I'm doing a bit of R&D for my employer (Managed Services Provider and Systems Integrator).
We currently have quite a number of small to medium clients (~30) that have networks with up to 20 routers / switches and we are looking at ACS as a central authentication system. As it stands at the moment, most clients have their own un/pw combination we use on their network. The problem is that because the IT industry is the way that it is, we have employees coming and going all the time. To keep client networks secure we would have to change hundreds of passwords every couple of months (if at all). ACS would allow us to use AD credentials to authenticate engineers and provide better change tracking / authorisation.
Labbing up this solution I have come across an interesting problem. TACACS+ will use an interface on the network devices to identify itself to the TACACS server. Because these clients are not connected there is the possibility for network devices to have the same private IP address. ACS will not let you add two devices (albeit in different network device groups) with the same IP address. Also, this IP address needs to be routeable as it is used as the source address for the authentication request, so I can't just use a custom loopback on the device.
Does anyone know if there is provision in ACS / TACACS+ to use another field for device identification?
Your thoughts are greatly appreciated.