This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
I have a failover Cisco NAC-CAM, failover Cisco NAC-CAS, Cisco NAC guest and Cisco profiler. Now, I want this to be migrated to Cisco ISE.
Is it possible to migrate all this devices to Cisco ISE?
thanks and regards
The 2 products are completely different on how the devices authenticate to the network and how they are controlled.
The guidance is to deploy ISE and then cut over your networks in a phased approach
A switch ad their ports can be managed by both NAC and ISE at the same time to help with this transition.
Please make sure that the NAC appliance agent network/ports are not able to communicate with ISE and the ISE NAC agent networks are not able to communicate with the NAC server as you don't want the agents discovering/communicating to the wrong service (ISE vs NAC) as they will not integrate.
For agent version please refer to this note:
There is integration support for different versions of Cisco NAC Agent for integration with Cisco NAC Appliance and Cisco ISE. Current releases are developed to work in either environment. However, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given Cisco NAC Agent version intended for one environment. If you require support for Cisco NAC Appliance and Cisco ISE using a single Cisco NAC Agent, be sure to test NAC Agent in the specific environment to verify compatibility.
Unless there is a specific defect or feature required for Cisco NAC Appliance deployment, we recommend deploying the most current agent certified for your Cisco ISE deployment. If an issue arises, restrict Cisco NAC Agent to its intended environment and contact Cisco TAC for assistance. Cisco NAC Agent interoperability is not guaranteed, but testing and support is in progress.
Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance
This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 3300 Series, Release 1.0.4, appliance.
To reimage a Cisco NAC appliance as a Cisco ISE appliance, complete the following steps:
Step 1 If the Cisco NAC appliance is on, turn off the appliance.
Step 2 Turn on the Cisco NAC appliance.
Step 3 Press F1 to enter the BIOS setup mode.
Step 4 Using the arrow key, navigate to Date and Time and press Enter.
Step 5 Set the time for your appliance to the UTC/GMT time zone.
Step 6 Press Esc to exit to main BIOS menu.
Step 7 Press Esc to exit from the BIOS setup mode.
Note: If the Cisco ISE DVD installation process returns a message indicating that "The installer requires at least 600GB disk space for this appliance type," you may need to reset the RAID settings on the appliance to facilitate installation as described in Resetting the Existing RAID Configuration on a Cisco NAC Appliance, below.
Step 8 Perform the instructions described in Before Configuring a Cisco ISE 3300 Series Appliance.
Step 9 Perform the instructions described in Understanding the Setup Program Parameters.
Step 10 Perform the instructions described in Verifying the Configuration Process.
Please check the below links which may be helpful for you:
Th migration path is still immature but the next version of the ISE profiler will allow for a better but still lacking integration of both the NAC and ISE profilers on a Cam. It is possible now but the problem is ISE profiler psn will over right the NAC profiler entries and destroy the description field for the device profiled. Sync is also a problem. Cisco needs to continue to improve this as deployments to ISE will be substantially delayed across all its planned usages including NAC services, BYOD, and devices administration causes.
Sent from Cisco Technical Support iPad App
The installation process of the Cisco ISE 3300 Series software from the Cisco Identity Services Engine ISE VM on the following supported Cisco Secure ACS and Cisco NAC appliance platforms:
• Cisco Secure ACS-1121
• Cisco NAC-3315
• Cisco NAC-3355
• Cisco NAC-3395
Installing the Cisco ISE 3300 Series software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software will be installed is the same physical device type:
• Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware that are used for small Cisco ISE network deployments (Cisco ISE 3315 appliance).
• Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that are used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395 appliances, respectively).
For more information regarding step by step configuration, please visit these links:
Basically customer will get 1:1 3yr Adv for existing NAC user license counts and permanent Base for the same count. For any endpoints beyond NAC user license entitlement, they could use Base Migration license (50% off list).
There are discrepancies in your NAC BoM below. Assuming the 3rd column is quantities, I read this as (6) NAC Server FO bundles with 3500-users each, or ISE entitlement of 21k total. However, the server count would be expected to be 12 physical servers, not 24. Similarly, the NAC Manager FO bundle would normally contain (2) appliances, not (4). If trying to indicate that they had two completely separate ISE deployments, then still expect NAC Server appliance count to match.
Existing appliances like NAC3350 and ACS1120 will not be usable in ISE deployment. Customer can use appliance migration SKUs 1:1 for existing. Any beyond that would be standard SKU.
Note that ATP along with HLD are required for NAC-to-ISE Migrations.