Table of Contents
Introduction  4
  Background  4
Planning your Migration  6
  ACS vs ISE Feature Comparison  6
    ACS vs ISE underlying differences  6
  Migration Paths  7
    Migration from 5.x to ACS 5.5/5.6/5.7/5.8  7
    Migration from ACS 4.x to ACS 5.x  8
  Deployment considerations  8
    ACS vs ISE deployment comparison  8
      Simple 2 Node deployment – ACS vs ISE  9
      ACS vs ISE Distributed deployment  9
  What should my topology design for TACACS+ be?  11
    Device Administration model  12
    Deployment options  12
  How do I scale my PSNs for the deployment?  15
  Licensing  15
  How do I size my ISE VMs/hardware for log retention?  16
    Log retention and sizing MnT hard disks  16
    What happens if my logging requirements exceed the example?  16
Prepare your Migration  18
  Configuration Maps and Exceptions  18
  Staging Environment for Migration  22
  Migration tool requirements  23
    Installation and configuration of the Migration Tool  23
  Supported/Unsupported objects for migration  24
  Preparation for Migration from Cisco Secure ACS, Release 5.5+  24
Migration process (assisted with Migration Tool)  26
  Exporting configuration  27
  Policy Gap Analysis  28
  Importing configuration  29
  Verifying migration of access policies  30
Cisco Systems © 2017 Page 2
SECURE ACCESS HOW-TO GUIDES
Introduction
This document provides partners, Cisco field engineers and TMEs with a guide to planning an ACS to ISE migration. It also gives the procedure for migrating from Cisco Secure Access Control System (ACS) to Identity Services Engine (ISE). ISE 2.1 and above supports migration from ACS 5.5/5.6/5.7/5.8; ISE 2.0 supports migration from ACS 5.5 or ACS 5.6 only. Earlier ACS versions must be upgraded to one of these versions before migrating to ISE 2.x.
This document has three broad sections for performing an ACS to ISE migration:
Planning your migration
Prepare your migration
Migration process
The Planning your migration section covers the feature comparison and the underlying differences between ACS and ISE. It provides options for topology design and device administration models to help scale PSNs, and a step-by-step guide to planning hardware capacity that meets IT audit requirements for log retention in the new ISE environment.
The Prepare your Migration section includes best practices and operational steps to prepare for the migration. It contains configuration maps that point to the location of each functional configuration in ACS and ISE, call out the exceptions encountered when migrating from ACS to ISE, and give ways to fix them. It also covers creating a staging environment for the migration and preparing the migration tool.
The Migration process section is the core of the document: it gives the step-by-step procedure to export the configuration, fix policy gaps and import the configuration into ISE, iterating until the migration succeeds.
Background
Cisco Secure Access Control System (ACS) is a centralized identity and access policy solution that ties together an enterprise's network access policy and identity strategy. Cisco Secure ACS operates as a RADIUS and TACACS+ server, combining user authentication, user and administrator device access control, and policy control in a centralized identity networking solution.
Cisco ISE is a consolidated policy-based access control system that incorporates a superset of the features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
Consolidates the network access functionality of ACS and ties it together with profiling and posture compliance.
On-boards mobile devices using secure BYOD (Bring Your Own Device) flows.
Provides comprehensive guest access management for Cisco ISE administrators.
Enforces endpoint compliance with comprehensive client provisioning.
Discovers, profiles, places (policy-based) and monitors endpoint devices on the network.
Employs advanced enforcement capabilities with TrustSec using Security Group Tags (SGTs).
Facilitates TACACS+-enabled device administration through its Work Center. The Work Center menu contains a workflow for TACACS+ configuration, which acts as a single starting point for ISE administrators.
For TACACS+, ISE 2.x has a Device Administration work center that gives the administrator a guided workflow for configuring the device administration functionality. The migration tool can be downloaded directly from the work center to your Windows machine to perform the migration between ACS and ISE. ISE provides robust reporting of TACACS+ authentication, authorization, accounting and command accounting; ISE 2.3 added a further set of reports to bring this functionality on par with ACS.
ISE 2.3 also added IPv6 support for TACACS+ and support for IP ranges in all four IPv4 octets.
Policy Sets in ISE vs Access Service + Service Selection Policy in ACS:
ISE 2.x has a rule-based policy model like ACS 5.x, organized into policy sets. Each policy set has an entry criterion that filters incoming requests; matching requests are then evaluated against that policy set's Authentication and Authorization policies.
In ACS, access services let you create a service policy structure by service type (RADIUS, TACACS+ or external proxy), each containing an Identity and an Authorization policy. A Service Selection Policy provides the criteria for selecting the right access service. An access service is selected based on conditions, and one or more Service Selection Rules can point to the same service.
In ISE, you must enable Policy Sets in the ISE UI under Administration > System > Settings > Policy Sets to make them available on the Policy menu for RADIUS.
4. Unsupported rule elements: ISE does not support certain elements that appear in ACS rules or conditions. These include unsupported attributes used by the policy, unsupported AND/OR condition structures (mainly once complex conditions are configured) and unsupported operators. For example, ACS allows a mix of AND and OR in the compound condition of an authorization policy rule, whereas ISE 2.0 through ISE 2.2 supports either AND or OR, not both, in an authorization condition. Such policies will not be migrated. The ACS authorization policy must be analyzed and split, with additional rules added, before migration. For the complete list of unsupported rule elements, see Appendix D.
Migration Paths
ISE 2.0 supports migration from ACS 5.5 or ACS 5.6 only.
ISE 2.1+ supports migration from ACS 5.5, 5.6, 5.7 and 5.8.
Follow the link for the detailed procedure for migrating to ACS 5.8. The upgrade paths for the ACS 5.x versions are listed below. ACS 5.5 and later releases in each path support migration to ISE; earlier releases must first be upgraded along the path.
ACS 5.0 -> ACS 5.2 -> ACS 5.4 -> ACS 5.6 -> ACS 5.7 or ACS 5.8
ACS 5.1 -> ACS 5.3 -> ACS 5.5 -> ACS 5.6 or ACS 5.7 or ACS 5.8
ACS 5.2 -> ACS 5.4 -> ACS 5.6 -> ACS 5.7 or ACS 5.8
ACS 5.3 -> ACS 5.5 -> ACS 5.6 or ACS 5.7 or ACS 5.8
ACS 5.4 -> ACS 5.6 -> ACS 5.7 or ACS 5.8
ACS 4.x releases covered by the ACS 4.x to 5.x migration:
ACS 4.1.1.24
ACS 4.1.4
ACS 4.2.0.124
ACS 4.2.1
See the ACS 4.x to 5.x migration document for details on the architecture and the migration choices based on your configuration sets.
Deployment considerations
ISE supports a standalone deployment for smaller networks. For larger networks, ISE supports a distributed deployment for services including network access, profiling, BYOD, guest, posture compliance and TrustSec. ISE 2.x also provides the TACACS+ service for device administration and audit control, supporting 30k network device objects in ISE 2.0 and 100k network devices in ISE 2.1+ in a single deployment.
In an ISE deployment, each persona can run on a dedicated node, with separate Administration, Monitoring and Policy Services nodes, or personas can be combined as shown in Figure 2 below. The Policy Services Node provides the AAA services, including RADIUS and TACACS+. The Policy Services persona evaluates the policies and makes all the decisions in an ISE deployment; more than one node can assume this persona.
ACS supports robust replication, both full synchronization and incremental replication. As the number of ACS instances scales up for a large deployment, a dedicated syslog server is recommended; a single ACS deployment supports up to 22 ACS instances.
(Figure: ACS database replication – master download and incremental replication.)
Note: In a distributed deployment, the delay (latency) between ISE nodes should be less than or equal to 200 ms for ISE 2.0 and lower (300 ms for ISE 2.1+) for successful node communication and replication. For TACACS+ the latency requirement may be relaxed.
The fully distributed topology requires the datacenters to be connected with high-speed, low-latency links. With ISE 2.1, a maximum of 50 PSNs with 2 PANs and 2 MnTs is supported, with a maximum of 500,000 endpoints across the PSNs (250k endpoints for ISE 2.0). Policy Services Nodes in the same location can be placed in a node group (cluster), which helps with high availability in case of PSN failures; this is useful for services such as profiling.
Appendix A compares the deployment limits of ACS and ISE and can be used as a reference when deciding how to scale your deployment.
Tip: If you want to combine TACACS+ device administration and RADIUS in the same deployment, dedicating nodes to the TACACS+ service may be the best option for a large organization, so that user services cannot impact device admin services and vice versa.
For a programmatic device admin model (scripts logging in to network devices), dedicated PSNs for the Device Admin service are recommended.
For a human device admin model, where individual administrators log in manually and manage network devices, consider the following example:
20 concurrent device admin sessions @ 1 command/s = 40 TPS (one command authorization + one accounting record per command)
In this scenario it is acceptable to run the Device Admin service on PSNs that also run the other core endpoint services.
If you expect a much higher level of activity, a much larger number of concurrent admins or transactions, then consider dedicating PSNs.
Note: Organizational requirements and security policies such as "separation of device admin and user access control" may dictate dedicated PSNs for the Device Admin function, or even an isolated ISE deployment that separates RADIUS and TACACS+ control.
Deployment options
There are three ways to deploy TACACS+/RADIUS services with ISE, in either a simple or a distributed deployment: a dedicated deployment, dedicated PSNs, or an integrated deployment, as described below. Each has its own pros, cons and use cases.
A dedicated deployment has separate ISE deployments for RADIUS and TACACS+. Each has its own Administration Node (PAN) for managing policies, users/groups, network devices and so on, its own Monitoring Node (MnT) for the TACACS+ or RADIUS logs, and its own Policy Services Nodes serving only TACACS+ or only RADIUS.
Dedicated PSNs means that the Administration Node and Monitoring Node are shared, managing policies, policy elements, logging and other configuration for both TACACS+ and RADIUS, but separate PSNs handle the incoming TACACS+ and RADIUS requests; the PSNs are not shared.
Finally, in an integrated deployment all node types (Administration, Monitoring and Policy Services) are shared between the RADIUS and TACACS+ services, giving one integrated deployment for your entire network.
The following summarizes the first option, the dedicated deployment (a separate TACACS+ deployment with its own PAN, MnT and PSNs).
Cons: Separate ISE deployments to maintain. Cost of the additional PAN and MnT nodes for the second deployment.
Use cases: Large deployments where IT is managed by different groups; provides total ownership.
Companies whose ACS deployments are already separate for TACACS+ and RADIUS for a reason.
Environments where separation of network access and device admin users is critical, because of a high rate of user authentications for network access, high-profile users or IT policy requirements.
A device administration model that uses scripts extensively and generates large amounts of logs for IT audit.
To plan and run your ACS to ISE migration, you need to perform several steps. This document guides you through the steps required for your type of customer, deployment needs and so on.
Step 1 Choose the deployment model that fits your needs based on the information in the section above.
Step 2 Choose the type of deployment (2 Node Dedicated vs. Simple or fully distributed) based on the Deployment considerations section.
From Appendix C (TACACS+ transactions, logs and storage), select the Device Administration model that matches your environment to determine the transactions per second (TPS) generated by the TACACS+ controls you use: authentication, session authorization, accounting, command accounting only, or everything. Pay attention to the peak TPS for that model.
Then refer to Appendix B and the table at its bottom for the peak TPS supported by each appliance to choose the hardware for the PSNs. Remember to scale the PSNs for redundancy, location/geography and the other factors outlined in the ACS vs ISE Distributed deployment section above.
Tip: Pay attention to the TACACS+ performance figures in Appendix B for dedicated and shared deployments; they are the key to determining the number of PSNs. Remember that all other transactions happen once per TACACS+ session, except for command authorization and command accounting, which happen once per command.
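The sizing arithmetic from the steps above, as an added worked example (this calculator is not part of the Cisco guide or the migration tool). It reproduces the guide's human model (20 admins x 1 command/s, command authorization + command accounting = 40 TPS) and extends it to the other Appendix C controls: per-session transactions are counted once per login, per-command transactions once per command. The per-PSN peak TPS value used in main() and the scripted-model figures are placeholders, not numbers from Appendix B; substitute the appliance figure for your dedicated or shared mode.

```python
"""Added example (not from the Cisco guide): a TACACS+ sizing calculator
for the Device Administration models discussed above.

Per TACACS+ session, authentication and session authorization (plus
accounting start/stop, if enabled) happen once; command authorization
and command accounting happen once per command.  PLACEHOLDER_TPS_PER_PSN
is a placeholder, not an Appendix B figure.
"""
from dataclasses import dataclass
from math import ceil


@dataclass(frozen=True)
class DeviceAdminModel:
    concurrent_sessions: int         # admins or scripts logged in at peak
    commands_per_second: float       # issued per open session
    new_sessions_per_second: float   # logins per second at peak (0 at steady state)
    command_authorization: bool = True
    command_accounting: bool = True
    session_accounting: bool = True  # accounting start/stop records per session


def peak_tps(m: DeviceAdminModel) -> float:
    """Peak TACACS+ transactions per second for one model."""
    # Once per session: authentication + session authorization,
    # plus an accounting start and stop record if enabled.
    per_session = 2 + (2 if m.session_accounting else 0)
    # Once per command: authorization and/or accounting record.
    per_command = int(m.command_authorization) + int(m.command_accounting)
    return (m.new_sessions_per_second * per_session
            + m.concurrent_sessions * m.commands_per_second * per_command)


def psns_required(tps: float, tps_per_psn: float, spare: int = 1) -> int:
    """PSNs needed to carry the peak load, plus `spare` nodes so the
    deployment survives that many PSN failures (N+spare)."""
    if tps_per_psn <= 0:
        raise ValueError("tps_per_psn must be positive")
    return ceil(tps / tps_per_psn) + spare


# The guide's human model: 20 admins x 1 command/s x (authz + acct) = 40 TPS.
HUMAN = DeviceAdminModel(concurrent_sessions=20, commands_per_second=1.0,
                         new_sessions_per_second=0.0)

# A programmatic model (constructed figures): scripts opening 10 sessions/s
# while 200 open sessions each issue 5 commands/s, everything accounted.
SCRIPTED = DeviceAdminModel(concurrent_sessions=200, commands_per_second=5.0,
                            new_sessions_per_second=10.0)

if __name__ == "__main__":
    PLACEHOLDER_TPS_PER_PSN = 500.0  # replace with the Appendix B figure
    for label, model in (("human", HUMAN), ("scripted", SCRIPTED)):
        tps = peak_tps(model)
        n = psns_required(tps, PLACEHOLDER_TPS_PER_PSN)
        print(f"{label}: {tps:.0f} TPS -> {n} PSNs (N+1)")
```

Running the script prints the two models; the scripted model works out to 2040 TPS, which is the kind of load the guide says should go to dedicated PSNs rather than share nodes with the endpoint services.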
Licensing:
When migrating from an ACS deployment on a 35xx appliance, a legacy appliance or a VM, use the ISE ordering guide for licensing information; see its 'Migration appliance ordering information' section for your specific needs.
TACACS+ functionality requires a perpetual license (the Device Administration license) for the entire ISE deployment, and there is no migration license for it. You also need a minimum number of Base licenses (for example, a Base license for 100 endpoints) to access the TACACS+ UI functionality and turn on the TACACS+ service.
To expand the ISE deployment beyond TACACS+, use the ordering guide mentioned above as a reference; see its 'Cisco ISE migration Licenses' and 'License consumption' sections for more information.
Users and Identity Stores:
ACS 5 Element | ISE Element | Exceptions and Fixes

ACS 5 Element: Users and Identity Stores > Internal Identity Stores > Users
ISE Element: Administration > Identity Management > Identities > Users
Exceptions and Fixes: Account disable policy and Password type are not supported in ISE 2.0 (supported in ISE 2.1). Disable password hashing for users if using ACS 5.7/5.8. Naming constraints: a valid User or User Identity Group name can contain alphanumeric and ~@#$&*_+.- characters; if using ISE 2.0/2.1, fix names during policy gap analysis.

ACS 5 Element: Users and Identity Stores > Identity Groups
ISE Element: Administration > Identity Management > Groups > User Identity Groups
Exceptions and Fixes: Same naming constraints as users.

ACS 5 Element: Enable Password option: Users and Identity Stores > Internal Identity Stores > Users (Create User)
ISE Element: Enable Password option: Work Centers > Device Administration > Identities > Users (Add Users)
Exceptions and Fixes: Check the password policy for defaults, password history and password lifetime.

ACS 5 Element: Users and Identity Stores > Internal Identity Stores > Hosts
ISE Element: Administration > Identity Management > Identities > Endpoints
Exceptions and Fixes: Wildcards are not supported in ISE. A valid MAC address consists of six octets separated by ':', '.' or '-'; valid octets contain 0-9, a-f or A-F only.

ACS 5 Element: Users and Identity Stores > External Identity Stores
ISE Element: Administration > Identity Management > External Identity Sources
Exceptions and Fixes: Description, RSA instance file and Display RSA missing secret will not be migrated. The RSA sdopts.rec file and secondary information are not migrated.

ACS 5 Element: Users and Identity Stores > Certificate Authorities
ISE Element: Administration > System > Certificates > Certificate Management > Trusted Certificates
Exceptions and Fixes: Migration not supported.

ACS 5 Element: Users and Identity Stores > Certificate Authentication Profile
ISE Element: Administration > Identity Management > External Identity Sources > Certificate Authentication Profile
Exceptions and Fixes: Name constraints: a valid name can contain alphanumeric and underscore (_) characters. If using ISE 2.0/2.1, fix name mismatches in ACS.

ACS 5 Element: Users and Identity Stores > Identity Store Sequence
ISE Element: Administration > Identity Management > Identity Source Sequences
Exceptions and Fixes: Additional attribute retrieval is not supported in ISE. See 1 for more details.
Policy Elements:
ACS 5 Element | ISE Element | Exceptions and Fixes

ACS 5 Element: Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles
ISE Element: Policy > Policy Elements > Results > Authorization Profiles
Exceptions and Fixes: Unique name required. Name conflicts (shared namespace in ISE).

ACS 5 Element: Policy Elements > Authorization and Permissions > Named Permission Objects > Downloadable ACL
ISE Element: Policy > Policy Elements > Results > Downloadable ACL
Exceptions and Fixes: Unique name required.

ACS 5 Element: Policy Elements > Device Administration > Shell Profiles
ISE Element: Work Centers > Device Administration > Policy Results > TACACS Profiles
Exceptions and Fixes: No Callback Verify, No Hangup, Callback Line and Callback Rotary are not supported in ISE. Unique name required. Recommend using a prefix for Device Admin authorization results.

ACS 5 Element: Policy Elements > Device Administration > Command Sets
ISE Element: Work Centers > Device Administration > Policy Results > TACACS Command Sets
Exceptions and Fixes: Unique name required.
Access Policies:
ACS 5 Element ISE Element Exceptions and Fixes
System Administration:
ACS 5 Element ISE Element Exceptions and Fixes
Step 10 If your configuration object is not in the lists above, consult the complete data mapping of objects supported for migration between ACS and ISE 2.0. Familiarize yourself with it so that you understand the gaps and the results during and after the migration process.
Download the migration tool by entering the following URL in the browser address bar: https://<hostname-or-hostipaddress of ISE>/admin/migTool.zip
Alternatively, navigate to Work Centers > Device Administration > Overview and click the migration tool link in the Prepare section to download it.
Each ISE version requires its own version of the migration tool. If you are using ISE 2.2 or above, go to the software download center for your specific ISE version and download the matching migration tool.
The tool assists with configuration migration from ACS 5.5+ to ISE 2.x. It is supported on both Windows and Linux machines. For a large deployment, make sure the machine has at least 2 GB of RAM and 1 GB of free disk space to run the migration. The migration tool is a Java application (JRE 7 or later; earlier JREs are not supported) and runs on the supported Windows and Linux platforms.
Tip: The root CA certificate that signed the ACS server certificate restored on the staging ACS server needs to be added to the migration tool.
Step 19 Enable the migration interface in ACS and ISE with the following commands from the CLI.
Step 20 The migration tool uses the DNS host name (FQDN in ISE) to establish communication with ACS and ISE, so the hostnames of the ACS and ISE machines must be DNS-resolvable.
Tip: Make sure there is a DNS entry for each hostname so it resolves properly. Use the hostname, not the IP address, in the tool's dialog box when importing or exporting. This hostname must match the name in the server certificate.
Step 21 If DNS resolution does not work, create an entry in the hosts file on your Windows machine (C:\Windows\system32\drivers\etc\hosts). Make sure the DN in the certificate matches the hostname and IP address entries in that hosts file.
Note: You may get an error message if any of the above is incomplete. Also make sure the ACS service is running with a compatible license.
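A pre-flight check for Steps 20-21, added here as an example (it is not part of the Cisco guide or the migration tool). The tool connects by hostname and accepts the server only if that name matches the server certificate, so the script resolves the name the way the tool will and compares it against the certificate's CN and DNS SANs, printing the names the certificate actually carries so you know whether to fix DNS, the hosts file or the certificate. The hostnames, the CA file path and the sample certificate dict are constructed placeholders.

```python
"""Added example, not part of the Cisco guide: check that the hostname you
will type into the migration tool resolves and matches the CN or a DNS SAN
of the ACS/ISE server certificate.

check_cert_matches() works on the dict shape returned by
ssl.SSLSocket.getpeercert(), so it can be exercised offline against
SAMPLE_CERT (constructed).  fetch_peer_cert() does the live fetch,
trusting the root CA you also load into the tool's Settings tab.
"""
import socket
import ssl

# Constructed certificate in getpeercert() form: CN plus two DNS SANs and
# one IP SAN (IP SANs are ignored, as the tool matches on the hostname).
SAMPLE_CERT = {
    "subject": ((("commonName", "ise-pan.example.com"),),),
    "subjectAltName": (("DNS", "ise-pan.example.com"),
                       ("DNS", "*.lab.example.com"),
                       ("IP Address", "10.1.1.5")),
}


def cert_names(cert: dict) -> list[str]:
    """CN(s) and DNS SANs of a getpeercert()-style dict, lowercased."""
    names = [value for rdn in cert.get("subject", ())
             for key, value in rdn if key == "commonName"]
    names += [value for key, value in cert.get("subjectAltName", ())
              if key == "DNS"]
    return [n.lower() for n in names]


def _match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: '*' is honoured only as the entire
    leftmost label and never matches a bare second-level domain."""
    p, h = pattern.split("."), hostname.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(h) > 2 and p[1:] == h[1:]
    return p == h


def check_cert_matches(cert: dict, hostname: str) -> bool:
    """True if hostname matches the CN or a DNS SAN (case-insensitive,
    trailing dot ignored, IP literals never match)."""
    hostname = hostname.lower().rstrip(".")
    return any(_match(name, hostname) for name in cert_names(cert))


def resolve(hostname: str) -> list[str]:
    """Addresses the hostname resolves to (DNS or hosts file); [] if none."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(hostname, 443)})
    except socket.gaierror:
        return []


def fetch_peer_cert(hostname: str, ca_file: str, port: int = 443) -> dict:
    """Fetch the server certificate, requiring a chain to ca_file (the root
    CA that signed the ACS/ISE server certificate).  Hostname checking is
    left to check_cert_matches() so a mismatch is reported with the names
    the certificate carries instead of as a bare handshake failure."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False           # we report the names ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # but still require a trusted chain
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()     # parsed dict; populated because verified


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # live check: <hostname> <root-ca.pem>
        host, ca = sys.argv[1], sys.argv[2]
        ips = resolve(host)
        print(f"{host} resolves to {ips or 'NOTHING: fix DNS or the hosts file'}")
        if ips:
            cert = fetch_peer_cert(host, ca)
            verdict = "match" if check_cert_matches(cert, host) else "MISMATCH"
            print(f"certificate names {cert_names(cert)} -> {verdict}")
    else:  # offline demonstration against the constructed certificate
        for name in ("ise-pan.example.com", "psn1.lab.example.com", "10.1.1.5"):
            print(f"{name}: {check_cert_matches(SAMPLE_CERT, name)}")
```

Run it once per ACS and ISE host before opening the tool (for example `python precheck.py acs-stage.example.com acs-root-ca.pem`, both names being placeholders); an address that resolves but a certificate whose names do not include the hostname is exactly the case Step 21 and Step 37 warn about.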
Warning: It is recommended to build a dedicated temporary ACS machine for staging the migration. Do not use the production environment.
Migrate Cisco Secure ACS, Release 5.5+ configuration data only when Policy Set mode is enabled in Cisco ISE, Release 2.0. Enable Policy Sets in the ISE UI under Administration > System > Settings > Policy Sets.
Migrate onto a fresh installation of Cisco ISE, Release 2.x.
Generate one policy set per enabled rule in the Service Selection Policy (SSP) and order them according to the order of the SSP rules.
We recommend that you do not switch to Simple mode after a successful migration from Cisco Secure ACS, because you might lose all the migrated policies in Cisco ISE. Those migrated policies cannot be retrieved, although you can switch back to Policy Set mode from Simple mode.
Note: The service that results from the Service Selection Policy default rule in ACS becomes the default policy set in Cisco ISE, Release 2.0. All policy sets created by the migration use the first-match matching type: the first matching policy set is applied.
Step 23 It is important to understand the differences between Service Selection Policies in ACS and policy sets in ISE. The policy set migration guidelines provide a list of pre-migration considerations to help migrate access services and service selection rules from ACS to ISE.
The migrated objects are grouped into containers such as Policy Elements. Click a container to open it and view the objects migrated.
Every container has a progress bar. The objects under each container have a green status bar showing the status of the import or export.
The Count shows the number of objects imported or exported.
The Warnings and Errors counts appear if there is a warning or error during the import or export phase of the migration.
Clicking the error/warning count opens the corresponding report.
The Policy Gap Analysis report shows the gaps between the ACS and ISE policies found during the import/export process.
The Import Reports and Export Reports buttons open the corresponding reports, used to understand and analyze errors and warnings from the import and export phases.
The Settings tab is used for importing CA certificates and for the migration's default settings. Do not change the default settings unless absolutely necessary.
The Log console displays the activity log, which tracks the tool's progress and issues warnings and errors. It is stored in the migration.txt file under the migTool folder.
Migration is an iterative process consisting of three phases: exporting the configuration, gap analysis, and finally the import. The export needs to be repeated, since exceptions and errors may appear during export; take corrective action based on the exceptions listed in the reports.
Exporting configuration:
Warning: You cannot use NAT between the migration machine and the ACS 5.x server.
Step 24 Use the tables after Step 9 to understand the object types before exporting objects from ACS. Click the 'Export from ACS' button to start the export.
Step 25 Type in the ACS host name, admin user name and password, and click Connect.
Step 26 Observe the progress of the export via the progress bars per container and per individual object. The time taken by the export depends greatly on the configuration size and the number of entities being exported.
Note: The migration tool exports or imports all supported objects in one pass and lists the gaps and errors where an object is not supported in ISE, where ISE already has the object, where the character set is not supported, and so on. You cannot stop the migration tool midway; however, you can exit it and it should resume from where it stopped.
Step 27 To get more information about a warning or an error that occurred during the export process, click any link under the 'Warnings' or 'Errors' column on the Migrations tab. The 'Object Errors and Warnings Details' window displays the details of each warning or error during export: the object group, the type, and the date and time of the warning or error.
Step 28 The data export may take a long time depending on the configuration; with a large number of network devices (for example 15k) it will take up to 4-5 hours. When the export has completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the status 'Exporting finished'.
Note: It has been observed that sometimes the progress bars for all objects show complete but the export status does not change to 'Export finished'. In that case, open the export report and check the export status at the bottom of the report before proceeding.
Step 29 Open the export report by clicking the Export Report(s) button shown in the screenshot above. The export report contains the information needed for gap analysis.
==========================================
Object Type: Users
==========================================
> 2016.01.27 18:24:56'561 : 'america\sample.adm' will not be exported because the name contains
special characters or space that are not supported by ISE.
The valid name can contain alphanumeric and ~@# $&*_+.- characters
==========================================
Object Type: Certificate Authentication Profile
==========================================
> 2016.01.27 18:24:57'996 : 'CN Username' will not be exported because the name contains space or
special characters that are not supported by ISE.
The valid name can contain alphanumeric and underscore(_)
==========================================
Object Type: Authorization Profiles
==========================================
> 2016.01.27 18:30:49'605 : 'DenyAccess': will not be exported because it is predefined in ISE.
> 2016.01.27 18:30:49'621 : 'Deny Access' will not be exported because the name contains special
characters that are not supported by ISE.
The valid name can contain alphanumeric, space and !@#$%&()-_+{};'<>.?/~ characters
Note: During the policy export, the migration tool records this information in the policy gap analysis report. Object names that are not compatible with ISE 2.0/ISE 2.1 will not be processed, so the policies and rules that depend on them cannot be imported either; partial configurations are not allowed.
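Because an incompatible name blocks the whole policy import, it pays to catch such names before the export rather than one export cycle at a time. The following pre-export check is an added example (not from the Cisco guide or the migration tool); it applies the naming rules the export report above prints and the "unique name" and "shared namespace" notes from the Policy Elements configuration map. The allowed character sets are copied from the report. Two readings are assumptions: the space printed inside the user-name set ('~@# $&*_+.-') is treated as a separator, since the same report rejects a user name for containing a space; and RADIUS authorization profiles and TACACS profiles are treated as sharing one results namespace, which is the reason the map recommends prefixing device-admin results. PermitAccess is listed alongside DenyAccess as a result predefined in ISE. The object names in main() are constructed.

```python
"""Added example, not from the Cisco guide or the migration tool: apply the
export report's naming rules to ACS object names before exporting.

Assumptions (see lead-in): the user-name set has no space; TACACS profiles
follow the authorization-profile rule and share its namespace.
"""
import string

_ALNUM = set(string.ascii_letters + string.digits)

# Allowed characters per object type, from the export report text.
ALLOWED = {
    "Users": _ALNUM | set("~@#$&*_+.-"),
    "User Identity Groups": _ALNUM | set("~@#$&*_+.-"),
    "Certificate Authentication Profile": _ALNUM | set("_"),
    "Authorization Profiles": _ALNUM | set(" !@#$%&()-_+{};'<>.?/~"),
    # Assumed to follow the same rule as authorization profiles.
    "TACACS Profiles": _ALNUM | set(" !@#$%&()-_+{};'<>.?/~"),
}

# Results that already exist in a fresh ISE install; the tool skips them.
PREDEFINED = {"Authorization Profiles": {"DenyAccess", "PermitAccess"}}

# Object types assumed to share one results namespace in ISE.
SHARED_NAMESPACE = ("Authorization Profiles", "TACACS Profiles")


def bad_chars(obj_type: str, name: str) -> list[str]:
    """Characters in name that the export would reject for this object type."""
    return sorted({c for c in name if c not in ALLOWED[obj_type]})


def suggest_name(obj_type: str, name: str) -> str:
    """Rename proposal: each unsupported character becomes '_', which every
    allowed set above accepts."""
    return "".join(c if c in ALLOWED[obj_type] else "_" for c in name)


def check_names(objects: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """objects maps object type -> names as configured in ACS.
    Returns (object type, name, problem) tuples; an empty list means the
    names themselves will not produce export warnings."""
    findings = []
    for obj_type, names in objects.items():
        seen = set()
        for name in names:
            if not name.strip():
                findings.append((obj_type, name, "empty name"))
                continue
            bad = bad_chars(obj_type, name)
            if bad:
                findings.append((obj_type, name,
                                 f"unsupported characters {''.join(bad)!r}; "
                                 f"rename to {suggest_name(obj_type, name)!r}"))
            if name in PREDEFINED.get(obj_type, ()):
                findings.append((obj_type, name, "predefined in ISE; will be skipped"))
            if name in seen:
                findings.append((obj_type, name, "duplicate name within type"))
            seen.add(name)
    # Cross-type collisions in the assumed shared results namespace.
    radius, tacacs = (set(objects.get(t, ())) for t in SHARED_NAMESPACE)
    for name in sorted(radius & tacacs):
        findings.append(("/".join(SHARED_NAMESPACE), name,
                         "same name used for a RADIUS and a TACACS result; "
                         "prefix the TACACS profile"))
    return findings


if __name__ == "__main__":
    # Constructed sample mirroring the export report above.
    sample = {
        "Users": ["america\\sample.adm", "jdoe"],
        "Certificate Authentication Profile": ["CN Username", "CN_Username"],
        "Authorization Profiles": ["DenyAccess", "NetAdmin", "Guest-Wireless"],
        "TACACS Profiles": ["NetAdmin", "ReadOnly"],
    }
    for obj_type, name, problem in check_names(sample):
        print(f"[{obj_type}] {name!r}: {problem}")
```

Feed it the names from the ACS staging server (for example, from the object lists in the ACS UI or a CSV export) and rename the flagged objects in ACS, as the configuration map directs, before re-running the export; the suggested names keep the original readable while staying inside each type's allowed set.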
Step 32 Review the parity gaps observed per configuration set between ACS and ISE. Some of these can be reconciled; for others an alternate method must be chosen. See the tables from Step 9 for details on fixing the parity gaps. Future versions of ISE are expected to close the gaps. Sample reconciliation behavior for Network Devices/Network Device Groups is shown below.
Warning: The migration tool migrates all the policies when they are all compatible; it will not migrate any of the policies if one or more are incompatible. Make sure to fix every access policy error found by analyzing the policy gap report.
Step 33 Once the errors and warnings have been reviewed and corrected, start the export process again (go back to the Exporting configuration section above). Go through the policy gap analysis again, make sure it is clean after reviewing all exceptions, and then go to the next step.
Importing configuration:
Step 34 Connect to the target ISE 2.x node using its FQDN and start importing the configuration into ISE. Click the 'Import to ISE' button shown in the screenshot above to start the import. During the import, the migration tool creates a report that can be opened from the menu. Generally, if the ACS configuration is clean, the import process does not produce any errors.
Step 35 In the LDAP Identity Store drop-down list, select the identity store to which you want to add attributes, and click Add Attribute. These attributes will be imported from the ID store during migration. Alternatively, click Cancel to skip adding LDAP attributes, skip the next step and continue from Step 37.
Step 36 Enter a name in the Attribute Name field, choose an attribute type from the Attribute Type drop-down list, enter a value in the Default Value field, and click Save & Exit.
Step 37 When you have finished adding attributes, click Import to ISE, enter the Cisco ISE Fully Qualified Domain Name (FQDN), username and password in the ISE Credentials window, and click Connect. The migration tool checks that the Hostname/FQDN matches the CN in the server's SSL certificate and shows an error if it does not. Make sure the DNS hostname of ISE is the same as the CN of the certificate in use.
Step 38 The data import takes time to complete depending on the configuration. When the import has completed, the Cisco Secure ACS to Cisco ISE Migration Tool window displays the status 'Importing finished'.
Step 39 To view a complete report on the imported data, click Import Report(s).
Step 40 To get more information about a warning or an error that occurred during the import process, click any underlined number in the Warnings or Errors column on the Migrations tab.
Step 41 To analyze the policy gap between Cisco Secure ACS and Cisco ISE, click Policy Gap Analysis Report.
Step 42 At any time, click View Log Console to display a real-time view of the export or import operations.
Warning: If you have multiple ACS deployments and are merging them into ISE, the migration tool will only add
configuration, not merge it, with the exception of network devices. Even for network devices, if there are two separate
deployments, one for RADIUS and another for TACACS+, the migration tool will add the configuration to the same entry.
This may change in the future. It is highly recommended to start the import on a clean ISE configuration.
Upon completion, review the results in the ISE 2.x UI for consistency and integrity. All policies have to be
based on existing rules, which in turn should produce existing and logically sound results, e.g. shell profiles,
command sets and authorization profiles.
Note: It is highly recommended to check the policy order and security logic at this point and change it in ISE. More
specific policies, e.g. those matching specific user names, usually allow access; default policies usually deny access.
Step 43 Once the migration is complete and successful, take an ISE backup of all the configuration imported
from ACS and name it suitably.
Rule 1 from the Service Selection policy will be migrated to Policy > Policy Sets as a new Policy Set for
RADIUS (see the screenshot below). Rule 2 will be migrated to Work Centers > Device Administration >
Device Admin Policy Sets in the TACACS+ work center, as shown below.
In ACS, a Service Selection policy results in an access service. For example, Rule 4 for TACACSAMERICAS in the
screenshot above resulted in "PA-AMERICAS Network Device" as the access service. Every access service consists of
two parts, Identity and Authorization. As an example, we show how Rule 4 from the screenshots above was migrated from
ACS to ISE.
Identity Rule in ACS
The next screenshot, from ISE 2.0, shows how the ACS rules were translated into ISE Policy Sets after migration.
This example is a sample of a real-world configuration, though the same idea applies to a set of rules of any
complexity.
RADIUS Access policies: RADIUS access policies can be verified the same way; however, for RADIUS flows the
policy will have a different network access protocol. The authorization policy shown in the screenshot above will be
mapped to an Authorization Profile instead of command sets and shell profiles. In the ISE UI, go to Policy > Policy
Sets for this.
External Proxies: Use the following steps when adding an external proxy server or verifying its configuration.
For RADIUS:
1. Create/verify the external RADIUS server configuration under Administration > Network Resources > External
RADIUS Servers in the ISE UI.
2. Verify that the Access Services with service type "external proxy" in ACS are migrated to Administration >
Network Resources > RADIUS Server Sequences in ISE. In ACS, go to Access Services and click
the external proxy policy to see the configuration.
3. Verify that the Service Selection Rules from ACS for the external proxy are migrated to Policy > Policy Sets in ISE.
Adding a proxy sequence is part of the authentication policy in the ISE UI. You can create one by editing the authentication
policy, clicking the "Allowed Protocols" drop-down for the authentication policy, clicking RADIUS Server Sequence
and selecting the correct name.
(Screenshots: Step 1, Step 2)
For TACACS+:
1. Verify that the external TACACS+ server and the TACACS+ Server Sequences have entries in the ISE UI under Work
Centers > Device Administration > Network Resources. Check that the Access Services with service
type "external proxy" in ACS are migrated to TACACS+ Server Sequences.
2. For the TACACS+ proxy sequence, go to Work Centers > Device Administration > Policy Sets and look under the policy set
criteria. Make sure Proxy Sequence is selected and the correct TACACS+ Server Sequence entry is chosen
from the drop-down.
(Screenshots: Step 1, Step 2)
Note: It is very important to estimate the number of simultaneous connections that might be established to a single ISE PSN
in order to avoid TCP socket starvation.
Step 44 This is a post-migration activity to improve TACACS+ efficiency for chatty devices. Create a list of chatty
network devices and enable single connect mode for them with the TACACS+ draft option enabled, as
shown in the screenshot above.
Step 45 ISE allows you to export and import the "Network Devices" list. Export the existing network device list as a
CSV file. Open the CSV file in Microsoft Excel or another spreadsheet application.
Step 46 Change the value of the column 'TACACS:Connect Mode Options:String
(OFF|ON_LEGACY|ON_DRAFT_COMPLIANT)' for the listed chatty devices to
"ON_DRAFT_COMPLIANT". Save the file as CSV.
Step 47 Import this CSV into ISE. The export and import process takes time depending on the number of network devices.
Be patient while importing or exporting large sets of devices.
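Steps 45 to 47 can be done without hand-editing a large spreadsheet. The following script is an added example, not part of this guide or of ISE: it rewrites only the connect-mode column for the named devices, reports any device from the chatty list that is not in the export, and tallies the modes so the re-exported file can be checked after import. The connect-mode column header is taken from Step 46; the "Name" and "IP Address" column names and the three device rows are constructed for the sample, not a claim about the real export layout.

```python
import csv
import io

# Column header exactly as the guide quotes it from the ISE network-device
# CSV export. The other two column names are assumptions for the constructed
# sample; a real export has more columns, all passed through untouched.
CONNECT_MODE_COL = ("TACACS:Connect Mode Options:String "
                    "(OFF|ON_LEGACY|ON_DRAFT_COMPLIANT)")
NAME_COL = "Name"          # assumed column name
VALID_MODES = ("OFF", "ON_LEGACY", "ON_DRAFT_COMPLIANT")

# Constructed sample export (not a real ISE file).
SAMPLE_EXPORT = (
    f"{NAME_COL},IP Address,{CONNECT_MODE_COL}\n"
    "core-sw-01,10.0.0.1/32,OFF\n"
    "edge-rtr-07,10.0.1.7/32,ON_LEGACY\n"
    "lab-ap-03,10.0.9.3/32,OFF\n"
)


def set_connect_mode(csv_text, chatty_devices, mode="ON_DRAFT_COMPLIANT"):
    """Rewrite the connect-mode column for the named devices only.

    Returns (new_csv_text, changed_names, names_not_found) so the operator
    can confirm every chatty device was actually present in the export.
    """
    if mode not in VALID_MODES:
        raise ValueError(f"unknown connect mode {mode!r}")
    reader = csv.DictReader(io.StringIO(csv_text))
    if CONNECT_MODE_COL not in reader.fieldnames:
        raise ValueError("export is missing the TACACS connect-mode column")
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    pending, changed = set(chatty_devices), []
    for row in reader:
        name = row[NAME_COL]
        if name in pending:
            pending.discard(name)
            if row[CONNECT_MODE_COL] != mode:
                row[CONNECT_MODE_COL] = mode
                changed.append(name)
        writer.writerow(row)          # untouched rows are written as-is
    return out.getvalue(), changed, sorted(pending)


def mode_counts(csv_text):
    """Tally connect modes; run on the re-exported file to verify the import."""
    counts = {m: 0 for m in VALID_MODES}
    for row in csv.DictReader(io.StringIO(csv_text)):
        counts[row[CONNECT_MODE_COL]] += 1
    return counts
```

Run `set_connect_mode` on the exported file, write the returned text to a new CSV for import, and treat a non-empty names_not_found list as a naming mismatch to resolve before importing.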
Step 48 Take an ISE backup of all the configuration imported from ACS and name it suitably. The ISE configuration
can be restored into production with the backup/restore process in the ISE software. While doing this, make
sure the ISE versions and patch levels are the same in your staging and production systems.
Note: For CA-signed certificates, make sure you create the server certificates in advance based on the number
of servers, including PAN, MnT and PSNs.
Step 49 FINAL STEPS: Once the ISE server (PAN) is in production, install the additional nodes (MnT and PSNs)
and allow them to replicate.
Step 50 Change the TACACS+ and/or RADIUS configuration on a few network devices to point to the ISE server
(Policy Service Node) during normal business hours for a few days. Watch for any inconsistencies before
changing the configuration on the next set of network devices. Move the network devices
from ACS to ISE in batches to avoid disruptions.
Step 51 Once you have successfully moved all the network devices to the ISE server, monitor your daily TACACS+
log size for the first two months and tune it based on the traffic needs.
See the 'What happens if my logging requirements exceeds the example?' section of this document for
recommendations on log size considerations.
Attributes | ACS 5.x Limits | ISE 2.0 Limits | ISE 2.1 Limits | ISE 2.2 Limits
Nodes | 22 | 44 (2 PANs, 2 MnTs, 40 PSNs) | 54 (2 PANs, 2 MnTs, 50 PSNs) | 54 (2 PANs, 2 MnTs, 50 PSNs)
Endpoints | 150,000 | 250,000 concurrent endpoints; 1M total endpoints | 500,000 concurrent sessions (not specific to Endpoints or Users); 1.5M total endpoints | 500,000 concurrent sessions (not specific to Endpoints or Users); 1.5M total endpoints
Users | 300,000 | 25,000 Internal Users; 1 million Internal Guests | 300,000 Internal Users | 300,000 Internal Users
Admins | 50 | - | - | -
Admin Roles | 9 | - | - | -
Identity Groups | 1,000 | 500 (User), 500 (Endpoint ID) | 500 (User), 500 (Endpoint ID) | 500 (User), 500 (Endpoint ID)
Active Directory Join Points per node | 1 join point | 50 | 50 | 50
Active Directory Group Retrieval | 1,500 | 1000 | 1000 | 1000
Network Devices | 100,000; 150,000 (35xx) | 30,000 (network objects, not IPs) | 100,000 | 100,000
Network Device Groups | 10000 | 100 | 100 | 100 (10k in ISE 2.3)
Network Device Hierarchies | 6 | - | - | - (6 in ISE 2.3)
Services | 25 | - | - | -
Authentication Rules | - | 100 | 100 | 100 (Simple mode); 200 (Policy set mode: 2 rules + default)
Authorization Rules | 320 | 600 (<100 recommended) | 600 | 600 (Simple mode); 700 (Policy set mode)
Conditions | 8 | 8 | 8 | 8
Max Concurrent RADIUS Sessions / TACACS+ TPS by Deployment Model and Platform
Deployment Model | Platform | Max #PSNs: Integrated / Dedicated PSNs (RADIUS + TACACS+) | Max RADIUS Endpoints per Deployment | Max TACACS+ TPS (Integrated / dedicated T+ PSNs)
Standalone (all personas on same node; 2 nodes redundant) | 3415 | 0 | 5,000 | 50
 | 3495 | 0 | 10,000 | 50
 | 3515 | 0 | 7,500 | 50
 | 3595 | 0 | 20,000 | 50
Basic Distributed (Admin + MnT on same node; Integrated / Dedicated PSNs; minimum 4 nodes redundant) | 3415 as Admin+MnT | **5 / 3+2 | 5,000 | 100 / 500
 | 3495 as Admin+MnT | **5 / 3+2 | 10,000 | 100 / 1,000
 | 3515 as Admin+MnT | **5 / 3+2 | 7,500 * | 100 / 1,000
 | 3595 as Admin+MnT | **5 / 3+2 | 20,000 * | 100 / 1,500
Fully Distributed (Dedicated Admin and MnT nodes; Integrated / Dedicated PSNs; minimum 6 nodes redundant) | 3495 as Admin and MnT | **40 / 38+2 | 250,000 | 1,000 / 2,000
 | 3595 as Admin and MnT | *50* / 48+2 | 500,000 * | 1,000 / 3,000
** Device Admin service enabled on the same PSNs also used for RADIUS, OR dedicated RADIUS and T+ PSNs.
* Under ISE 2.0.x, scaling for the Small and Large 35x5 appliances is the same as for the Small and Large 34x5 appliances.
30,000 5 300 360k 600MB 18 1.3k 1.56M 1.7GB 32 2.3k 2.76M 4.0GB
50,000 7 500 600k 1GB 30 2.2k 2.6M 2.9GB 53 3.8k *4.6M 6.7GB
*Red indicates logs/ day that will cause performance hits and slowness in log processing.
Human admin - device admin using the sample number of sessions and commands shown below.
Number of sessions: 50
Number of commands/session: 10
Message size/session (kB) = 5 kB + (number of commands/session × 3 kB) = 5 kB + 10 × 3 kB = 35 kB
Manual access log size calculation = 50 sessions × N admins × message size
E.g.: log size for 50 admins = 50 × 50 × 35 kB ≈ 85.4 MB/day
150,000 9 17 26 43 86 21
200,000 7 13 19 33 65 16
250,000 6 11 16 26 52 13
Note: The above values are based on controlled criteria including event suppression, duplicate detection, message size,
re-authentication interval, etc., and results may vary depending on the environment.
Attribute type | Migration support | Notes
User attributes | Partially Supported | Rules with conditions that include user attributes with a data type other than the "String" data type are not migrated.
Host attributes | Not Supported | Authentication fails in case the condition refers to host attributes. Authorization policies that include a condition that has host (endpoint) attributes are not migrated to Cisco ISE authorization policies.
Please see supported attributes and data types for additional information on User, Host and RADIUS attributes.
Identity Stores | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.3
Internal User & Host Database | Yes | Yes | Yes | Yes
Windows Active Directory | Yes | Yes | Yes | Yes
LDAP | Yes | Yes | Yes | Yes
RSA SecurID | Yes | Yes | Yes | Yes
RADIUS token server | Yes | Yes | Yes | Yes
ODBC | Yes | No | No | Yes
AD Server specification per ACS/ISE instance | Yes | Yes | N/A (1) | N/A (1)
LDAP Server specification per ACS/ISE instance | Yes | No | No | Yes
Map internal user's password to an external ID store | Yes | Yes | No | Yes
Footnote:
1. ISE supports up to 50 AD domains from the same or from different forests.
Internal Users / Administrators | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.3
Users: Password complexity | Yes | Yes | Yes | Yes
Users: Password aging | Yes | Yes (1) | Yes (1) | Yes (1)
Users: Password history | Yes | Yes | Yes | Yes
Users: Max failed attempts | Yes | Yes | Yes | Yes
Users: Disable user after n days of inactivity | Yes | Yes | No | Yes
Users: User change password (UCP) utility | Yes | Yes | No | No
Admin: Password complexity | Yes | Yes | Yes | Yes
Admin: Password aging | Yes | Yes | Yes | Yes
Admin: Password history | Yes | Yes | Yes | Yes
Footnote:
1. Warning and disable after defined interval. Grace period is not supported.
2. Password change after n days of account inactivity not implemented.
Feature | ACS 4.2 | ACS 5.7 | ISE 2.0 | ISE 2.3
API for users, groups and end-point CRUD operations | Yes | Yes | Yes | Yes
Multiple NIC interfaces | N/A | Yes | Yes | Yes
Secure Syslogs | No | Yes | Yes | Yes
Footnote:
1. Group mapping can be done with authorization conditions in the ISE authorization policy.
2. CLI interface is supported for bulk provisioning.
3. RBAC for Network devices, NDG and User identity group only.
4. ACS 4.2 and ISE 2.0 support MAR cache. ISE 2.1 supports MAR cache between restarts but not distribution.
Cisco Systems © 2017 Page 47
SECURE ACCESS HOW-TO GUIDES
Programmatic Interface for network device CRUD operations | Yes | Yes | Yes | Yes
Adding hosts with Wildcards | Yes | Yes | No | No
Footnote:
1. Data can be exported from M&T for reporting. Not supported as a log target that can be defined as a critical logger.
2. Can search by IP address, but this can't be used in combination with other fields as search criteria.