cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1159
Views
2
Helpful
2
Replies

Migration from ACS 5.x to ISE for TACACS

rmartini
Level 1
Level 1

Good afternoon,

I'm working on a migration of TACACS+ from ACS 5.x to ISE2.x

There are over 25k devices in the network.

The current deployment of ACS has 1 primary to manage all the cluster and 6 secondary.

All logs are sent directly from the secondaries to Splunk.

Questions on ISE vs ACS behaviour?

1- are the accounting logs in the same format?

2- is it possible to send the logs from the PSN to Splunk bypassing the MnT node? The MnT function is not used anyway.

thanks

R.

1 Accepted Solution

Accepted Solutions

kthiruve
Cisco Employee
Cisco Employee

Hi Raffaello,

To answer your question,

1. These are in syslog format but the fields used should be the same since these fields are part of the TACACS+ protocol

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.

For ACS to ISE Migration, please use the ACS to ISE Migration community that has details with answers to top of the mind questions, differences between ACS vs ISE, demos, how to docs etc.,

Thanks

Krishnan

View solution in original post

2 Replies 2

kthiruve
Cisco Employee
Cisco Employee

Hi Raffaello,

To answer your question,

1. These are in syslog format but the fields used should be the same since these fields are part of the TACACS+ protocol

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.

For ACS to ISE Migration, please use the ACS to ISE Migration community that has details with answers to top of the mind questions, differences between ACS vs ISE, demos, how to docs etc.,

Thanks

Krishnan

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.


2 reasons

  1. This is a global deployment and the PSN will be in different continent, the customer has separate SPLUNK clusters on a per GEO basis and it makes sense to send say the US logs to the US splunk etc etx
  2. They are creating all sorts of services with the data coming from the logs, if the MNS is the node in charge of forwarding everything to splunk, then it becomes a single point of failure - one more thing to look after for the customer.


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: