Cisco Identity Services Engine, Release 1.2 Migration Tool Guide
Cisco Secure ACS 5.3 to Cisco ISE 1.2 Migration Overview

Cisco Secure ACS to Cisco ISE Data Migration

Table Of Contents

Cisco Secure ACS to Cisco ISE Data Migration

Supported Data Migration from Cisco Secure ACS to Cisco ISE

Cisco Secure ACS 5.3 and Cisco ISE, Release 1.2 Policy Models

Cisco Secure ACS 5.3 and Cisco ISE Policy Model Differences

Cisco ISE and Cisco Secure ACS Deployment Models

Migration Features

Exporting Data

Data Persistency

Importing Data

Object Scalability

High Availability

Reporting

UTF-8 Support

FIPS Support for ISE 802.1X Services

Cisco Secure ACS/Cisco ISE Version Validation


Cisco Secure ACS to Cisco ISE Data Migration


Data migration from Cisco Secure Access Control System (ACS), Release 5.3, to Cisco Identity Services Engine (ISE), Release 1.2, requires minimal user interaction and covers the full set of configuration data.

This chapter covers the following topics:

Supported Data Migration from Cisco Secure ACS to Cisco ISE

Cisco Secure ACS 5.3 and Cisco ISE, Release 1.2 Policy Models

Cisco ISE and Cisco Secure ACS Deployment Models

Migration Features

Supported Data Migration from Cisco Secure ACS to Cisco ISE

Data migration is supported from Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2, with the Cisco Secure ACS to Cisco ISE Migration Tool. If you are running an earlier release of Cisco Secure ACS (Release 3.x or 4.x), see the "Migration from Earlier Cisco Secure ACS Releases" section.


Note Not all Cisco Secure ACS data can be migrated into Cisco ISE, because of a functional gap between the two products that changes with each Cisco Secure ACS or Cisco ISE release. The Cisco Secure ACS to Cisco ISE Migration Tool provides you with a complete list of unsupported objects. For more information, see Figure 4-1.


When you migrate a Cisco Secure ACS, Release 5.3 database to Cisco ISE, Release 1.2, data migration supports the following:

Provides support for new features of Cisco Secure ACS, Release 5.3 in Cisco ISE, Release 1.2.

Provides support for new features in Cisco ISE, Release 1.2, when data is migrated from Cisco Secure ACS, Release 5.3.

Minimizes the configuration gap between Cisco Secure ACS, Release 5.3 and Cisco ISE, Release 1.2, which means that data migration supports Cisco Secure ACS features that were not supported before in Cisco ISE.

Table 1-1 Cisco Secure ACS Releases to Cisco ISE Release Supported Migration

                 Cisco Secure ACS     Cisco Secure ACS   Cisco Secure ACS   Cisco Secure ACS
                 3.x, 4.x, and 5.0    5.1                5.2                5.3
Cisco ISE 1.0    Not Supported        Supported          Not Supported      Not Supported
Cisco ISE 1.1    Not Supported        Supported          Supported          Not Supported
Cisco ISE 1.2    Not Supported        Not Supported      Not Supported      Supported


Related Topics

For information on migrating data from Cisco Secure ACS, Release 5.3, see Chapter 3 "Migrating Data from Cisco Secure ACS 5.3 to Cisco ISE, Release 1.2."

Cisco Secure ACS 5.3 and Cisco ISE, Release 1.2 Policy Models

Authentication and authorization policies are migrated from Cisco Secure ACS, Release 5.3 to Cisco ISE, Release 1.2. Cisco Secure ACS and Cisco ISE both have simple and rule-based authentication paradigms, but they are built on different policy models, which makes migrating Cisco Secure ACS policies to Cisco ISE somewhat complex.

However, Cisco ISE, Release 1.2, supports a new policy model called Policy Set, which is similar to the Service Selection Policy (SSP) in Cisco Secure ACS, Release 5.3 and this has helped simplify the policy migration process.

Cisco Secure ACS 5.3 and Cisco ISE Policy Model Differences

In Cisco Secure ACS, Release 5.3, the Service Selection Policy (SSP) distributes requests to the appropriate access services based on SSP rules. In Cisco ISE, each policy set holds an entry rule whose condition is the entry criterion for that policy set. Policy sets are ordered in the same order as their entry rules, which corresponds to the order of the SSP rules.

In Cisco Secure ACS you can define a policy service that no SSP rule requests; such a service is simply inactive. In Cisco ISE you cannot have a policy set without an entry rule that refers to it.

In Cisco Secure ACS you can define SSP rules as disabled or monitored, whereas the equivalent entry rules of a policy set are always enabled in Cisco ISE. If an SSP rule is disabled or monitored in Cisco Secure ACS, the policy service that it requests cannot be migrated to Cisco ISE.

In Cisco Secure ACS, several SSP rules might request the same service, that is, reuse a service. In Cisco ISE, each policy set carries its own entry condition, so a policy set cannot be reused. If you want to migrate a single service that is requested by several SSP rules, you must create multiple policy sets that are copies of that service: one policy set in Cisco ISE for each SSP rule that requests the same service in Cisco Secure ACS.

Cisco Secure ACS, Release 5.3 has an out-of-the-box DenyAccess service, which has neither policies nor allowed protocols. The default SSP rule in Cisco Secure ACS points to this service and therefore automatically denies all requests. There is no equivalent policy set in Cisco ISE.

In Cisco Secure ACS, Release 5.3, the identity policy is a flat list of rules, each of which results in an identity source (an identity source or an identity store sequence). In Cisco ISE, an authentication policy holds two levels of rules, outer policy rules and inner policy rules. The outer policy rules result in the allowed protocols and are the entry criteria to the set of inner policy rules. The inner policy rules result in the identity source.

In Cisco Secure ACS, Release 5.3, allowed protocols are attached to the entire service, not to a specific policy, and are not conditioned except by the condition in the SSP that points to the entire service. In Cisco ISE, allowed protocols are the result of a conditioned outer rule and therefore refer only to the authentication policies that the outer rule selects.

Both Cisco Secure ACS, Release 5.3 and Cisco ISE, Release 1.2, include an optional exception policy attached to each authorization policy. Cisco ISE, Release 1.2 additionally provides an optional Global Exception Policy, which affects all authorization policies. There is no equivalent to the Global Exception Policy in Cisco Secure ACS, Release 5.3. During authorization, the local exception policy is processed first, followed by the Global Exception Policy and then the authorization policy.
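The SSP-to-policy-set mapping described in this section, as an added example that models the stated rules in code; this is not the migration tool's own code, and the record layouts (SspRule, AccessService, PolicySet) and the sample data are constructed assumptions. It creates one policy set per enabled SSP rule in SSP order, copies a service that several rules request, and reports DenyAccess, services requested only by disabled or monitored rules, and services no rule requests, because none of these has a Cisco ISE equivalent.

```python
from dataclasses import dataclass


@dataclass
class SspRule:
    """One Service Selection Policy rule (record layout assumed)."""
    name: str
    condition: str          # entry condition text, e.g. "NDG:Device Type Equals Switch"
    service: str            # name of the access service the rule requests
    state: str = "enabled"  # "enabled", "disabled" or "monitored"


@dataclass
class AccessService:
    """One Cisco Secure ACS access service (record layout assumed)."""
    name: str
    allowed_protocols: list    # attached to the whole service, not to a policy
    has_policies: bool = True  # False models the out-of-the-box DenyAccess service


@dataclass
class PolicySet:
    """One Cisco ISE policy set: an entry rule plus the service's content."""
    name: str
    entry_condition: str
    allowed_protocols: list
    order: int


def migrate_ssp(rules, services):
    """Return (policy_sets, skipped).

    Policy sets are created in SSP order, one per enabled SSP rule, so a service
    requested by several rules becomes several copies. DenyAccess, services
    requested only by disabled or monitored rules, and services no rule requests
    have no Cisco ISE equivalent and are reported in `skipped` as (name, reason).
    """
    by_name = {s.name: s for s in services}
    policy_sets, skipped, copies = [], [], {}
    for rule in rules:
        if rule.state != "enabled":
            continue  # its service is reported below unless an enabled rule also requests it
        svc = by_name.get(rule.service)
        if svc is None or not svc.has_policies:
            skipped.append((rule.name, f"requests {rule.service}, which has neither policies "
                                       "nor allowed protocols (DenyAccess); no equivalent policy set"))
            continue
        n = copies.get(svc.name, 0)
        copies[svc.name] = n + 1
        name = svc.name if n == 0 else f"{svc.name}_copy{n}"
        policy_sets.append(PolicySet(name, rule.condition, list(svc.allowed_protocols),
                                     len(policy_sets) + 1))

    requested_by_enabled = {r.service for r in rules if r.state == "enabled"}
    requested_at_all = {r.service for r in rules}
    for svc in services:
        if svc.has_policies and svc.name not in requested_by_enabled:
            why = ("requested only by disabled or monitored SSP rules"
                   if svc.name in requested_at_all
                   else "not requested by any SSP rule; no policy set without an entry rule in ISE")
            skipped.append((svc.name, why))
    return policy_sets, skipped


# Constructed sample input (not from a real ACS export).
SAMPLE_SERVICES = [
    AccessService("Wired_Dot1x", ["EAP-TLS", "PEAP"]),
    AccessService("VPN_Access", ["PAP"]),
    AccessService("Guest_Portal", ["PAP"]),
    AccessService("Unused_Service", ["CHAP"]),
    AccessService("DenyAccess", [], has_policies=False),
]
SAMPLE_RULES = [
    SspRule("Rule-1", "NDG:Device Type Equals Switch", "Wired_Dot1x"),
    SspRule("Rule-2", "NDG:Device Type Equals ASA", "VPN_Access"),
    SspRule("Rule-3", "NDG:Location Equals Branch", "Wired_Dot1x"),   # reuses Wired_Dot1x
    SspRule("Rule-4", "Protocol Equals Radius", "Guest_Portal", state="disabled"),
    SspRule("Default", "", "DenyAccess"),
]

if __name__ == "__main__":
    sets, skipped = migrate_ssp(SAMPLE_RULES, SAMPLE_SERVICES)
    for ps in sets:
        print(f"{ps.order}. {ps.name}: entry '{ps.entry_condition}', protocols {ps.allowed_protocols}")
    for name, reason in skipped:
        print(f"not migrated: {name}: {reason}")
```

Running it yields three policy sets (the second Wired_Dot1x rule becomes Wired_Dot1x_copy1 in third position) and three skipped entries; the skipped list is the material an administrator would need to recreate by hand after the import.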

Cisco ISE and Cisco Secure ACS Deployment Models

The Cisco Identity Services Engine (ISE) deployment model consists of one primary node with multiple secondary nodes. Each Cisco ISE node in a deployment can take one or more of the following personas: Administration, Policy Service, and Monitoring. After you install Cisco ISE, all the nodes are in the standalone state. You must define one of the Cisco ISE nodes to be the primary, running the Administration persona. After you have defined the primary node, you can configure the other Cisco ISE nodes in the network with the Policy Service and Monitoring personas. You can then register the other nodes as secondary nodes with the primary node and define specific roles for each of them. When you register a Cisco ISE node as a secondary node, Cisco ISE immediately creates a database link from the primary to the secondary node and begins the process of replication. All configuration changes are made on the primary Administration ISE node and are replicated to the secondary nodes. The Monitoring ISE node acts as the log collector.

The Cisco Secure Access Control System (ACS) deployment model consists of one primary and multiple secondary Cisco Secure ACS servers, where configuration changes are made on the primary Cisco Secure ACS server. These configurations are replicated to the secondary Cisco Secure ACS servers. All primary and secondary Cisco Secure ACS servers can process AAA requests. The primary Cisco Secure ACS server is also the default log collector for the Monitoring and Report Viewer, although you can configure any Cisco Secure ACS server to be the log collector.

Migration Features

The migration tool is responsible for transferring Cisco Secure ACS data to Cisco ISE and performs three major steps:

1. Exports data from Cisco Secure ACS.

2. Persists data in the migration tool.

3. Imports data into Cisco ISE.


The following are major features of the Cisco Secure ACS 5.3 to Cisco ISE, Release 1.2 migration process:

Exporting Data

Data Persistency

Importing Data

Object Scalability

High Availability

Reporting

UTF-8 Support

FIPS Support for ISE 802.1X Services

Cisco Secure ACS/Cisco ISE Version Validation

Exporting Data

The first stage in the migration process is to export Cisco Secure ACS data using the Cisco Secure ACS Programmatic Interface (PI). You have to log in to the Cisco Secure ACS, Release 5.3 system from which you will be exporting data and request to export the data into the migration application. The exported data is validated to verify if it can be imported into a Cisco ISE, Release 1.2, appliance successfully. In cases where the data is invalid, the status is logged in the Export Report.

Data Persistency

Cisco ISE does not support an in-place upgrade from Cisco Secure ACS to Cisco ISE. Therefore, if you want to move a Cisco Secure ACS appliance to Cisco ISE, you have to uninstall Cisco Secure ACS, Release 5.3 and reimage the appliance with the Cisco ISE, Release 1.2 image. The migration tool persists the Cisco Secure ACS data before the reimage takes place and the importing stage begins. The persisted data is stored in an encrypted format.

Importing Data

At the import stage, the migration tool contains information from Cisco Secure ACS and is ready to import the data into Cisco ISE. If you use the same machine to install Cisco ISE, you have to reimage the Cisco Secure ACS machine with the Cisco ISE, Release 1.2 image and start the import operation. If you want to use a different machine for Cisco ISE, it should be a clean machine right after installation, without any configuration on it.

You can view the import progress through the Cisco Secure ACS-Cisco ISE Migration Tool user interface. You can see the object types that are being transferred and how many objects are pending for delivery. Any errors during this process are logged in the Import Report.

Object Scalability

The migration tool supports object scale as described in Table 1-2.

Table 1-2 Object Scalability for Migration from Cisco Secure ACS to Cisco ISE, Release 1.2

Objects                                          Small Deployment   Medium Deployment   Large Deployment
Users (AD[1]/LDAP[2]/internal), per deployment   1,000              10,000              25,000
Hosts/endpoints                                  1,000              10,000              100,000
Network devices                                  500                1,000               10,000
Identity groups                                  1                  5                   20
Authorization profiles                           5                  10                  30
User dictionaries                                2                  5                   20
User attributes                                  1                  5                   8
User groups                                      2                  10                  100
DACLs[3] (each contains 1,600 entries)           5                  20                  50

[1] AD is an acronym for Microsoft Windows Active Directory (see Active Directory in the ).

[2] LDAP is an acronym for Lightweight Directory Access Protocol (see LDAP in the ).

[3] DACL is an acronym for downloadable access control list (see DACL in the ).


High Availability

The Cisco Secure ACS to Cisco ISE Migration Tool maintains a checkpoint at each stage of the import or export operation. This means that if the process of importing or exporting fails, you do not have to restart the process from the beginning. You can start from the last checkpoint before the failure occurred.

If the migration process fails, the migration tool terminates the process. When you restart the migration tool after a failure, a dialog box is displayed that allows you to choose to resume the previous import/export or discard the previous process and start a new migration process. If you choose to resume the previous process, the migration process resumes from the last checkpoint. Resuming from a failure also resumes the report to run from the previous process.

Reporting

Three Cisco ISE reports are generated during Cisco Secure ACS 5.3 data migration. If you decide to share the report files with anyone, or want to save them to another location, you can find the files in the Reports folder of the migration tool directory:

import_report.txt

export_report.txt

policy_gap_report.txt

Export Report—Indicates specific information or errors that are encountered during the export of data from the Cisco Secure ACS database. It contains a data analysis section at the end of the report, which describes the functional gap between Cisco Secure ACS and Cisco ISE. The export report also includes error information for exported objects that will not be imported. See Table 1-3.

Table 1-3 Cisco Secure ACS to Cisco ISE Migration Tool Export Report

Report Type   Message Type    Message Description
Export        Informational   Lists the names of the data objects that were exported successfully.
              Warning         Lists export failures or exports that were not attempted because the data
                              object is not supported by Cisco ISE, Release 1.2 (for example, a
                              TACACS-based device).


Import Report—Indicates specific information or errors that are encountered during the import of data into the Cisco ISE appliance. See Table 1-4.

Table 1-4 Cisco Secure ACS to Cisco ISE Migration Tool Import Report

Report Type   Message Type    Message Description
Import        Informational   Lists the names of the data objects that were imported successfully.
              Error           Identifies a data object error due to one of the following:
                                  Object exists already
                                  Object name exceeds the character limit
                                  Object name contains unsupported special characters
                                  Object contains unsupported data characters
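The checkpoint-and-resume behaviour from the High Availability section and the four import error categories from Table 1-4, as one added example; it is not the migration tool's code. The checkpoint file format, the 64-character name limit, the permitted name characters, and the reading of "unsupported data characters" as ASCII control characters are all assumptions, and the sample objects are constructed. The run below fails part-way, restarts, and resumes from the last checkpoint with the earlier report lines intact.

```python
import json
import os
import re
import tempfile

NAME_LIMIT = 64                              # assumed name length limit
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+$")   # assumed set of permitted name characters


class ImportAborted(Exception):
    """Simulates the tool terminating the process when a failure occurs."""


def classify(obj, target):
    """Return the import-report error for obj, or None if it can be imported."""
    name = obj["name"]
    if name in target:
        return "Object exists already"
    if len(name) > NAME_LIMIT:
        return "Object name exceeds the character limit"
    if not NAME_RE.match(name):
        return "Object name contains unsupported special characters"
    # Assumed definition of "unsupported data characters": ASCII control characters.
    if any(ord(ch) < 32 for value in obj["data"].values() for ch in value):
        return "Object contains unsupported data characters"
    return None


def load_checkpoint(path):
    """Return the saved progress, or a fresh state when no checkpoint exists."""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            return json.load(fh)
    return {"next_index": 0, "report": []}


def save_checkpoint(path, state):
    """Write the checkpoint atomically so a crash never leaves a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w", encoding="utf-8") as fh:
        json.dump(state, fh)
    os.replace(tmp, path)


def run_import(objects, target, checkpoint_path, fail_at=None):
    """Import objects into target (a dict standing in for Cisco ISE).

    Progress and the import report both live in the checkpoint, so a rerun
    resumes at the first object not yet delivered and keeps the earlier report
    lines. fail_at raises ImportAborted before that index to simulate a failure.
    """
    state = load_checkpoint(checkpoint_path)
    for i in range(state["next_index"], len(objects)):
        if fail_at == i:
            raise ImportAborted(f"simulated failure before object {i}")
        obj = objects[i]
        err = classify(obj, target)
        if err:
            state["report"].append(["Error", obj["name"], err])
        else:
            target[obj["name"]] = obj["data"]
            state["report"].append(["Informational", obj["name"], "imported successfully"])
        state["next_index"] = i + 1
        save_checkpoint(checkpoint_path, state)  # checkpoint after every object
    return state["report"]


# Constructed sample: network devices as the tool would deliver them.
SAMPLE_OBJECTS = [
    {"name": "Switch-1", "data": {"ip": "10.0.0.2"}},          # already present in ISE
    {"name": "Core-Router-A", "data": {"ip": "10.0.0.1"}},
    {"name": "N" * 70, "data": {"ip": "10.0.0.3"}},            # too long
    {"name": "Bad Name!", "data": {"ip": "10.0.0.4"}},         # special characters
    {"name": "Desc-Ctrl", "data": {"ip": "10.0.0.5", "description": "line1\nline2"}},
    {"name": "Edge-Sw-2", "data": {"ip": "10.0.0.6"}},
]


def demo(workdir=None):
    """Fail part-way through, then resume; return (report, target)."""
    workdir = workdir or tempfile.mkdtemp()
    path = os.path.join(workdir, "import.checkpoint")
    target = {"Switch-1": {"ip": "10.0.0.2"}}  # object that already exists in ISE
    try:
        run_import(SAMPLE_OBJECTS, target, path, fail_at=2)
    except ImportAborted:
        pass  # on restart the operator chooses to resume the previous import
    report = run_import(SAMPLE_OBJECTS, target, path)
    return report, target


if __name__ == "__main__":
    for line in demo()[0]:
        print("\t".join(line))
```

The first run delivers two objects and checkpoints after each before the simulated failure; the second run starts at index 2, so the final report carries all six lines and the target holds only the three objects that passed classification.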


Policy Gap Analysis Report—Lists specific information related to the policy gap between Cisco Secure ACS and Cisco ISE and is available after the export completes by clicking the Policy Gap Analysis Report button in the migration tool user interface. See Figure 1-1.

During the export phase, the migration tool identifies gaps in the authentication and authorization policies. If any policy is not migrated, it is listed in the Policy Gap Analysis report. The report lists all the incompatible rules and conditions that are related to policies. It describes data that cannot be migrated and the reason for a manual workaround.

Some conditions can be automatically migrated by using the appropriate Cisco ISE terminology, for example, a condition named Device Type In is migrated as Device Type Equals. If a condition is supported or can be automatically translated, it does not appear in the report. If a condition is found as "Not Supported" or "Partially supported," the policy is not imported and the conditions appear in the report. It is the responsibility of the administrator who is performing the migration to modify or delete such conditions. If they are not modified or deleted, policies are not migrated to Cisco ISE.
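The condition-level gap analysis described in the two paragraphs above, as an added example that is not the migration tool's code: a translatable condition is rewritten to Cisco ISE terminology and does not appear in the report, a supported condition passes through, and a "Not Supported" or "Partially supported" condition is reported and keeps the whole policy from being imported. The "Device Type In" to "Device Type Equals" translation comes from the page; every other entry in the three tables, the (attribute, operator, value) condition layout and the sample policies are assumptions.

```python
# Conditions are (attribute, operator, value) triples; the layout is assumed.
TRANSLATE = {("Device Type", "In"): ("Device Type", "Equals")}            # example given on the page
SUPPORTED = {("Device Type", "Equals"), ("Protocol", "Equals"),
             ("Identity Group", "Equals")}                                  # assumed
PARTIALLY_SUPPORTED = {("Time And Date", "Matches")}                        # assumed
WORKAROUND = "Modify or delete this condition in Cisco Secure ACS, then re-run the export"


def analyze_policy(policy):
    """Return (migrated_policy, gap_entries).

    migrated_policy is None when any condition is Not Supported or Partially
    supported, because such a policy is not imported.
    """
    migrated_rules, gaps = [], []
    for rule in policy["rules"]:
        new_conditions = []
        for attr, op, value in rule["conditions"]:
            key = (attr, op)
            if key in TRANSLATE:
                new_conditions.append(TRANSLATE[key] + (value,))  # rewritten, not reported
            elif key in SUPPORTED:
                new_conditions.append((attr, op, value))
            else:
                status = "Partially supported" if key in PARTIALLY_SUPPORTED else "Not Supported"
                gaps.append({"policy": policy["name"], "rule": rule["name"],
                             "condition": f"{attr} {op} {value}", "status": status,
                             "workaround": WORKAROUND})
        migrated_rules.append({"name": rule["name"], "conditions": new_conditions})
    if gaps:
        return None, gaps
    return {"name": policy["name"], "rules": migrated_rules}, gaps


def run_gap_analysis(policies):
    """Return (policies that can be imported, gap report entries)."""
    migrated, report = [], []
    for policy in policies:
        result, gaps = analyze_policy(policy)
        if result is not None:
            migrated.append(result)
        report.extend(gaps)
    return migrated, report


def format_report(report):
    """Render the gap entries as text lines in the spirit of policy_gap_report.txt."""
    lines = ["Policy Gap Analysis Report", ""]
    for g in report:
        lines.append(f"{g['policy']} / {g['rule']}: '{g['condition']}' - {g['status']}. "
                     f"{g['workaround']}.")
    return lines


# Constructed sample authorization policies (not from a real ACS export).
SAMPLE_POLICIES = [
    {"name": "Wired_AuthZ", "rules": [
        {"name": "Rule-A", "conditions": [("Device Type", "In", "Switch")]},
        {"name": "Rule-B", "conditions": [("Identity Group", "Equals", "Employees")]},
    ]},
    {"name": "VPN_AuthZ", "rules": [
        {"name": "Rule-C", "conditions": [("Time And Date", "Matches", "WorkHours")]},
        {"name": "Rule-D", "conditions": [("Device Port", "In", "Gi1/0/1")]},
    ]},
]

if __name__ == "__main__":
    migrated, report = run_gap_analysis(SAMPLE_POLICIES)
    print("importable:", [p["name"] for p in migrated])
    print("\n".join(format_report(report)))
```

Wired_AuthZ is importable with Rule-A rewritten to "Device Type Equals Switch"; VPN_AuthZ is held back and both of its conditions appear in the report with the status that explains why.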

Figure 1-1 Example of Policy Gap Analysis Report

UTF-8 Support

Cisco ISE, Release 1.2, supports 8-bit Unicode Transformation Format (UTF-8) for some administration configurations. The following configuration items are exported and imported with UTF-8 encoding:

Network Access user configuration
    Username
    Password and re-enter password
    First name
    Last name
    Email

RSA: RSA prompts and messages are shown to the end user by the supplicant.
    Messages
    Prompts

RADIUS Token: the RADIUS token prompt is presented on the end-user supplicant.
    Authentication Tab > Prompts

Administrator Configuration
    Administrator username and password
    Configure administrator by using UTF-8

Policies:
    Authentication > Value for AV expression
    Authorization > Other Conditions > Value for AV expression

Attribute-value conditions
    Authentication > Simple Condition/Compound Condition > Value for AV expression
    Authorization > Simple Condition/Compound Condition > Value for AV expression

FIPS Support for ISE 802.1X Services

In order to support Federal Information Processing Standard (FIPS), the Cisco Secure ACS-Cisco ISE Migration Tool migrates the default network device keywrap data.


Note The Cisco ISE FIPS mode should not be enabled before the migration process is complete.


FIPS-compliant and supported protocols:

Process Host Lookup

Extensible Authentication Protocol-Transport Layer Security (EAP-TLS)

Protected Extensible Authentication Protocol (PEAP)

EAP-Flexible Authentication via Secure Tunneling (FAST)

FIPS-noncompliant and unsupported protocols:

EAP-Message Digest 5 (MD5)

Password Authentication Protocol and ASCII

Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol version 1 (MS-CHAPv1)

Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2)

Lightweight Extensible Authentication Protocol (LEAP)

Cisco Secure ACS/Cisco ISE Version Validation

The Cisco Secure ACS to Cisco ISE Migration Tool identifies the Cisco Secure ACS release version before the export phase begins. The migration process will not start if the Cisco Secure ACS version is lower or higher than 5.3. In addition, before importing the data to Cisco ISE, the tool verifies that the Cisco ISE release version is 1.2.