Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
577
Views
0
Helpful
1
Replies

LMS / Cisco ACS Integration.

dazza_johnson
Level 5
Level 5

‎05-10-2010 04:54 PM

Hi all, really hope someone can help on what I hope to be a basic question.

I have a CiscoWorks server integrated with Cisco ACS. When a user tries to access CiscoWorks, they must authenticate using a username/password that is held centrally on the Cisco ACS server (I have authorisations configured here to allow certain users access to select devices). All this is working fine.

When I add devices to the DCR, I need to add Device Credentials. Do I need to tell the CiscoWorks the username/password or does it 'automatically' use the same username/password that the user typed in to aunthenticate to the CiscoWorks login page initially? I'm kinda confused. Not sure if I have to configure a general username/password for all devices in the DCR. The problem here though is when I check the ACS for reports regarding who has accessed a specific device (through NetShow for example), it will not tell me the 'real' user but will use the general username/password used for all devices (as set in the DCR). I hope this makes sense, please someone help clarify for me!

Many thanks in advance

Darren

Labels:
0 Helpful
1 Reply 1

Joe Clarke
Cisco Employee
Cisco Employee

‎05-10-2010 10:39 PM

The LMS login credentials are completely independent of the credentials used for device access.  If you want users to be able to authenticate to devices using their own credentials, do not add telnet/SSH credentials to DCR, but instead enable job-based passwords (under RME > Admin > Config Mgmt > Config Job Policies.  Then, when users run Netconfig, Netshow, etc. jobs, they will be prompted for THEIR credentials at job creation time.  Your ACS reports should then reflect the proper user.  If you make Job-based passwords mandatory (i.e. do not check the "User configurable" box), then users must enter their credentials before a job can be scheduled.

To make these settings truly effective, you should only select telnet or SSH for your configuration deployment protocols.  You should also note that config fetch will not use job-based passwords, so either configure the config fetch protocol to be TFTP, or you will need to add a global username/password to DCR.  If job-based passwords are mandatory, this global set of credentials should only be used for configuration fetch operations.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card