Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
662
Views
4
Helpful
2
Replies

ACS to ISE Migration

Go to solution
achachaw
Cisco Employee
Cisco Employee

‎05-08-2018 04:29 AM

HI Team

I am doing migration and came with below two errors while migrating, could someone please explain this.

> 2018.05.08 10:52:12'867 : 'UserIdentityGroup': will not be exported because its a default identity attribute.

> 2018.05.08 10:52:12'213 : 'HostIdentityGroup': will not be exported because its a default identity attribute.

> 2018.05.08 10:56:50'092 : NDG Root 'IdentityGroup': is predefined or already exist internal object, and it will not be exported.

> 2018.05.08 11:01:45'259 : One of the Policy Groups elements cannot be migrated. Please check Policy GAP Analysis Report for more details.

Thanks

Aditya

1 Accepted Solution

Accepted Solutions

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎05-08-2018 12:38 PM

Hi Aditya,

Few things…

If a group exists already the migration tool will not override it.

Also ISE has pre-built attributes and groups these would not be overwritten either. Your error seems to point out to some of these issues.

As for the last error, you have to look at policy group analysis report in the logs to see what exactly it is.

Remember that ISE has a shared name space. If any object being has the same name as that in ISE then it will not be imported either.

Hope this helps.

Thanks

Krishnan

View solution in original post

2 Replies 2

Go to solution
kthiruve
Cisco Employee
Cisco Employee

‎05-08-2018 12:38 PM

Hi Aditya,

Few things…

If a group exists already the migration tool will not override it.

Also ISE has pre-built attributes and groups these would not be overwritten either. Your error seems to point out to some of these issues.

As for the last error, you have to look at policy group analysis report in the logs to see what exactly it is.

Remember that ISE has a shared name space. If any object being has the same name as that in ISE then it will not be imported either.

Hope this helps.

Thanks

Krishnan

Go to solution
achachaw
Cisco Employee
Cisco Employee
In response to kthiruve

‎05-09-2018 07:52 PM

Hi Krishnan

Thanks for the reply

I can see that none of the service selection rules get migrated from ACS, majority of the error in like this in the policy gap analysis report

One of the example

Rule: NEXUS-TACACS-AD

Description: This rule cannot be migrated because the Authentication Policy(Identity Source) configured with Identity Store Sequence object that contains AD which is not Joined.


so technically do we have to create all these in the ISE these are quite in number ? please comment


Secondly

For the ones which error is not shown I am navigating to ISE on Device Administration  > Device Admin Policy Sets I cant 'locate them either , I am missing something here?


-Aditya

0 Helpful
Customers Also Viewed These Support Documents