Solved: ACS TO ISE migration in a parallel set up

sameer.dy09 · ‎01-04-2019

I need some expert advice for ACS to ISE migration

Current :

1) ACS 5.8 latest patch and used only for TACACS

2) No AD integration

New :

1) Need to build parallel ISE set up before migration

2) I need to keep the same IP schema like ACS for accessing ISE

3) Model 2 ISE cisco SNS 3515 appliance

I have doubt since we are not connecting ISE to the network so it is possible if we can atleast set the configuration parameters and later plan the migration

Also , do I need to set the CIMC in advance as I believe new boxes would be loaded with ISE software , please advise best practice

Thanks in advance

Damien Miller · ‎01-04-2019

CIMC will pick up a dhcp address, if dhcp isn't available someone will have to hook up a monitor/keyboard to give it an IP on boot. The SNS will come preinstalled with ISE but you will have to have console access to run through the initial setup. Either physically next to it with a monitor/keyboard, or once CIMC has an IP so you can access the java KVM.

It's not unusual to have the requirement of reusing IP's with an ACS migration. Assuming that the ACS authentication nodes are not being load balanced, there are two possible methods I would suggest investigating. Keep in mind that you can change an ISE node IP, but it can't be part of a deployment, it must be a standalone node.

Option 1: Setting up a temporary VM on a new IP
1. Set up a temporary VM in parallel as PAN/MNT/PSN, build out and test the new ISE "deployment".
2. When testing is complete, change freeze ACS and sync network devices with ISE.
2. Shut down one legacy ACS node and IP and register the first SNS appliance to the deployment as secondary admin node and MNT.
3. Shut down the second ACS node and register the second SNS appliance to the deployment.
4. Deregister temporary VM.
5. Promote second SNS to Admin/MNT.

In the temp VM scenario outline in option 1, you have 90 days of licensing upon install, if that's not enough you can issue the licenses/apply them, then re host them later on. ISE will complain about not having vm licensing, but that's only a nag right now, not enforced.

Option 2: Use one SNS appliances on a new IP and change it
1. Setup SNS on new IP, build out and test ISE.
2. Change freeze ACS and sync network devices.
3. Shutdown first ACS node.
4. Change IP on SNS appliance from ISE CLI.
5. Shut down second ACS node, and deploy/register SNS .
6. Deploy second SNS appliance with it's ACS IP and register it to ISE deployment.

View solution in original post

kthiruve · ‎01-07-2019

Thanks Damien.

Please look at http://cs.co/acstoise for details about migration, videos and how to document for step by step instruction.

If you are using migration tool, you need a temp VM with a different IP address. Once you migrate, then you can backup the ISE configuration and restore to the appliance.

-Krishnan

View solution in original post

Damien Miller · ‎01-04-2019

CIMC will pick up a dhcp address, if dhcp isn't available someone will have to hook up a monitor/keyboard to give it an IP on boot. The SNS will come preinstalled with ISE but you will have to have console access to run through the initial setup. Either physically next to it with a monitor/keyboard, or once CIMC has an IP so you can access the java KVM.

It's not unusual to have the requirement of reusing IP's with an ACS migration. Assuming that the ACS authentication nodes are not being load balanced, there are two possible methods I would suggest investigating. Keep in mind that you can change an ISE node IP, but it can't be part of a deployment, it must be a standalone node.

Option 1: Setting up a temporary VM on a new IP
1. Set up a temporary VM in parallel as PAN/MNT/PSN, build out and test the new ISE "deployment".
2. When testing is complete, change freeze ACS and sync network devices with ISE.
2. Shut down one legacy ACS node and IP and register the first SNS appliance to the deployment as secondary admin node and MNT.
3. Shut down the second ACS node and register the second SNS appliance to the deployment.
4. Deregister temporary VM.
5. Promote second SNS to Admin/MNT.

In the temp VM scenario outline in option 1, you have 90 days of licensing upon install, if that's not enough you can issue the licenses/apply them, then re host them later on. ISE will complain about not having vm licensing, but that's only a nag right now, not enforced.

Option 2: Use one SNS appliances on a new IP and change it
1. Setup SNS on new IP, build out and test ISE.
2. Change freeze ACS and sync network devices.
3. Shutdown first ACS node.
4. Change IP on SNS appliance from ISE CLI.
5. Shut down second ACS node, and deploy/register SNS .
6. Deploy second SNS appliance with it's ACS IP and register it to ISE deployment.

sameer.dy09 · ‎01-04-2019

Thanks Damien,

If I am building ISE on new IP address (Option 2) and post testing it . Is it possible to directly overwrite the IP address like we do in firewalls/Router.

I believe I need to follow ACS to ISE migration process , is there any direct way we can just sync the NADs or any basic policy if we have 1000+ and to my understanding standalone ISE can have all persona

Damien Miller · ‎01-04-2019

Yes you can, but as noted the node has to be standalone. Putting this another way, you can't have it registered to any other nodes before changing the IP. The steps are outlined for you in the ISE guide, the services will restart but your config will remain. The single ISE node can host all personas but has no redundancy.
https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/install_guide/b_ise_InstallationGuide24/b_ise_InstallationGuide24_chapter_0101.html#ID-1412-00000138

As for the second piece of your question. You can take advantage of the ACS migration tool Cisco has built. It's listed with the ISE version on the software download page.
https://software.cisco.com/download/home/283801620/type/283802505/release/2.4.0
file name ACS-MigrationApplication-2.4.0.zip.

You can choose different categories to migrate, everything if you want policies, nads, identity sources, command sets, profiles etc. Now a word of caution before you start when it comes to NADs and the migration tool. The tool is not "change" aware in that you can re-sync any time, but if a NAD with the same name already exists in ISE the tool will skip it, if the the management IP has changed it does not get updated in ISE. The ideal solution here is to continue making all production changes in ACS. Then when you are ready, change freeze ACS, "delete all" NADs in ISE, reimport the NADs with a final migration/import.

The migration tool also does some weird things with the policy set authorization rules. The logic is not a 1:1 mapping from ACS to ISE so you have to audit what migrates over. Watch for duplicate rules nested within the parent, and rules that have "in xxx device group/type" where it might have to be manually changed to "contains xxx device group/type".

kthiruve · ‎01-07-2019

Thanks Damien.

Please look at http://cs.co/acstoise for details about migration, videos and how to document for step by step instruction.

If you are using migration tool, you need a temp VM with a different IP address. Once you migrate, then you can backup the ISE configuration and restore to the appliance.

-Krishnan