cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1366
Views
0
Helpful
2
Replies

LMS 4.0 User management with Cisco ACS 5.x

alex.dersch
Level 4
Level 4

Hello,

i would like to ask if i can use the Cisco ACS to manage the user authentication process for LMS 4.0 suite. If yes could you please provide a guide thow to integrate LMS in ACS.

I found only a integration guide for ACS 4.

thanks for any feedback

alex

2 Replies 2

Martin Ermel
VIP Alumni
VIP Alumni


the process of gaining access to LMS is a 2 step process,
    1) authentication
    2) authorization

the first checks your username and password and determines if you are allowed to login, the second defines what you are allowed to do;


AUTHENTICATION can be done localy (on the LMS server) or externaly (like AD, TACACS, radius and a few more)

with LMS 4.x AUTHORIZATION can (or better must) be done locally in LMS with the RBAC model (role based access control). There you can define groups and assign access rights to LMS tasks as well as to devices. At the end you can add users to the groups to give these users the level of access they need.

This changed in comparison to LMS 3.x where authorization in a granular manner could only be done by integrating LMS in ACS 4.x. - which means that this process (integration of LMS in ACS) is no longer necessary for authorization in LMS 4.x

On the other hand, it also means, that you can use any of the supported external modules (like ACS 4.x, ACS 5.x or any other tacacs server) for authentication but for authorization only RBAC is used.

Also, if you have an external source for authentication, there must be a mechanism to assign the configured privilege levels in LMS (RBAC) to a user that login. This is done very simple: the user MUST exist on the LMS server also and must have assigned the correct privilege levels in RBAC.


[...]
The CiscoWorks Server determines user roles. Therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role).
[...]
from:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/security.html#wp1055708

here are some links to the LMS 4.x admin guide:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/security.html

http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.0/user/guide/admin/security.html#wp1056335

Yes, in other words, Cisco seems to be backing away from ACS integration in 4.0.

That's unfortunate as one essentially has to manage users in two places - one for authentication and one for authorization - if one wants to (continue) using TACACS in conjunction with LMS.

I'm sure there was some reasoning behind this but it's not apparent to this end user what it was. We are holding off on ACS 5.x implementation since they changed he whole product (including the licensing model).

If anyone from the product team is listening - it's two steps backwards from my perspective.

Review Cisco Networking for a $25 gift card