LMS 2.6 : ACS integration problem

cminard
Level 1

Hi

I have tried to configure LMS to do AAA login with ACS, but LMS was unable to add applications in ACS. I tried a step-by-step procedure and I think I had all the prerequisites (ACS version OK, admin user privileges OK on the ACS side, group configuration OK on the ACS side, LMS server declaration OK on the ACS side), but there was no way to communicate from LMS to ACS.

Could anybody send me a link with the good and complete procedure on both the ACS and LMS sides, please?

Besides, I have another question:

Since the ACS integration failed, the local login was only accessible to show the message "to revert to ciscoworks local mode, run .../ResetLoginModule.pl".

But there was no way to access any application, even though I was authenticated locally (admin).

Does that mean that there is no fallback authentication to local login when ACS is unavailable? Or is it only because the communication failed even though the ACS server is operational?

Thanks

2 Replies

frankzehrer
Level 4

Hi Caroline,

Here is a step-by-step installation guide in short:

- - - - - - - - - - - - - - - - - - - - - - -

ON CISCOWORKS

Step 1: Set up a System Identity User

- Common Services > Server > Security > Multi-Server Trust Management > System Identity Setup

Step 2: Ensure that the System Identity User is a local user with all the roles

- Server > Security > Single-Server Management > Local User Setup

ON ACS

Step 3: Define a group for CW Admin Users in ACS

- Go to GROUP SETUP

- Rename an available Group to something suitable such as CWAdmins

- Edit Settings

- Sessions available to user = unlimited

Step 4: Add the CW system identity user (and other Admin users in CW) to ACS

- Go to USER SETUP

- Create Users for Ciscoworks including the System Identity User in ACS

- password

- Assign all these Admin users to the Group created in Step 3

Step 5: Add a network device group with Ciscoworks as a Client

- Go to NETWORK CONFIGURATION

- Name

- IP address or range with wildcard masks

- key

- Authenticate using: TACACS+ (Cisco IOS)

- Submit+Restart

Note: (If NDG options are not visible, you can enable Network Device Groups in ACS under INTERFACE CONFIGURATION -> ADVANCED)

ON CISCOWORKS

Step 6: Change CW AAA Mode to ACS TYPE (and register CW applications with ACS)

- Common Services > Server > Security > AAA Mode Setup

- Select ACS type

- Fill in IP address/Hostname of ACS server

- Fill in the ACS admin login information and the shared key

Note: "ACS admin login" must be a user with full admin rights to ACS (i.e. one configured under Administration Control in ACS with ALL options checked)

- Put a check mark in "Register all installed applications with ACS" **

- Click on apply

- Restart CW Daemon Manager for above changes to take effect.

**WARNING: Make sure that AFTER the first successful registration to any specific ACS server, you always keep this box UNCHECKED when switching between ACS and non-ACS modes on the LMS server.

Failure to do so will erase all custom roles (SUPERUSER) and you will need to do Steps 7-8 on ACS again.

ON ACS

Step 7: Add "SUPERUSER" role for each module of Ciscoworks in ACS

- Go to SHARED PROFILE COMPONENTS

- Select a CW module (such as Common Services)

- ADD

- Name it CWSuperUser or something similar

- Select everything under the available functionality for that module

--REPEAT above procedure for Ciscoview, RME, Campus, DFM and any other Ciscoworks modules such as IPM, etc.

Step 8: Assign the "SUPERUSER" role to the Admins Group (created in Step 3)

- Go to GROUP SETUP

- Edit Settings

- Select cwhp, rme, campus, dfm and any other CW components and select the "SUPERUSER" role (created in Step 7)

- Submit+Restart

IMPORTANT: Once ACS mode is enabled on Ciscoworks, ALL devices MUST be added to the same ACS server as clients for them to be manageable in Ciscoworks. While the devices must be known (i.e. configured as clients) in the same ACS server, they do not have to use that ACS for their own AAA configuration, nor do those devices need to be configured for AAA themselves.

- - - - - - - - - - - - - - - - - - - - - - -

ResetLoginModule.pl is a command line tool to reset the login method. So if you have access to the server (Windows or Solaris) you may open a shell and reset the login method, because login may not work properly after the ACS integration failed.

Have a look here for how to use it: http://www.cisco.com/en/US/products/sw/cscowork/ps2425/products_installation_guide_chapter09186a0080722ad0.html#wp1033901

The phenomenon you have (you are logged in but no app is working) depends on the login method. Reset the login method and you are in business again. Maybe you can open "Common Services -> Server -> Security -> AAA Mode Setup" and change the login module with your current credentials.

ResetLoginModule.pl is the fallback solution.

I hope that helps and good luck.

;-)

Frank
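Before repeating Step 6, it is worth confirming that the TACACS+ path from the LMS host to ACS actually works, since that is what "LMS server declaration OK on ACS side" (Step 5: AAA client entry plus shared key) has to provide. The script below is an added example written for this page, not Cisco code or part of LMS or ACS: it builds one TACACS+ PAP authentication START packet (RFC 8907 framing, MD5 pseudo-pad obfuscation), sends it to ACS on TCP/49 and decodes the REPLY. The ACS address 192.0.2.10, the user cwadmin, the password and the key b"sharedkey" are placeholders; substitute the values you entered in Step 4 and Step 5.

```python
import hashlib
import os
import socket
import struct

# TACACS+ constants as defined in RFC 8907 (the wire format ACS 4.x speaks).
TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (used for PAP login)
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # server may answer in clear if obfuscation is off
TAC_PLUS_AUTHEN_LOGIN = 0x01       # action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # authen_service
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream: MD5(session_id || key || version || seq_no [|| previous digest]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad. Applying it twice with the same key restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(ptype, seq_no, session_id, body_len, flags=0):
    return struct.pack("!BBBBII", TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, body_len)


def parse_header(hdr):
    # returns (version, type, seq_no, flags, session_id, body length)
    return struct.unpack("!BBBBII", hdr)


def build_authen_start(user, password, port="tty0", rem_addr="10.0.0.1", priv_lvl=1):
    """Authentication START body for a PAP login; the password travels in the data field."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl,
                        TAC_PLUS_AUTHEN_TYPE_PAP, TAC_PLUS_AUTHEN_SVC_LOGIN,
                        len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def parse_authen_reply(body):
    """Decode an authentication REPLY body into (status name, server message)."""
    status, flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("ascii", errors="replace")
    return REPLY_STATUS.get(status, "UNKNOWN(0x%02x)" % status), server_msg


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("ACS closed the connection after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf


def check_tacacs(host, user, password, key, port=49, timeout=5.0):
    """One PAP login round-trip against ACS. Returns (status, server_msg)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    body = build_authen_start(user, password)
    packet = (build_header(TAC_PLUS_AUTHEN, 1, session_id, len(body))
              + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1))
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(packet)
        version, ptype, seq_no, flags, sid, length = parse_header(recv_exact(sock, 12))
        raw = recv_exact(sock, length)
    body = raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, sid, key, version, seq_no)
    return parse_authen_reply(body)


if __name__ == "__main__":
    # Placeholder values (assumed, not from the thread): ACS host, a CW user from Step 4,
    # and the shared key entered for the LMS AAA client in Step 5.
    print(check_tacacs("192.0.2.10", "cwadmin", "Secret123", b"sharedkey"))
```

Reading the result: a refused or immediately closed connection usually means the LMS address does not match any AAA client entry in ACS (Step 5), a status of UNKNOWN(...) means the reply did not decode, which is what a shared-key mismatch looks like, FAIL points at the user, password or group (Steps 3-4), and PASS shows the TACACS+ side is fine, so a registration failure in Step 6 is then more likely on the "ACS admin login" credentials than on the key.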

Hi Franck,

I've already done this configuration and for me it's working.

On the ACS side, I've made the "full admin" role for CM (like for the others) that gives ALL the rights.

I have a display problem when I want to display the CM Topology Services, CM Path Analysis ...

In fact the LMS server replies to me with "Your session has either timed out or you are not authorized to access this page."

Do you have any idea about this problem? My LMS version is 2.6 and ACS 4.0.

Brgds

Olivier