Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
851
Views
0
Helpful
1
Replies

ACS 4.2 to ISE 2.3 migration using rest api

skeleton1
Level 1
Level 1

‎11-03-2017 08:43 AM - edited ‎02-21-2020 10:37 AM

Hi

 

We are looking at migrating from ACS 4.2 to ISE 2.3 TACACs solution.  We don't want to go with a straight migration what we want to do is extract, clean, transform the data and then built on ISE.

Looking through the rest api documentation I don't believe it is possible to create "Device Admin Policy Sets" but this document 

https://www.cisco.com/c/en/us/td/docs/security/ise/2-0/migration_guide/b_ise_MigrationGuide20/Cisco_Secure_ACS_to___Cisco_ISE_Migration_Tool.pdf

 suggests that the migration is done using the rest api.

 

"The Cisco Secure ACS, Release 5.5 or 5.6 and Cisco ISE, Release 2.0 applications may or may not run on the same type of physical hardware. The migration tool uses the Cisco Secure ACS Programmatic Interface (PI) and the Cisco ISE representational state transfer (REST) application programming interfaces (APIs). The Cisco Secure ACS PI and the Cisco ISE REST APIs allow the Cisco Secure ACS and Cisco ISE applications to run on supported hardware platforms or VMware servers. Because CiscoSecure ACSis considered a closed appliance, running the migration tool directly on a Cisco ACS appliance is not permitted. Instead, the Cisco Secure ACS PI reads and returns the configuration data in a normalized form. The Cisco ISE REST APIs perform validation and normalize the exported Cisco Secure ACS data to persist it in a form usable by Cisco ISE software "

 

Could someone give me a pointer at how these "Device Admin Policy Sets" are created via the rest interface please?

Labels:
0 Helpful
1 Reply 1

tgraham
Level 1
Level 1

‎12-18-2017 03:23 PM

I *think* our problem is that the REST calls that are used by the migration tool are not the same ones used by the documented REST.  #11 opens this channel for ACS migration

 

ise/admin# application configure ise
Selection ISE configuration option
[1]Reset M&T Session Database
[2]Rebuild M&T Unusable Indexes
[3]Purge M&T Operational Data
[4]Reset M&T Database
[5]Refresh Database Statistics
[6]Display Profiler Statistics
[7]Export Internal CA Store
[8]Import Internal CA Store
[9]Create Missing Config Indexes
[10]Create Missing M&T Indexes
[11]Enable/Disable ACS Migration
[12]Generate Daily KPM Stats
[13]Generate KPM Stats for last 8 Weeks
[14]Exit
... and you enable the ERS (REST) service from the GUI. I think they are two different beasts

 

0 Helpful
Customers Also Viewed These Support Documents