LMS 3.2 and ACS 5.1 integration

redman
Level 1

Hi,

I am using the tacacs+ module in LMS 3.2 and my ACS 5.1 server for user authentication when logging into ciscoworks. I am aware that this is the extent of the support for ACS 5.1 in LMS 3.2.

I have found through reading that I need to create local LMS users that match my aaa user accounts in order to assign privileges in LMS. My question is, how do I stop other users from logging in? Currently, anyone with an account on my ACS box can login to LMS even if they don't have a local LMS account. I don't think they can change anything, but they can still view everything. Is there a way to lock them out?

Thanks.

5 Replies

Martin Ermel
VIP Alumni

I would say there is no way to lock them out using an external authentication module. This scenario works as designed, as Joe describes here:
https://supportforums.cisco.com/message/658664#658664
With ACS 5.x, full integration with LMS is not possible, but it is described that with ACS 4.x and full integration it should work (personally, I never tried to do it): see the above thread and this one: https://supportforums.cisco.com/message/3226578#3226578

But there is also a thread that mentions it is not working:
https://supportforums.cisco.com/message/659167#659167

To prevent this access, it seems your only solution would be to use the CiscoWorks login module instead of the external ACS.

Thank you for your help.

adam benigar
Level 1

you can either:

- use ACS for authentication and set local users in CW for the privileges. Only users defined locally will gain access to CW, and CW will still point to ACS (or AD, if you have ACS pointing to AD) for the password.

or

- use the "Device Filter" option in ACS to deny the IP Addresses of your Ciscoworks servers to those users/groups that should not have access to it.

I use the first option and know it works, but we use the device filter in ACS for other devices, and that should work for this too.

Thanks Adam,

As Mermel mentioned, users with accounts on ACS (AD in my case) can still log in to LMS as helpdesk users, even if they do not have local accounts created. This is what I am trying to stop.

Interesting idea on the device filter option. I will check that out.

adam benigar
Level 1

Yeah I guess that's correct. I just tested it with one of my test accounts.

I guess the reason why it worked for us is because we have a group for Ciscoworks users in ACS and only that group has access to our mgmt network.

I'll have to keep this in mind. Thanks.