08-31-2005 07:13 AM - edited 03-10-2019 02:17 PM
I need help in configuring CiscoWorks to use CiscoSecureACS for login authentication. I have specified TACACS+ as the login module. I am able to log in with an account from the ACS server. However, the permissions aren't configured correctly. When I log in with the ACS server account, options aren't displayed (e.g., under RME, Administration, Inventory, Add Devices...the Add Device option isn't present). Please advise.
08-31-2005 03:34 PM
In CiscoWorks have you used Server Configuration / Setup / Security / Add Users (or Modify/Delete Users) to create user profiles for each of the authorized users? In other words for each ID you create in ACS you'll also need to define the same ID in CiscoWorks. In CiscoWorks you can assign Roles for each ID.
08-31-2005 06:19 PM
Thanks for the reply. To answer your question, no I haven't created user profiles on the CiscoWorks server. What's the advantage to using ACS if I must duplicate all of the user accounts on the CiscoWorks server? If the user database is going to exist on the CiscoWorks server anyway, why bother with using ACS (or TACACS+) as my login module (or authentication method)?
09-01-2005 09:06 AM
To be succinct, ACS doesn't have all the fields that are required by CiscoWorks. That is why you still need to define the user profiles in ACS.
ACS is simply an authenticator. CiscoWorks still handles authorization. Look at the fields available in CiscoWorks and you'll see there are a number of roles that each user can take. I suppose Cisco may someday include extensions in ACS to handle the specific CiscoWorks profile fields but that isn't the case today.
I think the advantage to using ACS is the centralized authentication. Users don't have to change their passwords in multiple places. Logon violations are recorded in one place.
You'll find that once you define the profiles in CiscoWorks they will remain quite static.
09-01-2005 09:53 AM
Thank you for the information. I have created the user profiles and it is working great. I didn't realize that you could create profiles without entering passwords. My concern was having duplicate account databases, but that is not the case since CiscoWorks doesn't require you to enter password information in the profiles. This is the solution I needed. Thanks again for your help!
10-04-2005 07:53 AM
How will the users access CiscoWorks if TACACS+ goes down, when only the user profiles are created in CiscoWorks without passwords?
10-05-2005 12:12 AM
Hi
You should create at least one user on the CiscoWorks server with a password (there is no harm in creating passwords for all users on the CiscoWorks server).
Under Server Configuration > Setup > Security > Select Login Module, choose EDIT to edit the TACACS+ options.
You can then choose the option to allow all users to fall back to their local passwords if the ACS server is not available or specify a subset of users that have this functionality.
Hope that helps.