Best approach to updating TACACS/RADIUS share secrets on ISE and network devices

pn2020
Level 1

We have an automation (using Python) project where we have to update shared secrets on network devices (Cisco IOS/IOS XR and also other non-Cisco platforms, via netmiko). Of course, we also have to update (via the ERS REST API) the Cisco ISE server with the same shared secrets.

 

What is the best approach to updating, with minimum connectivity outage? One device at a time, i.e., updating the ISE, then updating the device, checking for connectivity, then moving on to another device? Or a bulk update, i.e., updating the shared secrets on the ISE for a small group of devices, then updating the secrets for the same group of devices?

 

I assume it would be one at a time, but I would like to hear additional feedback.

Also, is there a solution whereby we can dictate/direct the Cisco devices (or any network device platform) and Cisco ISE to try to authenticate using the new shared secret? If the check is good, then flip over to the new shared secret. That way, we get minimal connectivity disruption. Is that possible?

 

Thanks,

Peter
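As an added example (not code from the thread), here is the one-device-at-a-time sequence described in the question, with a verification step and a rollback when the push or the test authentication fails. The ISE and NAD back ends are injected and faked so it runs offline; `set_ise`, `set_nad` and `check_auth` are assumed placeholders for an ERS network-device update, a netmiko config push and a test authentication.

```python
"""Per-device shared-secret rotation (ISE first, then NAD) with rollback."""
from typing import Callable, Dict, Iterable, List, Tuple

SetSecret = Callable[[str, str], None]   # (device, secret) -> None; may raise
CheckAuth = Callable[[str], bool]        # (device) -> did a test auth succeed?


def rotate_one(device: str, old: str, new: str, set_ise: SetSecret,
               set_nad: SetSecret, check_auth: CheckAuth) -> Tuple[str, List[str]]:
    """Returns ("rotated" | "rolled_back", ordered list of steps taken)."""
    steps: List[str] = []
    set_ise(device, new)                  # ISE now expects the new secret
    steps.append("ise:new")
    try:
        set_nad(device, new)              # real code: netmiko config push
        steps.append("nad:new")
        if check_auth(device):            # test auth against ISE must pass
            return "rotated", steps
        steps.append("auth:failed")
    except Exception:                     # unreachable device or push error
        steps.append("nad:error")
    try:                                  # undo in reverse so both ends agree
        set_nad(device, old)
        steps.append("nad:old")
    except Exception:
        steps.append("nad:rollback-error")
    set_ise(device, old)
    steps.append("ise:old")
    return "rolled_back", steps


class FakeEnvironment:
    """In-memory ISE + NADs (constructed); auth passes when secrets match."""
    def __init__(self, devices: Iterable[str], secret: str, unreachable: set):
        self.ise: Dict[str, str] = {d: secret for d in devices}
        self.nad: Dict[str, str] = dict(self.ise)
        self.unreachable = unreachable
    def set_ise(self, device: str, secret: str) -> None:
        self.ise[device] = secret
    def set_nad(self, device: str, secret: str) -> None:
        if device in self.unreachable:
            raise ConnectionError(f"{device}: ssh timeout")
        self.nad[device] = secret
    def check_auth(self, device: str) -> bool:
        return self.ise[device] == self.nad[device]


def rotate_all(devices: List[str], old: str, new: str, unreachable=frozenset()):
    """Rotate devices one at a time; returns ({device: (status, steps)}, env)."""
    env = FakeEnvironment(devices, old, set(unreachable))
    return {d: rotate_one(d, old, new, env.set_ise, env.set_nad, env.check_auth)
            for d in devices}, env
```

A device that cannot be reached, or whose test authentication fails after the push, ends with the old secret restored on both ISE and the device, so the loop can move on without leaving a mismatched pair behind.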

 

16 Replies

Specifically, on these:
- NADs: what do you mean by NADs?
Network Access Devices. Edge/Access switches that clients connect to.
- that onboard via 802.1X or MAB
How you authenticate and authorize hosts onto their respective network.
- reauth timer: where do I change that? On the devices, ISE server, or both?
If you are utilizing ISE already to push authz policy, I would recommend configuring it in the authz profiles. This can be done in the 'Common Tasks' section under 'Reauthentication'.
HTH!

Thanks Mike. I will explore the auth timer more.