7

Is it possible for Cisco ACS 5.4 (or any other version) to work in a multi-tenancy environment?

I would like to have two ACS servers, one primary, one secondary, with completely different routing (but obviously keep access to each other for replication).

This would allow me to have centralised management of ACS, but I need ACS to accept client device requests coming from potentially overlapping IP addresses.

When I try on ACS 5.4, it simply complains that the second client device's IP clashes with the first.

Dave Noonan

3 Answers

4

I can't speak for ACS as I've only used the open source TACACS daemon, but we utilise a SQL backend which allows for different boxes to have completely different routing / policies but still maintain a consistent user DB.

David Rothera
  • In this case you would still be running 2 TACACS daemons though, correct? We use tac_plus and I can't see any easy way to allow duplicate IP addresses for clients without setting up multiple realms on different ports. This would still allow a unified user database, but would require customization on the client to talk to a non-default port. – smithian May 21 '13 at 13:01
  • This wouldn't matter to me, as the two sets of client devices would (in my basic example) connect to one TACACS server. So as long as the DB could hold: CustArouter1 = IP 192.168.1.1 CustBrouter1 = IP 192.168.1.1 and have policy based on the router (or group the router is in?) that would work for me. I suspect I am tied into using Cisco's ACS though... – Steve Wright May 21 '13 at 13:36
2

So basically, this is categorically not possible on Cisco ACS (or ISE either I believe), and so the options are:

  1. Multiple instances of ACS
  2. NAT to hide the IPs

Either are valid depending on the situation. Thanks for the input received!

0

As far as I see it:

1) Use policy NAT for the overlapping IP addresses. Include pre-NAT and post-NAT addresses when adding the device. I don't know about the licensing here, but from my experience doing this will cost you the same as adding two different devices.

2) Use a common shared secret for overlapping IPs. Bad idea, since it will break policy rules.

sergejv
  • 1) NAT may not be an option for us due to the volume of devices 2) Different shared secret would not be a problem for us. – Steve Wright May 29 '13 at 10:04
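The following is an added model (not ACS or tac_plus code, and not from any poster) of why the clash above happens and how the two workarounds discussed in this thread avoid it: a single AAA server identifies a network device by the address its packets arrive from, so two tenants using 192.168.1.1 collapse to one key; policy NAT (answer above) gives each tenant a distinct post-NAT address, and per-tenant listener ports (the tac_plus "realms" mentioned in the comments) add the port to the key. Device names, secrets, policies and the 10.100.x.0 post-NAT prefixes are constructed for the example.

```python
"""Model of overlapping NAD addresses on one AAA server (constructed example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address


@dataclass(frozen=True)
class Device:
    name: str
    secret: str   # per-device shared secret the server would use for this NAD
    policy: str   # policy / device group applied to requests from this NAD


class DeviceRegistry:
    """Keyed by (listener port, source IP). With a single listener this is
    source IP alone, which is the behaviour the question describes for ACS."""

    def __init__(self) -> None:
        self._by_key = {}

    def register(self, ip: str, dev: Device, port: int = 49) -> None:
        key = (port, IPv4Address(ip))
        if key in self._by_key:  # same source address seen before: reject
            raise ValueError(f"{ip}:{port} already registered as {self._by_key[key].name}")
        self._by_key[key] = dev

    def resolve(self, src_ip: str, port: int = 49) -> Device:
        return self._by_key[(port, IPv4Address(src_ip))]


# Policy NAT: each tenant's overlapping range is translated to a distinct
# post-NAT prefix before reaching the server (constructed mapping).
TENANT_NAT_PREFIX = {"CustA": "10.100.1.", "CustB": "10.100.2."}


def policy_nat(tenant: str, pre_nat_ip: str) -> str:
    """Pre-NAT address -> post-NAT address, keeping the host octet."""
    return TENANT_NAT_PREFIX[tenant] + pre_nat_ip.rsplit(".", 1)[1]


def overlapping_without_nat() -> bool:
    """Two tenants, same router IP, one listener: second registration clashes."""
    reg = DeviceRegistry()
    reg.register("192.168.1.1", Device("CustArouter1", "secretA", "policy-A"))
    try:
        reg.register("192.168.1.1", Device("CustBrouter1", "secretB", "policy-B"))
    except ValueError:
        return True
    return False


def overlapping_with_nat() -> tuple:
    """Register the post-NAT addresses: the server sees two distinct NADs."""
    reg = DeviceRegistry()
    reg.register(policy_nat("CustA", "192.168.1.1"), Device("CustArouter1", "secretA", "policy-A"))
    reg.register(policy_nat("CustB", "192.168.1.1"), Device("CustBrouter1", "secretB", "policy-B"))
    return reg.resolve("10.100.1.1").policy, reg.resolve("10.100.2.1").policy


def overlapping_with_realms() -> tuple:
    """Realm per tenant on its own port: the port disambiguates the key."""
    reg = DeviceRegistry()
    reg.register("192.168.1.1", Device("CustArouter1", "secretA", "policy-A"), port=49)
    reg.register("192.168.1.1", Device("CustBrouter1", "secretB", "policy-B"), port=4949)
    return reg.resolve("192.168.1.1", 49).policy, reg.resolve("192.168.1.1", 4949).policy
```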