ACS 5.6 to ISE 2.1 migration for TACACS only

Steve Bellan
Level 1

We have ACS 5.6 in production now. I have read the migration guide for ISE 2.1. It does not show if certificates are migrated. We also have an existing PKI environment. What we want to do is do the complete migration, and then change the IP address of the ISE 2.1 server to the old IP of the ACS, so as to avoid modifying 5500 devices in the environment to a new address.


Are certificates migrated?

Can we change the IP Address of the ISE server post migration?

kthiruve
Cisco Employee

The ISE server creates a self-signed certificate when installed. You can update the server with a CA-signed certificate afterwards. It is not a secure practice to migrate/copy certificates from one system to another if the systems are different, such as ACS and ISE.

I covered this in the how to doc for migration in the table after step 9.

Here is the link to all the doc/videos related to ACS to ISE migration.

ACS to ISE Migration

Yes, you should be able to re-IP ISE, but make sure to update the DNS accordingly for ISE to work correctly across all the different flows.

-Krishnan

I was speaking of user-facing certificates.

I think you mean the server certificates. If the certificate is used for HTTPS access to ISE, then it is a server/system certificate.

Other than that, if a device admin needs access to a device using SSH, it is a communication between an admin machine and a network device. ISE is not involved in the front end of the communication. ISE talks to the network device.

On a different note, if you are saying user certificates are not being migrated, update ISE 2.1 to the latest patch and see if it helps.

I had changed the note under step 9 and updated the How to Migrate ACS 5.x to ISE 2.x doc. Please see the "system administration" table under step 9 for information on certificate migration.

Hi Krishnan,

Can you clarify where exactly the certificate migration guide is? I can't see step 9 on the link you shared earlier. Thanks for your help.

Hi Ehsan,

I corrected the link above to point to the how-to doc instead of the ACS to ISE migration page.

Local certificates are not migrated. If you look at the how-to doc link above, under step 9, and look at the table with "system administration" as the heading, you will see it.

Thanks

Krishnan
