This chapter provides guidelines on
how to install the Cisco Secure ACS to Cisco ISE Migration Tool.
Ensure that your environment is ready for migration. In addition to a Cisco Secure ACS, Release 4.2 or 5.5 or later Windows or Linux source machine, you must deploy a secure external system with a database for dual-appliance (migrating data in a distributed deployment) migration and have a Cisco ISE, Release
2.2, appliance as a target system.
Ensure that you have configured the Cisco Secure ACS, Release 4.2 or 5.5 or later source machine with a single IP address. The migration tool may fail during migration if each interface has multiple IP address aliases.
Ensure that you have a backup of ACS configuration data if the
migration from Cisco Secure ACS to Cisco ISE is performed on the same
Ensure that you have completed these tasks:
If this is a dual-appliance migration, you have installed the Cisco ISE, Release
2.2 software on the target machine.
If this is a single-appliance migration, you have the Cisco ISE, Release
2.2 software available to re-image the appliance or virtual machine.
Have all the appropriate Cisco Secure ACS, Release 4.2 or 5.5 or later and Cisco ISE, Release
2.2 credentials and passwords.
Ensure that you can establish network connections between the
source machine and the secure external system.
The export phase of the migration process creates a data file
that is used as the input for the import process. The content of the data file
is encrypted and cannot be read directly.
You need to know the Cisco Secure ACS, Release 5.5 or later and Cisco ISE, Release
2.2 administrator usernames and passwords to export the Cisco Secure ACS data and import it successfully into the Cisco ISE appliance. You should use a reserved username so that records created by the import utility can be identified in an audit log.
You must enter the
hostname of the primary
Cisco Secure ACS server and the Cisco ISE server, along with the administrator
credentials. After you have been authenticated, the migration tool proceeds to
migrate the full set of configured data items in a form similar to an upgrade.
Make sure that you have enabled the PI interface on the ACS server and the ACS
migration interface on the ISE server before running the migration tool.
It is recommended to provide the hostname of the ACS 4.2 machine in the ACS4 Hostname field.
||Go to the
Download Software web
page. You may need to provide login credentials.
You can also
view the download link for the migration tool in the
section in the Cisco ISE GUI by navigating to the
Control and Policy >
Identity Services Engine >
Identity Services Engine Software.
||In the left
pane, choose the version.
Download Software page displays the list of software available for the selected
||Click Download corresponding to the migration tool software package to download the ACS-MigrationApplication-2.2.0.x.zip file. |
||Extract the contents of the .zip file. The extracted contents of
the .zip file creates a directory structure that holds the config.bat and
config.bat file to set the initial amount of memory
allocated for the java Heap Sizes.
Before You Begin
When the migration tool is initialized, it pops up a message
box providing you the option to migrate configuration of all the supported
objects or RADIUS configurations such as authentication profile, access
services of type network access and others or TACACS configurations such as
command sets, shell profile, access services of type device admin and others.
The tool supplies a list of unsupported (or partially supported) objects that
it cannot migrate, and the object-level dependencies list. You can also view
the list of unsupported objects by selecting Help > Unsupported Object
Details & Object-level dependencies list from the Cisco Secure ACS to
Cisco ISE Migration Tool interface.
Migration can be
performed on a fresh Cisco ISE setup or an existing Cisco ISE setup. If the
object already exists in Cisco ISE, you will receive a warning message and the
objects will be skipped for migration, or else, the object will be created in
migration.bat batch file to launch the migration tool.
Migration selection options window appears.
||From the list of
migration options, click the radio button corresponding to the migration option
that you want to choose.
- Configuration of all
supported objects—Displays all the supported objects.
- RADIUS configurations such as
authentication profile, access services of type network access and
others—Displays only the RADIUS related objects and the common objects.
- TACACS configurations such
as command sets, shell profile, access services of type device admin and
others—Displays only TACACS related objects and the common objects.
||In the pop-up window, click Yes to display
the list of unsupported and partially supported objects and object-level