
ACS in Multitenant environment

aducey01
Level 1

What's the best practice for deploying ACS in a multitenant environment? I see some people are using an open source version of TACACS+ for this purpose.

Any thoughts?

3 Replies

Marvin Rhoads
Hall of Fame

Depends on how you mean multitenant - there're lots of deployment models that can be called that.

In my experience, the multitenant services are often data plane with respect to the tenants' network services. ACS AAA services are control plane and use a non-tenant-accessible management VRF to access the ACS server(s).

We have multiple entities within a state agency that we provide shared services for. I need guidance on how to provide AAA to the multiple ASA Contexts we've created for the tenants. Currently they are using local login credentials. I've been tasked with creating one universal context that will provide tenants with shared TACACS so we can monitor what command caused whatever mischief. We had a rev of ASA code recently that would crash the device when the tenants issued NAT commands. I need to know how others are deploying their ACS's in this sort of environment.

That's pretty straightforward.

Each context can have AAA set up (to include accounting) pointing to the ACS server using the TACACS+ protocol. See, for example, Jatin's posting here.

It's a best practice to set up AAA that way independent of whether it's a multitenant scenario.
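
Added example, not part of the thread or of any poster's configuration: a per-context ASA AAA setup of the kind described in the last reply, with TACACS+ authentication and command accounting sent to a shared ACS server. The server group name `ACS-TACACS`, the interface name `mgmt`, the address `192.0.2.10` (documentation range) and the key are assumptions; the interface must be one allocated to the context and able to reach the ACS server.

```cisco
! Constructed example: names, address and key are placeholders, not from the thread.
! Apply inside each tenant context (e.g. after "changeto context TENANT-A").

! TACACS+ server group pointing at the shared ACS server.
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (mgmt) host 192.0.2.10
 key <shared-secret>

! Authenticate SSH logins and enable access against ACS; the LOCAL
! database is used only when the ACS server is unreachable.
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL

! Accounting: record SSH sessions and the commands entered at the CLI
! (show commands are not sent), so changes can be traced to a user.
aaa accounting ssh console ACS-TACACS
aaa accounting command ACS-TACACS
```

Because each context carries its own `aaa-server` definition, the ACS accounting records can be separated per tenant by the source address of the context that sent them.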
