
How can we enable write access on allowed change window in TACACS (ACS) via change record?

Current scenario:

Network engineers have TACACS (r/w) access, so there is a possibility that an authorized engineer can make an unscheduled change or a change without a record, which can cause an outage.

Since engineers are authorized to make changes, they make changes and unfortunately bring outages.

Need help on:

What if the engineer's TACACS write access is enabled only in the change window?

Is it possible? We are using the snow ticketing solution, and there are stages of a change record like New->schedule->implement.

As per the change window timing, TACACS will be in write mode; otherwise it is always in read mode.

So any change owner whose change comes into the Implement stage can do the change, because only at that time would write access be enabled.

Can anyone please suggest if it is possible in the traditional way of ACS configuration?

We are not using the ISE solution as of now.

1 ACCEPTED SOLUTION

Cisco Employee

Re: How can we enable write access on allowed change window in TACACS (ACS) via change record?

Similar to ISE, ACS 5.8 also appears to have Date and Time Conditions. In case the maintenance windows are always on specific days and hours (e.g. Sunday 12:01 midnight to 06:00 AM), it's not so bad to use date/time conditions. And you may combine it with user group memberships, which might possibly be updated via API.

5 REPLIES
VIP Advisor

Re: How can we enable write access on allowed change window in TACACS (ACS) via change record?

Hi

On ISE you can create rules based on a time and date condition. However, I don't recall any API available to modify it dynamically.
You'll need to do it manually and I believe it's going to be a nightmare.

What you can do is use the API to modify the TACACS profile. This means you need to find a way to get the date and information saved from your tool and dynamically create a cron job that will modify the TACACS profile at that date and time using the ISE API.

Right now, I can't think of any other solution, but if something comes to mind I'll let you know.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
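
The decision a scheduled job of the kind discussed in this thread would have to make on every run, as an added example that is not part of the original posts: given change records and the current time, work out who should be in the read/write group and who should be dropped back to read-only. The `ChangeRecord` shape, the usernames and the sample tickets are constructed assumptions; pushing the result to the AAA server is deliberately left out because the API call depends on the product.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class ChangeRecord:            # hypothetical shape of a ticket export
    number: str
    owner: str                 # TACACS username of the change owner
    stage: str                 # New -> Schedule -> Implement
    start: datetime            # change window start, timezone-aware
    end: datetime              # change window end, timezone-aware

def write_entitled(records, now):
    """Owners allowed write access at `now`; bad records grant nothing."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    owners = set()
    for r in records:
        if r.stage.strip().lower() != "implement":
            continue           # ticket has not reached the Implement stage
        if r.start.tzinfo is None or r.end.tzinfo is None or r.end <= r.start:
            continue           # unusable window: fail closed (read-only)
        if r.start <= now < r.end:
            owners.add(r.owner)
    return owners

def reconcile(records, write_group, now):
    """Return (to_add, to_remove) for the read/write group membership."""
    want = write_entitled(records, now)
    have = set(write_group)
    return want - have, have - want

# Constructed sample tickets; 2024-01-07 is a Sunday.
UTC = timezone.utc
WINDOW = (datetime(2024, 1, 7, 0, 1, tzinfo=UTC),
          datetime(2024, 1, 7, 6, 0, tzinfo=UTC))
SAMPLE = [
    ChangeRecord("CHG0001", "alice", "Implement", *WINDOW),
    ChangeRecord("CHG0002", "bob", "Schedule", *WINDOW),       # wrong stage
    ChangeRecord("CHG0003", "carol", "Implement",              # next week
                 datetime(2024, 1, 14, 0, 1, tzinfo=UTC),
                 datetime(2024, 1, 14, 6, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2024, 1, 7, 2, 0, tzinfo=UTC)
    to_add, to_remove = reconcile(SAMPLE, {"dave"}, now)
    print("add:", sorted(to_add), "remove:", sorted(to_remove))
```

Running it on a short interval matters more for the removal side than the add side: the `to_remove` set is what returns an engineer to read-only once the window closes or the ticket leaves the Implement stage.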

Re: How can we enable write access on allowed change window in TACACS (ACS) via change record?

Thank you so much for replying.
This thought was for my automation idea, and it seems like I have to dig more on a solution; however, your suggestion is very helpful and greatly appreciated.
VIP Advisor

Re: How can we enable write access on allowed change window in TACACS (ACS) via change record?

You're welcome.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Re: How can we enable write access on allowed change window in TACACS (ACS) via change record?

Thank you for the solution on ACS. I need to work more to create a demo and then move it to prod.