05-08-2018 04:29 AM
Hi Team,
I am doing a migration and came across the below two errors while migrating. Could someone please explain this?
> 2018.05.08 10:52:12'867 : 'UserIdentityGroup': will not be exported because its a default identity attribute.
> 2018.05.08 10:52:12'213 : 'HostIdentityGroup': will not be exported because its a default identity attribute.
> 2018.05.08 10:56:50'092 : NDG Root 'IdentityGroup': is predefined or already exist internal object, and it will not be exported.
> 2018.05.08 11:01:45'259 : One of the Policy Groups elements cannot be migrated. Please check Policy GAP Analysis Report for more details.
Thanks
Aditya
05-08-2018 12:38 PM
Hi Aditya,
A few things…
If a group exists already, the migration tool will not override it.
Also, ISE has pre-built attributes and groups; these would not be overwritten either. Your error seems to point to some of these issues.
As for the last error, you have to look at the policy group analysis report in the logs to see what exactly it is.
Remember that ISE has a shared name space. If any object has the same name as one in ISE, then it will not be imported either.
Hope this helps.
Thanks
Krishnan
05-09-2018 07:52 PM
Hi Krishnan,
Thanks for the reply.
I can see that none of the service selection rules get migrated from ACS; the majority of the errors are like this in the policy gap analysis report.
One example:
Rule: NEXUS-TACACS-AD
Description: This rule cannot be migrated because the Authentication Policy(Identity Source) configured with Identity Store Sequence object that contains AD which is not Joined.
So technically, do we have to create all these in ISE? These are quite a few in number. Please comment.
Secondly,
for the ones for which an error is not shown, I am navigating in ISE to Device Administration > Device Admin Policy Sets and I can't locate them either. Am I missing something here?
-Aditya