Installing the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool
This chapter provides information about installing the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool, describes important migration tool installation considerations, and describes the migration process in the following topics:
Migration Tool Installation Guidelines
Before you begin the installation, observe the following guidelines:
- Ensure that your environment is ready for migration. In addition to your Cisco Secure ACS 5.1/5.2 Windows or Linux source machine, you must deploy a secure external system with a database for either the single- or dual-appliance migration, and a Cisco ISE 1.0 appliance as your target system.
- Ensure that you have configured the Cisco Secure ACS 5.1/5.2 source machine with a single IP address. The migration tool may fail during migration if each interface has multiple IP address aliases.
- Ensure that you have:
– Installed Cisco ISE 1.0 on the target machine (if this is a dual-appliance migration).
– The Cisco ISE 1.0 software available to reimage the CSACS-1121 appliance (if this is a single-appliance migration).
– All the proper Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.0 credentials and passwords.
- Ensure that you can establish network connections between the source machine and the secure external system with a database.
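A preflight check for the single-IP-address guideline above, as an added example that is not part of the Cisco documentation or the migration tool. It assumes a Linux source machine with the iproute2 `ip` command; the function names are hypothetical, the sample output is constructed, and counting every global-scope address (IPv4 or IPv6) is an assumption of this example.

```python
import subprocess
from collections import defaultdict

# Constructed sample of `ip -o addr show` output (documentation addresses).
SAMPLE = r"""1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet 192.0.2.11/24 brd 192.0.2.255 scope global secondary eth0:1\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::250:56ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
"""

def global_addresses(ip_output):
    """Map interface -> global-scope addresses; loopback and link-local are skipped."""
    found = defaultdict(list)
    for line in ip_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] not in ("inet", "inet6"):
            continue
        if "scope" not in fields[:-1]:
            continue
        # The scope keyword follows the address and any brd/peer fields.
        if fields[fields.index("scope") + 1] == "global":
            found[fields[1]].append(fields[3])
    return dict(found)

def aliased_interfaces(ip_output):
    """Interfaces that carry more than one global address (aliases/secondaries)."""
    return {i: a for i, a in global_addresses(ip_output).items() if len(a) > 1}

def has_single_address(ip_output):
    """True only when the machine has exactly one global address in total."""
    return sum(len(a) for a in global_addresses(ip_output).values()) == 1

def live_output():
    """Read the real interface state from the local machine."""
    return subprocess.run(["ip", "-o", "addr", "show"],
                          capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    out = live_output()
    for iface, addrs in aliased_interfaces(out).items():
        print(f"{iface}: multiple addresses {', '.join(addrs)}")
    print("single IP address:", has_single_address(out))
```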
System Requirements
Your Cisco Secure ACS machines must meet the system requirements described in Table 3-1. All documents are available on Cisco.com.
Security Considerations
The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.
You need to know the Cisco Secure ACS 5.1/5.2 and Cisco ISE 1.0 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in the audit log.
Data Migration and Deployment Scenarios
The Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool is designed to migrate Cisco Secure ACS 5.1/5.2 data objects to Cisco ISE 1.0. The process of data migration in a single appliance differs from that of appliances in a distributed environment. The following sections address these topics:
Guidelines for Data Migration from a Single Cisco Secure ACS Appliance
If you have a single Cisco Secure ACS appliance in your environment (or several Cisco Secure ACS appliances, but not in a distributed setup), run the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool against the Cisco Secure ACS appliance as described in Logging In and Using the Migration Tool.
Guidelines for Data Migration in a Distributed Environment
You might run Cisco Secure ACS in a distributed environment, for example, with one primary Cisco Secure ACS appliance and one or more secondary Cisco Secure ACS appliances that interoperate with the primary appliance. If you run Cisco Secure ACS in a distributed environment, you must:
Step 1 Back up the primary Cisco Secure ACS appliance and restore it on the migration machine.
Step 2 Run the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool against the primary Cisco Secure ACS appliance.
Note If you have a large internal database, Cisco recommends that you run the migration from a standalone primary appliance and not from a primary appliance that is connected to several secondary appliances. After the completion of the migration process, you can register all the secondary appliances.
Note The Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool may run for approximately 20 hours to migrate 10,000 devices, 25,000 users, 100,000 hosts, 100 identity groups, 420 DACLs, 320 authorization profiles, 6 device hierarchies, and 20 NDGs.
Note When you are ready to start migrating Cisco Secure ACS 5.1/5.2 data to a Cisco ISE appliance, make sure that it is to a standalone Cisco ISE node. Only after migration has been successfully completed should you begin any deployment configuration (such as setting up Administrator ISE and Policy Service ISE personas). It is a requirement that the migration import phase be performed on a “clean” new installation of the Cisco ISE software on a supported hardware appliance.
Installing and Initializing the ACS 5.1/5.2-ISE 1.0 Migration Tool
You can download the Cisco Secure ACS 5.1/5.2-ISE 1.0 Migration Tool files using the Cisco ISE user interface.
To download and run the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool software, complete the following steps:
Step 1 Download the migration tool files by entering the following URL in the address bar of the browser that you use for the Cisco ISE user interface:
https://<hostname-or-hostipaddress>/admin/migTool.zip
Step 2 Extract the content of the .zip file. Figure 3-1 illustrates the directory structure of the Cisco ACS 5.1/5.2-ISE 1.0 Migration Tool software.
Figure 3-1 Directory Structure of the Cisco ACS 5.1/5.2-Cisco ISE 1.0 Migration Tool
Step 3 Edit the config.bat file and allocate the initial amount of memory for the Java heap sizes for the migration process (see Figure 3-2). The memory is 64 and 512 megabytes, respectively.
Figure 3-2 Setting Java Heap Size
Step 4 Click Save to preserve your heap size configuration.
Step 5 Click migration.bat to launch the migration process.
The initializing screen is displayed (see Figure 3-3).
Figure 3-3 Initializing Screen
After the migration tool is initialized, unsupported Cisco Secure ACS objects still need to be migrated, and the following message is displayed (see Figure 3-4).
Figure 3-4 Message Displayed for Unsupported Objects
Step 6 Click Yes to display a list of unsupported and partially supported objects (see Figure 3-5).
Figure 3-5 List of Unsupported and Partially Supported Objects
Step 7 Click Close.
You can also view the list of unsupported objects by selecting Help > Unsupported Object Details.
To run the migration tool, see Chapter 4, “Using the Cisco Secure ACS 5.1/5.2-Cisco ISE 1.0 Migration Tool”.