This chapter provides detailed information about the Cisco Secure ACS to Cisco ISE Migration Tool that is used for data migration from Cisco Secure ACS to Cisco ISE.
The migration tool migrates the configuration data from the following Cisco Secure ACS versions to Cisco ISE 2.2:
Cisco Secure ACS 5.5 or later—Select the ACS 5.x Supported Objects option in the migration tool to migrate all data objects.
The migration tool migrates the data objects to Cisco ISE initially followed by the corresponding policy configuration when you migrate the data objects from Cisco Secure ACS 5.5 or later.
Cisco Secure ACS 4.2—Select the ACS 4.x Supported Objects option in the migration tool to migrate data objects from Cisco Secure ACS 4.2.
The migration tool provides limited support for migration of data objects from Cisco Secure ACS 4.2. It supports migration of a subset of data objects, such as users and devices, from Cisco Secure ACS 4.2 to Cisco ISE 2.2. You must manually create the required configuration objects and relevant policy configurations after the completion of the migration process.
The differences between the Cisco Secure ACS 5.x and Cisco ISE platforms, operating systems, databases, and information models mandate a migration application that reads data from Cisco Secure ACS and creates the corresponding data in Cisco ISE. The migration application is a utility that Cisco provides to extract the configuration from Cisco Secure ACS and import it to Cisco ISE. The migration administrator can view the current progress as well as the detailed logs related to the ACS configuration during the entire migration process for troubleshooting purposes. Error messages are displayed for objects, attributes, and policies that are not migrated. After migration, we strongly recommend that you verify the accuracy of the migrated configurations. Ensure that you understand the semantics and structure of the policy sets in Cisco ISE and verify them against the access policies in Cisco Secure ACS.
Note | It is possible to leverage the migration application to extract data from Cisco Secure ACS even before installing Cisco ISE. In this manner, the migration application can be leveraged to determine the readiness for migration from Cisco Secure ACS to Cisco ISE. |
How To Migrate from ACS 5.x to ISE 2.x ACS to ISE Migration (links to videos are available in the following pages):
Before you migrate the existing Cisco Secure ACS, Release 4.2 and 5.5 or later data to a Cisco ISE, Release 2.2, VM or appliance, ensure that you have read and understood all setup, backup, and installation instructions.
We recommend that you fully understand the related data structure and schema differences between Cisco Secure ACS, Release 4.2 and 5.5 or later and Cisco ISE, Release 2.2 systems before you attempt to migrate existing Cisco Secure ACS, Release 4.2 and 5.5 or later data.
Note | Due to the differences in the Cisco ISE and Cisco Secure ACS data related to the naming convention, policy hierarchy, pre-defined objects, and so on, the migration tool may not support all objects. However, it displays warnings and errors for objects that are not migrated to facilitate corrective measures. |
The migration tool helps you to migrate the data from Cisco Secure ACS, Release 4.2 and 5.5 or later to a Cisco ISE, Release 2.2 system. The design of the tool addresses the inherent migration problems that result from differences in the underlying hardware platforms and systems, databases, and data schemes.
The migration tool runs on Linux-based and Windows-based systems. The migration tool works by exporting the Cisco Secure ACS data files, analyzing the data, and making the required data modifications that are necessary for importing the data into a format that is usable by the Cisco ISE, Release 2.2 system.
The migration tool requires minimal user interaction and a full set of configuration data.
The migration tool provides you with a complete list of unsupported objects.
The Cisco Secure ACS, Release 4.2 and 5.5 or later and Cisco ISE, Release 2.2 applications may or may not run on the same type of physical hardware. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The Cisco Secure ACS PI and the Cisco ISE REST APIs allow the Cisco Secure ACS and Cisco ISE applications to run on supported hardware platforms or VMware servers. You cannot directly run the migration tool on a Cisco Secure ACS appliance. The Cisco Secure ACS PI reads and returns the configuration data in a normalized form. The Cisco ISE REST APIs perform validation and normalize the exported Cisco Secure ACS data to persist it in a form usable by Cisco ISE software.
Note | For information about the migration process from earlier releases of Cisco Secure ACS to Cisco ISE 2.2, see Migrate from Earlier Releases of Cisco Secure ACS to Cisco ISE. |
Platform | Requirements |
---|---|
Cisco Secure ACS, Release 4.2 | Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address. |
Cisco Secure ACS, Release 5.5 or later | Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address. |
Cisco ISE, Release 2.2 | Ensure that the Cisco ISE target machine has at least 2 GB of RAM. |
Migration machine | Ensure that the migration machine has a minimum of 2 GB of RAM. |
64-Bit Windows and Linux | Install Java JRE, version 1.8 or higher 64 Bit. The migration tool will not run if you do not install Java JRE on the migration machines. |
32-Bit Windows and Linux | Install Java JRE, version 1.8 or higher 32 Bit. The migration tool will not run if you do not install Java JRE on the migration machines. |
The migration tool provides options to migrate ACS 4.x and ACS 5.x supported objects. The migration tool lists the data objects based on the selected version. The migration tool supports migration of users, identity groups, network devices, network device groups, and user-defined attributes from ACS 4.2 to Cisco ISE.
The migration tool supports:
Migration of RADIUS or TACACS based configurations—The migration tool allows you to choose the migration of objects specific to either RADIUS or TACACS. You can choose these options if your Cisco Secure ACS deployment includes only TACACS or RADIUS configurations.
RADIUS Configuration—Migrates all the configurations except TACACS specific configuration such as shell profile, command sets, and access services (Device admin).
TACACS Configuration—Migrates all the configurations except RADIUS specific configurations such as authorization profile and access services (network access).
Note | Regardless of the selected TACACS or RADIUS migration option, the migration tool migrates some TACACS and RADIUS objects to Cisco ISE. |
When migration is performed on an existing Cisco ISE installation, or from a different deployment of Cisco Secure ACS to the same Cisco ISE server:
The object is created if an object with the same name does not exist in Cisco ISE.
The migration tool displays a warning message "object already exists/resource already exists" with the details of the object name if a data object with the same name exists in Cisco ISE.
Protocol settings are updated if a network device with the same name exists in Cisco ISE, in the case of TACACS or RADIUS based migration.
Selective object migration—The migration tool allows you to select the high-level configuration components, such as predefined reference data, global operations, dictionaries, external servers, users and identity stores, devices, policy elements, and access policies, to be migrated from Cisco Secure ACS to Cisco ISE. We recommend that you refer to the object-level dependency list before performing selective object migration. Based on your requirement, you can migrate all the supported configuration components or select some of the high-level configuration components from the list of configuration components. This selective object migration can be performed based on the export and policy gap analysis reports.
Special characters in object names—If the name of the data objects in Cisco Secure ACS contains any special characters which are not supported by Cisco ISE, the migration tool converts the unsupported special characters to underscore (_) and migrates the data objects to Cisco ISE. The auto-converted data objects are displayed as warnings in the export report. However, if LDAP and AD attributes, RSA, RSA realm prompts, internal user, and all predefined reference data contain Cisco ISE unsupported special characters, the export process fails.
Migration of network devices with IP address ranges in the last octet—The migration tool enables migration of network devices configured with IP address ranges in the last octet.
Enhanced help—In the migration tool UI, you can navigate to Help > Migration Tool Usage to view the details of the options available in the migration tool.
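The underscore conversion of special characters and the "object already exists" behavior described above can be checked before a migration run. The following pre-migration audit is an added example, not part of the Cisco migration tool. It assumes a placeholder rule for which characters Cisco ISE accepts (this page does not list them) and uses constructed object names; `converted_name` and `audit_names` are hypothetical helper names. Run it once per object type.

```python
import re
from collections import defaultdict

# ASSUMPTION: the set of characters Cisco ISE accepts in object names is not
# given on this page. This placeholder pattern (letters, digits, space, '.',
# '-', '_') must be replaced with the rule from the ISE documentation.
UNSUPPORTED = re.compile(r"[^A-Za-z0-9 ._-]")

def converted_name(acs_name):
    """Name after each unsupported character is replaced with an underscore."""
    return UNSUPPORTED.sub("_", acs_name)

def audit_names(acs_names, existing_ise_names=()):
    """Classify ACS object names of one object type before a migration run.

    Returns a dict with:
      renamed    - {acs_name: converted_name} for names that will change
      collisions - {converted_name: [acs_names]} where several ACS objects
                   end up with one name after conversion (review by hand;
                   this page does not say how the tool treats that case)
      existing   - converted names already present in the target ISE, which
                   the tool reports as "object already exists"
    """
    already = set(existing_ise_names)
    by_target = defaultdict(list)
    for name in acs_names:
        by_target[converted_name(name)].append(name)
    renamed = {n: t for t, names in by_target.items() for n in names if n != t}
    collisions = {t: sorted(names) for t, names in by_target.items()
                  if len(names) > 1}
    existing = sorted(t for t in by_target if t in already)
    return {"renamed": renamed, "collisions": collisions, "existing": existing}

# Constructed sample data, not taken from any real deployment.
SAMPLE_ACS = ["Branch#Switches", "Branch/Switches", "Core-Routers",
              "VPN Users", "Guest&Contractor"]
SAMPLE_ISE = ["Core-Routers", "Guest_Contractor"]

if __name__ == "__main__":
    for kind, items in audit_names(SAMPLE_ACS, SAMPLE_ISE).items():
        print(kind, items)
```

Names listed under `collisions` or `existing` are the ones to compare against the warnings in the export report, because a policy that referenced two distinct ACS objects may end up pointing at a single ISE object.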