topic Re: TACACS Live cut over from ACS to ISE in Network Access Control

TACACS Live cut over from ACS to ISE

j0liu001 — Tue, 19 Feb 2019 21:03:21 GMT

I am planning Live cut over from ACS to ISE for more than 1000+ devices globally.

Currently they are configured in ACS: TACACS for Router/Switch/ASAs, RADIUS for WLC/AP/VPNs.

The policy sets are all configured, Shared secret key are all matched between ISE and Routers/Switches/ASAs.

Just want to be cautious:

If I simply change the network devices' TACACS server pointer from ACS to ISE, will it cause network outage ?

should I do "no aaa new-model" first, and then re-enable "aaa new-model" .... any other issues I should be concerned ?

Thanks

Re: TACACS Live cut over from ACS to ISE

pan — Wed, 20 Feb 2019 01:42:45 GMT

First add cisco ISE on router/switch/ASA and then run "test aaa" command to check if you are able to authenticate successfully.

Example:

tacacs server TACACS-SERVER-IP-1
address ipv4 <ISP PSN IP>
key <Shared Key>

aaa group server tacacs+ TACACS-GROUP
server name TACACS-SERVER-IP-1

test aaa group TACACS-GROUP <username> <password> new-code

Once you are able to authenticate then change the "aaa authentication", "aaa authorization" command and point ISE to it.

Example:

aaa authentication login VTY group TACACS-GROUP local

aaa authorization commands 15 VTY group TACACS-GROUP local if-authenticated

Don't do write memory until everything works.

You can also have "reload in 30" so that device will reload automatically in 30 min if you lock yourself out. If everything goes well you can cancel reload

sw3850#reload in ?
Delay before reload (mmm or hhh:mm)

Re: TACACS Live cut over from ACS to ISE

j0liu001 — Wed, 20 Feb 2019 03:43:35 GMT

Thanks a lot, Pan! The "reload in 30" is an excellent tip !

Since I changed the TACACS server pointer from ACS to ISE, should I do "no aaa new-model" first, and then re-enable "aaa new-model" ? ...

Regards

Re: TACACS Live cut over from ACS to ISE

pan — Wed, 20 Feb 2019 03:44:33 GMT

No need for "no aaa new-model"

Re: TACACS Live cut over from ACS to ISE

ognyan.totev — Wed, 20 Feb 2019 10:02:39 GMT

Hi, the first thing is to add devices to ISE if this is not done .

Second create a policy sets for device administration radius etc.

Third is to configure switch router etc.

Re: TACACS Live cut over from ACS to ISE

Mike.Cifelli — Wed, 20 Feb 2019 13:50:22 GMT

To add to the helpful tips provided by @pan:

Change your current reauthentication timers to 4 hours or however long you need to complete the cutover. Wait for hosts to auth. Then you will know that you have a 4 hour window until they need to reauth. This will help keep end users up during the cutover.

HTH!

Re: TACACS Live cut over from ACS to ISE

j0liu001 — Wed, 20 Feb 2019 14:29:45 GMT

Totally agree :=) Thanks