I don't know if it's the best way, but I have ours setup with a simple expect script. The script is setup to run as a job on the server every night at 1:00am. The script basically telnets to the switches and routers throughout the network and copies the configuration via tftp to a server and the tftp root directory on that server is setup as a website that can be accessed via our intranet from our admin network. Here is a sample of the expect script I'm using for our gear;

#!/usr/bin/expect

# ACCESSW01

# Backup script for ACCESSW01

#

set timeout 15

set name "username"

set pass "password-for-user"

spawn telnet ACCESSW01

expect "sername:"

send "$name\r"

expect "assword:"

send "$pass\r"

expect "HQ-ACCESSW01#"

send "copy start tftp\r"

expect "ddress or name of remote host []?"

send "XXX.XXX.XXX.XXX\r"

expect "?"

send "\r"

expect "HQ-ACCESSW01#"

send "exit\r"

expect eof

It is a rather simple approach although probably not best practice as the username and password are stored in plain text on a server. For a little added security I setup the user on our ACS server to only be able to run the command listed (copy start tftp) so that if the account were compromised the only command they could run is that. I have access-lists in place that denies tftp traffic to the outside so theoretically they could copy the configuration to an internal host which so far has not been an issue for us. Like I said before this is probably not the best solution but it works.

There are a bunch of useful scripts at http://cosi-nms.sourceforge.net/alpha-progs.html. I have used Ciscocmd in the past with good results.