyzes the data from the Cisco Secure ACS to confirm that it can be created correspondingly on the Cisco ISE appliance. Because the Cisco Secure ACS and Cisco ISE policy models are not the same, some of the ACS data might not be supported by ISE. The tool reports any issue with the data, which may require administrator intervention at the end of the export phase.
Data Structure Mapping
Data structure mapping from the Cisco Secure ACS 5.1/5.2 to Cisco ISE 1.1 is the process by which each of the data objects is analyzed and validated during the export phase by the Cisco Secure ACS-Cisco ISE Migration Tool. For a complete list of the data information mapping that takes place during export, see the table in "Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 Data Structure Mapping".