cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1381
Views
15
Helpful
3
Replies
alalli2002
Beginner

ACS to ISE Migration with a policy to allow access and log

Good Day,

 

We are in a process of moving from ACS 5.8 to ISE 2.7.

We have run the migration tool and it appears to have worked without issue.

 

I checked the policy on the ISE server and we now have a policy set containing 2 elements.

 

Rule 1

Condition Network Access Protocol EQUALS RADIUS

Allowed protocols :  Migrated_Default Network Access

 

Rule 2

Default (looks like deny all)

 

I am hoping to put both of the rules into Monitor mode on the cut over night.

Then, the plan is to change the IP addresses of the ISE server to use the ones used by the ACS servers and restart the application.

 

That,  in theory should allow us to migrate on the night without locking myself or anyone else out.

 

Then,  as another process,  I hope to take Rule 1 and split that out to a number of other rules to accommodate the various authentication and authorisation needs for the business.

 

My questions are:

 

Does this approach of swapping IP addresses sound reasonable and does anyone have some additional resources for me to look at during the planning phase?

 

Thanks in advance for any pointers:

 

Regards,

 

 

alalli

 

 

 

 

 

 

 

 

 

2 ACCEPTED SOLUTIONS

Accepted Solutions
balaji.bandi
VIP Guru

There are couple of options.

 

If the device configured fall back to Local account ( you have Local account, any scenario is good) and suggested this method always.

 

Since its new setup, i am more keen to go with  new ISE IP address, add this new ISE Address to all devices, so you can change the order in the device, in case any issue you can remove ISE from network, so it still authenticated with ACS.

 

Due to some Limitation you like to use same IP can be possible, Do not Turn off the ACS device, just shutdown the ACS conencted ports, change the ISE IP address to ACS IP bring up only (make sure if ARP default, clear the ARP on the connected device, rather going to panic to clear ARP their own time).

 

Test with new ISE, should be straight forward if you done all the ground work, if any issue, (  capture as much as Log information you can - before you roleback to ACS) bring down ISE ports - clear the ARP - bring up the ACS as roleback.

 

Do it all in maintenance window to cover yourself from risk. (make sure all devices have local access with priv 15) - in case you need it and tested before cutover.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

thomas
Cisco Employee

Highly recommend testing your new ISE policy with a spare or lab device to ensure it does what you expect when the production devices begin sending requests.

View solution in original post

3 REPLIES 3
balaji.bandi
VIP Guru

There are couple of options.

 

If the device configured fall back to Local account ( you have Local account, any scenario is good) and suggested this method always.

 

Since its new setup, i am more keen to go with  new ISE IP address, add this new ISE Address to all devices, so you can change the order in the device, in case any issue you can remove ISE from network, so it still authenticated with ACS.

 

Due to some Limitation you like to use same IP can be possible, Do not Turn off the ACS device, just shutdown the ACS conencted ports, change the ISE IP address to ACS IP bring up only (make sure if ARP default, clear the ARP on the connected device, rather going to panic to clear ARP their own time).

 

Test with new ISE, should be straight forward if you done all the ground work, if any issue, (  capture as much as Log information you can - before you roleback to ACS) bring down ISE ports - clear the ARP - bring up the ACS as roleback.

 

Do it all in maintenance window to cover yourself from risk. (make sure all devices have local access with priv 15) - in case you need it and tested before cutover.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

thomas
Cisco Employee

Highly recommend testing your new ISE policy with a spare or lab device to ensure it does what you expect when the production devices begin sending requests.

Thanks Thomas.

We are migrating across now using the stepped approach.

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube