Best approach to updating TACACS/RADIUS shared secrets on ISE and network devices

pn2020
Level 1

We have an automation (using Python) project where we have to update shared secrets on network devices (Cisco IOS/IOS XR and also other non-Cisco platforms, via netmiko).  Of course, we also have to update (via the ERS REST API) the Cisco ISE server with the same shared secrets.


What is the best approach to updating, with minimum connectivity outage?  One device at a time, i.e., updating the ISE, then updating the device, checking for connectivity, then moving on to another device?  Or bulk update, i.e., updating the shared secrets on the ISE for a small group of devices, then updating the secrets for the same group of devices?


I assume it would be one at a time, but I would like to hear additional feedback.

Also, is there a solution whereby we can dictate/direct the Cisco devices (or any network device platform) and Cisco ISE to try to authenticate using the new shared secret?  If the check is good, then flip over to the new shared secret.  That way, we can get minimum connectivity disruption.  Is that possible?


Thanks,

Peter


18 Replies

In case anyone stumbles on this discussion in future, I made some further revelations about the usage of the RADIUS second shared secret.  Here are some limitations/caveats regarding RADIUS:

  • Even when a second RADIUS shared secret is configured, ISE will still use the primary shared secret when it sends CoA. If the network device has been updated to the new (second) shared secret, then the CoA will not be acknowledged by the device.
  • The second RADIUS shared secret will only be honoured by ISE if the Access-Request contains attribute 80 (Message-Authenticator) - the absence of this attribute will cause a reject. Most PAP requests and things like IOS "test aaa" commands do not include Message-Authenticator.  EAP requests always include the Message-Authenticator.

Therefore, the message is, your mileage may vary.  The safest option is probably to update one device at a time, taking care of the CoA shared secret on the device as well.  That is the cleanest and safest approach - and also the hardest.

As for TACACS, it's 2025 and ISE 3.4 still doesn't support rotation in bulk.  It's a case of doing those one by one too.  Not fun.
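The one-device-at-a-time procedure Peter describes, with the CoA key caveat from the reply above folded in, as an added example (not code from the original thread, Cisco, or either poster): update ISE first via ERS, push the new key for both Access-Request and CoA to the device, verify, and roll both sides back if the check fails. The ERS field names (`authenticationSettings.radiusSharedSecret`, `NetworkDeviceIPList`) and the IOS-XE `radius server` / `aaa server radius dynamic-author` commands are assumed from the ERS NetworkDevice schema and IOS AAA CLI and should be checked against your ISE and IOS versions; `FakeIse`, `FakeNad` and the three switches in `demo()` are constructed stand-ins for `requests` and `netmiko` so the block runs offline.

```python
"""Rotate a RADIUS shared secret one NAD at a time: update ISE via ERS, push the
new key (Access-Request and CoA) to the device, verify, and roll both sides
back if the check fails.  Network I/O sits behind two small client interfaces;
the fakes at the bottom stand in for ERS and netmiko so this runs offline."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable, Protocol


@dataclass
class Nad:
    ise_id: str         # ERS object id of this device in ISE (assumed value)
    name: str
    ip: str
    radius_server: str  # name of the 'radius server <name>' stanza on the box


def ers_networkdevice_payload(nad: Nad, radius_secret: str) -> dict:
    """Body for PUT /ers/config/networkdevice/{id}; field names are assumed
    from the ERS NetworkDevice schema and worth checking on your ISE version."""
    return {"NetworkDevice": {
        "id": nad.ise_id, "name": nad.name,
        "authenticationSettings": {"radiusSharedSecret": radius_secret,
                                   "enableKeyWrap": False},
        "NetworkDeviceIPList": [{"ipaddress": nad.ip, "mask": 32}],
    }}


def ios_radius_rotation_config(nad: Nad, ise_ip: str, secret: str) -> list[str]:
    """IOS/IOS-XE lines that set the new key for Access-Requests *and* for
    CoA (the dynamic-author server-key the thread warns about)."""
    return [
        f"radius server {nad.radius_server}",
        f" key 0 {secret}",
        "aaa server radius dynamic-author",
        f" client {ise_ip} server-key 0 {secret}",
    ]


class IseClient(Protocol):
    def update_network_device(self, payload: dict) -> None: ...


class NadClient(Protocol):
    def send_config(self, lines: list[str]) -> None: ...
    def test_aaa(self) -> bool: ...   # e.g. 'test aaa group radius ... new-code'


def rotate_one(nad: Nad, ise_ip: str, old: str, new: str,
               ise: IseClient, dev: NadClient) -> str:
    """ISE first (it must know the new key before the device uses it), then the
    device, then verify.  Any failure restores the old key on both sides so
    the device keeps authenticating while you investigate."""
    ise.update_network_device(ers_networkdevice_payload(nad, new))
    dev.send_config(ios_radius_rotation_config(nad, ise_ip, new))
    if dev.test_aaa():
        return "rotated"
    dev.send_config(ios_radius_rotation_config(nad, ise_ip, old))
    ise.update_network_device(ers_networkdevice_payload(nad, old))
    return "rolled_back"


def rotate_fleet(nads: list[Nad], ise_ip: str, old: str, new: str,
                 ise: IseClient, dev_for: Callable[[Nad], NadClient]) -> dict[str, str]:
    """Strictly sequential; stop at the first device that had to be rolled back."""
    results: dict[str, str] = {}
    for nad in nads:
        results[nad.name] = rotate_one(nad, ise_ip, old, new, ise, dev_for(nad))
        if results[nad.name] != "rotated":
            break
    return results


# --- offline stand-ins (constructed; replace with requests + netmiko) --------
class FakeIse:
    def __init__(self, secrets: dict[str, str]) -> None:
        self.secrets = dict(secrets)          # ise_id -> current RADIUS secret

    def update_network_device(self, payload: dict) -> None:
        nd = payload["NetworkDevice"]
        self.secrets[nd["id"]] = nd["authenticationSettings"]["radiusSharedSecret"]


class FakeNad:
    """Applies the pushed 'key 0 <secret>' line; test_aaa succeeds only when
    the device key equals what ISE holds, like a real shared-secret check."""
    def __init__(self, nad: Nad, ise: FakeIse, key: str, reachable: bool = True):
        self.nad, self.ise, self.key, self.reachable = nad, ise, key, reachable

    def send_config(self, lines: list[str]) -> None:
        if not self.reachable:      # simulates a dropped SSH session: nothing applied
            return
        for line in lines:
            if line.startswith(" key 0 "):
                self.key = line.split()[2]

    def test_aaa(self) -> bool:
        return self.key == self.ise.secrets[self.nad.ise_id]


def demo() -> tuple[dict[str, str], FakeIse, dict[str, FakeNad]]:
    """Three constructed switches; sw2 loses its session mid-rotation."""
    nads = [Nad("id-1", "sw1", "10.0.0.11", "ISE-1"),
            Nad("id-2", "sw2", "10.0.0.12", "ISE-1"),
            Nad("id-3", "sw3", "10.0.0.13", "ISE-1")]
    ise = FakeIse({n.ise_id: "OldSecret1" for n in nads})
    devs = {"sw1": FakeNad(nads[0], ise, "OldSecret1"),
            "sw2": FakeNad(nads[1], ise, "OldSecret1", reachable=False),
            "sw3": FakeNad(nads[2], ise, "OldSecret1")}
    results = rotate_fleet(nads, "10.0.0.1", "OldSecret1", "NewSecret2",
                           ise, lambda n: devs[n.name])
    return results, ise, devs


if __name__ == "__main__":
    print(demo()[0])
```

In the demo, sw1 rotates cleanly, sw2 fails verification because its config push never landed, both sides are restored to the old secret, and the loop stops before touching sw3. Because `test aaa` sends a PAP request without Message-Authenticator, this verification step only exercises the primary secret; that is why the example writes the new key into `radiusSharedSecret` directly rather than relying on the second-secret feature.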

An update on the TACACS+ key rotation using REST API topic - great news!  The Cisco Developer ISE SDK is listing this feature as being available in ISE 3.5 if I read that correctly. ISE 3.5 is not yet publicly available.


Specifically, on these:
- NADs: what do you mean by NADs?
Network Access Devices. Edge/Access switches that clients connect to.
- that onboard via 802.1X or MAB
How you authenticate and authorize hosts onto their respective network.
- reauth timer: where do I change that? On the devices, ISE server, or both?
If you are utilizing ISE already to push authz policy I would recommend configuring it in the authz profiles. This can be done under 'Common Tasks' section under 'Reauthentication'.
HTH!

Thanks Mike.  I will explore the auth timer more.