Installing the Cisco Secure ACS-Cisco ISE Migration Tool
This chapter provides information about installing the Cisco Secure Access Control System (ACS)-Cisco Identity Services Engine (ISE) Migration Tool, describes important migration tool installation considerations, and describes the migration process in the following topics:
• Migration Tool Installation Guidelines
• System Requirements
• Security Considerations
• Data Migration and Deployment Scenarios
• Installing and Initializing the Cisco Secure ACS-Cisco ISE Migration Tool
Migration Tool Installation Guidelines
Before you begin the installation, observe the following guidelines:
• Ensure that your environment is ready for migration. In addition to your Cisco Secure ACS 5.1/5.2 Windows or Linux source machine, you must deploy a secure external system with a database for either the single- or dual-appliance migration, and a Cisco ISE 1.1 appliance as your target system.
• Ensure that you have configured the Cisco Secure ACS 5.1/5.2 source machine with a single IP address. The migration tool may fail during migration if each interface has multiple IP address aliases.
• Ensure that you have a backup of ACS data in case the migration from ACS to ISE is performed on the same appliance.
• Ensure that you have completed these tasks:
  – Installed Cisco ISE 1.1 on the target machine (if this is a dual-appliance migration).
  – Have the Cisco ISE 1.1 software available to reimage the CSACS-1121 appliance (if this is a single-appliance migration).
  – Have all the proper Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 credentials and passwords.
• Be able to establish network connections between the source machine and the secure external system with a database.
System Requirements
Your Cisco Secure ACS machines must meet the system requirements described in Table 3-1. All documents are available on Cisco.com.
Table 3-1 System Requirements for Migration Machines
Platform | Requirements
Cisco Secure ACS 5.1/5.2 source machine | Refer to the Installation Guide for Cisco Secure ACS for Windows 5.1. Ensure that you have configured the Cisco Secure ACS 5.1 source machine to have a single IP address.
Cisco ISE 1.1 target machine | Refer to the following documents: Cisco Identity Services Engine Hardware Installation Guide, Release 1.1; Cisco Identity Services Engine Hardware Installation Guide, Release 1.1.1. This appliance must have at least 2 GB of RAM.
Linux, Windows XP | Install Java JRE, version 1.6 or higher 32 Bit. The migration tool will not run if you do not install Java JRE on the migration machine.
64 Bit Windows 7 | Install Java JRE, version 1.6 or higher 64 Bit. The migration tool will not run if you do not install Java JRE on the migration machine.
32 Bit Windows 7 | Install Java JRE, version 1.6 or higher 32 Bit. The migration tool will not run if you do not install Java JRE on the migration machine.
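A pre-flight check for two requirements stated above, the single IP address on the source machine and the JRE version and bitness in Table 3-1, as an added example that is not part of the Cisco guide or the migration tool. It assumes the text comes from `ip -o -4 addr show` on a Linux host and from `java -version`; the function names and sample outputs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `ip -o -4 addr show` output (not captured from a real ACS host).
SAMPLE_IP = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:1\\       valid_lft forever preferred_lft forever
"""

# Constructed sample of `java -version` output from a 64-bit JRE 1.6.
SAMPLE_JAVA = """\
java version "1.6.0_45"
Java(TM) SE Runtime Environment (build 1.6.0_45-b06)
Java HotSpot(TM) 64-Bit Server VM (build 20.45-b01, mixed mode)
"""


def aliased_interfaces(ip_output):
    """Return {interface: [addresses]} for non-loopback interfaces with more than one IPv4 address."""
    addrs = defaultdict(list)
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "inet" and fields[1] != "lo":
            addrs[fields[1]].append(fields[3].split("/")[0])
    return {ifname: ips for ifname, ips in addrs.items() if len(ips) > 1}


def jre_problems(java_output, want_bits):
    """Check `java -version` text against Table 3-1: version 1.6 or higher, given bitness."""
    m = re.search(r'version "(\d+)(?:\.(\d+))?', java_output)
    if not m:
        return ["no JRE version string found; the migration tool will not run without a JRE"]
    major, minor = int(m.group(1)), int(m.group(2) or 0)
    feature = minor if major == 1 else major  # "1.6.0_45" -> 6, "11.0.2" -> 11
    problems = []
    if feature < 6:
        problems.append("JRE %d.%d is older than 1.6" % (major, minor))
    bits = 64 if "64-Bit" in java_output else 32  # 32-bit HotSpot omits the "64-Bit" tag
    if bits != want_bits:
        problems.append("JRE is %d-bit, expected %d-bit" % (bits, want_bits))
    return problems


if __name__ == "__main__":
    print(aliased_interfaces(SAMPLE_IP))
    print(jre_problems(SAMPLE_JAVA, 32))
```

Pass 32 or 64 as `want_bits` according to the platform row in Table 3-1 that matches the migration machine.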
Security Considerations
The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.
You need to know the Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.1 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in the audit log.
Data Migration and Deployment Scenarios
The Cisco Secure ACS-ISE Migration Tool is designed to migrate Cisco Secure ACS 5.1/5.2 data objects to Cisco ISE 1.1. The process of data migration in a single appliance differs from that of appliances in a distributed environment. The following sections address these topics:
• Guidelines for Data Migration from a Single Cisco Secure ACS Appliance
• Guidelines for Data Migration in a Distributed Environment
Guidelines for Data Migration from a Single Cisco Secure ACS Appliance
If you have a single Cisco Secure ACS appliance in your environment (or several Cisco Secure ACS appliances, but not in a distributed setup), run the Cisco Secure ACS-Cisco ISE Migration Tool against the Cisco Secure ACS appliance as described in Logging In and Using the Migration Tool.
Guidelines for Data Migration in a Distributed Environment
You might run Cisco Secure ACS in a distributed environment, for example with one primary Cisco Secure ACS appliance and one or more secondary Cisco Secure ACS appliances that interoperate with the primary appliance. If you run Cisco Secure ACS in a distributed environment, you must:
Step 1: Back up the primary Cisco Secure ACS appliance and restore it on the migration machine.
Step 2: Run the Cisco Secure ACS-Cisco ISE Migration Tool against the primary Cisco Secure ACS appliance.
Note: If you have a large internal database, Cisco recommends that you run the migration from a standalone primary appliance and not from a primary appliance that is connected to several secondary appliances. After the completion of the migration process, you can register all the secondary appliances.
Note: The Cisco Secure ACS-Cisco ISE Migration Tool may run for approximately 20 hours to migrate 10,000 devices, 25,000 users, 100,000 hosts, 100 identity groups, 420 downloadable access control lists (DACLs), 320 authorization profiles, 6 device hierarchies, and 20 network device groups (NDGs).
Note: When you are ready to start migrating Cisco Secure ACS 5.1/5.2 data to a Cisco ISE appliance, make sure that it is to a standalone Cisco ISE node. Only after migration has been successfully completed should you begin any deployment configuration (such as setting up Administrator ISE and Policy Service ISE personas). It is a requirement that the migration import phase be performed on a "clean" new installation of the Cisco ISE software on a supported hardware appliance.
Installing and Initializing the Cisco Secure ACS-Cisco ISE Migration Tool
Note: You should run the migration tool only after a fresh Cisco ISE installation or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Therefore, the Cisco ISE FIPS mode should not be enabled before the migration process is complete.
You can download the Cisco Secure ACS-Cisco ISE Migration Tool files using the Cisco ISE user interface.
To download and run the Cisco Secure ACS-Cisco ISE Migration Tool software, complete the following steps:
Step 1: If your Cisco Secure ACS and Cisco ISE software are installed on different appliances, download the migration tool files by entering the following URL in the address bar of the browser you use for the Cisco ISE user interface:
https://<hostname-or-hostipaddress>/admin/migTool.zip
Note: The only currently supported browser for downloading the migration tool files is Mozilla Firefox, versions 3.6, 6, 7, 8, 9, and 10. Microsoft Windows Internet Explorer (IE8 and IE7) browsers are not currently supported in this release.
Step 2: If your Cisco Secure ACS and Cisco ISE software are installed on the same appliance, or if you are using a new Cisco ISE hardware appliance, download the migration tool file, migTool.zip, from the following location:
http://www.cisco.com/cisco/software/release.html?mdfid=283801620&flowid=26081&softwareid=283802505&release=1.1&relind=AVAILABLE&rellifecycle=&reltype=latest
Step 3: Extract the content of the .zip file. Figure 3-1 illustrates the directory structure of the Cisco Secure ACS-Cisco ISE Migration Tool software.
Figure 3-1 Directory Structure of the Cisco ACS 5.1/5.2-Cisco ISE 1.1 Migration Tool
Step 4: Edit the config.bat file and allocate the initial amount of memory for the Java heap sizes for the migration process (see Figure 3-2). The memory is 64 and 512 megabytes, respectively.
Figure 3-2 Setting Java Heap Size
Step 5: Click Save to preserve your heap size configuration.
Step 6: Click migration.bat to launch the migration process.
The initializing screen is displayed (see Figure 3-3).
Figure 3-3 Initializing Screen
After the migration tool is initialized, unsupported Cisco Secure ACS objects still need to be migrated, and the following message is displayed (see Figure 3-4).
Figure 3-4 Message Displayed for Unsupported Objects
Step 7: Click Yes to display a list of unsupported and partially supported objects (see Figure 3-5).
Figure 3-5 List of Unsupported and Partially Supported Objects
Step 8: Click Close.
You can also view the list of unsupported objects by selecting Help > Unsupported Object Details.
To run the migration tool, see Chapter 4 "Using the Cisco Secure ACS-Cisco ISE Migration Tool".