cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4876
Views
0
Helpful
15
Replies

CiscoWorks LMS 3.2 with TACACS role authentication

j.jeater
Level 1
Level 1

Chaps,

I'm trying to get user authentication backed off to ACS 5.1, I've got it working but not the way I'd like.  This is using the TACACS settings not ACS mode.

I've created a local user in CW and assigned it to the correct roles, then created a user in ACS with the same name and a different password and this works fine.

My question is can I set the roles on the TACACS server using a shell profile/custom attributes.  All the documentation I can find is for ACS v4

Thanks

Jim

1 Accepted Solution

Accepted Solutions

Hi Jim,

With CiscoWorks, the authorization (so roles assignment) through ACS 5 is still not supported:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/release/notes/cs33rel.html#wp79193

You can keep authenticating users through ACS, but the authorization part should be configured through local user roles:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp1014874

Regards,

Fede

--
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

View solution in original post

15 Replies 15

Federico Ziliotto
Cisco Employee
Cisco Employee

Hi Jim,

Here you can find more details on how to set up the access and authorization rules on ACS 5.1

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/policy_mod.html

and also on how to create shell/command profiles

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/user/guide/pol_elem.html

Let me know if you'd need more clarifications on this topic.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thanks Federico,

I'm OK with configuring ACS, what I'd like to know is if the CiscoWorks roles can be defined in ACS?

For example when I configure an ACE appliance with context based roles I have to add custom attributes to ACS, can I do a similar thing for CiscoWorks?

Jim

Hi Jim,

With CiscoWorks, the authorization (so roles assignment) through ACS 5 is still not supported:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/release/notes/cs33rel.html#wp79193

You can keep authenticating users through ACS, but the authorization part should be configured through local user roles:

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp1014874

Regards,

Fede

--
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thank you

I have a follow-up question for this thread. I understand that LMS 3.2 and ACS 5.1 integration is not there.

On the other hand, full LMS/ACS integration allows complex authorization policies to configured in ACS, such as new roles for managing segments of a network. If we take out the complex stuff and simply use the roles (Helpdesk, Approver, etc.) already built into LMS, that should be possible to do with an ACS shell profile or something like that. For example, then one may define an ACS profile to assign users in an ID group to a specific LMS built-in role.

Would Cisco be willing to do that for its customers?

Sure,

As long as LMS accepts the attributes/values passed back by ACS through standard shell profile dictionaries, that should be possible.

LMS 3.2 and ACS 5 integration is not there yet, because on ACS 5 we cannot add customized TACACS+ common services and attributes as we could with ACS 4.x.

But for what concerns the standard pre-built TACACS+ shell attributes and values, as long as LMS supports them, ACS 5 can definitely pass them back following from a specific authorization rule match.

Regards,

Fede

--
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thanks for the response.

Are there documents on what ACS 4.x sends back to LMS for authorized role or service when a user is successfully authenticated and authorized?

As far as I can find, LMS/ACS integration documents are all written from the perspective of registering LMS modules in the ACS and setting new roles there, etc. What I want to find out is, for example, if I want to assign the "Network Administrator + System Administrator" roles to a group of users when they log into LMS, what do I do exactly?

Regards,

--

Wei

Hi Wei,

This might be the steps you are looking for to assign roles in LMS through ACS 4.x:

http://www.cisco.com/en/US/partner/docs/net_mgmt/ciscoworks_common_services_software/3.1.1/user/guide/admin.html#wp882436

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi, Fede,

Thanks for the response. However, I don't seem to have access to the information. Clicking the URL leads me to an error 403 "Forbidden File or Application".

Regards,

--

Wei

Hi Wei,

You may need to login to Cisco.com with the corresponding rights to browse through the configuration guides.

The section the link is pointing to is "Roles in ACS", from chapter 4 of the "User Guide for CiscoWorks Common Services 3.1.1" (it should apply to LMS 3.2 as well).

Let me know if this helps,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

I should have added in the last reply: I am/have been logged in with my CCO account while getting the 403.

There is a "Log In" link in the upper-right corner in the 403 message page. Even that doesn't work -- I get the same 403 message clicking that link.

My company does have a TKL license and I have access to the Cisco TKL. Is that document in there?

OK. I removed the "partner/" part from the URL you posted, that worked -- I hope that points me to the same document.

Unfortunately, the section about "Roles in ACS" does not apply to my question as it only discusses the steps after the LMS modules ("applications") have been registered in ACS, which cannot be done with ACS 5.1. What I want to know is: What are actually returned to LMS from the ACS after a user is authenticated and authorized?

Maybe the ACS doesn't just send a role name but a list of all authorized functions? If that is the case, maybe the authorization model needs to be changed: The ACS should be in charge of authenticating a user and assigning "roles" using authorization policies. The definition of those "roles" should remain with CiscoWorks LMS.

Thanks and regards,

--

Wei

Hi Wei,

This is precisely what we pointed out previously in this thread with Jim.

With CiscoWorks, the authorization (so roles assignment) through ACS 5 is still not supported, so the authorization part should be configured through local user roles.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi, is this sorted in LMS 4.2 or 4.3 ?

is there any documentation available from Cisco?

Thanks,

Dion

Review Cisco Networking for a $25 gift card