04-29-2011 05:41 AM
I'm currently using LMS 3.2 and would like to integrate it via TACACS+ with an ACS 4.2. I hope this is the right place to ask my question.
I encountered a problem while configuring AAA mode in LMS: after setting "AAA Mode Setup" to ACS (instead of non-ACS) and filling the Server Details and Login information, I am presented with a problem: after pressing Apply, in the Validation popup, the application states: "Secret Key Verification : Mismatch Detected".
Now that would be expected if there was a mismatch between the shared secret key entered in LMS (shared secret for ACS server) or in the ACS (shared secret under AAA clients). However, I have double-checked that they are correct. I get the same results with common phrases such as "cisco" or "1234", even with slightly more complex ones such as "CIsco987#@!". The ACS itself reports the same shared secret mismatch.
I am certain there's no other AAA client with the same configured IP address, I've restarted the ACS, I've even reinstalled LMS, but I am still unable to get LMS to validate and use the ACS server.
I'd appreciate any hints that may help me solve this particular situation.
04-29-2011 05:59 AM
Hi,
The Shared Secret Key that you enter while configuring the ACS Mode in ACS should be the SAME as where you have defined the CiscoWorks server as an AAA client in ACS.
Try giving any other shared key.
Please attach a screenshot of the error in case you get the same error.
Thanks--
Afroj
04-29-2011 06:17 AM
Hello
Of course the shared secret is the same. Whenever changing it (for testing), I changed it in both places (used Submit+Apply on ACS to modify secret key).
I.e. if I set the shared secret to "Cisco" for the AAA client on the ACS (then click submit+Apply), then try to set the same secret in LMS ACS page, I get the following validation screen:
04-29-2011 06:03 AM
04-29-2011 06:18 AM
Straightforward document; I did just that, using the SAME secret key on both ends (ACS/LMS) every time I checked.
04-29-2011 06:54 AM
Hi,
System Identity user > NOT APPLICABLE ??
Have you configured the System Identity user? If not, please add the System Identity user in CiscoWorks and in ACS.
Thanks--
Afroj
04-29-2011 07:35 AM
The System Identity is configured on the LMS. No idea why it would show up like that. Bottom line is that the pre-shared keys MATCH, yet the two applications both report non-matching shared keys. Why is that and how can I fix it?
04-29-2011 07:54 AM
Hi,
* Step 1: Set up a System Identity User
-Common Services > Server > Security > Multi-Server Trust Management > System Identity Setup
* Step 2: Ensure that the System Identity User is a local user with all the roles
-Common Services > Server > Security > Single-Server Management > Local User Setup
ON ACS
=======
* Step 3: Define a group for CW Admin Users in ACS
-Go to GROUP SETUP
-Rename an available group to something suitable such as CWAdmins
-Edit Settings
-Sessions available to user = unlimited
* Step 4: Add the CW System Identity user (and other Admin users in CW) to ACS
-Go to USER SETUP
-Create users for CiscoWorks, including the System Identity User, in ACS
-Password
-Assign all these Admin users to the group created in Step 3
Please make sure the System Identity user has been configured with Super Admin rights.
Thanks--
Afroj
05-02-2011 01:52 AM
Greetings
Based on your post, I followed the EXACT steps, as outlined above. Nothing changed. I get the same error message: both LMS and ACS report a pre-shared key mismatch.
Also, please note that the tests in the LMS ACS Validation window are run in succession: if one fails, all the ones BELOW that test will report as "Not Applicable". This is probably why the SysIDUser is being reported as such despite proper configuration.
Why won't the ACS and LMS communicate? What's wrong with the preshared keys?
05-02-2011 02:52 AM
Hi,
Are you using the proxy distribution feature on ACS?
If yes, then check the secret key configured for the proxy server. It has to be similar to the one configured in the LMS server.
Thanks--
Afroj
05-02-2011 07:08 AM
Hello
Only the (Default) entry is on the Proxy Distribution Table. It contains no additional settings, other than listing the ACS itself as an AAA server.
EDIT: I did try with and without the ACS listed as an AAA server under the (Default) entry. No change.
On a side note, IOS and PIX OS authentication do work flawlessly with the same ACS server (using different groups, IPs etc.).
Anything short of contacting TAC?
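The thread revolves around both LMS and ACS reporting a shared-secret mismatch even though the same key is typed on both ends. The reason both sides can detect it is the TACACS+ body obfuscation (RFC 8907, section 4.5): the packet body is XORed with an MD5 keystream derived from the session ID, the shared secret, the version byte and the sequence number, so a receiver using a different key recovers garbage whose embedded length fields no longer add up. The script below is an added example written for this page, not code from the thread or from Cisco; it builds an authentication START packet the way an AAA client would, then parses it with the right key and with a wrong key. The user name, port, address, session ID and secrets are constructed values.

```python
"""TACACS+ (RFC 8907) body obfuscation demo: why a shared-secret mismatch
is detectable on both ends.  Added example, not code from the thread."""
import hashlib
import struct

TAC_PLUS_VERSION = (0xC << 4) | 0x0     # major 0xC, minor 0 (ASCII login)
TAC_PLUS_AUTHEN = 0x01                  # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # flags bit: body sent in the clear
HEADER_FMT = "!BBBBII"                  # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 keystream:
    pad_1 = MD5(session_id, key, version, seq_no)
    pad_n = MD5(session_id, key, version, seq_no, pad_{n-1})"""
    base = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(base + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str, rem_addr: str, session_id: int, key: bytes) -> bytes:
    """Authentication START (seq_no 1) as an AAA client such as LMS would send it."""
    u, p, r = user.encode("ascii"), port.encode("ascii"), rem_addr.encode("ascii")
    # action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1), service=LOGIN(1), then field lengths
    body = struct.pack("!8B", 1, 1, 1, 1, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """De-obfuscate with `key` and sanity-check the body the way a server must.
    Raises ValueError when the recovered body is inconsistent, which is the
    observable symptom of a shared-secret mismatch."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    raw = packet[HEADER_LEN:]
    if len(raw) != length:
        raise ValueError("header length does not match body size")
    body = raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    if 8 + ul + pl + rl + dl != length:
        raise ValueError("length fields inconsistent: shared secret probably does not match")
    off = 8
    user = body[off:off + ul].decode("ascii"); off += ul        # UnicodeDecodeError is a ValueError
    port = body[off:off + pl].decode("ascii"); off += pl
    rem_addr = body[off:off + rl].decode("ascii")
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}


def key_matches(packet: bytes, key: bytes) -> bool:
    """True when the packet de-obfuscates to a well-formed body under `key`."""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed values: a hypothetical System Identity user and two candidate secrets.
    pkt = build_authen_start("sysid", "tty0", "10.0.0.5", 0x12345678, b"cisco")
    print("client secret 'cisco', server secret 'cisco':      ", key_matches(pkt, b"cisco"))
    print("client secret 'cisco', server secret 'CIsco987#@!':", key_matches(pkt, b"CIsco987#@!"))
```

Run it as-is to see the same packet accepted under the matching secret and rejected under a different one. A wrong key on either side produces exactly this failure in both directions, which is why a genuine key mismatch, or anything that makes one side use a key other than the one typed (a stale entry, a proxy-distribution secret, or the wrong AAA-client entry being selected for the source IP), surfaces as "mismatch" on both LMS and ACS.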