This chapter provides the information you need to plan your migration. Careful planning helps the migration proceed smoothly and reduces the risk of migration failure.
This section provides information on the prerequisites to perform the migration process.
Before you can begin the migration process, you must enable the interfaces used for the data migration on the Cisco Secure ACS and Cisco ISE servers. We recommend that you disable the migration interfaces on both servers after the migration process is completed.
Note | After the migration process is completed, disable the migration interface on the Cisco Secure ACS machine using the following command: acs config-web-interface migration disable |
Note | Disable the migration interface on the Cisco ISE server after the migration process is completed. |
To enable the export of data from the Cisco Secure ACS server to the migration tool, you can trust either the Cisco Secure ACS CA certificate or the Cisco Secure ACS management certificate.
Note | It is not necessary to add the Cisco Secure ACS CA certificate or Cisco Secure ACS management certificate to export the data objects from ACS if you select the migration of ACS 4.x supported objects. |
To enable the import of data from the migration tool to the Cisco ISE server, you can trust either the Cisco ISE CA certificate or the Cisco ISE management certificate.
In Cisco Secure ACS, ensure that the server certificate is in the
page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) in the certificate is used in the ACS5 Credentials dialog box to establish the connection and export data from Cisco Secure ACS.
In Cisco ISE, ensure that the server certificate is in the
page. The Common Name (CN attribute in the Subject field) or DNS Name (in the Subject Alternative Name field) is used in the ISE Credentials dialog box to establish the connection and import data from the migration tool to Cisco ISE.
Note | Ensure that the Cisco Secure ACS and Cisco ISE hostnames are resolvable to IP addresses. |
The migration tool may run for approximately 5 hours to migrate the following configurations:
We recommend that you do not change to Simple mode after a successful migration from Cisco Secure ACS, because you might lose all the migrated policies in Cisco ISE. You cannot retrieve those migrated policies, but you can switch to Policy Set mode from Simple mode.
You must consider the following before you start migrating Cisco Secure ACS data to Cisco ISE:
Migrate Cisco Secure ACS, Release 5.5 or later data only in the Policy Set mode in Cisco ISE, Release 2.2.
Generate one policy set per enabled rule in the Service Selection Policy (SSP) and order them according to the order of the SSP rules.
You must check the following to ensure policy services migration from Cisco Secure ACS to Cisco ISE:
If Service Selection Policies (SSP) contain SSP rules that are disabled or monitored in Cisco Secure ACS, Release 5.5 or later, they are not migrated to Cisco ISE.
If a Service Selection Policy (SSP) contains an SSP rule that is enabled in Cisco Secure ACS, Release 5.5 or later
that requests a service, which contains a Group Mapping policy, it is not migrated to Cisco ISE. (Cisco ISE does not support Group Mapping Policy.)
If a particular access service contains group mapping, the migration tool displays it as a warning in the policy gap analysis report and migrates the authorization rules related to that access service.
that requests a service and its identity policy contains rules, which result in RADIUS Identity Server, it is not migrated to Cisco ISE. (Cisco ISE differs in how it uses RADIUS Identity Servers for authentication.)
that requests a service, which has policies that use attributes or policy elements that are not supported by Cisco ISE, it is not migrated to Cisco ISE.
When rules cannot be migrated, the policy model as a whole cannot be migrated, for reasons of security and data integrity. You can view details of problematic rules in the Policy Gap Analysis Report. If you do not modify or delete an unsupported rule, the policy is not migrated to Cisco ISE.
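The checks above can be applied to your own rule inventory before you start the tool. The following Python example is added here and is not Cisco's migration tool or its report format; the SspRule fields and the sample rule names are hypothetical, and group mapping is treated as a warning, as the note above describes.

```python
from dataclasses import dataclass

@dataclass
class SspRule:                      # hypothetical inventory record, not an ACS export format
    name: str
    status: str                     # "enabled", "disabled" or "monitored"
    service: str                    # access service the rule requests
    has_group_mapping: bool = False
    uses_radius_identity_server: bool = False
    unsupported_elements: tuple = ()    # attributes/policy elements Cisco ISE lacks

def gap_analysis(ssp_rules):
    """Apply the page's migration rules to an SSP given in rule order."""
    policy_sets, skipped, warnings, blockers = [], [], [], []
    for rule in ssp_rules:
        if rule.status != "enabled":
            skipped.append(rule.name)           # disabled or monitored: not migrated
            continue
        if rule.uses_radius_identity_server:
            blockers.append((rule.name, "identity policy results in RADIUS Identity Server"))
        for element in rule.unsupported_elements:
            blockers.append((rule.name, f"unsupported element: {element}"))
        if rule.has_group_mapping:
            warnings.append((rule.name, "group mapping policy is not carried over"))
        # One policy set per enabled rule, numbered in SSP order.
        policy_sets.append((len(policy_sets) + 1, rule.name, rule.service))
    if blockers:
        policy_sets = []    # one unmigratable rule blocks the whole policy model
    return {"policy_sets": policy_sets, "skipped": skipped,
            "warnings": warnings, "blockers": blockers}

# Constructed sample inventory (rule and service names are made up).
SAMPLE_SSP = [
    SspRule("Wired-802.1X", "enabled", "Dot1X-Access"),
    SspRule("Legacy-VPN", "disabled", "VPN-Access"),
    SspRule("Guest", "enabled", "Guest-Access", has_group_mapping=True),
    SspRule("Proxy-Auth", "enabled", "Proxy-Access", uses_radius_identity_server=True),
    SspRule("Pilot", "monitored", "Pilot-Access"),
]

if __name__ == "__main__":
    for key, value in gap_analysis(SAMPLE_SSP).items():
        print(key, value)
```

Review the blockers list first: until each listed rule is modified or deleted in Cisco Secure ACS, the example reports no policy sets at all.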
In general, you must consider these rules while migrating data from Cisco Secure ACS, Release 5.5 or later to Cisco ISE, Release 2.2: