10-15-2009 12:37 PM
Hi,
We have 4 CiscoWorks servers using an ACS user ID and password to allow CiscoWorks to do its various activities. We are not ACS integrated.
We are trying to develop a process where we can expire the CiscoWorks ACS user ID's password every 90 days. To avoid problems, we envision resetting the password every 60 or 70 days, prior to expiry.
I want to know what would be the best process to facilitate this.
Running LMS 3.01 with CS/RME/CAMPUS on Windows 2003 SP1; ACS 4.1 on Windows 2003 Server SP1.
Please check.
-Thanks
10-15-2009 12:40 PM
You mean you're using an ACS account in DCR in order to connect to the devices, and you want to change this in DCR for all devices on a monthly basis?
10-15-2009 12:57 PM
Hi Jclarke,
Thanks.
Yes, we want the credentials in DCR to be changed every couple of months of a specified amount of time.
We have a large number of devices and it is impossible for us to change those manually. So we want something which can update the credentials in DCR as per ACS.
We are also looking for the same for LMS as well: that the password for them expires after a specified time.
I think, for LMS, that has to be done through ACS, right?
But if an LMS server has nothing to do with ACS (standalone), is there a way we can set password policies for password expiry for users?
Please advise.
-Thanks
10-15-2009 01:03 PM
If the ACS is administering your users (that is, you're using the TACACS+ or RADIUS login module in LMS), then you don't have to worry about user passwords. All of that will be handled in ACS, and the user will just need to know to use the new password when next logging into LMS.
As for updating DCR, this cannot happen automatically. Whenever your ACS device account password changes, you will either need to go to Common Services > Device and Credentials > Device Management in the GUI, then select all the devices, and click the Edit Credentials button. Then update the password for the telnet/SSH user.
You could also do this using dcrcli, by first exporting the device list using the dcrcli "exp" command. Then search and replace the old password with the new, then use the impFile command with the "cr=file" argument to import the changes back into DCR.
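The search-and-replace step described above, as an added example that is not part of the original post and is not Cisco's code: it rewrites the password only in the credential column and only for the named account, so a blind replace cannot alter other fields that happen to contain the same string. The CSV layout, column names and sample rows are constructed assumptions; adapt them to the header of the file dcrcli actually exports.

```python
import csv
import io

# Constructed sample export; the column names are assumptions, not the DCR format.
SAMPLE = (
    "host_name,primary_username,primary_password,snmp_ro\n"
    "rtr1,lmsuser,OldPw#1,public\n"
    "sw1,lmsuser,OldPw#1,OldPw#1\n"      # another field happens to hold the same string
    "fw1,localadmin,OldPw#1,public\n"    # different account, must not change
)

def rotate_password(csv_text, user_col, pass_col, username, old_pw, new_pw):
    """Replace old_pw with new_pw only in pass_col, only on rows for username.

    Returns (new_csv_text, changed_count, untouched_first_fields).
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fields = reader.fieldnames or []
    missing = [c for c in (user_col, pass_col) if c not in fields]
    if missing:
        raise ValueError("column(s) not in export header: %s" % ", ".join(missing))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    changed, untouched = 0, []
    for row in reader:
        if row[user_col] == username and row[pass_col] == old_pw:
            row[pass_col] = new_pw
            changed += 1
        else:
            untouched.append(row[fields[0]])  # report for review before import
        writer.writerow(row)
    return out.getvalue(), changed, untouched

if __name__ == "__main__":
    new_text, changed, untouched = rotate_password(
        SAMPLE, "primary_username", "primary_password",
        "lmsuser", "OldPw#1", "NewPw#2")
    print(new_text, end="")
    print("changed:", changed, "untouched:", untouched)
```

Review the untouched list before importing, since those devices keep their existing credentials. The export holds the password in a form that can be searched, so restrict access to the file and delete it once the import is done.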
10-15-2009 02:22 PM
Thank you very much jclarke.
One last question: are there any plans to include such a utility to keep the DCR in sync as well, so that we don't have to do it manually?
The current procedure is okay for a few devices, but an LMS user with 9-10k devices will be in a mess.
-Thanks
10-15-2009 02:25 PM
There is going to be a lot more ACS integration in LMS 4.0, but I haven't seen where this specific type of integration will be there. However, if all of your devices use the same ACS account, the overhead for a user with one device vs. one with 10K devices is the same. The credential update can be done universally in one step.
10-21-2009 12:11 PM
Thanks jclarke,
So finally, right now there is no such possibility: if a user has changed the password for login to ACS, and the same previous TACACS password was configured for DCR devices, LMS will not be able to give a notification or sync the password with the user, right?
The only way we can do it is doing it manually.
-Thanks
10-21-2009 09:32 PM
This is correct. LMS has no way of synchronizing DCR passwords with ACS in an automated fashion. However, you could configure job policies to require job-based passwords (under RME > Admin > Config Mgmt > Config Job Policies), and that would force users to specify a username and password at job creation time.