This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I have a customer who is migrating over to ISE (2.3) from ACS (5.6) however they have A LOT of Internal Users. As part of the migration, the client requested rationalisation of their existing TACACS & RADIUS rules. As part of that process the device & user groups, rules etc will be changing. With that (and the various issues I have run into with ISE 2.3) the decision to not use the migration tool was made (also could not risk upgrading the production system with short timeframes, its very flaky and the customer has a very NO TOUCHING policy).
Anyway, I have translated all the rules but now have an issue with the ACS Internal Users. I cannot export the Users with their passwords! At this time I am assuming the cli "export-data user" does not include the passwords (If it does please let me know with a response). Is there any way to get the Internal User details & passwords without using the Migration Tool? I would have expected the GUI ! export would include the passwords when an encryption key is provided.
AFAIK the migration tool is the only way to get the internal users with the passwords.
Perhaps, you may perform the migration from ACS to an ISE in the lab and then export them in CSV.