
Migration from ACS 5.8 to ISE 2.6

as00001111
Level 1

Hi guys,

Do you favor migrating ACS 5.8 to ISE 2.6, or would you do a clean configuration of ISE?

Has anyone done the migration? Is it smooth? Would you recommend it?

Thank you!

4 Replies

Arne Bier
VIP

It all depends. If you have many ACS servers and tens of thousands of devices and really complex policies, then perhaps it's a good tool for these kinds of jobs.

I once used the migration tool years ago and I realised that by the time I had finished fighting through all the options, I was better off doing the following (which worked well in my case):

Log into ACS and

  • export the Devices to .CSV
  • export the Internal Users (if any) to .CSV

Then build the ISE server with a different IP to the ACS (if you can afford this step it's highly recommended). Create the policies etc. in ISE, import the devices and the internal users and then migrate one device over to test.

It's a good way to learn how ISE works while you still have the chance - in future you will need to administer the system - and if you simply rely on a migration tool then you will most likely not understand what it has done on your behalf. Plus, if I recall correctly, it makes up its own naming conventions.

Hi!

What do you mean by internal users?

I have a lot of MAC addresses for MAB in ACS (Users and Identity Stores -> Internal Identity Stores -> Hosts).

Is there a possibility to migrate them to a new ISE system (without the migration tool)?

Exactly as you mentioned. Internal users means identities that exist in ISE for the purpose of RADIUS or TACACS authentication. These credentials can be exported and imported using CSV and possibly some shifting of columns in Excel to conform to the ISE template. Download the ISE template to see what it requires for the input.
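The column shifting described in this reply can also be scripted instead of done in Excel. The following is an added example, not part of the original thread or any Cisco tooling: it reads a constructed ACS host export, normalises the MAC addresses, sets aside duplicates and partial entries for manual review, and writes rows in the column order of the ISE template. The column names, the colon-separated MAC form and the sample rows are assumptions; take the real header from your own export and the template you downloaded.

```python
import csv
import io
import re

# Constructed sample of an ACS "Hosts" export; column names are assumptions.
ACS_EXPORT = """MACAddress,Description,IdentityGroup
00-11-22-AA-BB-CC,Lobby printer,All Groups:Printers
0011.22aa.bbcc,Duplicate of lobby printer,All Groups:Printers
00:11:22:33:44:55,Badge reader,All Groups:IoT
00-11-22-*,Wildcard entry,All Groups:IoT
"""

# Assumed target header; replace with the header row of the ISE template you downloaded.
ISE_HEADER = ["MACAddress", "Description", "IdentityGroup"]
# Assumed mapping: ISE template column -> ACS export column.
COLUMN_MAP = {"MACAddress": "MACAddress", "Description": "Description", "IdentityGroup": "IdentityGroup"}

def normalise_mac(raw):
    """Return AA:BB:CC:DD:EE:FF, or None if raw is not exactly 12 hex digits."""
    digits = re.sub(r"[-:.\s]", "", raw).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def convert(acs_csv, header=ISE_HEADER, column_map=COLUMN_MAP, mac_col="MACAddress"):
    """Return (ise_csv_text, rejected_rows); rejected rows need manual review."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, lineterminator="\n")
    writer.writeheader()
    seen, rejected = set(), []
    for row in csv.DictReader(io.StringIO(acs_csv)):
        mac = normalise_mac(row[column_map[mac_col]])
        if mac is None:
            rejected.append((row, "not a full MAC address"))
        elif mac in seen:
            rejected.append((row, "duplicate of " + mac))
        else:
            seen.add(mac)
            new = {col: row.get(column_map[col], "") for col in header}
            new[mac_col] = mac  # write the normalised form, not the raw one
            writer.writerow(new)
    return out.getvalue(), rejected

if __name__ == "__main__":
    text, rejected = convert(ACS_EXPORT)
    print(text)
    for row, reason in rejected:
        print("REVIEW:", dict(row), "->", reason)
```
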

Damien Miller
VIP Alumni
I've leveraged the ACS migration tool to migrate a number of deployments. I would recommend it if the existing ACS deployment is even the slightest bit complex/large. It can save so many hours of rebuilding command sets, profiles, and authentication/authorization rules.

There are two things I can complain about with the ACS migration tool. The first is that sometimes the logic isn't migrated in a clean way. Once you have completed the migration, you need to manually audit and correct the AND/OR statements in the RADIUS and TACACS rule sets. Not the end of the world, just know that this is a post-migration task; it's still easier than rebuilding all the rules from scratch.

The second issue is the initial setup of the tool itself and the fact it doesn't just ignore certificate issues. You need root/admin access to both deployments to enable the migration CLI option. Hopefully that is a relatively easy one to get past. The tool is very picky about certificates, so make sure that both the ACS and ISE deployments have web GUI certs that aren't expired. I wish the tool would just ignore certificate warnings, but alas it doesn't. Import the root/intermediate certs that signed ISE/ACS into the tool, make sure that the certs for the web GUI are still valid/not expired, and you should be good to go.

I recommend the ACS to ISE migration tool.