Thanks Federico,

I'm OK with configuring ACS, what I'd like to know is if the CiscoWorks roles can be defined in ACS?

For example when I configure an ACE appliance with context based roles I have to add custom attributes to ACS, can I do a similar thing for CiscoWorks?

Jim

Thank you

I have a follow-up question for this thread. I understand that LMS 3.2 and ACS 5.1 integration is not there.

On the other hand, full LMS/ACS integration allows complex authorization policies to configured in ACS, such as new roles for managing segments of a network. If we take out the complex stuff and simply use the roles (Helpdesk, Approver, etc.) already built into LMS, that should be possible to do with an ACS shell profile or something like that. For example, then one may define an ACS profile to assign users in an ID group to a specific LMS built-in role.

Would Cisco be willing to do that for its customers?

Sure,

As long as LMS accepts the attributes/values passed back by ACS through standard shell profile dictionaries, that should be possible.

LMS 3.2 and ACS 5 integration is not there yet, because on ACS 5 we cannot add customized TACACS+ common services and attributes as we could with ACS 4.x.

But for what concerns the standard pre-built TACACS+ shell attributes and values, as long as LMS supports them, ACS 5 can definitely pass them back following from a specific authorization rule match.

Regards,

Fede

--
If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Thanks for the response.

Are there documents on what ACS 4.x sends back to LMS for authorized role or service when a user is successfully authenticated and authorized?

As far as I can find, LMS/ACS integration documents are all written from the perspective of registering LMS modules in the ACS and setting new roles there, etc. What I want to find out is, for example, if I want to assign the "Network Administrator + System Administrator" roles to a group of users when they log into LMS, what do I do exactly?

Regards,

--

Wei

Hi Wei,

This might be the steps you are looking for to assign roles in LMS through ACS 4.x:

http://www.cisco.com/en/US/partner/docs/net_mgmt/ciscoworks_common_services_software/3.1.1/user/guide/admin.html#wp882436

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi, Fede,

Thanks for the response. However, I don't seem to have access to the information. Clicking the URL leads me to an error 403 "Forbidden File or Application".

Regards,

--

Wei

Hi Wei,

You may need to login to Cisco.com with the corresponding rights to browse through the configuration guides.

The section the link is pointing to is "Roles in ACS", from chapter 4 of the "User Guide for CiscoWorks Common Services 3.1.1" (it should apply to LMS 3.2 as well).

Let me know if this helps,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

I should have added in the last reply: I am/have been logged in with my CCO account while getting the 403.

There is a "Log In" link in the upper-right corner in the 403 message page. Even that doesn't work -- I get the same 403 message clicking that link.

My company does have a TKL license and I have access to the Cisco TKL. Is that document in there?

OK. I removed the "partner/" part from the URL you posted, that worked -- I hope that points me to the same document.

Unfortunately, the section about "Roles in ACS" does not apply to my question as it only discusses the steps after the LMS modules ("applications") have been registered in ACS, which cannot be done with ACS 5.1. What I want to know is: What are actually returned to LMS from the ACS after a user is authenticated and authorized?

Maybe the ACS doesn't just send a role name but a list of all authorized functions? If that is the case, maybe the authorization model needs to be changed: The ACS should be in charge of authenticating a user and assigning "roles" using authorization policies. The definition of those "roles" should remain with CiscoWorks LMS.

Thanks and regards,

--

Wei

Hi Wei,

This is precisely what we pointed out previously in this thread with Jim.

With CiscoWorks, the authorization (so roles assignment) through ACS 5 is still not supported, so the authorization part should be configured through local user roles.

Regards,

Fede

--

If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

Hi, is this sorted in LMS 4.2 or 4.3 ?

is there any documentation available from Cisco?

Thanks,

Dion