02-19-2019 01:03 PM
I am planning a live cutover from ACS to ISE for more than 1000+ devices globally.
Currently they are configured in ACS: TACACS for Router/Switch/ASAs, RADIUS for WLC/AP/VPNs.
The policy sets are all configured, and the shared secret keys all match between ISE and the routers/switches/ASAs.
Just want to be cautious:
If I simply change the network devices' TACACS server pointer from ACS to ISE, will it cause a network outage?
Should I do "no aaa new-model" first, and then re-enable "aaa new-model"? Are there any other issues I should be concerned about?
Thanks
02-19-2019 05:42 PM
First add Cisco ISE on the router/switch/ASA and then run the "test aaa" command to check whether you are able to authenticate successfully.
Example:
tacacs server TACACS-SERVER-IP-1
 address ipv4 <ISE PSN IP>
 key <Shared Key>
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SERVER-IP-1
test aaa group TACACS-GROUP <username> <password> new-code
Once you are able to authenticate, change the "aaa authentication" and "aaa authorization" commands and point them to ISE.
Example:
aaa authentication login VTY group TACACS-GROUP local
aaa authorization commands 15 VTY group TACACS-GROUP local if-authenticated
Don't do write memory until everything works.
You can also use "reload in 30" so that the device will reload automatically in 30 minutes if you lock yourself out. If everything goes well, you can cancel the reload.
sw3850#reload in ?
Delay before reload (mmm or hhh:mm)
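The staged steps above lend themselves to an offline pre-check before the method lists are repointed. The following is an added example, not part of the original post: it parses a running-config and flags AAA method lists that reference an undefined TACACS+ group or lack the `local` method used when the server is unreachable. The function names, the sample config and the leftover `ACS-GROUP` name are constructed for illustration.

```python
# Constructed sample (not from a real device). Names follow the post above;
# 192.0.2.10 is a documentation address and the key is a placeholder.
SAMPLE_CONFIG = """\
tacacs server TACACS-SERVER-IP-1
 address ipv4 192.0.2.10
 key PLACEHOLDER-KEY
aaa group server tacacs+ TACACS-GROUP
 server name TACACS-SERVER-IP-1
aaa authentication login VTY group TACACS-GROUP local
aaa authorization commands 15 VTY group ACS-GROUP
"""

def parse_blocks(config):
    """Map each top-level config line to the indented lines under it."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and current is not None:
            blocks[current].append(line.strip())
        else:
            current = line.strip()
            blocks[current] = []
    return blocks

def precheck(config):
    """Return problems to fix before pointing the method lists at the new group."""
    blocks = parse_blocks(config)
    servers = {h.split()[2]: sub for h, sub in blocks.items()
               if h.startswith("tacacs server ")}
    groups = {h.split()[4]: sub for h, sub in blocks.items()
              if h.startswith("aaa group server tacacs+ ")}
    known = set(groups) | {"tacacs+", "radius"}  # built-in group keywords
    problems = []
    for name, sub in groups.items():
        members = [s.split()[2] for s in sub if s.startswith("server name ")]
        if not members:
            problems.append(f"group {name} has no servers")
        for m in members:
            if not any(s.startswith("address ") for s in servers.get(m, [])):
                problems.append(f"server {m} in group {name} has no address")
    for head in blocks:
        if not head.startswith(("aaa authentication ", "aaa authorization ")):
            continue
        words = head.split()
        for i, word in enumerate(words[:-1]):
            if word == "group" and words[i + 1] not in known:
                problems.append(f"'{head}': group {words[i + 1]} is not defined")
        if "local" not in words:
            problems.append(f"'{head}': no local fallback method")
    return problems
```

Run against the constructed sample, `precheck(SAMPLE_CONFIG)` reports the undefined `ACS-GROUP` and the missing `local` method on the authorization line.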
02-20-2019 05:50 AM
02-20-2019 06:29 AM
Totally agree :=) Thanks
02-19-2019 07:43 PM
Thanks a lot, Pan! The "reload in 30" is an excellent tip!
Since I changed the TACACS server pointer from ACS to ISE, should I do "no aaa new-model" first, and then re-enable "aaa new-model"?
Regards
02-19-2019 07:44 PM
No need for "no aaa new-model"
02-20-2019 02:02 AM
Hi, the first thing is to add the devices to ISE if this is not done.
Second, create policy sets for device administration, RADIUS, etc.
Third, configure the switches, routers, etc.