Solved: TACACS solution overview

Florin Barhala · ‎03-24-2014

Hi guys,

We need a centralised solution for device authentication (routers&switches) and we opt to use TACACS.

Except ACS 5.x is there any other tool you can recommend for this requirement?

Second: equipment are spread both on EU, North America and Asia; how can I tackle this? Install two instances one in EU and one in NA?

Many thanks,

Florin.

pmccubbin · ‎03-24-2014

Cisco ACS is a tried and true solution for centralized router and switch authentication. I would install one TACACS server as your primary and replicate it to a secondary. I would do this with virtual machines for ease of maintenance and support.

As to whether or not you install a TACACS solution on each continent you support, you could justify this depending upon how many devices there are in each part of the world.

Hope this helps you make an informed decision:

"With the Base license, a Cisco Secure ACS 5.5 appliance or software virtual machine can support the deployment of up to 500 network devices. These are authentication, authorization, and accounting (AAA) clients. The number of network devices is based on how many unique IP addresses are configured. The 500-device limit is not a limit for each individual appliance or instance, but a deployment-wide limit that applies to a set of Cisco Secure ACS instances (primary and secondary) that are configured for replication."

-Paul

View solution in original post

pmccubbin · ‎03-24-2014

Cisco ACS is a tried and true solution for centralized router and switch authentication. I would install one TACACS server as your primary and replicate it to a secondary. I would do this with virtual machines for ease of maintenance and support.

As to whether or not you install a TACACS solution on each continent you support, you could justify this depending upon how many devices there are in each part of the world.

Hope this helps you make an informed decision:

"With the Base license, a Cisco Secure ACS 5.5 appliance or software virtual machine can support the deployment of up to 500 network devices. These are authentication, authorization, and accounting (AAA) clients. The number of network devices is based on how many unique IP addresses are configured. The 500-device limit is not a limit for each individual appliance or instance, but a deployment-wide limit that applies to a set of Cisco Secure ACS instances (primary and secondary) that are configured for replication."

-Paul

Florin Barhala · ‎03-24-2014

Hi mate,

Thanks for the input. I am not familiar with ACS, so your answer is very helpful.

I will start with ACS on North America and try routing most of the traffic over MPLS for using it in EU or AS. Based on the outcome we will decide if a second deployment is needed.

Nevertheless I would really want to know what other options do I have.

How is the ACS 5.x, except the recent polished GUI?

I am really interested in the functionalities and trying to avoid buying&deploying from scratch an OLD dusty product (if the case).

pmccubbin · ‎03-24-2014

We have been using it for years with few complaints to mention. The ACS 5.x does have a polished GUI and the ability to install it on a VM. It was rebuilt entirely in version 5.x so you need not worry about buying an "old dusty product."

The reporting functionality is also greatly improved in version 5.x compared with 3.x of 4.x. It's robust and easy to use.

Take a look at Juniper if you want something to compare Cisco ACS with. Hope this helps.