The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter provides guidelines on how to install the Cisco Secure ACS to Cisco ISE Migration Tool.
Ensure that your environment is ready for migration. In addition to a Cisco Secure ACS, Release 5.5 or 5.6 Windows or Linux source machine, you must deploy a secure external system with a database for dual-appliance (migrating data in a distributed deployment) migration and have a Cisco ISE, Release 2.0, appliance as a target system.
Ensure that you have configured the Cisco Secure ACS, Release 5.5 or 5.6 source machine with a single IP address. The migration tool may fail during migration if each interface has multiple IP address aliases.
Ensure that you have a backup of ACS configuration data if the migration from Cisco Secure ACS to Cisco ISE is performed on the same appliance.
Ensure that you have completed these tasks:
If this is a dual-appliance migration, you have installed the Cisco ISE, Release 2.0 software on the target machine.
If this is a single-appliance migration, you have the Cisco ISE, Release 2.0 software available to re-image the appliance or virtual machine.
Have all the appropriate Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 credentials and passwords.
Ensure that you can establish network connections between the source machine and the secure external system.
|
Platform |
Requirements |
|---|---|
|
Cisco Secure ACS, Release 5.5 or 5.6 source machine |
Ensure that you have configured the Cisco Secure ACS source machine to have a single IP address. |
|
Cisco ISE, Release 2.0 target machine |
Ensure that the Cisco ISE target machine has at least 2 GB of RAM. |
|
Migration machine - Ensure that the migration machine has a minimum of 2 GB of RAM. |
|
|
64-Bit Windows and Linux |
Install Java JRE, version 1.7 or higher 64 Bit. The migration tool will not run if you do not install Java JRE on the migration machine. |
|
32-Bit Windows and Linux |
Install Java JRE, version 1.7 or higher 32 Bit. The migration tool will not run if you do not install Java JRE on the migration machine. |
The export phase of the migration process creates a data file that is used as the input for the import process. The content of the data file is encrypted and cannot be read directly.
You need to know the Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in an audit log.
You must enter the hostname of the primary Cisco Secure ACS server and the Cisco ISE server, along with the administrator credentials. After you have been authenticated, the migration tool proceeds to migrate the full set of configured data items in a form similar to an upgrade. Make sure that you have enabled the PI interface on the ACS server and the ACS migration interface on the ISE server before running the migration tool.
Set the initial amount of memory allocated for the java Heap Sizes for the migration process in the config bat file. The attribute to set the heap size in config.bat is: _Xms = 64 and _Xmx = 1024 (The memory is 64 and 1024 megabytes, respectively).
If the Cisco Secure ACS and Cisco ISE softwares are installed on different appliances, download the migration tool files.
You should run the migration tool only after a fresh Cisco ISE installation or after you have reset the Cisco ISE application configuration and cleared the Cisco ISE database using the application reset-config command. Therefore, the Cisco ISE FIPS mode should not be enabled before the migration process is complete.
When the migration tool is initialized, it pops up a message box asking if you want to view the unsupported list. The migration tool can migrate only a subset of Cisco Secure ACS objects into Cisco ISE. The tool supplies a list of unsupported (or partially supported) objects that it cannot migrate. You can also view the list of unsupported objects by selecting Help > Unsupported Object Details from the Cisco Secure ACS to Cisco ISE Migration Tool interface.
Feedback