10-25-2017 05:50 AM - edited 02-21-2020 10:36 AM
Hi all,
I need to configure ISE to authenticate our users against a cluster of external TACACS Servers (ACS) and with the local users defined in the ISE as a fallback mechanism in case the external servers are unreachable, but I can't find any documentation about this.
I have found how to configure the local authentication for device administration (it is working), and how to configure the proxy sequence authentication for remote TACACS servers (working too), but I don't get how I can use the external TACACS servers (if reachable) and, if not, use the local users on the ISE.
Has anyone managed to configure a similar setting? Any help will be appreciated.
10-25-2017 07:05 AM
10-25-2017 09:05 AM
Hi Francesco,
The main idea is to keep using our ACS for the authentication but with some type of fallback in case we lose both servers (suppose we lose the local user info too); we just thought that using the ISE as a middle point could help us with that (all devices authenticate against the ISE, and the ISE proxies the authentication to the ACS or to the local user DB).
Now I think the fallback between the AAA servers is easier from the devices using multiple tacacs+ groups, but we have devices from other vendors that do not have that flexibility.
10-25-2017 02:03 PM
10-26-2017 07:14 AM
Well, I think we'll go with the tacacs groups in the aaa configuration of the devices. Thank you for the help.
PS: We don't migrate because the ISE and the ACS are in two separate networks with different security requirements, but people expect that the ISE solution will back up the authz if the ACS goes bad.
Greetings!
10-26-2017 07:22 AM
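The device-side fallback the thread settles on, as an added example that is not part of the original posts: an IOS/IOS-XE AAA configuration that tries the ACS server group first, then an ISE group, and only then the local user database. Server names, addresses, group names and keys are placeholders.

```cisco
! Added example, not from the thread. Addresses from the RFC 5737 documentation range,
! group names and keys are placeholders to be replaced.
tacacs server ACS-1
 address ipv4 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
tacacs server ACS-2
 address ipv4 192.0.2.12
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
tacacs server ISE-1
 address ipv4 198.51.100.21
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Primary group: the ACS cluster. Secondary group: ISE (local ISE users for device admin).
aaa group server tacacs+ ACS-GROUP
 server name ACS-1
 server name ACS-2
aaa group server tacacs+ ISE-GROUP
 server name ISE-1
!
aaa new-model
! Method lists are tried left to right; the next method is used only when the
! previous group does not respond (all its servers time out), not when it rejects.
aaa authentication login default group ACS-GROUP group ISE-GROUP local
aaa authorization exec default group ACS-GROUP group ISE-GROUP local
aaa authorization commands 15 default group ACS-GROUP group ISE-GROUP local
aaa accounting exec default start-stop group ACS-GROUP group ISE-GROUP
!
! Local last-resort account, only reachable when both groups are unreachable.
username emergency-admin privilege 15 secret REPLACE-WITH-STRONG-PASSWORD
```

The local account is only consulted when every server in both groups fails to answer, so a wrong password rejected by the ACS does not fall through to it; verify the order with `show aaa servers` and `test aaa group ACS-GROUP <user> <password> legacy`.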