Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1092
Views
0
Helpful
3
Replies

migration tool from ACS to ISE is not working

mmercaldieze
Level 1
Level 1

‎06-19-2018 04:45 AM - edited ‎02-21-2020 10:58 AM

I am unable to get the migration tool working from ACS 5.8 to ISE 2.4.  I am constantly getting this error message:

Error occurred while communicating to ACS 5.x. (404)Not Found

I enabled migration on the ACS.

I added the certificate to my machine (even though I keep getting certificate errors when browsing to IE)

I added the certificate to the migration tool

 

I keep getting the following error message:

Error occurred while communicating to ACS 5.x. (404)Not Found

 

Any idea why I keep getting this?

Labels:
0 Helpful
3 Replies 3

ajc
Level 7
Level 7

‎06-19-2018 10:45 AM - edited ‎06-19-2018 10:46 AM

In order to make it easier, I configured ISE with an IP on the same VLAN as the ACS (you can change  ISE IP to the right one later) and I followed the next steps (like a checklist).

 

1.-Decide what type of migration SIMPLE or ITERATIVE - On my case, it was ITERATIVE
2.-Enable Policy Sets on ISE (check again video - manual guide)
3.-Enable Device Admin Service (check again video)
4.-Evaluation License on ISE can be used.
5.-Change Policy Set Name on ACS and change the name so they do not overlap the default ones on ISE
6.-Change Service Selection Rules Name on ACS so they do not collide with ISE default ones
7.-Compare once migrated the number of ACS:
 #devices
 #service selection rules
 #command sets
 #authorization profiles
 #internal users
8.-Use ACS superadmin account for the migration (mandatory)

9.-Add ACS and ISE self signed cert to the migration tool 

10.-DNS Entry for ACS and ISE in production
11.-Install ACS self-signed cert into the ISE Trusted Certificate list.
12.-Install ISE self-signed cert into the ACS Trusted Certificate list.
13.-Install permanent TACACS license on ISE (after the migration)
14.-Configure the LAN Switch where the Win 7 Laptop running the migration tool, the ACS and ISE will reside.

15.-From CLI, enable migration on ACS and ISE (both). Check video. 

           On ISE: application configure ISE option 11, then type 0 to exit
           On ACS: acs config-web-interface migration enable

 


C:\Program Files\Java\jre7\bin\javaw.exe

http://java.sun.com/products/autodl/j2se

0 Helpful

ajc
Level 7
Level 7

‎06-19-2018 10:48 AM

I suspect you are missing something from the checklist like step 9 - 12 or 15.

0 Helpful

ajc
Level 7
Level 7

‎06-19-2018 10:54 AM

Be aware that I migrated from 5.8 to 2.3 (2.4 is a recent release). In addition to the previous, please check the following that I posted sometime ago related to an issue with the migration that IS NOT explained in the cisco guides.

 

https://supportforums.cisco.com/t5/aaa-identity-and-nac/cannot-save-sid-values-migration-acs-5-8-to-ise-2-3-workaround/td-p/3355427

 

0 Helpful
Customers Also Viewed These Support Documents