Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1095
Views
1
Helpful
3
Replies

Cisco Secure ACS to Cisco ISE Migration Tool – Cannot export ACS policies

Go to solution
B. BELHADJ
Level 4
Level 4

‎06-26-2017 05:23 AM

Hi Guys

I’m trying to export ACS policies from ACS 5.8.1.4 to be imported later on ISE 2.2 using the ACS-MigrationApplication-2.2.0 tool.

I’m able to export all objects except the Access Plicies. In the Migration tool logs I see that the Service Selection Policy is not supported.

Below the different logs:

===================================================================================

ACS 5.8

ACSLab

=======================================================================

ASEAPTLSPhone

=======================================================================

Rule: SSPPhoneEAPTLS

Description: Enabled SSP rule 'SSPPhoneEAPTLS' points on a service that is not a network

access service. This is not supported by ISE

=======================================================================

ASMD5Phone

=======================================================================

Rule: SSPPhoneMD5

Description: Enabled SSP rule 'SSPPhoneMD5' points on a service that is not a network

access service. This is not supported by ISE

----------------------------------------------------------------------

=======================================================================

DefaultNetworkAccess

=======================================================================

Rule: Radius

Description: Enabled SSP rule 'Radius' points on a service that is not a network access

service. This is not supported by ISE

-----------------------------------------------------------------------

=======================================================================

DefaultDeviceAdmin

=======================================================================

Rule: Tacacs

Description: Enabled SSP rule 'Tacacs' points on a service that is not a network access

service. This is not supported by ISE

-----------------------------------------------------------------------

=======================================================================

Summary:

*Service Selection Policy     : Unsupported

*Authentication Policy         : Supported

*Authorization Policy         : Supported

Not all policies are compatible with ISE 2.2. Out of security concerns,

the migration application will not migrate any of your ACS 5.5/5.6/5.7/5.8

policies.

=======================================================================

                               End of Report

=======================================================================

I have attached the different Access Services in the Lab.

I have suspected the: ANY and the compound conditions with AND and OR but they are not the issue.

Any suggestion will be appreciated! Don't hesitate if you need any further information

Best regards

Preview file
96 KB
1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to B. BELHADJ

‎06-26-2017 05:21 PM

Hi Abdollah,

What does the export report say?

Also in the folder where you unzip the migration tool, a migration log captures all the processes/tasks in the migration tool. Please check those logs for further information.

If this is a critical problem, please open up a TAC case to debug further.

Thanks

Krishnan

View solution in original post

0 Helpful
3 Replies 3

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎06-26-2017 10:06 AM

Hi Abdollah,

In general, the information below points to use of different service type.

Go to Access policy --> Access services and make sure the corresponding services( used in Service selection policy) has either Device administration or Network access for service type. You did mention that you attached different access services.

Need export/import/policy gap analysis logs and migration tool logs to answer further. If this is impacting, please call TAC.

Thanks

Krishnan

0 Helpful

Go to solution
B. BELHADJ
Level 4
Level 4
In response to kthiruve

‎06-26-2017 12:47 PM

Hi Krishnan

Thank you for your reply and your ACS to ISE migration videos!

Yes I confirm that all Access Services have Network Access or Device Administration for Service Type.

The Policy Gap Analysis report is mentioned earlier in my post. This is what I have in the Policy Gap Analysis report when trying to export just the Access Policies.

I suspect that my SSP and Access Services use some unsupported ACS attributes like NDG:  and compound conditions with a combination of AND and OR operator.

I will change the configuration on my ACS lab and update you

Best regards

0 Helpful

Go to solution
kthiruve
Cisco Employee
Cisco Employee
In response to B. BELHADJ

‎06-26-2017 05:21 PM

Hi Abdollah,

What does the export report say?

Also in the folder where you unzip the migration tool, a migration log captures all the processes/tasks in the migration tool. Please check those logs for further information.

If this is a critical problem, please open up a TAC case to debug further.

Thanks

Krishnan

0 Helpful
Customers Also Viewed These Support Documents