3 Replies Latest reply on Jan 9, 2017 1:42 PM by jkrenzien

    Cisco Config Change Templates for TACACS

    lolmc

      Hi,

      We have just installed Cisco ISE with TACACS capability and want to move all devices off our ACS servers onto the ISE as well as introduce all other devices that didn't use TACACS due to lack of licensing (ISE is a perpetual no device limit license whereas ACS had a 500 device limit). So, in order to make the deployment as secure as we can, we are looking to use unique TACACS keys for each device instead of a single key for all devices or groups of devices.

       

      To this end we have generated a unique key for every Cisco device in the NCM database and I have two lists - device and key.

      How do I create a config change template to dynamically pick the device and associated key from these lists so it will use them as parameters to create the code snippets? Is this even possible?

        • Re: Cisco Config Change Templates for TACACS
          jkrenzien

          My suggestion would be to put the keys in as custom properties for each node. Then you can call it the same way you would any other custom property. If there are concerns about having that information stored in NCM you could import it just before you make your change and then clear the value afterwards. Let me know if this helped at all.

            • Re: Cisco Config Change Templates for TACACS
              lolmc

              I had considered this but I'm looking at adding unique TACACS keys to over 800 devices and if I have to add a custom property item to each one just so I can then utilise the built-in scripting I'm not sure it will be worth it from a time point of view. My other thought was to automate it via a Python script using EXPECT for the CLI interaction - it should be relatively easy to have the two lists in a dictionary with the device name as a key and then step through the dictionary and execute the required commands on each device.

              It will take a while to write and troubleshoot/debug but I think it would be a better use of my time tbh as the code will be reusable as well.

                • Re: Cisco Config Change Templates for TACACS
                  jkrenzien

                  Sorry for the delayed response. It really shouldn't take much to add the unique key to each device. You likely already have it in an Excel file, then all you have to do is make sure that SolarWinds can match the names/IPs up and import. But if you don't already have it in Excel/CSV I could see the difficulty.

                  2 of 2 people found this helpful
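
Added example, not part of the thread and not SolarWinds code: one way to turn the two lists (device and key) into a single CSV for the custom property import suggested above, refusing input that would defeat per-device keys. The device names and keys are constructed placeholders, and the column names `Caption` and `TACACS_Key` are assumptions to be replaced with whatever the import is set up to match on.

```python
import csv
import os

# Constructed sample data: hypothetical device names and placeholder keys.
DEVICES = ["core-sw-01", "edge-rtr-01", "access-sw-17"]
KEYS = ["EXAMPLE-KEY-AAAA1111", "EXAMPLE-KEY-BBBB2222", "EXAMPLE-KEY-CCCC3333"]


def pair_keys(devices, keys):
    """Return {device: key}; raise ValueError on anything that breaks 1:1 pairing."""
    if len(devices) != len(keys):
        raise ValueError("device and key lists differ in length")
    names = [d.strip() for d in devices]
    secrets = [k.strip() for k in keys]
    if not all(names) or not all(secrets):
        raise ValueError("empty device name or key")
    # Compare names case-insensitively so 'SW1' and 'sw1' count as one device.
    if len({n.casefold() for n in names}) != len(names):
        raise ValueError("duplicate device name")
    # A key that appears twice means two devices would share a secret.
    if len(set(secrets)) != len(secrets):
        raise ValueError("key reused on more than one device")
    return dict(zip(names, secrets))


def write_import_csv(mapping, path, name_col="Caption", key_col="TACACS_Key"):
    """Write the import file; it holds secrets, so create it owner-only (POSIX)
    and refuse to overwrite an existing file. Column names are assumptions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow([name_col, key_col])
        writer.writerows(sorted(mapping.items()))
    return len(mapping)


if __name__ == "__main__":
    count = write_import_csv(pair_keys(DEVICES, KEYS), "tacacs_keys_import.csv")
    print(f"wrote {count} rows")  # never print or log the keys themselves
```

Delete the CSV once the import has been verified, in the same spirit as clearing the custom property after the change.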