ACS to ISE migration - is standalone a requirement?

tgraham
Level 1

The Cisco ACS to ISE Migration Guide has the instruction to bring up a standalone ISE for the staging environment. We already have a test ISE environment in the PAN(PRI),MNT(SEC)/PAN(SEC),MNT(PRI) configuration. Do we *have* to put the primary mode in standalone, or is it recommended or not necessary? Thanks

Ref: How to Migrate ACS 5.x to ISE 2.x


7 Replies

Nidhi
Cisco Employee

The guidelines mentioned in the document are the best practices, which have been tested and yield the best results.

However, I will check with our SME for this query.

Thanks,

Nidhi

Thanks again Nidhi.

As I mentioned in my other reply, I am merging the TACACS functionality into a live ISE running RADIUS/dot1x. I *could* temporarily put the ISE into standalone but we are running v2.1 and hate to touch any dominos we don't have to. We are running a PAN(PRI),MNT(SEC) & PAN(SEC),MNT(PRI) deployment.

Ref: Re: Migrate TACACS from ACS to a live ISE deployment

Accepted Solution

I am pretty sure it needs to be standalone and not a production system.

Tagged SMEs: kthiruve and surasky

hslai
Cisco Employee

Echoing what Nidhi said, it's not good to use an ISE deployment with multiple nodes as the target, because the migrating data generates numerous updates on the primary PAN and all of them need to be replicated over to the secondary ISE nodes.

Thanks for all the information. I don't have any choice but to migrate my TACACS functionality to our production ISE system. We will be doing a dry run against our test/QA environment before hitting production.

I am confused - one answer above says "it needs to be standalone and not a production system" - I was asking if I should put the production system into standalone. Building a whole new deployment just for TACACS is not an option.

So is the recommendation to just move all the policies, etc by hand and *not* use the migration tool at all?

hslai
Cisco Employee

I do not think we are limiting it to a standalone ISE node, but we are not recommending the primary PAN in a multi-node deployment as the migration target. It's not well tested, either.

Thus, it's best to de-register one of the ISE nodes from the deployment and use that as the target for the migration. Once everything is tested, promote that standalone ISE as the primary and register the other ISE nodes to it to re-form the deployment.

I don't know what your experience with ISE in production is but all this promoting and un-deploying seems like a recipe for a crash if not an extended outage.

If you deregister the secondary, does the primary know to take over as primary MNT, or is that a separate manual operation? If you have a node running as primary for ADM and MNT and another standalone node tries to acquire that node as a secondary, does the old primary know to make itself sec/sec before joining?