Solved: Re: ACS to ISE Migration. Policy Group. Authentication Policy will not be exported

techie21 · ‎11-13-2018

I have 2 Rules setup on ACS. Rule-1 is for Radius. Rule-2 is for TACACS.

Authentication Policy for Rule-1 is not going to be exported and giving the following error. All the Authorization policies are being exported though.

Object Type: Policy Groups
==========================================
> 2018.11.13 10:09:57'191 : In Policy Set Rule-1:
Authentication Policy: will not be exported because all of its rules have invalid condition(s) or have not any condition.
Authorization Policy Rule: 'Object_Name': exported successfully.

Rule-2 has no issues and Authentication and Authorization both are being exported:
In Policy Set Rule-2:
Authentication Policy: rule based - exported successfully.
Authorization Policy Rule: 'Object_Name': exported successfully.

How do I fix it?

Surendra · ‎11-13-2018

Identity group mapping is not supported on ISE. Please disable it and run the tool again.

View solution in original post

Surendra · ‎11-13-2018

Identity group mapping is not supported on ISE. Please disable it and run the tool again.

techie21 · ‎11-14-2018

Hi Surendra,

Thanks for the reply. Where to disable it? And what about Rule-1 migration if disabling it? Rule-1 is referencing to RADIUS access which is being used and will be required in ISE as well.

Appreciate your guidance. Thanks.

Surendra · ‎11-14-2018

You can disable it at Access Policies > Access Services > RADIUS Access (click on this) > Uncheck “Group Mapping”. You cannot use it in ISE since it is not supported. Once the migration is done, enable it again for your ACS to make use of it.

techie21 · ‎11-14-2018

Hi Surendra,

Thanks for the prompt response. I tried testing it in the lab. It gives the following msg:

So if I remove Group mapping, it will delete the policy and rules. Won't that cause issues in ISE, after the migration?

techie21 · ‎11-21-2018

NOT SOLVED YET.