Migration from Cisco ACS to Cisco ISE

In this article I cover the differences between Cisco ACS, which was earlier used for AAA functionality, and Cisco ISE, which is now called the AAA driver for networks. Many Cisco customers have used Cisco ACS in their network and may want to migrate to Cisco ISE.

What is Cisco ISE (Cisco Identity Services Engine)?
As I covered in my earlier articles about Cisco ISE, it simplifies the delivery of consistent, highly secure access control across wired and wireless multivendor networks and remote VPN connections. With far-reaching, intelligent sensor and profiling capabilities, Cisco ISE can reach deep into the network to deliver superior visibility into who and what are accessing resources.

Cisco ISE deployment limits are large in terms of concurrent endpoints and the number of endpoints supported. Cisco ISE supports up to 50 PSNs, whereas ACS supports 22 backup servers. Scalability numbers are likely to go up, and these are real advantages for large customers; they are covered in the Deployment limits section below. Cisco ISE supports up to 50 Active Directory domains on a single node; ACS supports one Active Directory domain per node.

What is the difference between Cisco ACS and Cisco ISE?
Here are the differences between ACS and ISE in terms of security, eco-system support, interoperability with Cisco devices (Cisco on Cisco) and third-party functionality.

Fig 1.1 - Cisco ACS and Cisco ISE
  • Network Access: supported by both Cisco ISE and ACS.
  • Device Administration: supported by both Cisco ISE and ACS.
  • Context: supported by both Cisco ISE and ACS.
  • Visibility: supported by Cisco ISE only, not by ACS.
  • Context sharing with the eco-system: supported by Cisco ISE only, not by ACS.
  • Network Segmentation / TrustSec: supported by both Cisco ISE and ACS.
  • 3rd-party support: supported by both Cisco ISE and ACS.
  • Threat / vulnerability / posture scanning and enforcement: supported by Cisco ISE only, not by ACS.
  • AnyConnect posture: supported by Cisco ISE only, not by ACS.
  • AnyConnect deployment from ISE and integrations: supported by Cisco ISE only, not by ACS.
  • EasyConnect for passive authentication / non-dot1x: supported by Cisco ISE only, not by ACS.
  • Control plane security (RADIUS DTLS / IPsec in ISE 2.2): supported by Cisco ISE only, not by ACS.
  • Integration with DNAC: supported by Cisco ISE only, not by ACS.
The primary difference is that Cisco ISE gathers context and shares it over pxGrid with Cisco ISE eco-system partners, consisting of both third-party and Cisco devices. ACS has no way to share context and does not support profiling, guest services or BYOD services.

Cisco ISE provides the flexibility of supporting third-party devices and, most recently, of using SNMP as a backplane. ACS does not have third-party profiles; even though third-party devices would work, integration is not as easy.

Another big difference is that Cisco ISE is tightly integrated with, and is the linchpin for, a TrustSec deployment: it defines, manages and pushes policies and tags, and is also used to propagate tags using SXP. ISE also integrates with an ACI environment in both the policy and data planes. ACS supports tags, but not as powerfully or flexibly as Cisco ISE.

From a security standpoint, Cisco ISE protects devices using posture compliance and threat information from FMC for Threat-Centric NAC. It receives actionable threat information from Cisco AMP/CTA and vulnerability assessment information from Qualys/Tenable/Rapid7 as part of Rapid Threat Containment, and protects the endpoint accordingly. ACS does not support threat, vulnerability or posture features in general.

AnyConnect is tightly integrated with Cisco ISE for posture and the other services it supports; ACS supports only AnyConnect NAM and VPN. Other solutions around AnyConnect, such as NVM and Lancope, work with Cisco ISE for enforcement. AnyConnect can also be deployed to endpoints from Cisco ISE (just as from the ASA).

Migration Strategy
If customers are on an earlier ACS 5.x version, they have to upgrade to ACS 5.5 / 5.6 first before migrating to Cisco ISE 2.0. For migrating to Cisco ISE 2.1, the customer must be on one of the last four ACS releases (ACS 5.5, 5.6, 5.7 or 5.8).

The ACS versions that support migration to Cisco ISE, with the upgrade path from each, are:
  • ACS 5.0 --> ACS 5.2 --> ACS 5.4 --> ACS 5.6 --> ACS 5.7 or ACS 5.8 --> Cisco ISE 2.0
  • ACS 5.1 --> ACS 5.3 --> ACS 5.5 --> ACS 5.6 or ACS 5.7 or ACS 5.8 --> Cisco ISE 2.0
  • ACS 5.2 --> ACS 5.4 --> ACS 5.6 --> ACS 5.7 or ACS 5.8 --> Cisco ISE 2.0
  • ACS 5.3 --> ACS 5.5 --> ACS 5.6 or ACS 5.7 or ACS 5.8 --> Cisco ISE 2.0
  • ACS 5.4 --> ACS 5.6 --> ACS 5.7 or ACS 5.8 --> Cisco ISE 2.0