Cisco NAC migrate to Cisco ISE

ericohermoso
Level 1

Hello,

I have a failover Cisco NAC-CAM, failover Cisco NAC-CAS, Cisco NAC guest and Cisco profiler. Now, I want this to be migrated to Cisco ISE.

Is it possible to migrate all these devices to Cisco ISE?

Thanks and regards

5 Replies

harvisin
Level 3

Hello,

The 2 products are completely different in how the devices authenticate to the network and how they are controlled.

The guidance is to deploy ISE and then cut over your networks in a phased approach.

A switch and its ports can be managed by both NAC and ISE at the same time to help with this transition.

Please make sure that the NAC appliance agent network/ports are not able to communicate with ISE and the ISE NAC agent networks are not able to communicate with the NAC server as you don't want the agents discovering/communicating to the wrong service (ISE vs NAC) as they will not integrate.

For agent version please refer to this note:

http://www.cisco.com/en/US/docs/security/ise/1.2/release_notes/ise12_rn.html

Cisco NAC Agent Interoperability

There is integration support for different versions of Cisco NAC Agent for integration with Cisco NAC Appliance and Cisco ISE. Current releases are developed to work in either environment. However, interoperability between deployments is not guaranteed. Therefore, there is no explicit interoperability support for a given Cisco NAC Agent version intended for one environment. If you require support for Cisco NAC Appliance and Cisco ISE using a single Cisco NAC Agent, be sure to test NAC Agent in the specific environment to verify compatibility.

Unless there is a specific defect or feature required for Cisco NAC Appliance deployment, we recommend deploying the most current agent certified for your Cisco ISE deployment. If an issue arises, restrict Cisco NAC Agent to its intended environment and contact Cisco TAC for assistance. Cisco NAC Agent interoperability is not guaranteed, but testing and support is in progress.

aqjaved
Level 3

Installing Cisco ISE Software on a Reimaged Cisco NAC Appliance

This section provides the procedure for reimaging an existing Cisco NAC appliance as a Cisco ISE 3300 Series, Release 1.0.4, appliance.

To reimage a Cisco NAC appliance as a Cisco ISE appliance, complete the following steps:

Step 1 If the Cisco NAC appliance is on, turn off the appliance.

Step 2 Turn on the Cisco NAC appliance.

Step 3 Press F1 to enter the BIOS setup mode.

Step 4 Using the arrow key, navigate to Date and Time and press Enter.

Step 5 Set the time for your appliance to the UTC/GMT time zone.

Step 6 Press Esc to exit to main BIOS menu.

Step 7 Press Esc to exit from the BIOS setup mode.

Note: If the Cisco ISE DVD installation process returns a message indicating that "The installer requires at least 600GB disk space for this appliance type," you may need to reset the RAID settings on the appliance to facilitate installation as described in Resetting the Existing RAID Configuration on a Cisco NAC Appliance, below.

Step 8 Perform the instructions described in Before Configuring a Cisco ISE 3300 Series Appliance.

Step 9 Perform the instructions described in Understanding the Setup Program Parameters.

Step 10 Perform the instructions described in Verifying the Configuration Process.

Please check the below links which may be helpful for you:

Link-1

http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_app_f-installing_on_NAC-AC.html#wp1187112

mlezerkiewicz
Level 1

The migration path is still immature but the next version of the ISE profiler will allow for a better but still lacking integration of both the NAC and ISE profilers on a CAM. It is possible now but the problem is ISE profiler PSN will overwrite the NAC profiler entries and destroy the description field for the device profiled. Sync is also a problem. Cisco needs to continue to improve this as deployments to ISE will be substantially delayed across all its planned usages including NAC services, BYOD, and devices administration causes.

Sent from Cisco Technical Support iPad App

Muhammad Munir
Level 5

Hi

The installation process of the Cisco ISE 3300 Series software from the Cisco Identity Services Engine ISE VM on the following supported Cisco Secure ACS and Cisco NAC appliance platforms:

•   Cisco Secure ACS-1121

•   Cisco NAC-3315

•   Cisco NAC-3355

•   Cisco NAC-3395

Installing the Cisco ISE 3300 Series software on a Cisco Secure ACS or Cisco NAC appliance is a simplified process because the underlying hardware on which the Cisco ISE software will be installed is the same physical device type:

•   Cisco Secure ACS-1121 and Cisco NAC-3315 appliances are based on the same physical hardware that are used for small Cisco ISE network deployments (Cisco ISE 3315 appliance).

•   Cisco NAC-3355 and Cisco NAC-3395 appliances are based on the same physical hardware that are used for medium and large Cisco ISE network deployments (Cisco ISE 3355 and Cisco ISE 3395 appliances, respectively).

For more information regarding step by step configuration, please visit these links:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cam/m_addSrv.html#wp1081985

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/49/cas/49cas-book.html

http://www.cisco.com/en/US/docs/security/ise/1.0.4/install_guide/ise104_app_f-installing_on_NAC-AC.html

manjeets
Level 3

Basically customer will get 1:1 3yr Adv for existing NAC user license counts and permanent Base for the same count. For any endpoints beyond NAC user license entitlement, they could use Base Migration license (50% off list).

There are discrepancies in your NAC BoM below. Assuming the 3rd column is quantities, I read this as (6) NAC Server FO bundles with 3500-users each, or ISE entitlement of 21k total. However, the server count would be expected to be 12 physical servers, not 24. Similarly, the NAC Manager FO bundle would normally contain (2) appliances, not (4). If trying to indicate that they had two completely separate ISE deployments, then still expect NAC Server appliance count to match.

Existing appliances like NAC3350 and ACS1120 will not be usable in ISE deployment. Customer can use appliance migration SKUs 1:1 for existing. Any beyond that would be standard SKU.

Note that ATP along with HLD are required for NAC-to-ISE Migrations.
