ACS Server migration

elilraj07 · ‎08-04-2009

Need to migrate around 6 ACS servers which services around 3000 network devices to virtual servers without changing the IP addresses on the devices.

Can the current ACS servers /proxy/relay tacacs to the new virtual ACS servers or is there any tool appliance in the market which can proxy/load balance tacacs? DNS was ruled out as IOS does not support DNS for tacacs. All ideas are appreciated.

Erick Delgado · ‎08-18-2009

Hi,

I don't understand exactly what you need to accomplish but I have 2 ideas.

One is to install the ACS in a separate server assign the same IP address and remove the old one and put the new one at the same time.

Another feature is Proxy distribution server.

Please see link below.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341885

Please reply with a better explanation of the setup.

elilraj07 · ‎01-28-2010

Hi,

Due to consolidation & virtualization, the new ACS server will be in a new subnet in a different location. Therefore hot-swap of the old ACS server with a new ACS server with same IP address is therefore not possible.

The 'Proxy Distribution Server' suggested by you is a great idea but there seems to be a caveat.

" When an ACS receives a TACACS+ authentication request forwarded by proxy, any requests for Network Access Restrictions for TACACS+ are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client."

And we need to apply the NAR on the origination AAA client's IP address.

Any non-Cisco tool/script/appliance is also welcome.

Rgds,