We've now finished testing CIscoWorks LMS 3.01 with ACS 4.1.4 in our test environment and ready to deploy into a production environment.
Currently we have a few outstanding concerns, specifically on the security of accounts in ACS.
The LMS/ACS Integration White Paper (along with various other instruction on web etc) states that LMS requires:
1> An ACS Admininstrator account with ALL privileges (white paper explicitly states "grant all").
2> An ACS User account with same credentials as System Identity with SA rights.
Our network security team are EXTREMELY concerned with the first, Cisco Secure ACS by its very name should be secure. Creating an admin account with ALL rights has got to be a bad idea. Currently we only have one account with this level of rights which is never used and credentials locked in a safe. All others are only given the rights actually required.
Ultimately there has got to be some rights here that aren't required (e.g. changing group setups, changing server settings). Is there anything documented of the exact rights needed by the LMS ACS Admin account?
During the Application Registration we're finding that the ACS Administrator account is making changes to other Administrator accounts (specifically removing anyones rights to IPM) - this is surely outside the scope of what its supposed to be doing.....
As for the second one, again I'd like something documented as to precise rights required and what this is used for. During some test ACS application registrations from LMS the verification keeps throwing up errors about not having correct rights for components, however registration is still succesful anyhow?
Does the identity account need any shell or IOS level rights or just ACS components?
Its also surely a bit "chicken and egg" as you can't provide rights until the applications are registered etc, we do have a previously aborted installation of LMS 2.6 so I'm guessing that the registration is trying to check rights to the LMS2.6 application registration which obviously fails?
PS - Any news on release date for LMS 3.1 - will I need to reregister application and thus loose all the custom profiles I've just spent weeks developing?
We do not document the exact rights required. However, if I'd have to guess based on what we do with integration, the admin user would need "Setup of these groups", "Network Access Restriction Sets", "Network Access Filtering Sets", access to all the CiscoWorks components, "Password Validation", and "Global Authentication Setup".
The second item really is not required. The System Identity User MUST have access to all LMS-managed devices in ACS in addition to being allowed to perform all LMS tasks, but this other user is more of a convenience. It would be akin to "admin" in LMS (i.e. an uber system admin).
Every time you choose to register applications (this should only be done ONCE per version of LMS) you will overwrite role customization which could lead to ACS dropping rights.
The System Identity User account does not need any shell or IOS access. It just needs to be allowed to manage the devices for each of the LMS components.
LMS 3.1 is scheduled for release on July 1, and will include new tasks, so an application re-registration will be required.
We've got some serious performance issues with the ACS-mode AAA implemetation on LMS 3.01 windows and ACS 4.1 appliance.
We've got plenty of resources on the machine, same network, followed the whie paper for implementation, use http instead of https, we use Ip adres for ACS server. It seems to work fine, except the peformance is bad. Did you ran into that kind of problems? We use NDG's, is that a performance killer?