Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1407
Views
10
Helpful
5
Replies

How can we enable write access on allowed change window in TACACS (ACS)via change record?

Go to solution
ranjanvishwakarma4
Level 1
Level 1

‎11-01-2019 09:58 AM - edited ‎02-21-2020 11:11 AM

Current Scenario-

Network engineer have TACACS (r/w) access so there is possibility authorized engineer can do not schedule or without record change , which can cause outage .

Since engineer have authorized to do make change they do changes and unfortunately brings outages.

Need help on -

What if Engineer’s TACACS write access enabled only in  change window ?

Is it possible ? we are using snow ticketing solution  and there is stages of change record like New->schedule->implement.

As per change window timing TACACS will  be in write mode else always in read mode.

So any change owner whose change comes in Implement stage  can do the change because at that time only write access would enable.

Can anyone please suggest if it is possible in traditional way of ACS configuration ?

we are not using ISE Solution as of now.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to ranjanvishwakarma4

‎11-06-2019 08:58 PM

Similar to ISE, ACS 5.8 appears also have Date and Time Conditions. In case the maintenance windows are always on specific days and hours (e.g. Sunday 12:01 midnight to 06:00 AM), it's not so bad to use date/time conditions. And, you may combine it by user group memberships, which might possibly be updated via API.

 

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni

‎11-02-2019 09:01 PM

Hi

On ise you can create rules based on a time and date condition. However, i don't recall any API available to modify it dynamically.
You'll need to do it manually and i believe it's going to be a nightmare.

What you can do is using api to modify the tacacs profile. This means you need to find a way to get the date and information saved from your tool and dynamically create a cron job that will modify the tacacs profile at that date and time using ise API.

Right now, i don't think any other solution but if something comes up in my mind i let you know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
ranjanvishwakarma4
Level 1
Level 1
In response to Francesco Molino

‎11-03-2019 12:04 AM

Thank you so much for replying.
This though was for my automation Idea and seems Like i have to dig more on solution however your suggestion is very helpful and greatly appreciated.
0 Helpful

Go to solution
Francesco Molino
VIP Alumni
VIP Alumni
In response to ranjanvishwakarma4

‎11-04-2019 08:06 PM

You're welcome.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to ranjanvishwakarma4

‎11-06-2019 08:58 PM

Similar to ISE, ACS 5.8 appears also have Date and Time Conditions. In case the maintenance windows are always on specific days and hours (e.g. Sunday 12:01 midnight to 06:00 AM), it's not so bad to use date/time conditions. And, you may combine it by user group memberships, which might possibly be updated via API.

 

0 Helpful

Go to solution
ranjanvishwakarma4
Level 1
Level 1
In response to hslai

‎11-09-2019 05:11 AM

Thank you for solution on ACS. I need to work more to create demo and then move it to prod.
0 Helpful
Customers Also Viewed These Support Documents