12-01-2010 02:02 PM
Hi,
I am using the tacacs+ module in LMS 3.2 and my ACS 5.1 server for user authentication when logging into ciscoworks. I am aware that this is the extent of the support for ACS 5.1 in LMS 3.2.
I have found through reading that I need to create local LMS users that match my aaa user accounts in order to assign privileges in LMS. My question is, how do I stop other users from logging in? Currently, anyone with an account on my ACS box can login to LMS even if they don't have a local LMS account. I don't think they can change anything, but they can still view everything. Is there a way to lock them out?
Thanks.
12-02-2010 04:07 AM
I would say there is no way to lock them out using an external authentication module. This scenario works as designed as Joe describes here:
https://supportforums.cisco.com/message/658664#658664
With ACS 5.x full integration with LMS is not possible, but it is described that with ACS 4.x and full integration it should work (personally, I never tried to do it):
above thread and this one: https://supportforums.cisco.com/message/3226578#3226578
but there is also a thread that mentions it is not working:
https://supportforums.cisco.com/message/659167#659167
To prevent this access, it seems your only solution would be to use the CiscoWorks login module instead of the external ACS.
12-09-2010 07:56 AM
Thank you for your help.
12-09-2010 08:18 AM
You can either:
- use ACS for authentication and set local users in CW for the privileges. Only users defined locally will gain access to CW and CW will still point to ACS (or AD if you have ACS pointing to AD) for the password.
or
- use the "Device Filter" option in ACS to deny the IP Addresses of your Ciscoworks servers to those users/groups that should not have access to it.
I use the first option and know it works but we use device filter in ACS for other devices and that should work for this.
12-09-2010 09:24 AM
Thanks Adam,
As Mermel mentioned, users with accounts on ACS (AD in my case) can still log in to LMS as helpdesk users, even if they do not have local accounts created. This is what I am trying to stop.
Interesting idea on the device filter option. I will check that out.
12-09-2010 10:01 AM
Yeah I guess that's correct. I just tested it with one of my test accounts.
I guess the reason why it worked for us is because we have a group for Ciscoworks users in ACS and only that group has access to our mgmt network.
I'll have to keep this in mind. Thanks.