CCNP Security - Interview Questions
How to Migrate from Cisco ACS to ISE?
Below is an outline of the process, which uses the migration utility provided by Cisco to migrate the existing ACS configuration to ISE. Follow these steps during a migration to make it successful.
 
* Build the test ISE environment to validate the existing TACACS policies from ACS Server(s) 
* Utilize the ACS to ISE migration tool to migrate policies from production ACS to the test ISE server.  
 
Note: Policies can NOT be migrated from ACS to an existing instance of ISE via Cisco’s migration tool. Hence, a new test instance must be deployed to test and validate the migrated policies prior to production implementation.
 
* Validate ISE policies in a test environment. 
* Migrate from production ACS to production ISE using either Parallel or In-Place migration as described below.  
 
ACS to ISE Parallel migration: 

How does it work? 
 
* Have existing ACS servers and ISE servers active at the same time  
* If an existing ISE deployment will be used for device administration, merge the configuration from the test ISE server into the production ISE instance
* Gradually migrate Network Device Administration capabilities, in a controlled manner, to prevent any disruption to IT operations 
* Full migration can be scheduled over several weeks 
* The “change window” for initial migration (for a limited number of devices) requires minimal downtime of, literally, a few minutes per device. 
 
Note: New IP addresses for each ISE server must be allocated when choosing the Parallel migration approach. The configuration of each network device must be modified to point TACACS requests to the new ISE server(s).
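
One way to track the gradual cut-over described above is to audit saved device configurations and report which AAA servers each device still points at. The following Python script is an added example, not Cisco tooling or code from the original page; the IP addresses, hostnames and config snippets are constructed, and it assumes IOS-style `tacacs-server host <ip>` and `tacacs server <name>` / `address ipv4 <ip>` syntax.

```python
import re

# Constructed addresses (documentation ranges); substitute your own inventory.
ACS_SERVERS = {"192.0.2.10", "192.0.2.11"}        # legacy ACS servers (assumed)
ISE_SERVERS = {"198.51.100.10", "198.51.100.11"}  # new ISE servers (assumed)

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
LEGACY = re.compile(r"tacacs-server host " + IPV4)  # global one-line form
ADDRESS = re.compile(r"\s+address ipv4 " + IPV4)    # inside "tacacs server <name>"

def tacacs_targets(config: str) -> set:
    """Return every TACACS+ server IP configured in one device config."""
    targets, in_block = set(), False
    for line in config.splitlines():
        legacy = LEGACY.match(line)
        if legacy:
            targets.add(legacy.group(1))
            in_block = False
        elif line.startswith("tacacs server "):
            in_block = True                  # indented sub-commands follow
        elif in_block and line.startswith(" "):
            addr = ADDRESS.match(line)
            if addr:
                targets.add(addr.group(1))
        else:
            in_block = False                 # left the server block
    return targets

def migration_state(config: str) -> str:
    """Classify a device by which AAA servers it sends TACACS+ requests to."""
    targets = tacacs_targets(config)
    acs, ise = targets & ACS_SERVERS, targets & ISE_SERVERS
    if ise and not acs:
        return "migrated"   # points only at ISE
    if ise and acs:
        return "mixed"      # both configured; ACS entry still to be removed
    if acs:
        return "pending"    # still ACS only
    return "unknown"        # no recognised TACACS+ server; review manually

def report(configs: dict) -> dict:
    return {host: migration_state(cfg) for host, cfg in configs.items()}

# Constructed sample configs, one per hypothetical device.
SAMPLE_CONFIGS = {
    "edge-sw1": "tacacs-server host 192.0.2.10\ntacacs-server host 192.0.2.11\n",
    "core-rt1": "tacacs server ISE-1\n address ipv4 198.51.100.10\n!\n",
    "dist-sw2": "tacacs server ACS-1\n address ipv4 192.0.2.10\n!\n"
                "tacacs server ISE-1\n address ipv4 198.51.100.10\n!\n",
    "lab-fw1": "hostname lab-fw1\n",
}

if __name__ == "__main__":
    for host, state in report(SAMPLE_CONFIGS).items():
        print(f"{host}: {state}")
```

Devices reported as "pending" or "mixed" are the ones that still depend on ACS and must be re-pointed before the ACS servers are retired.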