Recently migrated ACS 5.8 patch 8 to ISE 2.3 patch 3. Migration was a successful, picture attached but none of my policy sets work. All requests are using default deny rule for some reason, however same rules work perfectly n ACS 5.8. I pointed few radius supported a TACACS supported devices to ISE but they are all hitting the default rule. Not sure what is wrong. I audited usually id stores other parameters related to service selection policy they were are migrated just fine, not sure what is wrong.
I can't tell you your exact issue from the description, however here are a couple things to check.
I found that the migration tool does not always duplicate logic correctly. The location tree logic was the main issue I found. I have to modify location "in" to "contains".
Another thing to check, does your ldap connection work? You can test the connection from the GUI. If you are using secure LDAP then ensure the "ldap server root CA" certificate is valid on all configured connections. I ran in to an issue where following a reload post acs - ise migration that the ldap connections were failing to load. The ldap root ca certificate on unsued connections was not valid. Broken all connections.