08-13-2013 11:57 AM - edited 02-21-2020 04:57 AM
What's the best practice for deploying ACS in a multitenant environment? I see some people are using an open source version of TACACS+ for this purpose.
Any thoughts?
08-14-2013 08:46 PM
Depends on how you mean multitenant - there're lots of deployment models that can be called that.
In my experience, the multitenant services are often data plane with respect to the tenants' network services. ACS AAA services are control plane and use a non-tenant-accessible management VRF to access the ACS server(s).
08-15-2013 07:03 AM
We have multiple entities within a state agency that we provide shared services for. I need guidance on how to provide AAA to the multiple ASA contexts we've created for the tenants. Currently they are using local login credentials. I've been tasked with creating one universal context that will provide tenants with shared TACACS so we can monitor what command caused whatever mischief. We had a rev of ASA code recently that would crash the device when the tenants issued NAT commands. I need to know how others are deploying their ACS servers in this sort of environment.
08-15-2013 07:23 AM
That's pretty straightforward.
Each context can have AAA setup (to include accounting) pointing to the ACS server using the TACACS+ protocol. See, for example, Jatin's posting here.
It's a best practice to setup AAA that way independent of whether it's a multitenant scenario.
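To make the two answers above concrete (the earlier one about keeping AAA on a management path tenants cannot reach, and this one about per-context TACACS+ with accounting), here is an added example of what the ASA side looks like. It is not configuration from the thread, from Jatin's post, or from Cisco documentation; the server tag ACS, the ACS address 192.0.2.10, the context name TENANT-A, the management subinterface Management0/0.10 mapped as "mgmt", the file name tenant-a.cfg, and the placeholder secrets are all assumed values for illustration.

```cisco
! Added example, not from the original thread. Assumed names and addresses throughout.
!
! --- system execution space: give each tenant context its own management path ---
! A per-context subinterface (assumption: Management0/0.10) avoids sharing one
! management interface across tenants; no tenant data interface is allocated here.
context TENANT-A
  allocate-interface Management0/0.10 mgmt
  config-url disk0:/tenant-a.cfg
!
! --- inside context TENANT-A (repeat the same block in every tenant context) ---
! TACACS+ server group bound to the management interface only, so AAA traffic
! never rides a tenant-facing interface.
aaa-server ACS protocol tacacs+
aaa-server ACS (mgmt) host 192.0.2.10
  key REPLACE-WITH-SHARED-SECRET
  timeout 5
!
! Authentication: ACS first, LOCAL only as a fallback when every ACS host is unreachable.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
!
! Command authorization: ACS permits or denies each command per user or group,
! which is how a tenant admin can be kept away from commands you do not want them
! issuing in a shared context.
aaa authorization command ACS LOCAL
!
! Accounting: every command plus session start/stop is recorded on ACS with the
! username and the context it came from, which answers "who ran what, when".
aaa accounting command ACS
aaa accounting ssh console ACS
aaa accounting enable console ACS
!
! Break-glass local account so the LOCAL fallback above has something to fall back to.
username admin password REPLACE-WITH-STRONG-PASSWORD privilege 15
```

The same block is applied in each context with its own mapped management interface name; the ACS side then distinguishes contexts by the source address of the TACACS+ requests, so accounting records can be filtered per tenant. Test the LOCAL fallback deliberately (shut the management subinterface, then SSH in) before relying on it during an ACS outage.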