You are currently viewing KT Labs EP5 :: ACS to ISE Migration

KT Labs EP5 :: ACS to ISE Migration

In the video, I show you how you can leverage the ACS to ISE migration tool to migrate objects from ACS to ISE. As mentioned in the video, a few prerequisites need to be met, these are listed below.


  • Direct connectivity to both the ACS and ISE platforms
  • The correct version of ACS (see here for more information)
  • Certificates from both platforms added to the migration tool
  • ACS and ISE Migration interfaces enabled via the CLI
    • ACS CLI Command: acs config-web-interface migration enable
    • ISE CLI Command: application configure ise and select option 11 and enter Y
  • Windows-based machine to host the migration tool
  • Windows-based machine with Jave 7.1 or above
  • FQDN’s for each platform

Added notes 10/09/2018

More recently it was observed that not all users would successfully export using the migration tool. No errors were output while using the ACS to ISE migration tool meaning internal users were unknowingly missed as part of the migration. It was found that in order to rectify this problem a patch had to be applied to the Access Control Server. In my case, I was running ACS 5.5 with no patch until patch 11 was applied.

Added notes 11/04/2019

  • ACS version 5.4 doesn’t require a backup password. This means that you should be able to restore from a 5.4 backup without the need for a password.
  • Once you’ve upgraded an ACS appliance you won’t be able to restore from a backup that is on another version. To save having to reinstall the older version, I would suggest that a new backup is taken as soon as an appliance has been upgraded.
  • Using Google Chrome to navigate around the ACS GUI can corrupt the ACS database. I recommend that Internet Explorer is used where possible.
  • If a backup is restored from a production network to a non-produtcion network, ensure that the relevant controls are in place to stop communication between nodes. Although production and non-production nodes may not sync together, there is a possibility that nodes can still be thrown out of sync.
  • After a restoring from a backup to another node, be aware that whatever acsadmin password was set on the original node will also now be set on the new node. If you cannot remember the password, access the CLI and reset the acsadmin password.
  • When generating a self-signed certificate ensure the key length is 2048 and not 512 as you can have issues accessing the GUI when using certain browsers.
  • Service selection rules will not be migrated when the rules have a result in the service. Service selection rules, when translated to ISE, are essentially policy sets. Remove the results from each of the rules and then re-attempt the migration if using the migration tool. You can replace the rule with the ‘Deny’ result.
  • If ACS doesn’t load when you have selected a particular option in the GUI, give it time to load or ACS will timeout and you will have to log back in.


Kelvin is a Cyber Security professional with years and experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved a Bachelors and Master's degree in both Computer Networks and Cyber Security.

Leave a Reply