Recently migrated ACS 5.8 patch 8 to ISE 2.3 patch 3. Migration was successful (picture attached), but none of my policy sets work. All requests are using the default deny rule for some reason; however, the same rules work perfectly in ACS 5.8. I pointed a few RADIUS-supported and TACACS-supported devices to ISE, but they are all hitting the default rule. Not sure what is wrong. I audited usually ID stores, other parameters related to service selection policy; they were migrated just fine, not sure what is wrong.
If possible, please engage Cisco TAC support on this. We would not be able to help unless we have a copy of your ACS backup and perform a recreate to check it out.
If you are using AD, it could be due to a known issue -- CSCvj31243
I can't tell you your exact issue from the description, however here are a couple things to check.
I found that the migration tool does not always duplicate logic correctly. The location tree logic was the main issue I found. I had to modify location "in" to "contains".
Another thing to check: does your LDAP connection work? You can test the connection from the GUI. If you are using secure LDAP, then ensure the "ldap server root CA" certificate is valid on all configured connections. I ran into an issue where, following a reload post ACS - ISE migration, the LDAP connections were failing to load. The LDAP root CA certificate on unused connections was not valid. This broke all connections.