topic Re: Migrate TACACS from ACS to a live ISE deployment in Network Access Control

Migrate TACACS from ACS to a live ISE deployment

tgraham — Thu, 28 Dec 2017 22:32:20 GMT

There is a lot of documentation about ACS -> ISE migration but my situation is that we have a live ISE to migrate to not a fresh standalone deployment. I only care about the TACACS part of the deployment and I am hitting some roadblocks.

1. I have the additional attributes problem the Krishnan kthiruve introduces in his very informative video series. He references some "hidden slides" that go into more detail. Does anyone know where the slide deck for the videos is so I can look over the hidden slides?

2. I run into the problem that there is already an AD defined in ISE so none of the ACS AD configuration comes over. I try to manually create the authenticate rule that I think should take care of this but when I go to choose the condition the little wheel comes up and spins indefinitely. I would like to at least get part of the rule so I can have a model to build from.

3. The main part of the additional attributes has to do with RSA SecurID. I have the RSA document for how to build the policy set but the way they do it puts it in "simple" mode which would wipe out the rest of the ISE configuration (currently ISE is used for dot1x authc/authz). So what is a RSA authorization rule supposed to look like in compound mode? (We authenticate to RSA and draw additional attributes, i.e. group membership, from AD) Does anyone know how to do a rule like this? I am sure if I just saw one I would be good to go.

Thanks for any advice, experience, links and pointers you may be able to share.

Re: Migrate TACACS from ACS to a live ISE deployment

Nidhi — Fri, 29 Dec 2017 12:16:38 GMT

All the tutorials and links are in the link here - ACS to ISE Migration

I will check with our SME regarding your other queries.

Thanks,

Nidhi

Re: Migrate TACACS from ACS to a live ISE deployment

tgraham — Fri, 29 Dec 2017 12:24:54 GMT

Thank you for your reply. I have gone through everything on the page your linked (bookmarked in fact). The third video has the mention of the "hidden slides" I am asking about.

All of this information assumes we are migrating to a clean standalone ISE deployment. My ISE has been doing dot1x for years so I need to learn how to "merge" more than "migrate".

Please let me know what you find out.

Thanks.

Re: Migrate TACACS from ACS to a live ISE deployment

Nidhi — Fri, 29 Dec 2017 12:32:11 GMT

you might want to look at how to document - How to Migrate ACS 5.x to ISE 2.x

This has detail steps for plan/prepare and Migrate (3rd step).

I will keep you posted as I hear anything for our SME.

Also, just to let you know, its year end shutdown in Cisco and response will be little slow.

Thanks,

Nidhi

Re: Migrate TACACS from ACS to a live ISE deployment

hslai — Mon, 01 Jan 2018 09:41:52 GMT

On 1, please provide the link to the particular video and the approximate timing in the video where Krishnan mentioned about the hidden slides.

On 2, are you having this issue only after running ACS migration? If so, please open a TAC case to troubleshoot.

On 3, you may either create a new policy set or configure the RSA rules under the default policy set. In case of ISE 2.3, please see the video on Cisco ISE 2.3 Policy User Interface Walkthrough @ What's New in ISE 2.3?

Re: Migrate TACACS from ACS to a live ISE deployment

tgraham — Tue, 02 Jan 2018 13:04:08 GMT

Thanks for the followup hslai

1. The reference to the hidden slides is at: 19:20 in

ACS to ISE Migration - Part III - Migration process and demonstrationv2-Chapter 2.mp4

You can find a link to video at ACS to ISE Migration - Part III - Migration Process and Demonstration

2. I am not sure I am creating the Policy Set correctly. The ISE/TACACS guide I have is for ISE 2.0 and I am using v2.1. The menus have changed. I am using How To: ISE TACACS+ Configuration for IOS Network Devices (DOC-68194). Is there a guide compatible with v2.1 (or just an example)

3. I am running v2.1 so I cannot use the ver 2.3 what's new. I am not sure how to configure/modify the policy set. I will look through the what's new to see if it gives me a clue how to do it in v2.1.

Thanks.

Re: Migrate TACACS from ACS to a live ISE deployment

hslai — Tue, 02 Jan 2018 20:44:17 GMT

On 2 and 3, the web UI in ISE 2.0 and 2.1 are not that much different. If you registered as a partner, you may take a look at [ISE Lab Guide] ISE Device Administration Services (TACACS+), which is based on ISE 2.1. ISE T+ is using policy sets since it added in ISE 2.0. ISE T+ Demos has some videos to show how to set things up.

On 1, are you referring to what Krishnan said about in-line conditions? If so, it's how ISE policy engine working differently from ACS one, such that ISE using the ID source sequence for authentications, and that, during authorization, ISE checks the attributes of the ID stores in the conditions, regardless they used in authentications. Unless pre-pending a condition using "Network Access:AuthenticationIdentityStore" to limit the queries.

Re: Migrate TACACS from ACS to a live ISE deployment

tgraham — Wed, 03 Jan 2018 13:35:53 GMT

hslai,

Regarding 2 and 3 - this is excellent! Thanks.

I needed pages 11 and 12 of the lab guide. I don't know how to find GOLD labs since they shut down the PEC.

I think this might be the information on the "hidden slides" that Krishnan mentioned in the video

I don't quite understand your information about #1 but maybe I am not ready for the answer.

I will come back to this one if need be.