Need to configure Identity store sequence in ISE as the bottom half will not be migrated to ISE from ACS.

techie21
Level 1

Hi, I am trying to do a migration from ACS 5.8 to ISE 2.4. I am doing the Policy Gap Analysis at the moment and, as per the MigTool, for the Identity Store Sequence only the top half will be migrated to ISE; the bottom half will not. Because ISE already supports LDAP and Active Directory attributes, it needs to be configured in a different way, and these attributes need to be added as inline conditions in ISE.

Here is one of the messages I am getting in MigTool:
The Identity Store Sequence object 'Object Name' contains: Internal Users as an additional attribute retrieval search lists. Which is not supported by ISE, so the following attribute retrieval search lists are ignored.

I watched the instructional video https://www.youtube.com/watch?v=psY0dOB9D-g but can't find the hidden slides mentioned in the video at timecode 19:13:
"LDAP attributes, the only thing is you need to configure it in a different way and you can add these attributes as inline condition in ISE, so I have some hidden slides in this click-through demonstration; you can take a look at it at your leisure."

Can anyone help please?

7 Replies

paul
Level 10

I don't use the migration tool for any of my ACS to ISE migrations. Can you post a screenshot of the ISS you are trying to migrate and where it is used in the Access Policies?

Thanks for getting back:

Here is the screenshot of one ISS (there are a few like this):

ISS.PNG

And the MigTool gives this Warning:
Object Type: Identity Source Sequences
==========================================
> 2018.11.12 09:23:45'063 : The Identity Store Sequence object 'ISS OBJECT' contains: Internal Users as an additional attribute retrieval search lists. Which is not supported by ISE, so the following attribute retrieval search lists are ignored.
> 2018.11.12 09:23:45'191 : The Identity Store Sequence object 'AD_Internal___ID_Store_Seq' contains: _TISS as an additional attribute retrieval search lists. Which is not supported by ISE, so the following attribute retrieval search lists are ignored.

> 2018.11.12 09:23:45'461 : The Identity Store Sequence object 'Internal_AD___ID_Store_Seq' contains: _TISS as an additional attribute retrieval search lists. Which is not supported by ISE, so the following attribute retrieval search lists are ignored.

If you look at the authorization rules for the access policies that are using that ISS, what attributes from the internal user database are being used in the rules? Are there shadow internal user accounts that match AD accounts that have values in them used by the rules?

We have RADIUS access and TACACS access. I checked the authorization rules (Rule1 is for RADIUS, Rule2 is for TACACS); under Identity I found a few of the ISS. Attaching screenshot.

Please advise. Appreciate your help. Have a tight deadline.

If you need quick support, please call the TAC.

I have called and opened a ticket last week. Doesn't seem to be quick enough though.

If you can help, would be appreciated. Thanks.

ISE does not have a visible option of setting the additional group retrieval attributes. However, if you have the same user in the internal store and on the Active Directory and if you have an authorization policy configured to look for attributes on the AD or the internal store, then ISE will evaluate them irrespective of the Identity store you choose in the authentication policy.