03-10-2011 12:05 PM
Hi there,
Currently I am almost able to set up the CiscoWorks server with the ACS server.
I verified the secret keys match, and even went as far as changing them to another as well. The secret shared keys match.
But I get the error provided below. I have substituted 10.x.x.x for the actual IPs in this example. Is there something that I am not doing?
Your insight is greatly appreciated.
Thanks
Blair
10.X.X.X | Failed |
Primary ACS Verification Status ( 10.X.X.X ) | |
Tacacs+ Connectivity | Reachable |
HTTP/HTTPS Connectivity | Reachable |
AAA Client | Configured |
Secret Key Verification | Mismatch Detected |
System Identity User | Not Applicable |
03-10-2011 12:30 PM
Hi Blair,
Is a proxy server configured on the ACS? In that case, check the shared key for the proxy server.
Thanks,
Arshdeep
03-10-2011 12:41 PM
ACS also uses inheritance settings from the parent group, so if the LMS server is in a group, for example like
NMS Servers -> LMSserver1
Make sure you check the shared secret key setting for "NMS Servers", it will take precedence. I believe once inside NMS Servers and you see all the servers, scroll to the bottom of the list where there will be a button to edit NMS Servers settings.
03-11-2011 05:00 AM
Thanks for the swift response,
I verified that there is no proxy server. We currently only have one server, which is under the "not assigned" NDG group.
In addition to that, I can't see a field with a shared secret key on the NDG groups.
Just a note: shared keys are the same all around.
Just to give you guys a rundown of what has been done:
1. On the ACS server, I have created two accounts:
a. AAA client account, which gives the LMS server access to devices as we give network administrators. Done.
b. ACS server super account, which gives the LMS server access to the ACS HTTPS link. Done.
2a) Under cisco network assistant portlet /LMS Server/change acs setup, there is a section to set up ACS access mode. Done, with mismatch.
b) Under CS portlet/aaa mode setup/, there is a section to set up ACS access mode. Done, with mismatch.
Thanks
Blair
03-11-2011 05:06 AM
In that case, I would recommend you try to start afresh in ACS.
Try to make a new NDG, say LMSServer, and then add your CiscoWorks server as an AAA client in it.
Make sure while adding the new NDG and AAA client you put the same secret key in both. I guess this document will help you big time in ACS and LMS integration:
-Thanks
03-11-2011 08:54 AM
Thanks. It was a success recreating the group. However, please check the following table:
TACACS+ Connectivity With ACS | Reachable |
HTTP/HTTPs Connectivity With ACS | Reachable |
CiscoWorks System Identity User Configuation in ACS | Not all privileges assigned |
I created highest-privilege ACS accounts and AAA client accounts, but I still get this error.
Any suggestions?
03-11-2011 10:35 AM
System Identity User name and password must be synchronized with LMS server CS -> Server -> Security -> System Identity Setup
System Identity User must be a user of ACS, not administrator of ACS.
You should build a new group and place the System Identity User in this group. If you have the LMS applications listed in Shared Profile Components, then they should also be a part of the group configuration. Enable each application and then assign a role to that application, which should be SuperAdmin, from the pull-down menu under "Assign a XXXXX for any network device".
This is a fairly important step and is sometimes overlooked.
But you first must go through the AAA Mode Setup and APPLY with "Register all installed applications with ACS" check-marked the first time.