Re: LMS 3.2 unable to validate ACS server connection

D-N · ‎04-29-2011

I'm currently using LMS 3.2 and would like to integrate it via TACACS+ with an ACS 4.2.I hope this is the right place to ask my question.

I encountered a problem while configuring AAA mode in LMS: after setting "AAA Mode Setup" to ACS (instead of non-ACS) and filling the Server Details and Login information, I am presented with a problem: after pressing Apply, in the Validation popup, the application states: "Secret Key Verification : Mismatch Detected".

Now that would be expected if there was a mismatch between the shared secret key entered in LMS (shared secret for ACS server) or in the ACS (shared secret under AAA clients). However I have doublechecked that they are correct. I get the same results with common phrases such as "cisco" or "1234", even with slightly more complex ones such as "CIsco987#@!". The ACS itself reports the same shared secret mismatch.

I am certain there's no other AAA client with the same configured IP address, I've restarted the ACS, I've even reinstalled LMS, but I am still unable to get LMS to validate and use the ACS server.

I'd appreciate any hints that may help me solve this particular situation.

AFROJ AHMAD · ‎04-29-2011

Hi ,

The Shared Secret Key that you enetr while you configuring the ACS Mode in ACS should be SAME as where you have Defined Cisco works server as AAA client in ACS ..

Try to give any other shared key..

Please attached the Screen shot of the Error In case you get the same Error .

Thanks--

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

D-N · ‎04-29-2011

Hello

Of course the shared secret is the same. Whenever changing it (for testing), I changed it in both places (used Submit+Apply on ACS to modify secret key).

I.e. if I set the shared secret to "Cisco" for the AAA client on the ACS (then click submit+Apply), then try to set the same secret in LMS ACS page, I get the following validation screen:

AFROJ AHMAD · ‎04-29-2011

Hi ,

Also I have attached a Text documnet , please check if you have missed any of the step during the Integration !!

Thanks--

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

D-N · ‎04-29-2011

Straightforward document; I did just that, using the SAME secret key on both ends (ACS/LMS) every time I checked.

AFROJ AHMAD · ‎04-29-2011

Hi ,

System Identity user > NOT APPLICABLE ??

Have you configured the systemIdentity user ? if not please add the sysidentity user in cisco works and in ACS

Thanks--

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

D-N · ‎04-29-2011

The System Identity is configured on the LMS. No idea why it would show up like that. Bottom line is that the pre-shared key MATCH yet the two applications both report non-matching shared keys. Why is that and how can I fix it?

AFROJ AHMAD · ‎04-29-2011

HI,

* Step 1: Setup up a System Identity User
-Common Services > Server >Security >Multi-Server Trust Management >System Identity Setup
* Step 2: Ensure that System Identity User is a local User with all the roles

Common Services -Server >Security >Single-Server Management >Local User Setup

ON ACS
=======
* Step 3: Define a group for CW Admin Users in ACS
-Go to GROUP SETUP
-Rename an available Group to something suitable such as CWAdmins
-Edit Settings
-Sessions available to user = unlimited
* Step 4: Add the CW system identity user (and other Admin users in CW) to ACS
-Go to USER SETUP
-Create Users for Ciscoworks including the System Identity User in ACS
-password
-Assign all these Admin users to the Group created in Step 3

Please make sure the systemId user has been configred with Super Admin Rights

Thanks--

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

D-N · ‎05-02-2011

Greetings

Based on your post, I followed the EXACT steps, as outlined above. Nothing changed. I get the same error message: both LMS and ACS report a pre-shared key mismatch.

Also, please note that the tests in the LMS ACS Validation window are run in succession: if one fails, all the ones BELOW that test will report as "Not Appliable". Which is probably why the SysIDUser is being reported as such despite proper configuration.

Why won't the ACS and LMS communicate? What's wrong with the preshared keys?

AFROJ AHMAD · ‎05-02-2011

Hi ,

Are you using proxy distribution feature on ACS ?

If yes, then check the secret key configured for the proxy server. It has to be similar to the one configured in LMS server.

Thanks--

Afroj

Thanks- Afroz [Do rate the useful post] ****Ratings Encourages Contributors ****

D-N · ‎05-02-2011

Hello

Only the (Default) entry is on the Proxy Distribution Table. It contains no additional settings, other then listing the acs itself as an AAA server.

EDIT: I did try with or without the ACS listed as an AAA server under the (Default) entry. No change.

On a sidenote, IOS and PixOS authentication do work flawlessly with the same ACS server (using different groups, IPs etc.).

Anything short of contacting TAC?