ACS 5.3 to ISE 1.2 Migration

Hi Experts,
Good Day!
I really need help I already did some troubleshooting but the issue I'm encountering still exists.
I am trying to migrate my ACS 5.3 to ISE 1.2 using the migration tool. I'm able to extract the data from ACS; however, when I try to import it into the ISE it always shows me the error in the attached file. It is using the FQDN to detect the ISE; however, I don't have any DNS server to translate my ISE IP to an FQDN.
Please help.
Thank you.
niks

Migration Tool Installation Guidelines:
http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/migration_guide/ise_migration_guide/ise_mig_install.pdf

Similar Messages

  • ACS 5.4 to ISE 1.2 migration

    Hi,
    does somebody have an idea how to migrate users from ACS 5.4 to ISE?
    I tried with the migtool, but it's telling me that migration from ACS 5.4 is not supported.
    However, if I install the older ACS 5.1 and restore a backup from ACS 5.4, it fails because it doesn't match the installed application.
    I don't want to use a backup from the older ACS, as we have added so many users since that time ...
    Thanks for any hint.
    Karel

    Hi Karel,
    As I see this is not supported so far. What you can do is to export your users from 5.4 and import them on 5.3 then proceed with the backup and migration process.
    If you still need to go with 5.4 you better communicate the TAC. They may help you better (they may probably have a patch to fix the issue with the migration from 5.4 to ISE).
    HTH
    Amjad
    Rating useful replies is more useful than saying "Thank you"

  • ACS v4.2.1 to v5.5 migration vmware

    I am to upgrade an ACS from v4.2.1 to v5.5. The current v4.2.1 system is on VMware. It's a large migration, so I need to set up a v4.2.1 migration machine; the thought is to clone the existing production system and use the clone as the migration machine. Does that seem a reasonable idea? Has anyone done similar before?

    Sounds a good idea. But I never tried. I would like to give a try.

  • Cisco ACS to ISE Migration Tool

    HI all.
    I'm trying to migrate, in our LAB, ACS 5.3 to ISE 1.2 using the migration tool and I get this error:
    D:\migTool>migration.bat
    log4j:WARN No such property [encoding] in com.cisco.acs.positron.migration.utils.Log4jTextAreaAppender.
     INFO [main] MigrationApplicationDriver.main:56: Starting Application, in the main method......
    Exception in thread "main" org.springframework.beans.factory.BeanDefinitionStoreException: Failed to read candidate component class: file [D:\migTool\bin\com\cisco\acs\positron\migration\gui\components\treetable\JTreeTable.class]; nested exception is java.lang.ArrayIndexOutOfBoundsException: 3145
            at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:237)
            at com.cisco.acs.positron.migration.MigrationApplicationDriver.main(MigrationApplicationDriver.java:61)
    Caused by: java.lang.ArrayIndexOutOfBoundsException: 3145
            at org.springframework.asm.ClassReader.readClass(Unknown Source)
            at org.springframework.asm.ClassReader.accept(Unknown Source)
            at org.springframework.asm.ClassReader.accept(Unknown Source)
            at org.springframework.core.type.classreading.SimpleMetadataReader.<init>(SimpleMetadataReader.java:54)
            at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:80)
            at org.springframework.core.type.classreading.CachingMetadataReaderFactory.getMetadataReader(CachingMetadataReaderFactory.java:82)
            at org.springframework.core.type.classreading.SimpleMetadataReaderFactory.getMetadataReader(SimpleMetadataReaderFactory.java:76)
            at org.springframework.core.type.filter.AbstractTypeHierarchyTraversingFilter.match(AbstractTypeHierarchyTraversingFilter.java:105)
            at org.springframework.core.type.filter.AbstractTypeHierarchyTraversingFilter.match(AbstractTypeHierarchyTraversingFilter.java:76)
            at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.isCandidateComponent(ClassPathScanningCandidateComponentProvider.java:280)
            at org.springframework.context.annotation.ClassPathScanningCandidateComponentProvider.findCandidateComponents(ClassPathScanningCandidateComponentProvider.java:214)

    Migration Tool Installation Guidelines:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-1/migration_guide/ise_migration_guide/ise_mig_install.pdf

  • ACS VM version migration to ISE

    Hi,
    If a customer bought ACS on VMWare (2 x LCSACS-51-VM) in the past and are interested in migrating to ISE. They would like to consider moving 1 x LCSACS-51-VM to a similar VM based image and the other to an appliance based system. Both act as a redundant pair.
    The ordering guide seems unclear on how to handle this scenario. The customer has an SAS support contract.

    Have you already gone through this guide.
    http://www.cisco.com/en/US/docs/security/ise/1.1/migration_guide/ise_mig_undst_tool.html#wp1027036
    Should you've any specific questions regarding migration from ACS 5.x to ISE 1.x, let us know.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • ACS to ISE config issues

    Hi,
    I'm trying to migrate VPNs from ACS to ISE, but I cannot quite get used to the ISE.
    Below is a picture of my authentication rule I'd like to replicate on ISE, but so far I have had no joy. Any pointers would be greatly received.
    If the network source IP is trusted, Rule 1 is hit and the ISS is just "use AD".
    If the network source IP is untrusted, Rule 2 is hit and the ISS is just "use OTP, then AD".
    I'm not 100% on the authorisation aspect either.
    I think I want something along the lines of AD:Group/x/x/x/x and TunnelGroup xxx = Permit/Apply ACL, else Deny.
    I can pass authentication from the ASA to ISE; one thing I have noticed in the AAA report is that in the AV pairs the tunnel group name is not listed.
    Many thanks in advance
    S

    Hi
    FYI
    Cisco Secure ACS and Cisco ISE exist on different hardware platforms and have different operating systems, databases, and information models. Therefore, you cannot perform a standard upgrade from Cisco Secure ACS to Cisco ISE. Instead, the Cisco Secure ACS to Cisco ISE Migration Tool reads data from Cisco Secure ACS and creates corresponding data in Cisco ISE.
    For migrating the policies, and all other information, please visit the following link particularly the chapter 3,4,5:
    http://www.cisco.com/c/en/us/td/docs/security/ise/1-2/migration_guide/ise_migration_guide/ise_mig_preface.html

  • Can i configure a network with ACS and ISE?

    I have both ACS and ISE; how do I integrate these appliances to work together?
    Thanks

    ISE does not interoperate with Cisco Secure ACS deployments. The Cisco Identity Services Engine can work in tandem with Cisco NAC Manager to provide the same profiling service as the NAC Profiler, which has reached end-of-sale status.
    Existing Cisco Secure ACS customers using network access can easily migrate to the Cisco Identity Services Engine platform using migration part numbers and tools. However, existing Cisco Secure ACS customers using TACACS functions will not be able to migrate to the current version of ISE for network device identity management, which is often acceptable for customers who prefer to keep user and network identity on separate systems.

  • ACS migration tool fails

    Hi, running the migration tool, I receive the following request:
    Make sure that the database is running.
    ACS 4.x DB is not available, Enter ACS 4.x database password(Encrypted Password)
    With the plain database password, used during the ACS installation,  I receive a fatal error message at the end of the procedure like this: "Fatal Error !! - cannot connect to ACS 4.x DB !!"
    Where can I find the ACS encrypted database password ?
    Following the migration log:
    10-07-2011 11:41:31 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
    10-07-2011 11:46:52 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle
    10-07-2011 11:58:08 JavaUtils.isAttachmentSupported(JavaUtils.java:1308) WARN - Unable to find required classes (javax.activation.DataHandler and javax.mail.internet.MimeMultipart). Attachment support is disabled.
    10-07-2011 11:58:28 ACS4Connector.checkDBConnectivity(ACS4Connector.java:137)FATAL -  Fatal Error !! - cannot connect to ACS 4.x DB !!
    java.sql.SQLException: [Sybase][ODBC Driver][Adaptive Server Anywhere]Invalid user ID or password
    at ianywhere.ml.jdbcodbc.IDriver.makeODBCConnection(Native Method)
    at ianywhere.ml.jdbcodbc.IDriver.connect(IDriver.java:354)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at java.sql.DriverManager.getConnection(Unknown Source)
    at com.cisco.nm.acs.mgmt.migration.ACS4Connector.getConnecter(ACS4Connector.java:66)
    at com.cisco.nm.acs.mgmt.migration.ACS4Connector.checkDBConnectivity(ACS4Connector.java:133)
    at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.runExport(MigrationApplicationCLI.java:605)
    at com.cisco.nm.acs.mgmt.migration.MigrationApplicationCLI.main(MigrationApplicationCLI.java:266)
    I'm running the migration tool on a clone VMware machine, from the console.
    thank you in advance

    Hello, I have the same issue: the migration utility can get the ACS 4.x database password, and entering the correct password does not change the error message: "05-07-2014 16:19:41 MigrationApplicationCLI.getUserInformation(MigrationApplicationCLI.java:953)ERROR - Could not Invoke ACS 4 Password read system.Error at C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c line 1265, API calle"
    It seems that somewhere in the scripts there is a hard-coded path to "C:\Work\ACS5x\ccweb_views\dgash_acs5_0_lenovo\vob\nm_acs\acs\mgmt\migration\DbPassword\Password.c".
    I tried to search within the files in the migration utility directory, but with no success.
    Does anybody know the answer?
    regards
    Thomas

  • ACS 4.x server migration

    Hi Guys,
    We have an ACS 4.x server which we are migrating to a new Windows machine. Due to a standards requirement, the new ACS will be installed in a separate directory on the new machine.
    I would like to know if there are any potential issues that I should be aware of while doing the database migration from one machine to another.
    For example, the database could point to the original directory for logs, and replication could fail on the new machine since the original directory path does not exist in the new server installation.
    Appreciate your inputs..

    Once you installed ACS on the new machine, you should be able to restore a backup of the database from the original ACS, if you have any problems with this please open a TAC case and we'll help you out.

  • ISE : Machine/user ActiveDirectory group retrieving

    Hello,
    We are migrating our ACS 5.1 to ISE 1.0.4.
    - On ACS we were doing 802.1X authentication against an Active Directory, assigning the VLAN according to the computer/user group. In some cases the user VLAN could be different from the computer VLAN (e.g. an admin account connecting on a user's computer). This works great with ACS.
    I tested the same function with ISE and the behaviour is a bit different :
    - When the computer boot, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the Authorization profile is well applied according to the AD group.
    - When the user login, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the one belonging to the computer not the user. So the authorization profile is the one from the computer not the user.
    It seems that the AD group attributes are not well updated :
    - AD logs show the second authentication doesn't engage a new group parsing from AD
    - Shutting down the switch port while the user is logged in triggers a new authentication, and the AD groups are then updated correctly.
    - The Bug Toolkit references the same bug, but for WLC: CSCto83897. So I suspect it's present in other cases too.
    The NAS is Catalyst 3750 12.2.58(SE2)
    Thanks much for your reply.

  • ISDN Authorization with RADIUS using ISE 1.1.2

    Hi,
    I am trying to move my ISDN dial-up branches' authentication/authorization from the old ACS 4.1 to the ISE appliance. Before, it was through ACS 4.2 with the TACACS protocol, but now, since we are moving to ISE, we are moving them to ISE with RADIUS.
    The problem is that the ISDN client gets authenticated and authorized, but the calls get dropped and they are not able to communicate with HO. The IP address is assigned by the head-end router to all remote ISDN dialing branches.
    I have used the default "PermitAccess" in the authorization policy, and the authentication policy is also the default. I don't understand where I am going wrong, as authentication and authorization are successful.
    Below is the router configuration for AAA:
    aaa authentication ppp default group radius local
    aaa authentication network default group radius
    aaa accounting network default start-stop group radius
    radius-server host 12.18.22.41
    radius-server key *****
    Can anyone help with this?

    CoA is not needed, nor supported, for ISDN AAA; I used ACS 3.3 for this a long time ago. I think you should do some debugging if ISE does not give you any errors.
    Try doing some debug aaa / debug radius & deb ppp nego. If your calls are authenticated and an IP is assigned to the calling router, you should see some disconnect reason in the debug.

  • ACS 5.2 Authentication Issue with Local & Global ADs

    Hi I am facing authentication issue with ACS 5.2. Below is AAA flow (EAP-TLS),
    - Wireless Users >> Cisco WLC >> ADs <-- everything OK
    - Wireless Users >> Cisco WLC >> ACS 5.2 >> ADs <-- problem
    Last time I tested with ACS, it worked but didn't do migration as there'll be changes from ADs.
    Now my customer wants ACS migration by creating new Group in AD, I also update ACS config.
    For the user from the old group, authentication is ok.
    For the user from the new group, authentication fails. With subject not found error, showing the user is from the old group.
    It seems like ACS is querying from old records (its own cache or database). I already restarted the ACS, but it is still the same error.
    Can anyone advise on how to troubleshoot the issue?
    Note: My customer can only access their local ADs (trusted by Global ADs). Local ADs & ACS are in the same network, ACS should go to local AD first.
    How can we check or make sure it?
    Thanks ahead,
    Ye

    Hello,
    There is an enhancement request open already:
    http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte92062
    ACS should be able to query only desired DCs
    Symptom:
    Currently on 5.0 and 5.1, the ACS queries the DNS with the domain, in order to get a list of all the DCs in the domain and then tries to communicate with all of them. If the connection to even one DC fails, then the ACS connection to the domain is declared as failed. A lot of customers are asking for a change on this behavior.
    It should be possible to define which DCs to contact and/or make ACS interpret DNS Resource Records registered by the Active Directory Domain Controller to facilitate the location of domain controllers. Active Directory uses service locator, or SRV, records. An SRV record is a new type of DNS record described in RFC 2782, and is used to identify services located on a Transmission Control Protocol/Internet Protocol (TCP/IP) network.
    Conditions:
    Domain with multiple DCs where some are not accessible from the ACS due to security/geographic constraints.
    Workaround:
    Make sure ALL DCs are UP and reachable from the ACS.
    At the moment, we cannot determine which Domain Controller on the AD the ACS will contact. The enhancement request will include a feature with which we can specify the appropriate Domain Controllers the ACS should contact in an AD Domain.
    Hope this clarifies it.
    Regards.
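The SRV-based domain controller location that the bug note describes, together with the "only desired DCs" allow-list the enhancement request asks for, as an added example (not Cisco's code or the ACS implementation). The records below are a constructed answer for _ldap._tcp.dc._msdcs.example.corp, and the selection follows RFC 2782's priority/weight rules.

```python
"""Added example: RFC 2782 SRV target ordering for locating AD domain
controllers, plus a model of the ACS 5.0/5.1 'all DCs must be reachable'
behaviour versus the requested allow-list. Not part of the forum thread."""
import random
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Constructed SRV answer for _ldap._tcp.dc._msdcs.example.corp (hypothetical domain).
RECORDS = [
    SrvRecord(0, 100, 389, "dc1.example.corp."),
    SrvRecord(0, 100, 389, "dc2.example.corp."),
    SrvRecord(10, 0, 389, "dc-remote.example.corp."),   # a DC behind a firewall
]


def order_srv_targets(records, seed=None):
    """Return records in the order a client should try them (RFC 2782):
    lower priority first; within one priority, weight-0 records are listed
    first and a random number in 0..sum(weights) picks the first record whose
    running weight sum reaches it, repeating with the remainder."""
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = sorted((r for r in records if r.priority == prio),
                      key=lambda r: r.weight != 0)
        while pool:
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    pool.remove(r)
                    break
    return ordered


def contact_order(records, allowed=None, seed=None):
    """(host, port) tuples to contact, optionally restricted to the DCs an
    administrator wants ACS to use (the feature the bug note asks for)."""
    ordered = order_srv_targets(records, seed)
    if allowed is not None:
        ordered = [r for r in ordered if r.target.rstrip(".") in allowed]
    return [(r.target.rstrip("."), r.port) for r in ordered]


def domain_connect_status(records, reachable, allowed=None):
    """Model of the symptom in the bug note: without an allow-list, ACS tries
    every DC from the SRV lookup and declares the domain failed if any one is
    unreachable; with an allow-list only the listed DCs count."""
    targets = {r.target.rstrip(".") for r in records}
    if allowed is not None:
        targets &= set(allowed)
    unreachable = sorted(targets - set(reachable))
    return ("failed", unreachable) if unreachable else ("ok", [])


if __name__ == "__main__":
    up = {"dc1.example.corp", "dc2.example.corp"}      # constructed reachability
    print(contact_order(RECORDS, seed=1))
    print(domain_connect_status(RECORDS, up))          # failed: dc-remote down
    print(domain_connect_status(RECORDS, up, allowed=up))  # ok with allow-list
```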

  • ISE Wired Central Web Authentication no url redirect

    We are setting up ISE for wired guest access but are having trouble with the client being redirected. The switch gets the download from ISE and shows that it should use the URL redirect with the correct ACL.
    ISEtest3560#show authentication sessions interface fastEthernet 0/2
                Interface:  FastEthernet0/2
              MAC Address:  001d.09cb.78bd
               IP Address:  Unknown
                User-Name:  00-1D-09-CB-78-BD
                   Status:  Authz Success
                   Domain:  DATA
          Security Policy:  Should Secure
          Security Status:  Unsecure
           Oper host mode:  multi-auth
         Oper control dir:  both
            Authorized By:  Authentication Server
               Vlan Group:  N/A
                  ACS ACL:  xACSACLx-IP-ISE-Only-52434fbe
         URL Redirect ACL:  ACL-WEBAUTH-REDIRECT
             URL Redirect:  https://REMOVED.Domain.corp:8443/guestportal/gateway?sessionId=0A0003E600000039064485B1&action=cwa
          Session timeout:  N/A
             Idle timeout:  N/A
        Common Session ID:  0A0003E600000039064485B1
          Acct Session ID:  0x00000293
                   Handle:  0x95000039
    Runnable methods list:
           Method   State
           dot1x    Failed over
           mab      Authc Success
    From the client pc I can get name resolution for anything I ping.  I also can ping the ise server by name.  The ACL that is downloaded it as follows:
    Extended IP access list xACSACLx-IP-ISE-Only-52434fbe (per-user)
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit ip any host 10.4.37.91
        40 deny ip any any log
    Extended IP access list ACL-WEBAUTH-REDIRECT
        10 deny udp any eq bootpc any eq bootps
        20 deny udp any any eq domain
        30 deny ip any host 10.4.37.91
        40 permit tcp any any eq www (13 matches)
        50 permit tcp any any eq 443
        51 permit tcp any any eq 8443
        60 deny ip any any
    The machine passes the authentication with MAB and hits the CWA authorization profile; ISE shows the client as "Pending", then the next entry above that in the log is the dACL getting pushed to the switch. Could part of the issue be that the device shows Unknown for the IP address? The command ip device tracking is in the switch:
    ISEtest3560#show running-config | include tracking
    ip device tracking
    ISEtest3560#
    We have 802.1x clients working and the IP address for those do show up..
    Please advise,
    Thanks,
    Joe

    ISEtest3560#show ip access-lists interface fastEthernet 0/2       
    ISEtest3560#
    Doesn't appear the dacl is being applied. 
    interface FastEthernet0/2
    switchport access vlan 11
    switchport mode access
    ip access-group ACL-DEFAULT in
    authentication event fail action next-method
    authentication event server dead action reinitialize vlan 999
    authentication event server alive action reinitialize
    authentication host-mode multi-auth
    authentication open
    authentication order dot1x mab webauth
    authentication priority dot1x mab webauth
    authentication port-control auto
    authentication violation restrict
    mab
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree guard root
    Extended IP access list ACL-DEFAULT
        10 permit udp any eq bootpc any eq bootps
        20 permit udp any any eq domain
        30 permit icmp any any
        40 permit udp any any eq tftp
        41 permit ip any host 10.4.37.91
        50 deny ip any any log (1059 matches)
    Could the dACL be causing the issue with the Unknown, or is the Unknown causing the issue with the dACL?
    Thanks,
    Joe
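Before suspecting the switch, a practitioner would verify that the two ACLs Joe pasted agree with each other: the dACL must let the client reach the PSN's guest portal (tcp/8443) and DNS, while the redirect ACL must exempt that same portal traffic (a "deny" in a redirect ACL means "do not redirect") yet capture ordinary HTTP/HTTPS. The following first-match ACL evaluator is an added example, not from the thread or from Cisco; the ACL text is copied from the post with hit counters dropped, and the client and destination addresses are constructed.

```python
"""Added example: first-match evaluator for IOS extended ACLs, used to cross-check
the dACL and URL-redirect ACL from the CWA post. Supports 'any', 'host A.B.C.D'
and 'A.B.C.D WILDCARD' sources/destinations and an optional 'eq <port>'."""
import ipaddress
import re

# Constructed copies of the two ACLs shown in the post (counters removed).
DACL = """
10 permit udp any eq bootpc any eq bootps
20 permit udp any any eq domain
30 permit ip any host 10.4.37.91
40 deny ip any any log
"""
REDIRECT_ACL = """
10 deny udp any eq bootpc any eq bootps
20 deny udp any any eq domain
30 deny ip any host 10.4.37.91
40 permit tcp any any eq www (13 matches)
50 permit tcp any any eq 443
51 permit tcp any any eq 8443
60 deny ip any any
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53, "www": 80, "tftp": 69}


def _parse_addr(tok, i):
    """Return ((network, wildcard), next_index) for one address spec."""
    if tok[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok[i] == "host":
        return (int(ipaddress.IPv4Address(tok[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(tok[i])),
            int(ipaddress.IPv4Address(tok[i + 1]))), i + 2


def _parse_port(tok, i):
    """Optional 'eq <port>' qualifier; returns (port_or_None, next_index)."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1], None) or int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    """Parse numbered ACE lines into (action, proto, src, sport, dst, dport)."""
    aces = []
    for line in text.strip().splitlines():
        line = re.sub(r"\(\d+ matches\)", "", line)      # drop hit counters
        tok = [t for t in line.split() if t != "log"]   # 'log' does not affect matching
        if not tok or not tok[0].isdigit():
            continue                                     # skip headers / blank lines
        action, proto = tok[1], tok[2]
        src, i = _parse_addr(tok, 3)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        aces.append((action, proto, src, sport, dst, dport))
    return aces


def _addr_match(rule, ip):
    net, wc = rule
    return (ip & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF)


def evaluate(aces, proto, src, sport, dst, dport):
    """First matching ACE wins; IOS appends an implicit 'deny ip any any'."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, rproto, rsrc, rsport, rdst, rdport in aces:
        if rproto not in ("ip", proto) or not (_addr_match(rsrc, s) and _addr_match(rdst, d)):
            continue
        if (rsport is not None and rsport != sport) or (rdport is not None and rdport != dport):
            continue
        return action
    return "deny"


def check_cwa_acls(dacl_text, redirect_text, psn_ip, client_ip="192.0.2.10"):
    """The consistency checks described in the lead-in; every value should be True."""
    dacl, redir = parse_acl(dacl_text), parse_acl(redirect_text)
    web = "198.51.100.7"   # constructed external web server
    return {
        "portal_allowed_by_dacl": evaluate(dacl, "tcp", client_ip, 51000, psn_ip, 8443) == "permit",
        "dns_allowed_by_dacl": evaluate(dacl, "udp", client_ip, 51000, "192.0.2.53", 53) == "permit",
        "portal_exempt_from_redirect": evaluate(redir, "tcp", client_ip, 51000, psn_ip, 8443) == "deny",
        "http_redirected": evaluate(redir, "tcp", client_ip, 51000, web, 80) == "permit",
        "https_redirected": evaluate(redir, "tcp", client_ip, 51000, web, 443) == "permit",
    }
```

If every check passes, the ACLs are not the culprit, which points back at the session itself; the later "show ip access-lists interface" output showing no per-user ACL, with the IP still Unknown, is consistent with the dACL never being bound to the session.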

  • Guest authentication in ISE

    Hi All,
    We have two SSIDs in the WLC. We are planning that users of both SSIDs have to be authenticated through ISE by web auth.
    One SSID's users will be authenticated via guest accounts created by a sponsor. The other SSID needs to be authenticated against an AD user group.
    So, in ISE, is it possible to create two separate rules for the SSIDs?
    Thanks!
    TS.

    Hi Vijay,
    I am not an ISE guy, but from my understanding to the concept of the policy model on which the ISE is based I can say "yes. It is possible".
    You need to create two different identity sources based on which SSID the user is connecting.
    If a user is connecting to SSID1 then check credentials locally.
    If a user is connecting to SSID2 then check credentials on AD.
    HTH
    Amjad
    p.s: the term "identity source" is from Cisco ACS 5.x. in ISE you may have same or different name but with same concept.
    Rating useful replies is more useful than saying "Thank you"

  • New ISE PSN Does Not Do Anything

    Hello,
    In my Cisco ISE deployment, I have:
    - 1 Primary Admin / Secondary Monitoring Server
    - 1 Secondary Admin / Primary Monitoring Server
    - 1 Policy Server (up and running without any issues)
    - 1 Policy Server (the one that has a problem right now).
    After having reimaged it from ACS 5.2 to ISE 1.1.4.218, I registered it as a Policy Service Node. This was done successfully.
    The Administration -> Deployment interface on the primary admin node shows that the PSN sync is COMPLETE.
    However, no authentications are done on this server, and the Home page of the primary server shows a greyed icon with "No data available".
    Any idea ?
    Many thanks,
    David

    Hi,
    The full replication is running fine without error.
    I saw that on my primary administration server, I have the status of all my deployment. And it shows the following:
    - the first ISE server I added to the cluster has the "services" field to All
    - the new ISE server I added to the cluster has the "services" field to "SESSION".
    If I click on it, I can indeed see that the Profiler Service is not ticked, only the Session is ticked. However, when I registered my new server, I am 100% sure to have ticked the Profiler and the Session services, because I did it twice already.
    However, I cannot tick it now because the option is grayed out.
    May that be the issue ? How to enable that now ?
    Many thanks,
    David
