TACACS Live cut over from ACS to ISE

j0liu001
Level 1

I am planning Live cut over from ACS to ISE for more than 1000+ devices globally.

Currently they are configured in ACS: TACACS for Router/Switch/ASAs, RADIUS for WLC/AP/VPNs.

 

The policy sets are all configured, and the shared secret keys all match between ISE and the routers/switches/ASAs.

 

Just want to be cautious:

If I simply change the network devices' TACACS server pointer from ACS to ISE, will it cause a network outage?

Should I do "no aaa new-model" first, and then re-enable "aaa new-model"? Any other issues I should be concerned about?

 

Thanks

1 Accepted Solution

pan
Cisco Employee

No need for "no aaa new-model"

6 Replies

pan
Cisco Employee

First add Cisco ISE on the router/switch/ASA and then run the "test aaa" command to check that you are able to authenticate successfully.

Example:

! Define the ISE PSN as a TACACS+ server and place it in a server group
tacacs server TACACS-SERVER-IP-1
 address ipv4 <ISE PSN IP>
 key <Shared Key>
!
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SERVER-IP-1
!
! Verify authentication against the new group before changing any AAA method list
test aaa group TACACS-GROUP <username> <password> new-code

Once you are able to authenticate, change the "aaa authentication" and "aaa authorization" commands and point them to ISE.

Example:

! TACACS-GROUP is tried first; "local" falls back to the local user database if ISE is unreachable
aaa authentication login VTY group TACACS-GROUP local
aaa authorization commands 15 VTY group TACACS-GROUP local if-authenticated

Don't do write memory until everything works.

You can also have "reload in 30" so that the device will reload automatically in 30 min if you lock yourself out. If everything goes well you can cancel the reload.

sw3850#reload in ?
Delay before reload (mmm or hhh:mm)
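The lockout risk in the steps above comes from pushing a method list that names a server group which is undefined, has no key, or has no local fallback. The following Python pre-flight check is an added example, not code from the thread or from Cisco: it parses an IOS-style running config (the two sample configs and the 192.0.2.10 address are constructed for the example) and reports anything that should be fixed before the AAA method lists are repointed to the ISE group.

```python
"""Pre-cutover sanity check for IOS-style AAA/TACACS+ configuration.

Added example (not from the forum thread). It verifies, before the
"aaa authentication"/"aaa authorization" lines are repointed, that:
  * "aaa new-model" is present,
  * the target server group exists and every server it references is
    defined with an address and a key,
  * every method list that uses the group falls back to "local",
  * a local user exists for that fallback to be useful.
"""
import re

# Constructed sample: what a device should look like after the steps above.
SAMPLE_CONFIG = """\
aaa new-model
tacacs server TACACS-SERVER-IP-1
 address ipv4 192.0.2.10
 key EXAMPLE-SHARED-KEY
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SERVER-IP-1
aaa authentication login VTY group TACACS-GROUP local
aaa authorization commands 15 VTY group TACACS-GROUP local if-authenticated
username admin privilege 15 secret EXAMPLE-LOCAL-SECRET
"""

# Constructed sample with three lockout risks: no key, no local fallback, no local user.
BROKEN_CONFIG = """\
aaa new-model
tacacs server ISE-1
 address ipv4 192.0.2.10
aaa group server tacacs+ TACACS-GROUP
 server name ISE-1
aaa authentication login VTY group TACACS-GROUP
"""


def parse_tacacs_servers(config):
    """Return {name: {'address': str|None, 'key': bool}} from 'tacacs server' blocks."""
    servers, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^tacacs server (\S+)$", line)
        if m:
            current = m.group(1)
            servers[current] = {"address": None, "key": False}
            continue
        if line.startswith(" ") and current:  # indented line belongs to the open block
            sub = line.strip()
            m = re.match(r"address ipv4 (\S+)", sub)
            if m:
                servers[current]["address"] = m.group(1)
            elif sub.startswith("key "):
                servers[current]["key"] = True
        else:
            current = None  # any non-indented line closes the block
    return servers


def parse_server_groups(config):
    """Return {group_name: [server_name, ...]} from 'aaa group server tacacs+' blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = m.group(1)
            groups[current] = []
            continue
        if line.startswith(" ") and current:
            m = re.match(r"server name (\S+)", line.strip())
            if m:
                groups[current].append(m.group(1))
        else:
            current = None
    return groups


def check_cutover(config, group):
    """Return a list of findings; an empty list means the group is safe to point at."""
    findings = []
    lines = config.splitlines()
    if "aaa new-model" not in lines:
        findings.append("aaa new-model is missing")
    servers = parse_tacacs_servers(config)
    groups = parse_server_groups(config)
    if group not in groups:
        findings.append(f"server group {group} is not defined")
    else:
        for name in groups[group]:
            s = servers.get(name)
            if s is None:
                findings.append(f"group {group} references undefined server {name}")
            elif s["address"] is None:
                findings.append(f"tacacs server {name} has no address")
            elif not s["key"]:
                findings.append(f"tacacs server {name} has no key")
    # Every method list that uses the group must list "local" after it as a fallback.
    for line in lines:
        if line.startswith(("aaa authentication ", "aaa authorization ")) and f"group {group}" in line:
            after_group = line.split(f"group {group}", 1)[1]
            if " local" not in after_group:
                findings.append(f"no local fallback: {line}")
    if not re.search(r"^username \S+ .*(secret|password)", config, re.M):
        findings.append("no local user defined for fallback")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, check_cutover(cfg, "TACACS-GROUP") or "OK")
```

Run it against a saved "show running-config" before the cutover; the parser deliberately treats any non-indented line as the end of a block, matching how IOS prints nested configuration.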

To add to the helpful tips provided by @pan:

Change your current reauthentication timers to 4 hours or however long you need to complete the cutover. Wait for hosts to auth. Then you will know that you have a 4 hour window until they need to reauth. This will help keep end users up during the cutover.

HTH!

Totally agree  :=)  Thanks

j0liu001
Level 1

Thanks a lot, Pan! The "reload in 30" is an excellent tip!

Since I changed the TACACS server pointer from ACS to ISE, should I do "no aaa new-model" first, and then re-enable "aaa new-model"? ...

Regards

pan
Cisco Employee

No need for "no aaa new-model"

Hi, the first thing is to add the devices to ISE if this is not done.

Second, create the policy sets for device administration, RADIUS, etc.

Third is to configure the switches, routers, etc.
