This appendix provides information about the data objects that are migrated, partially migrated, and not migrated from Cisco Secure ACS, Release 5.5 or later to Cisco ISE, Release 2.2.
Data structure mapping is the process by which data objects are analyzed and validated in the migration tool during the export phase.
The following data objects are supported for migration from Cisco Secure ACS 4.2 to Cisco ISE 2.2:
Users
User Groups
User Attributes
Network Devices
Network Device Group (NDG) Nodes
NDG Root type
The following data objects are migrated from Cisco Secure ACS, Release 5.5 or later to Cisco ISE, Release 2.2:
Network device ranges (in last octet) (partial support)
External TACACS+ servers
TACACS+ server sequence
TACACS+ settings
Stateless session resume capability settings
Internal users with enable password change
Internal users with password type configured as external Identity store
Disable user account if date exceeds
Global option for disabling user account after n days of inactivity
Common Name and Distinguished name for Group Name attribute in LDAP Identity Store
Date and time conditions (Partial support, see Unsupported Rule Elements)
Network conditions (end station filters, device filters, device port filters)
Maximum user sessions
RADIUS attribute and vendor-specific attributes (VSA) values
TACACS+ Profiles
Authentication, Authorization, and Authorization exception policies for TACACS+ (for policy objects)
TACACS+ Command Sets
TACACS+ proxy service
Dial-in attributes
Crypto binding attributes
Weak ciphers support for allowed protocols
Additional attributes available in policy conditions—AuthenticationIdentityStore
Additional string operators—Start with, Ends with, Contains, Not contains
Length included flag (L-bit) in EAP-MD5, EAP-TLS, LEAP, PEAP and EAP-FAST authentication
Host attributes that are of type IP address and Date are not migrated.
RSA sdopts.rec file and secondary information are not migrated.
Multiple Active Directory domains: only the Active Directory domain joined to the primary ACS instance is migrated.
The LDAP configuration defined for the primary ACS instance is migrated; configurations specific to secondary ACS instances are not migrated.
The following data objects are not migrated from Cisco Secure ACS, Release 5.5 or later to Cisco ISE, Release 2.2:
This section provides tables that list the data that is mapped during the export process. Each table lists an object category from Cisco Secure ACS, Release 5.5 or later and its equivalent in Cisco ISE, Release 2.2. The data-mapping tables also indicate whether each data object is valid or not valid when it is mapped during the export stage of the migration process.
Note | If you try to migrate NDGs whose names exceed the 101-character limit, the migration tool displays an error message stating that the export process failed. |
No specific property is associated with this object, because this value is entered only as part of the NDG hierarchy name (in addition, the NDG type is the prefix for this object name).
Cisco Secure ACS, Release 5.5 or later | Cisco ISE, Release 2.2
TACACS+ Shared Secret | Shared Secret
TACACS+ Single Connect Device | Enable Single Connect Mode
Legacy TACACS+ Single Connect Support | Legacy Cisco Device
TACACS+ Draft Compliant Single Connect Support | TACACS+ Draft Compliance Single Connect Support
No need to migrate this property (it does not exist in Cisco ISE).
Password
Not migrated
User attributes are imported from Cisco ISE and are associated with users.
Expiry days |
Supported |
Migration is done manually (using the Cisco Secure ACS to Cisco ISE migration tool). |
Note | Only the LDAP configuration defined for the primary ACS instance is migrated. |
Multiple domain support |
Only domains joined to the primary ACS instance are migrated
Binary certificate comparison with certificate from LDAP or AD | Binary certificate comparison with certificate from LDAP or AD
Common Task Attributes
Cisco Secure ACS, Release 5.5 or later | Cisco ISE, Release 2.2
Maximum Privilege (Static) | Maximum Privilege (0 to 15)
Access Control List (Static and Dynamic) | Access Control List (Static and Dynamic)
Auto Command (Static and Dynamic) | Auto Command (Static and Dynamic)
No Callback Verify (Static and Dynamic) | —
No Escape (Static and Dynamic) | No Escape (True or False)
No Hang up (Static and Dynamic) | —
Timeout (Static and Dynamic) | Timeout (Static and Dynamic)
Idle Time (Static and Dynamic) | Idle Time (Static and Dynamic)
Callback Line (Static and Dynamic) | —
Callback Rotary (Static and Dynamic) | —
Custom Attributes
Cisco Secure ACS, Release 5.5 or later | Cisco ISE, Release 2.2
Attribute | Name
Requirement (Mandatory and Optional) | Type (Mandatory and Optional)
Value (Static and Dynamic) | Value (Static and Dynamic)
Grant (Permit, Deny, Deny Always) | Grant (Permit, Deny, Deny Always)
Command | Command
Arguments | Arguments
Note | The migration tool migrates a vendor and its attributes based on the ID of the vendor and the IDs of its attributes. If the vendor name is user-defined in Cisco Secure ACS and predefined in Cisco ISE and their IDs are different, the export process succeeds but the import process fails. If the vendor name is predefined in both Cisco Secure ACS and Cisco ISE and their IDs are the same, you receive a warning message. If the vendor name is user-defined in Cisco Secure ACS and predefined in Cisco ISE and their IDs are the same, the export process fails. |
No specific property is associated with this object, because this value is entered only as part of the NDG hierarchy name (the NDG type is the prefix for this object name).
Note | Only the user-defined RADIUS attributes that are not part of a Cisco Secure ACS, Release 5.5 or later installation are required to be migrated. |
Dictionary (Set with the value “InternalUser” if it is a user identity attribute, or “InternalEndpoint” if it is a host identity attribute.) |
Connection Port | Connection Port
Network Timeout | Timeout