08-03-2021 08:50 PM
Good Day,
We are in a process of moving from ACS 5.8 to ISE 2.7.
We have run the migration tool and it appears to have worked without issue.
I checked the policy on the ISE server and we now have a policy set containing 2 elements.
Rule 1
Condition Network Access Protocol EQUALS RADIUS
Allowed protocols : Migrated_Default Network Access
Rule 2
Default (looks like deny all)
I am hoping to put both of the rules into Monitor mode on the cut over night.
Then, the plan is to change the IP addresses of the ISE server to use the ones used by the ACS servers and restart the application.
That, in theory, should allow us to migrate on the night without locking myself or anyone else out.
Then, as another process, I hope to take Rule 1 and split that out to a number of other rules to accommodate the various authentication and authorisation needs for the business.
My questions are:
Does this approach of swapping IP addresses sound reasonable and does anyone have some additional resources for me to look at during the planning phase?
Thanks in advance for any pointers.
Regards,
alalli
08-04-2021 03:28 AM
There are a couple of options.
If the device is configured to fall back to a local account (if you have a local account, any scenario is good), this method is always the suggested one.
Since it is a new setup, I am more keen to go with a new ISE IP address: add this new ISE address to all devices so you can change the server order on the device; in case of any issue you can remove ISE from the network and it is still authenticated with ACS.
If, due to some limitation, you would like to use the same IP, it is possible: do not turn off the ACS device, just shut down the ACS-connected ports, change the ISE IP address to the ACS IP and bring it up only (if ARP is at its default, make sure you clear the ARP on the connected device rather than panicking and waiting for it to clear ARP on its own time).
Test with the new ISE; it should be straightforward if you have done all the ground work. If there is any issue (capture as much log information as you can before you roll back to ACS), bring down the ISE ports, clear the ARP, and bring up ACS as the rollback.
Do it all in a maintenance window to cover yourself from risk (make sure all devices have local access with priv 15) in case you need it, and test it before the cutover.
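The "add the new ISE address alongside ACS and keep a local fallback" option above, as an added IOS configuration example (not taken from the thread or from any Cisco document); the server names, the 192.0.2.x addresses and the placeholder keys and password are assumptions, and the order of the `server name` lines is what you swap at cutover.

```text
! Constructed example: both RADIUS servers defined, ACS first, ISE second.
aaa new-model
radius server ACS-OLD
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key <ACS_SHARED_SECRET_PLACEHOLDER>
radius server ISE-NEW
 address ipv4 192.0.2.20 auth-port 1812 acct-port 1813
 key <ISE_SHARED_SECRET_PLACEHOLDER>
!
! The group order decides which server is tried first; at cutover,
! remove and re-add the entries so ISE-NEW is listed before ACS-OLD.
aaa group server radius AAA-SERVERS
 server name ACS-OLD
 server name ISE-NEW
!
! "local" at the end is the fallback that keeps you from being locked
! out if neither RADIUS server answers.
aaa authentication login default group AAA-SERVERS local
aaa authorization exec default group AAA-SERVERS local
aaa accounting exec default start-stop group AAA-SERVERS
!
! Tested privilege-15 local account for the maintenance window.
username breakglass privilege 15 secret <LOCAL_PASSWORD_PLACEHOLDER>
!
! Before the cutover, confirm each server answers from the device itself:
!   test aaa group AAA-SERVERS <user> <password> new-code
```

Keep a second session logged in while reordering the servers, so a mistake in the group can be corrected without relying on the fallback.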
08-04-2021 11:13 AM
Highly recommend testing your new ISE policy with a spare or lab device to ensure it does what you expect when the production devices begin sending requests.
08-19-2021 10:41 PM
Thanks Thomas.
We are migrating across now using the stepped approach.