cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
 
ISE 2.3 Patch 7 has been posted. This will be the last patch for the ISE 2.3 release!
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

369
Views
2
Helpful
2
Replies
Highlighted
Beginner

Migration from ACS 5.x to ISE for TACACS

Good afternoon,

I'm working on a migration of TACACS+ from ACS 5.x to ISE2.x

There are over 25k devices in the network.

The current deployment of ACS has 1 primary to manage all the cluster and 6 secondary.

All logs are sent directly from the secondaries to Splunk.

Questions on ISE vs ACS behaviour?

1- are the accounting logs in the same format?

2- is it possible to send the logs from the PSN to Splunk bypassing the MnT node? The MnT function is not used anyway.

thanks

R.

Everyone's tags (3)
1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: Migration from ACS 5.x to ISE for TACACS

Hi Raffaello,

To answer your question,

1. These are in syslog format but the fields used should be the same since these fields are part of the TACACS+ protocol

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.

For ACS to ISE Migration, please use the ACS to ISE Migration community that has details with answers to top of the mind questions, differences between ACS vs ISE, demos, how to docs etc.,

Thanks

Krishnan

2 REPLIES 2
Cisco Employee

Re: Migration from ACS 5.x to ISE for TACACS

Hi Raffaello,

To answer your question,

1. These are in syslog format but the fields used should be the same since these fields are part of the TACACS+ protocol

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.

For ACS to ISE Migration, please use the ACS to ISE Migration community that has details with answers to top of the mind questions, differences between ACS vs ISE, demos, how to docs etc.,

Thanks

Krishnan

Beginner

Re: Migration from ACS 5.x to ISE for TACACS

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSN's sends these records to MnT. You can configure remote logging target for these in ISE so that ISE forwards these to SPLUNK. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also I am not sure why you need this.


2 reasons

  1. This is a global deployment and the PSN will be in different continent, the customer has separate SPLUNK clusters on a per GEO basis and it makes sense to send say the US logs to the US splunk etc etx
  2. They are creating all sorts of services with the data coming from the logs, if the MNS is the node in charge of forwarding everything to splunk, then it becomes a single point of failure - one more thing to look after for the customer.