03-19-2008 09:49 AM
When trying to verify what devices aren't in LMS, I've found that DCR will tell me a device already exists if I try to add it. It's apparently in LMS 'somewhere' but doesn't show up anywhere in DCR when I drill down through all groups. If I search DCR or Device Manager by name or IP, it's empty. However, I may be lucky to find that it's listed in the 'Devices that need to be added to ACS' report. What alternate method am I missing that will show me these devices?
Thanks!
03-19-2008 12:09 PM
Since you are integrated with ACS, you need to make sure that device's IP address and/or hostname is known to ACS. If you look at the Devices not in ACS report, you'll see the IP address and hostname of the device. Add the device as an ACS client using those values (or adjust an existing client's IP address range accordingly), then restart ACS, and log out and back into LMS.
03-19-2008 04:20 PM
Cool, well that fixed a problem for a few of my devices. I do have several (all) MSFC modules that are still showing up as "not in ACS" even though I've verified they are. The credential test checks out and I can access the device using the same creds as what CW is set up to use. The only thing that may be different is these devices do have many IPs associated with them in ACS since they act as gateways to multiple networks. Not sure if that's an issue or not but they are all the same model. But they are, in fact, on the same ACS server.
03-19-2008 04:32 PM
Exactly how do they appear in the Not in ACS report, and how are they configured as clients of ACS?
03-19-2008 04:39 PM
The display name on left column is the IP address. The attributes list the IP Address as the actual DNS/host name and the Host Name = the IP address.
Yes, I've fully checked that these are all ACS clients. But you do raise an interesting point as these devices were the only ones that reverse the IP and Host Name data on the Attributes column.... not sure why.
03-19-2008 04:49 PM
Since the device shows up by IP address, and that IP address is a TACACS+ client in ACS (or that IP address is in a range of client addresses), then everything should work. Of course, this assumes you are not using NDGs in ACS. If you are using NDGs, then your System Identity User as well as the current logged in user need to have access to the NDG which contains this device.
07-15-2008 01:05 PM
Following up on that, if you do see a device "not in ACS" in the report, how do you go about just deleting it entirely? Say, I put in a device that was never in ACS but is now retired and want to remove its existence in CW.
07-15-2008 01:12 PM
You can either temporarily break ACS integration to delete the device, or add a bogus record to ACS, delete the device, then delete the ACS entry.
You might also be able to delete the device using dcrcli, but I do not have an LMS/ACS setup at the moment, so I cannot test.
07-17-2008 09:47 AM
Thanks. I can't break ACS integration but if you find any more info using the DCRCLI please let me know.
07-17-2008 10:38 AM
You can try this:
dcrcli -u admin cmd=lsids all
If you see the hidden device there, try:
dcrcli -u admin cmd=del id=ID
Where ID is the ID you see in the lsids command.
07-17-2008 11:51 AM
Thanks, I found and deleted two of the four devices. Any idea where I could find the other two?
07-17-2008 12:13 PM
If they are not being shown via dcrcli, then the only way would be to break the ACS integration. If they are still not showing up, this may point to a corrupt CMF database.
05-21-2009 09:44 AM
Going back to this Jclarke. I'm accumulating more and more in the "not in ACS" report that don't show up in DCRCLI and am getting into some secondary issues with aliasing in DFM on devices I can't delete in CS.
Short of rebuilding a new CW install, what would you recommend I do to clean these devices up? Thanks.
05-21-2009 09:50 AM
Follow my previous instructions. You either need to add the devices showing up in this report to the ACS server to which LMS is integrated, or temporarily break ACS integration, remove the devices from DCR, then set up filters so that they do not get re-added. Once DCR is to your liking, you can then re-enable ACS integration.