Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
712
Views
0
Helpful
4
Replies

Link/import devices' information into ACS

hansen-mitchell
Level 1
Level 1

‎09-19-2005 07:58 AM - edited ‎03-10-2019 02:19 PM

We have an application which monitors all our network devices (e.g. switches). We want to link/import the information of those devices (e.g. host name, IP addresses) into the ACS. Is that possible?

Labels:
0 Helpful
4 Replies 4

andrewclymer
Level 1
Level 1

‎09-19-2005 06:39 PM

You certainly can, although there are some considerations

1) ACS is currently designed to hold up to 5k devices

2) From a policy standpoint importing a flat list of devices makes building scalable policy difficult.

For example lets say you have Network Access Restrictions defined at the group level. Users of group "West Coast Admins" are allowed to connect to West Coast switches. If you enter bulk import each device manually as you add new "West Coast Switches" you need to modify the policy as well. Alternativly if you create a network device group called West Coast devices, and base policy on that group then when you add a new device to the west coast group the policy will automatically work.

So you may need to think about how you organise devices as well as just importing raw IP.

3) You will also need to import the shared key used to communicate between the device and the AAA server, as well as the device type information.

The bottom line is ACS is not designed to be a device inventory system, the configuration of devices is centered around what it needs to communicate with devices and also the knowledge it needs to make policy decisions. The use of IP address ranges and NDGs are key elements of the configuration to enable scalable policy.

Ok, as for doing the import there exists two methods

1) Csutil

2) Csdbsync, via a csv file or RDBMS

Csutil is the easiest way, create a text file along the lines below, the setting of the NDG ( Network Device group ) is optional.

ADD_NAS:myNas:IP:1.1.1.1:KEY:secret:VENDOR:"TACACS+ (Cisco IOS)":NDG:"East Coast"

The import file can comprise of multiple lines

use csutil -i to import the file

0 Helpful

hansen-mitchell
Level 1
Level 1
In response to andrewclymer

‎09-21-2005 01:12 PM

Mr. Andrew,

Thank you very much for your information. However, is there any way that we can link directly the tables of our thrid-party -network monitoring- application into our ACS, without importing them (csutil/csdbsync)? I have been reading many documentation without finding that option.

0 Helpful

andrewclymer
Level 1
Level 1
In response to hansen-mitchell

‎09-21-2005 01:16 PM

Sorry, Im afraid not. Its something that has been talked about about, but it opens a whole can of worms in regard to maintianing referential integrity between the ACS configuration and the foreign data store.

0 Helpful

hansen-mitchell
Level 1
Level 1
In response to andrewclymer

‎09-21-2005 01:30 PM

Dear Mr. Andrew,

Again, thank you very much for clarifying our view.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents