ACS Server migration

Unanswered Question
Aug 4th, 2009
User Badges:

Need to migrate around 6 ACS servers which services around 3000 network devices to virtual servers without changing the IP addresses on the devices.

Can the current ACS servers /proxy/relay tacacs to the new virtual ACS servers or is there any tool appliance in the market which can proxy/load balance tacacs? DNS was ruled out as IOS does not support DNS for tacacs. All ideas are appreciated.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Erick Delgado Tue, 08/18/2009 - 16:54
User Badges:
  • Bronze, 100 points or more

Hi,


I don't understand exactly what you need to accomplish but I have 2 ideas.


One is to install the ACS in a separate server assign the same IP address and remove the old one and put the new one at the same time.


Another feature is Proxy distribution server.


Please see link below.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/NetCfg.html#wp341885


Please reply with a better explanation of the setup.




elilraj07 Thu, 01/28/2010 - 13:37
User Badges:

Hi,

Due to consolidation & virtualization, the new ACS server will be in a new subnet in a different location. Therefore hot-swap of the old ACS server with a new ACS server with same IP address is therefore not possible.


The 'Proxy Distribution Server' suggested by you is a great idea but there seems to be a caveat.


" When an ACS receives a TACACS+ authentication request forwarded by proxy, any requests for Network Access Restrictions for TACACS+ are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client."


And we need to apply the NAR on the origination AAA client's IP address.


Any non-Cisco tool/script/appliance is also welcome.



Rgds,

Actions

This Discussion