Solved: Re: ACS 5.4 to ISE 2.2

Qingguo Zhang · ‎11-19-2017

My customer planned to migrate ACS 5.4 to ISE 2.2 . , so we created a config backup on the ACS 5.4 and load it in a new ACS 5.5 , started to migrate using the tool .

The ACS is running as device administration.

Authorization policy migration is not successful with below reason , Other elements is successful like ( devices, shell profile/command set etc ),

“Failed to create authorization policy of policy set Rule-2. Specified resource already exists

An error has occurred while migrating the policy configuration. The policy configuration has been reverted back to the version that existed prior to the migration processing.”

My customer is using external resource (one-time authentication server ) for most user authentication , does it affect all authentication policy ?

And internal user migration is not successful neither, not sure if we need to upgrade ACS 5.8 and do migration again.

Info Type: WARN

> 2017.11.19 21:33:11'313 : 'Description' :Specified resource already exists: InternalUser

Any comments is appreciated

thanks

Qingguo

kthiruve · ‎11-20-2017

We do support migration from ACS 5.5+ to ISE 2.1+.

The migration tool identifies the issues including name overlaps ete. Some of them are benign since if the name exists and the rules are the same in ISE you can ignore the issue.

Please take a look at the how to migrate from ACS to ISE guide where I have detailed tables that speaks about naming differences and what to do with it. I also have step by step instructions how to migrate.

http://cs.co/acstoise will have videos showing migration from ACS to ISE. You can use these resources for migration.

As Hsing said, if you encounter further issues please call TAC.

-Krishnan

View solution in original post

hslai · ‎11-19-2017

If the migration tool fails to copy certain rules or objects, then we would need configuring them manually, after the run. Please perform a sanity check afterwards.

How to Migrate ACS 5.x to ISE 2.x suggests

ACS 5.4ACS 5.6ACS 5.7 or ACS 5.8

Even though ACS 5.6 to 5.8 all supported to migrate to ISE 2.3, ACS to ISE migration shows ACS 5.8 doing it better.

For further help, please contact Cisco TAC.

kthiruve · ‎11-20-2017

We do support migration from ACS 5.5+ to ISE 2.1+.

The migration tool identifies the issues including name overlaps ete. Some of them are benign since if the name exists and the rules are the same in ISE you can ignore the issue.

Please take a look at the how to migrate from ACS to ISE guide where I have detailed tables that speaks about naming differences and what to do with it. I also have step by step instructions how to migrate.

http://cs.co/acstoise will have videos showing migration from ACS to ISE. You can use these resources for migration.

As Hsing said, if you encounter further issues please call TAC.

-Krishnan

csawest.dc · ‎04-23-2018

Hi Sir,

I am migrating cisco acs 5.8 to ISE 2.2 using migration tool.

My all objects gets migrated but only access policy is not getting migrating.

In policy gap report it is showing that Authorization policy is unsupported.

What would be the issue?

Can you please suggest here...

Regards,

Ravin L

kamwalke · ‎08-02-2018

I am having the same issue. I am migrating from ACS 5.8 to ISE 2.3 and my authorization policies did not migrate.

Damien Miller · ‎08-02-2018

In the migration tool folder, there will be a "migration.log" file. Confirm if "Authorization Policy Rule" lists that one of your authz rules was exported successfully and then search for the authz policy name and you should also see it imported.

I've done a few 5.8 to 2.3 migrations with the tool and it worked "ok" for me. The migrated authz rules logic have always required clean up and modification after.

kamwalke · ‎08-13-2018

My authorization policies are Device Admin Authorization Policies instead of Network Access does this make a difference? When migrating for the first time my TACACS Policies did not migrate I had to manually input them.