Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
932
Views
15
Helpful
6
Replies

ACS to CISCO ISE Migration

Wasif.B
Level 1
Level 1

‎11-11-2019 05:01 PM

Hello People,

Wondering if anyone recently migrated from ACS to ISE with the latest version of ACS and ISE? I need some help to understand the whole procedure. I have gone through some wonderful documentation on the forum. Would like listen to the recent real time migration challenges. One more question please, is it batter to migrate manually or use the migration Tool.

Thank you.

0 Helpful
6 Replies 6

Colby LeMaire
VIP Alumni
VIP Alumni

‎11-11-2019 06:19 PM

Personally, I prefer to migrate manually if possible.  Because it offers an opportunity to clean up policies, improve efficiency, and not transfer junk that isn't needed.  The only time I have had to use the migration tool was when my client had a ton of local user accounts in ACS and they just didn't want to have users create new passwords.  Their organization was very fractured with over 400 separate regions and each region having its own IT representative and unique settings for their users.  So we used the migration tool primarily to bring the user accounts and passwords over to the new environment.

The challenges that you will run into with the migration tool are things like password requirements not matching up between your ACS and ISE environments, naming conventions, etc.  The tool will give you a heads up on things that won't be able to be migrated and things that may need to be modified ahead of the migration.

Wasif.B
Level 1
Level 1
In response to Colby LeMaire

‎11-11-2019 07:03 PM

Thank you so much for sharing your experience Colby, very informative. Wondering if you can share or refer any document to learn the manual migration please.

0 Helpful

Colby LeMaire
VIP Alumni
VIP Alumni
In response to Wasif.B

‎11-11-2019 07:26 PM

When I say manual, I mean creating everything in ISE from scratch.  Some things like network devices, device groups, endpoints, users, etc. can be exported to CSV from ACS and imported into ISE but will require some massaging of the CSV to put it in the right format for ISE.  In each of those areas in ISE where you can import those things, there will be a link to generate the template.  Generate the template to see what fields are expected and in what order.  The policies and rules will have to be created manually.  It literally is a case of having the ACS interface open on one screen and the ISE interface on another and recreating everything in ISE that you see and still need from ACS.

bhattiwasif
Level 1
Level 1
In response to Colby LeMaire

‎11-11-2019 08:41 PM

I will try to export and make CSV files to be imported into ISE. Thank you so much for your time and reply. 

-Wasif

0 Helpful

cciesec2011
Level 3
Level 3
In response to Colby LeMaire

‎11-12-2019 05:50 AM

@Colby LeMaire wrote:

Personally, I prefer to migrate manually if possible.  Because it offers an opportunity to clean up policies, improve efficiency, and not transfer junk that isn't needed.  The only time I have had to use the migration tool was when my client had a ton of local user accounts in ACS and they just didn't want to have users create new passwords.  Their organization was very fractured with over 400 separate regions and each region having its own IT representative and unique settings for their users.  So we used the migration tool primarily to bring the user accounts and passwords over to the new environment.

The challenges that you will run into with the migration tool are things like password requirements not matching up between your ACS and ISE environments, naming conventions, etc.  The tool will give you a heads up on things that won't be able to be migrated and things that may need to be modified ahead of the migration.

One word of caution.  Look like there are lot of bugs in the ACS to ISE 2.6 migration.  Many of the custom tacacs+ and radius attributes didn't get migrated properly with the tool provided by Cisco.  ACS to ISE 2.4 migration tool seems to be a stable one.  My suggestion is that use the ACS to ISE 2.4 migration tool.  Once you have the system up and running, you can then migrate to ISE 2.6 patch 2.

bhattiwasif
Level 1
Level 1
In response to cciesec2011

‎11-12-2019 02:40 PM

Thank you for your input @cciesec2011, I am still in the planning phase and reading all the material related to ACS to ISE migration. I am planing to migrate the machines manually, will extract the data from ACS and create csv files with the fields required by ISE.

Fingers crossed hopefully things will go well.

-Wasif.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents