rmartini
Beginner

Migration from ACS 5.x to ISE for TACACS

Good afternoon,

I'm working on a migration of TACACS+ from ACS 5.x to ISE 2.x.

There are over 25k devices in the network.

The current deployment of ACS has 1 primary to manage all the cluster and 6 secondary.

All logs are sent directly from the secondaries to Splunk.

Questions on ISE vs ACS behaviour?

1- are the accounting logs in the same format?

2- is it possible to send the logs from the PSN to Splunk bypassing the MnT node? The MnT function is not used anyway.

thanks

R.

1 ACCEPTED SOLUTION

kthiruve
Cisco Employee

Hi Raffaello,

To answer your question,

1. These are in syslog format, but the fields used should be the same since these fields are part of the TACACS+ protocol.

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSNs send these records to MnT. You can configure a remote logging target for these in ISE so that ISE forwards them to Splunk. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also, I am not sure why you need this.

For ACS to ISE migration, please use the ACS to ISE Migration community, which has details with answers to top-of-mind questions, differences between ACS and ISE, demos, how-to docs, etc.

Thanks

Krishnan
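
The field parity described in answer 1 can be checked against samples from both platforms before cutover. The script below is an added example, not part of the original post or of any Cisco tooling; the log lines, the `SAMPLE_ACCT` tag and the name=value layout are constructed assumptions, to be replaced with records captured from your own ACS and ISE nodes.

```python
import re

# Constructed sample lines, NOT real ACS or ISE output. Assumed layout: syslog
# header, then comma-separated name=value pairs named after TACACS+ accounting
# attributes. The differences are deliberate so that every check fires.
ACS_LINES = [
    "<181>Jan 10 12:00:01 acs-sec1 SAMPLE_ACCT user=alice, port=tty1, "
    "rem_addr=198.51.100.7, task_id=42, service=shell, priv-lvl=15, cmd=show version",
    "<181>Jan 10 12:00:09 acs-sec1 SAMPLE_ACCT user=alice, port=tty1, "
    "rem_addr=198.51.100.7, task_id=42, service=shell, elapsed_time=8",
]
ISE_LINES = [
    "<181>Jan 10 12:00:01 ise-psn1 SAMPLE_ACCT User=alice, port=tty1, "
    "rem_addr=198.51.100.7, task_id=42, service=shell, priv-lvl=15, "
    "cmd=show version, session_id=a1b2",
]

PAIR = re.compile(r"([\w-]+)=([^,]*)")

def parse_attrs(line):
    """Return {name: value} for every name=value pair in one syslog line."""
    return {name: value.strip() for name, value in PAIR.findall(line)}

def field_names(lines):
    """Union of attribute names seen across a set of sample lines."""
    names = set()
    for line in lines:
        names.update(parse_attrs(line))
    return names

def field_parity(old_lines, new_lines):
    """Compare attribute names; case-only renames are reported separately
    because Splunk field names are case-sensitive."""
    old, new = field_names(old_lines), field_names(new_lines)
    new_by_lower = {n.lower(): n for n in new - old}
    case_changed = {o: new_by_lower[o.lower()]
                    for o in old - new if o.lower() in new_by_lower}
    return {
        "case_changed": case_changed,
        "missing_in_new": sorted((old - new) - set(case_changed)),
        "added_in_new": sorted((new - old) - set(case_changed.values())),
    }

if __name__ == "__main__":
    for kind, detail in field_parity(ACS_LINES, ISE_LINES).items():
        print(kind, detail)
```

Any name reported under `missing_in_new` or `case_changed` points at a Splunk search, extraction or alert that needs review before the ACS feed is switched off.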


2 REPLIES

2. From the network devices, you can forward the syslogs to any destination as an alternative. PSNs send these records to MnT. You can configure a remote logging target for these in ISE so that ISE forwards them to Splunk. AFAIK there is no capability per PSN to just send out the logs to Splunk. Also, I am not sure why you need this.


2 reasons

  1. This is a global deployment and the PSNs will be on different continents. The customer has separate Splunk clusters on a per-GEO basis, and it makes sense to send, say, the US logs to the US Splunk, etc.
  2. They are creating all sorts of services with the data coming from the logs. If the MNS is the node in charge of forwarding everything to Splunk, then it becomes a single point of failure - one more thing to look after for the customer.

