Bulk import of switches into ACS

Kurt Warner
Level 1

I have a new ACS 1120 running 5.1.0.44.

I have over 1000 Cisco switches to add to this (good thing I have the unlimited lic).

All of the switches for the most part are the same type. Is there a way to bulk import these switches into the ACS? Basically say hey 192.1.1.1-253 is a certain switch.

The 2nd part of this question is I'm pretty sure I am going to have to log into every switch to config it to talk to the ACS. Any way around that?

Thanks for the help

6 Replies

jrabinow
Level 7

On the first part of your question, there is a bulk mechanism to import device definitions from a CSV file. It can be used to set the shared secret IP address. If you want to follow this approach, you should decide first how you want to divide your devices into device groups and define these groups first. By default there is a device group hierarchy for "Device Type" and "Location".

They are grouped by location and they are all the same type. Is there a sample CSV anywhere? And where inside the ACS is the mech for uploading that file?

What you need to do is as follows:

1) Go to Network Resources > Network Devices and AAA Clients. Devices can be imported from here.

2) Press File Operations, then Add, then Next and "Download "Add" Template".

You will get a file similar to the following (this is what is displayed by default for ACS 5.1):

name:String(64):Required,description:String(1024),subnets:Subnets(a.b.c.d/m;...):Required,"supportRADIUS:Boolean(true,false):Required",radiusSecret:String(32),"supportTACACS:Boolean(true,false):Required",tacacsSecret:String(32),"singleconnect:Boolean(true,false)","legacyTACACS:Boolean(true,false)",Location:String(256),Device Type:String(256)

3) This line must be retained as is as the first line of the import file; it also defines the structure of each data record that corresponds to a device definition. For devices that will only do TACACS, the following can be used to define an entry:

device1,,1.2.3.4/32,false,,true,cisco,false,false,All Locations:US,All Device Types:Switch

/// explanation

device1,                  /// name

,                         /// description, empty

1.2.3.4/32,               /// subnet - this is in fact IP address 1.2.3.4

false,                    /// does not support RADIUS

,                         /// empty, shared secret

true,                     /// support T+

cisco,                    /// T+ shared secret

false,                    /// singleConnect

false,                    /// legacyTACACS

All Locations:US,         /// location NDG

All Device Types:Switch   /// Device Type

Add a line/entry for each device you want to add during the import process.

4) Now import the new definitions

Select File Operations, then Add, then Next and Next; you can then define the file to be imported and then press "Finish".
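Added example, not part of the original post: a generator that extends the single sample row above to the whole 192.1.1.1-253 range from the question, writing the template header verbatim and checking each record against the String(64) and String(32) limits it declares. The `sw-` naming scheme, the 8-character minimum for the secret, the random secret in place of a dictionary word, and the output file name are assumptions of this example.

```python
import csv, io, ipaddress, os, secrets

# First line of the ACS 5.1 "Add" template, copied verbatim from the post above.
HEADER = (
    'name:String(64):Required,description:String(1024),'
    'subnets:Subnets(a.b.c.d/m;...):Required,'
    '"supportRADIUS:Boolean(true,false):Required",radiusSecret:String(32),'
    '"supportTACACS:Boolean(true,false):Required",tacacsSecret:String(32),'
    '"singleconnect:Boolean(true,false)","legacyTACACS:Boolean(true,false)",'
    'Location:String(256),Device Type:String(256)'
)

def device_rows(first_ip, last_ip, secret, location, device_type, prefix="sw"):
    """Yield one TACACS+-only record per address in first_ip..last_ip (inclusive)."""
    # The template caps tacacsSecret at 32 characters; the 8-character floor is
    # this example's own policy (assumption) to reject short, guessable secrets.
    if not 8 <= len(secret) <= 32:
        raise ValueError("tacacsSecret must be 8 to 32 characters")
    start, end = ipaddress.IPv4Address(first_ip), ipaddress.IPv4Address(last_ip)
    if end < start:
        raise ValueError("last_ip is below first_ip")
    for n in range(int(start), int(end) + 1):
        ip = ipaddress.IPv4Address(n)
        name = f"{prefix}-{str(ip).replace('.', '-')}"  # hypothetical naming scheme
        if len(name) > 64:
            raise ValueError(f"name exceeds String(64): {name}")
        # name, description, subnet, RADIUS off, no RADIUS secret, TACACS+ on,
        # T+ secret, singleconnect, legacyTACACS, Location NDG, Device Type NDG
        yield [name, "", f"{ip}/32", "false", "", "true", secret,
               "false", "false", location, device_type]

def build_import_file(rows):
    """Return the import file text: template header first, then one line per device."""
    buf = io.StringIO()
    buf.write(HEADER + "\n")
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    secret = secrets.token_urlsafe(18)  # 24 random characters instead of a guessable word
    text = build_import_file(device_rows(
        "192.1.1.1", "192.1.1.253", secret,
        "All Locations:US", "All Device Types:Switch"))
    # The file holds the shared secret in clear text: create it owner-only (0600).
    fd = os.open("acs_devices.csv", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    print(f"wrote {text.count(chr(10)) - 1} device records to acs_devices.csv")
```

The Location and Device Type values must name device groups that already exist in ACS, and the generated secret has to match what is configured on each switch.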

OK, that worked like a charm. Any idea on question 2? LOL

I don't see any way to get around configuring each of the switches.

1. If those Cisco devices are managed by something like CSM (Cisco Security Manager - might not support low end switch), you can push the new AAA configuration by using CSM.

Or

2. You can write a script to do the job for you. You can use an interactive script like "Expect", or if you are using SecureCRT, it can run the VB, Java and Perl scripts directly from it.

Or

3. Manually do it.