topic Re: How can we enable write access on allowed change window in TACACS (ACS)via change record? in Network Access Control

How can we enable write access on allowed change window in TACACS (ACS)via change record?

ranjanvishwakarma4 — Fri, 21 Feb 2020 19:11:19 GMT

Current Scenario-

Network engineer have TACACS (r/w) access so there is possibility authorized engineer can do not schedule or without record change , which can cause outage .

Since engineer have authorized to do make change they do changes and unfortunately brings outages.

Need help on -

What if Engineer’s TACACS write access enabled only in change window ?

Is it possible ? we are using snow ticketing solution and there is stages of change record like New->schedule->implement.

As per change window timing TACACS will be in write mode else always in read mode.

So any change owner whose change comes in Implement stage can do the change because at that time only write access would enable.

Can anyone please suggest if it is possible in traditional way of ACS configuration ?

we are not using ISE Solution as of now.

Re: How can we enable write access on allowed change window in TACACS (ACS)via change record?

Francesco Molino — Sun, 03 Nov 2019 04:01:20 GMT

Hi

On ise you can create rules based on a time and date condition. However, i don't recall any API available to modify it dynamically.
You'll need to do it manually and i believe it's going to be a nightmare.

What you can do is using api to modify the tacacs profile. This means you need to find a way to get the date and information saved from your tool and dynamically create a cron job that will modify the tacacs profile at that date and time using ise API.

Right now, i don't think any other solution but if something comes up in my mind i let you know.

Re: How can we enable write access on allowed change window in TACACS (ACS)via change record?

ranjanvishwakarma4 — Sun, 03 Nov 2019 07:04:39 GMT

Thank you so much for replying.
This though was for my automation Idea and seems Like i have to dig more on solution however your suggestion is very helpful and greatly appreciated.

Re: How can we enable write access on allowed change window in TACACS (ACS)via change record?

Francesco Molino — Tue, 05 Nov 2019 04:06:44 GMT

You're welcome.

Re: How can we enable write access on allowed change window in TACACS (ACS)via change record?

hslai — Thu, 07 Nov 2019 04:58:30 GMT

Similar to ISE, ACS 5.8 appears also have Date and Time Conditions. In case the maintenance windows are always on specific days and hours (e.g. Sunday 12:01 midnight to 06:00 AM), it's not so bad to use date/time conditions. And, you may combine it by user group memberships, which might possibly be updated via API.

Re: How can we enable write access on allowed change window in TACACS (ACS)via change record?

ranjanvishwakarma4 — Sat, 09 Nov 2019 13:11:21 GMT

Thank you for solution on ACS. I need to work more to create demo and then move it to prod.