Data Structure Mapping


This appendix describes the data objects that are migrated, partially migrated, and not migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4. It covers the following topics:

- Migrated Data Objects
- Data Objects Not Migrated
- Partially Migrated Data Objects
- Supported Attributes and Data Types
- Data Information Mapping

Data structure mapping from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4, is the process by which the migration tool analyzes and validates data objects during the export phase.

Migrated Data Objects

The following data objects are migrated from Cisco Secure ACS to Cisco ISE:

- Network device group (NDG) types and hierarchies
- Network devices
- Default network device
- External RADIUS servers
- Identity groups
- Internal users
- Internal endpoints (hosts)
- Lightweight Directory Access Protocol (LDAP)
- Microsoft Active Directory (AD)
- RSA (partial support; see Table A-19)
- RADIUS token (see Table A-18)
- Certificate authentication profiles
- Date and time conditions (partial support; see Unsupported Rule Elements)
- RADIUS attribute and vendor-specific attribute (VSA) values (see Table A-5 and Table A-6)
- RADIUS vendor dictionaries (see the notes for Table A-5 and Table A-6)
- Internal user attributes (see Table A-1 and Table A-2)
- Internal endpoint attributes
- Authorization profiles
- Downloadable access control lists (DACLs)
- Identity (authentication) policies
- Authorization policies (for network access)
- Authentication, authorization, and authorization exception policies for TACACS+ (for policy objects)
- Authorization exception policies (for network access)
- Service selection policies (for network access)
- RADIUS proxy service
- User password complexity
- Identity sequence and RSA prompts
- UTF-8 data (see UTF-8 Support)
- EAP authentication protocol PEAP-TLS
- User check attributes
- Identity sequence advanced options
- Additional attribute available in policy conditions: AuthenticationIdentityStore
- Additional string operators: Starts with, Ends with, Contains, Not contains
- RADIUS identity server attributes

Data Objects Not Migrated

The following data objects are not migrated from Cisco Secure ACS to Cisco ISE, Release 1.4:

- Monitoring reports
- Scheduled backups
- Repositories
- Administrators, roles, and administrator settings
- Customer/debug log configurations
- Deployment information (secondary nodes)
- Certificates (certificate authorities and local certificates)
- Security Group Access Control Lists (SGACLs)
- Security Groups (SGs)
- AAA servers for supported Security Group Access (SGA) devices
- Security Group mapping
- Network Device Admission Control (NDAC) policies
- SGA egress matrix
- SGA data within network devices
- Security Group Tag (SGT) in SGA authorization policy results
- Network conditions (end station filters, device filters, device port filters)
- Device AAA policies
- Dial-in attribute support
- TACACS+ proxy
- TACACS+ CHAP and MS-CHAP authentication
- Attribute substitution for TACACS+ shell profiles
- Display RSA node missing secret
- Maximum user sessions
- Account disablement
- User password type
- Internal users configured with Password Type as External Identity Store
- Additional attribute available in a policy condition: NumberOfHoursSinceUserCreation
- Wildcards for hosts
- Network device ranges
- OCSP service
- Syslog messages over SSL/TCP
- Configurable copyright banner
- Internal user expiry days
- IP address exclusion

Partially Migrated Data Objects

The following data objects are partially migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4:

- Identity and host attributes of type Date are not migrated.
- The RSA sdopts.rec file and secondary information are not migrated.
- Multiple Active Directory domains: only the Active Directory domain joined to the primary ACS instance is migrated.
- Only the LDAP configuration defined for the primary ACS instance is migrated.

Supported Attributes and Data Types

User Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4

Supported User Attributes in Cisco Secure ACS    Target Data Type in Cisco ISE, Release 1.4
String                                           String
UI32                                             Not supported
IPv4                                             Not supported
Boolean                                          Not supported
Date                                             Not supported
Enum                                             Not supported

User Attribute: Association to the User

Attributes Associated to Users in Cisco Secure ACS    Cisco ISE, Release 1.4
String                                                Supported
UI32                                                  Not supported
IPv4                                                  Not supported
Boolean                                               Not supported
Date                                                  Not supported

Host Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4

Supported Host Attributes in Cisco Secure ACS    Target Data Type in Cisco ISE, Release 1.4
String                                           String
UI32                                             UI32
IPv4                                             IPv4
Boolean                                          Boolean
Date                                             Not supported
Enum                                             Integers with allowed values

Host Attribute: Association to the Host

Attributes Associated to Hosts in Cisco Secure ACS    Cisco ISE, Release 1.4
String                                                Supported
UI32                                                  Supported (value is converted to String)
IPv4                                                  Supported (value is converted to String)
Boolean                                               Supported (value is converted to String)
Date                                                  Supported (value is converted to String)
Enum                                                  Supported (value is converted to String)

RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4

Supported RADIUS Attributes in Cisco Secure ACS    Target Data Type in Cisco ISE, Release 1.4
UI32                                               UI32
UI64                                               UI64
IPv4                                               IPv4
Hex String                                         Octet String
String                                             String
Enum                                               Integers with allowed values

RADIUS Attribute: Association to RADIUS Server

Attributes Associated to RADIUS Servers in Cisco Secure ACS    Cisco ISE, Release 1.4
UI32                                                           Supported
UI64                                                           Supported
IPv4                                                           Supported
Hex String                                                     Supported (hex strings are converted to octet strings)
String                                                         Supported
Enum                                                           Supported (enums are integers with allowed values)

Data Information Mapping

This section provides tables that list the data information mapped during the export process. Each table lists an object category in Cisco Secure ACS, Release 5.5 or 5.6 and its equivalent in Cisco ISE, Release 1.4, and records whether each property is mapped as a valid object, converted, or not migrated during the export stage of the migration. Where a Cisco ISE property has no counterpart in Cisco Secure ACS, the table gives the fixed or default value that the migrated object receives.
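As an added example, not part of the Cisco guide and not the migration tool's own code, the following Python script applies the attribute data-type tables above to a constructed ACS export and reports which attribute definitions migrate unchanged, which are converted (Enum to integers with allowed values, Hex String to Octet String) and which are dropped (every non-String user attribute, Date host attributes). It also performs the Hex String to Octet String conversion with validation, so a malformed value is caught before export rather than imported silently. The attribute names, the export record layout and the function names are assumptions made for this example.

```python
"""Pre-flight check of Cisco Secure ACS attribute definitions against the
ISE 1.4 data-type tables. Constructed example, not Cisco code; the export
records and attribute names below are made up for illustration."""
from dataclasses import dataclass
from typing import Optional

# Target data type per ACS source type. None means the attribute definition
# is not migrated at all (see the "Not supported" rows in the tables).
USER_ATTR_TYPES = {"String": "String", "UI32": None, "IPv4": None,
                   "Boolean": None, "Date": None, "Enum": None}
HOST_ATTR_TYPES = {"String": "String", "UI32": "UI32", "IPv4": "IPv4",
                   "Boolean": "Boolean", "Date": None,
                   "Enum": "Integers with allowed values"}
RADIUS_ATTR_TYPES = {"UI32": "UI32", "UI64": "UI64", "IPv4": "IPv4",
                     "Hex String": "Octet String", "String": "String",
                     "Enum": "Integers with allowed values"}
TYPE_TABLES = {"user": USER_ATTR_TYPES, "host": HOST_ATTR_TYPES,
               "radius": RADIUS_ATTR_TYPES}


@dataclass(frozen=True)
class Finding:
    kind: str               # "user", "host" or "radius"
    name: str               # attribute name in the ACS dictionary
    acs_type: str
    ise_type: Optional[str]
    status: str             # "migrate", "convert", "drop" or "unknown-type"
    note: str = ""


def plan_attribute(kind: str, name: str, acs_type: str) -> Finding:
    """Decide what the export phase will do with one attribute definition."""
    table = TYPE_TABLES[kind]
    if acs_type not in table:
        return Finding(kind, name, acs_type, None, "unknown-type",
                       "type not in the ACS 5.5/5.6 tables; inspect manually")
    target = table[acs_type]
    if target is None:
        return Finding(kind, name, acs_type, None, "drop",
                       f"{kind} attributes of type {acs_type} are not migrated to ISE 1.4")
    if target != acs_type:
        return Finding(kind, name, acs_type, target, "convert",
                       f"{acs_type} becomes {target}")
    return Finding(kind, name, acs_type, target, "migrate")


def hex_string_to_octets(value: str) -> bytes:
    """ACS 'Hex String' values become ISE 'Octet String' values. Accept an
    optional 0x prefix and embedded spaces or colons; reject odd length or
    non-hex characters so a bad value fails here rather than after import."""
    cleaned = value.strip()
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    cleaned = cleaned.replace(" ", "").replace(":", "")
    if not cleaned or len(cleaned) % 2:
        raise ValueError(f"hex string {value!r} does not have an even number of hex digits")
    try:
        return bytes.fromhex(cleaned)
    except ValueError as exc:
        raise ValueError(f"hex string {value!r} contains non-hex characters") from exc


def host_value_for_ise(value) -> str:
    """Values attached to hosts (endpoints) arrive in ISE as strings
    whatever their ACS type (see "Association to the Host")."""
    return str(value)


# Constructed sample export: (kind, attribute name, ACS data type).
SAMPLE_EXPORT = [
    ("user", "Department", "String"),
    ("user", "BadgeNumber", "UI32"),
    ("user", "ContractEnd", "Date"),
    ("host", "AssetTag", "String"),
    ("host", "Floor", "UI32"),
    ("host", "DeviceClass", "Enum"),
    ("host", "LastAudit", "Date"),
    ("radius", "Vendor-Session-Key", "Hex String"),
    ("radius", "Vendor-Quota", "UI64"),
    ("radius", "Vendor-Mode", "Enum"),
]


def report(export=SAMPLE_EXPORT) -> dict:
    """Group findings by status so the drop list can be reviewed before export."""
    out = {"migrate": [], "convert": [], "drop": [], "unknown-type": []}
    for kind, name, acs_type in export:
        finding = plan_attribute(kind, name, acs_type)
        out[finding.status].append(finding)
    return out


if __name__ == "__main__":
    for status, findings in report().items():
        for f in findings:
            print(f"{status:13} {f.kind:7} {f.name:20} {f.acs_type:11} -> "
                  f"{f.ise_type or '-':30} {f.note}")
```

Run the script against a real attribute inventory by replacing SAMPLE_EXPORT with the (kind, name, type) triples pulled from the ACS dictionaries; anything in the "drop" list has to be recreated by hand in Cisco ISE, and the "convert" list tells you which RADIUS and host attribute values to re-check after import.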

Network Device Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Network device group                        Network device group
Single IP address                           Single IP address
Single IP and subnet address                Single IP and subnet address
Collection of IP and subnet addresses       Not supported
Exclude IP address                          Not supported
TACACS information                          Not migrated, because TACACS is unsupported in Cisco ISE, Release 1.4
RADIUS shared secret                        RADIUS shared secret
CTS                                         CTS
SNMP                                        SNMP data is available only in Cisco ISE; there is no SNMP information for migrated devices
Model name                                  Available only in Cisco ISE; set to the default value, "unknown"
Software version                            Available only in Cisco ISE; set to the default value, "unknown"

Note: Any network devices that are set only as TACACS are not supported for migration and are listed as non-migrated devices.

Active Directory Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Domain name                                 Domain name
User name                                   User name
Password                                    Password
Allow password change                       Allow password change
Allow machine access restrictions           Allow machine access restrictions
Aging time                                  Aging time
User attributes                             User attributes
Groups                                      Groups
Multiple domain support                     Only domains joined to the primary ACS instance are migrated

External RADIUS Server Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Server IP address                           Hostname
Shared secret                               Shared secret
Authentication port                         Authentication port
Accounting port                             Accounting port
Server timeout                              Server timeout
Connection attempts                         Connection attempts

Hosts (Endpoints) Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
MAC address                                 MAC address
Status                                      Not migrated
Identity group                              Migrates the association to an endpoint group
Attribute                                   Endpoint attribute is migrated

The following endpoint properties exist only in Cisco ISE; every migrated endpoint receives the fixed value shown:

Cisco ISE Property                          Fixed value
Authentication state                        Authenticated
Class name                                  TBD
Endpoint policy                             Unknown
Matched policy                              Unknown
Matched value                               0
NAS IP address                              0.0.0.0
OUI                                         TBD
Posture status                              Unknown
Static assignment                           False

Identity Dictionary Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Attribute                                   Attribute name
Internal name                               Internal name
Attribute type                              Data type
Maximum length                              Not migrated
Default value                               Not migrated
Mandatory fields                            Not migrated
User                                        The dictionary property accepts this value ("user")

Identity Group Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Parent                                      Migrated as part of the hierarchy details

Note: Cisco ISE, Release 1.4 has separate user identity groups and endpoint identity groups. Each identity group in Cisco Secure ACS, Release 5.5 or 5.6 is migrated to Cisco ISE, Release 1.4 as both a user identity group and an endpoint identity group, because a user must be assigned to a user identity group and an endpoint must be assigned to an endpoint identity group.

LDAP Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Server connection information               Server Connection tab (see Figure 1)
Directory organization information          Directory Organization tab (see Figure 2)
Directory groups                            (mapping not legible in this copy)
Directory attributes                        Migration is done manually (using the Cisco Secure ACS to Cisco ISE migration tool)

Note: Only the LDAP configuration defined for the primary ACS instance is migrated.

Figure 1: Server Connection Tab
Figure 2: Directory Organization Tab

NDG Types Mapping

Note: Cisco Secure ACS, Release 5.5 or 5.6 can have more than one network device group (NDG) type with the same name. Cisco ISE, Release 1.4 does not support this naming scheme, so only the first NDG type with a given name is migrated.

NDG Hierarchy Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Parent                                      No specific property; the value is entered only as part of the NDG hierarchy name (the NDG type is the prefix of this object name)

Note: Any NDG whose root name contains a colon (:) is not migrated, because Cisco ISE, Release 1.4 does not recognize the colon as a valid character in this name.

RADIUS Dictionary (Vendors) Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Vendor ID                                   Vendor ID
Attribute prefix                            No need to migrate this property
Vendor length field size                    Vendor attribute size field length
Vendor type field size                      Vendor attribute type field length

Note: Only RADIUS vendors that are not part of a default Cisco Secure ACS, Release 5.5 or 5.6 installation need to be migrated; this affects only user-defined vendors.

RADIUS Dictionary (Attributes) Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Attribute ID                                Attribute ID
Direction                                   Not supported in Cisco ISE
Multiple allowed                            Not supported in Cisco ISE
Attribute type                              Attribute type (see RADIUS Attributes Migrated from Cisco Secure ACS, Release 5.5 or 5.6 to Cisco ISE, Release 1.4)
Add policy condition                        Not supported in Cisco ISE
Policy condition display name               Not supported in Cisco ISE

Note: Only user-defined RADIUS attributes, that is, attributes that are not part of a default Cisco Secure ACS, Release 5.5 or 5.6 installation, need to be migrated.
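As an added example, not from the Cisco guide and not the migration tool's own code, the following Python script applies three of the rules above to a constructed ACS export before the export phase is run: duplicate NDG type names (only the first is migrated), colons in NDG root names (the whole hierarchy under that root is not migrated), and the Network Device Mapping note that TACACS-only devices are listed as non-migrated while devices that also carry RADIUS settings migrate without their TACACS information. The record layout, the dataclass fields and all names in the sample export are assumptions made for this example.

```python
"""Pre-flight check of NDG types, NDG hierarchies and network devices against
the NDG Types, NDG Hierarchy and Network Device Mapping rules. Constructed
example, not the migration tool's own code; the export records are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class NdgType:
    name: str


@dataclass(frozen=True)
class Ndg:
    ndg_type: str   # NDG type the hierarchy belongs to (the prefix of the object name in ACS)
    root: str       # root name of the hierarchy this NDG sits in
    name: str       # this NDG's own name (equal to root for the root node)


@dataclass(frozen=True)
class NetworkDevice:
    name: str
    tacacs: bool    # TACACS information configured on the ACS device entry
    radius: bool    # RADIUS shared secret configured on the ACS device entry


def check_ndg_types(types):
    """ACS accepts several NDG types with the same name; ISE 1.4 does not, so
    only the first NDG type with a given name migrates.
    Returns (kept_names, [(name, reason), ...])."""
    seen, kept, skipped = set(), [], []
    for t in types:
        if t.name in seen:
            skipped.append((t.name, "duplicate NDG type name; only the first occurrence is migrated"))
        else:
            seen.add(t.name)
            kept.append(t.name)
    return kept, skipped


def check_ndgs(ndgs):
    """An NDG whose root name contains ':' is not migrated (ISE 1.4 rejects the
    colon). Every NDG under such a root is reported, not only the root node."""
    kept, skipped = [], []
    for n in ndgs:
        if ":" in n.root:
            skipped.append((n.name, f"root name {n.root!r} contains ':'; not migrated"))
        else:
            kept.append(n)
    return kept, skipped


def check_devices(devices):
    """TACACS-only devices are listed as non-migrated; devices with RADIUS
    settings migrate, but any TACACS information on them is dropped.
    Returns (migrated, not_migrated, warnings)."""
    migrated, not_migrated, warnings = [], [], []
    for d in devices:
        if d.tacacs and not d.radius:
            not_migrated.append((d.name, "TACACS-only device; TACACS is unsupported in ISE 1.4"))
            continue
        if d.tacacs:
            warnings.append((d.name, "TACACS information is dropped; RADIUS settings migrate"))
        migrated.append(d.name)
    return migrated, not_migrated, warnings


# Constructed sample export (all names are invented for illustration).
SAMPLE_TYPES = [NdgType("Location"), NdgType("Device Type"), NdgType("Location")]
SAMPLE_NDGS = [
    Ndg("Location", "All Locations", "All Locations"),
    Ndg("Location", "All Locations", "Madrid"),
    Ndg("Device Type", "All Device Types", "Switches"),
    Ndg("Location", "EMEA:Sites", "EMEA:Sites"),    # colon in the root name
    Ndg("Location", "EMEA:Sites", "Paris"),         # child of a colon-named root
]
SAMPLE_DEVICES = [
    NetworkDevice("core-sw1", tacacs=True, radius=False),   # TACACS-only
    NetworkDevice("wlc1", tacacs=False, radius=True),
    NetworkDevice("edge-rtr1", tacacs=True, radius=True),   # both configured
]


def preflight(types=SAMPLE_TYPES, ndgs=SAMPLE_NDGS, devices=SAMPLE_DEVICES) -> dict:
    """Run all checks and return the lists a reviewer wants before exporting."""
    kept_types, dup_types = check_ndg_types(types)
    kept_ndgs, bad_ndgs = check_ndgs(ndgs)
    migrated, not_migrated, warnings = check_devices(devices)
    return {
        "ndg_types": kept_types,
        "ndg_types_skipped": dup_types,
        "ndgs": [n.name for n in kept_ndgs],
        "ndgs_skipped": bad_ndgs,
        "devices": migrated,
        "devices_not_migrated": not_migrated,
        "device_warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in preflight().items():
        print(f"{key}: {value}")
```

Renaming the colon-bearing roots and the duplicate NDG types in ACS before running the migration tool is cheaper than recreating the affected hierarchies and device assignments in Cisco ISE afterwards; the TACACS-only device list is the set of devices that will have no entry in ISE at all.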

User Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Status                                      No need to migrate this property (it does not exist in Cisco ISE)
Identity group                              Migrates to identity groups in Cisco ISE
Password                                    Password
Enable password                             No need to migrate this property (it does not exist in Cisco ISE)
Change password on next login               No need to migrate this property
User attributes list                        User attributes are imported into Cisco ISE and associated with users
Expiry days                                 Not supported

Certificate Authentication Profile Mapping

Cisco Secure ACS Properties                                      Cisco ISE, Release 1.4
Principal user name (X.509 attribute)                            Principal user name (X.509 attribute)
Binary certificate comparison with certificate from LDAP or AD   Binary certificate comparison with certificate from LDAP or AD
AD or LDAP name for certificate fetching                         AD or LDAP name for certificate fetching

Authorization Profile Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
DACL ID (downloadable ACL ID)               DACL ID
Attribute type (static and dynamic)         Static attributes are migrated as is; dynamic attributes are not, except Dynamic VLAN
Attributes (filtered for static type only)  RADIUS attributes

Downloadable ACL Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
DACL content                                DACL content

Identity Attributes Dictionary Mapping

Cisco Secure ACS Properties                           Cisco ISE, Release 1.4
Attribute                                             Attribute name
Internal name                                         Internal name
Attribute type                                        Data type
No such property                                      Dictionary (set to InternalUser for a user identity attribute, or InternalEndpoint for a host identity attribute)
Not exported or extracted yet from Cisco Secure ACS   Allowed value = display name
Not exported or extracted yet from Cisco Secure ACS   Allowed value = internal name
Not exported or extracted yet from Cisco Secure ACS   Allowed value is default
Maximum length                                        None
Default value                                         None
Mandatory field                                       None
Add policy condition                                  None
Policy condition display name                         None

RADIUS Token Mapping

Cisco Secure ACS Properties                          Cisco ISE, Release 1.4
Safeword server                                      Safeword server
Enable secondary appliance                           Enable secondary appliance
Always access primary appliance first                Always access primary appliance first
Fallback to primary appliance in minutes             Fallback to primary appliance in minutes
Primary appliance IP address                         Primary appliance IP address
Primary shared secret                                Primary shared secret
Primary authentication port                          Primary authentication port
Primary appliance TO (timeout)                       Primary appliance TO
Primary connection attempts                          Primary connection attempts
Secondary appliance IP address                       Secondary appliance IP address
Secondary shared secret                              Secondary shared secret
Secondary authentication port                        Secondary authentication port
Secondary appliance TO                               Secondary appliance TO
Secondary connection attempts                        Secondary connection attempts
Advanced > treat reject as authentication fail flag  Advanced > treat reject as authentication fail flag
Advanced > treat rejects as user not found flag      Advanced > treat rejects as user not found flag
Advanced > enable identity caching and aging value   Advanced > enable identity caching and aging value
Shell > prompt                                       Authentication > prompt
Directory attributes                                 Authorization > attribute name (if the dictionary attribute list in Cisco Secure ACS includes the attribute CiscoSecure-Group-Id, it is migrated to this attribute; otherwise the default value is CiscoSecure-Group-Id)

RSA Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Realm configuration file                    Realm configuration file
Server TO                                   Server TO
Reauthenticate on change to PIN             Reauthenticate on change to PIN
RSA instance file                           Not migrated
Treat rejects as authentication fail        Treat rejects as authentication fail
Treat rejects as user not found             Treat rejects as user not found
Enable identity caching                     Enable identity caching
Identity caching aging time                 Identity caching aging time

Two further rows of this table are not legible in this copy; their Cisco ISE entries read "is always RSA" and "Not migrated".

RSA Prompts Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Passcode prompt                             Passcode prompt
Next Token prompt                           Next Token prompt
PIN Type prompt                             PIN Type prompt
Accept System PIN prompt                    Accept System PIN prompt
Alphanumeric PIN prompt                     Alphanumeric PIN prompt
Numeric PIN prompt                          Numeric PIN prompt

Identity Store Sequences Mapping

Cisco Secure ACS Properties                                                       Cisco ISE, Release 1.4
Certificate based: certificate authentication profile                             Certificate based: certificate authentication profile
Password based                                                                    Authentication search list
Advanced options > if access on current IDStore fails then break sequence         Do not access other stores in the sequence and set the AuthenticationStatus attribute to ProcessError
Advanced options > if access on current IDStore fails then continue to next       Treated as User Not Found; proceed to the next store in the sequence
Attribute retrieval only > exit sequence and treat as User Not Found              Not supported (should be ignored)

Default Network Devices Mapping

Cisco Secure ACS Properties                 Cisco ISE, Release 1.4
Default network device status               Default network device status
Network device group                        Not migrated
Authentication options: TACACS+             Not migrated
RADIUS: shared secret                       Shared secret
RADIUS: CoA port                            Not migrated
RADIUS: enable keywrap                      Enable keywrap
RADIUS: key encryption key                  Key encryption key
RADIUS: message authenticator code key      Message authenticator code key
RADIUS: key input format                    Key input format