Need to migrate around 6 ACS servers, which serve around 3000 network devices, to virtual servers without changing the IP addresses on the devices.
Can the current ACS servers proxy/relay TACACS+ to the new virtual ACS servers, or is there any tool or appliance on the market that can proxy/load-balance TACACS+? DNS was ruled out, as IOS does not support DNS for TACACS+. All ideas are appreciated.
Due to consolidation and virtualization, the new ACS server will be in a new subnet in a different location. Therefore a hot-swap of the old ACS server with a new ACS server using the same IP address is not possible.
The 'Proxy Distribution Server' suggested by you is a great idea but there seems to be a caveat.
"When an ACS receives a TACACS+ authentication request forwarded by proxy, any requests for Network Access Restrictions for TACACS+ are applied to the IP address of the forwarding AAA server, not to the IP address of the originating AAA client."
And we need to apply the NAR to the originating AAA client's IP address.
Any non-Cisco tool/script/appliance is also welcome.
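The NAR caveat quoted above follows from the TACACS+ packet format itself. The following is an added example, not code from the original thread, from Cisco, or from ACS: a small Python builder/parser for a TACACS+ authentication START packet as laid out in RFC 8907, including the MD5 pseudo-pad body obfuscation. The header carries version, type, sequence number, flags, session ID and length; the START body carries the user, the port and the user's own remote address (rem_addr), but there is no field for the originating NAS. A server can therefore only identify the AAA client by the TCP peer address, and a proxy that relays the packet (re-keying it for the upstream server) necessarily presents its own address. The shared keys, usernames and IP addresses below are constructed for the example.

```python
"""TACACS+ authentication START: build, relay and parse (RFC 8907).

Constructed example, not Cisco ACS code. It shows that the packet carries
no originating-NAS address: the only client identity a server has is the
TCP peer, which is why a forwarding proxy breaks per-client NARs.
"""
import hashlib
import struct

HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 12 bytes
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
VERSION_12_0 = 0xC0               # major version 0xC, minor version 0


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream from RFC 8907 section 5.2: MD5_1 = MD5(session_id, key,
    version, seq_no); MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, unencrypted=False):
    """Authentication START (seq_no 1) for an ASCII login, as a NAS sends it.
    rem_addr is the *user's* source (e.g. the SSH client), not the NAS."""
    user, port, rem_addr = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    if not unencrypted:
        body = obfuscate(body, session_id, key, VERSION_12_0, 1)
    header = struct.pack(HEADER_FMT, VERSION_12_0, TAC_PLUS_AUTHEN, 1, flags,
                         session_id, len(body))
    return header + body


def parse_authen_start(packet, key):
    """Return every field a server can read out of a START packet."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if len(body) != 8 + ul + pl + rl + dl:
        raise ValueError("body length mismatch (wrong shared key?)")
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem_addr = body[off:off + rl]
    # Note what is absent: nothing here names the NAS that sent the packet.
    return {"session_id": session_id, "priv_lvl": priv_lvl,
            "user": user.decode(errors="replace"),
            "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace")}


def server_view(packet, peer_ip, key):
    """What a TACACS+ server has to work with: the parsed packet plus the TCP
    peer address. peer_ip is the only candidate for a NAR on the AAA client."""
    view = parse_authen_start(packet, key)
    view["nas_ip"] = peer_ip
    return view


def relay(packet, nas_key, proxy_key):
    """Simulate a proxy: de-obfuscate with the NAS key, re-obfuscate with the
    upstream key. Header and field contents pass through unchanged; only the
    source IP (now the proxy's) differs for the upstream server."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, nas_key, version, seq_no)
        body = obfuscate(body, session_id, proxy_key, version, seq_no)
    return packet[:HEADER_LEN] + body
```

Running `server_view` on the same packet delivered directly (peer 10.1.1.1, a constructed switch address) and via a relay (peer 192.0.2.10, a constructed proxy address) yields identical user, port and rem_addr but a different nas_ip, which is exactly why the upstream ACS evaluates the NAR against the forwarding server. Any fix has to carry the client address out of band (the proxy's own NAR, or a transparent relay that preserves the source IP); the protocol offers no field for it.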
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit TCP from the inside interface to any6.
In Syslog I also se...