Showing results for 
Search instead for 
Did you mean: 

LMS / Cisco ACS Integration.

Level 5
Level 5

Hi all, really hope someone can help on what I hope to be a basic question.

I have a CiscoWorks server integrated with Cisco ACS. When a user tries to access CiscoWorks, they must authenticate using a username/password that is held centrally on the Cisco ACS server (I have authorisations configured here to allow certain users access to select devices). All this is working fine.

When I add devices to the DCR, I need to add Device Credentials. Do I need to tell the CiscoWorks the username/password or does it 'automatically' use the same username/password that the user typed in to aunthenticate to the CiscoWorks login page initially? I'm kinda confused. Not sure if I have to configure a general username/password for all devices in the DCR. The problem here though is when I check the ACS for reports regarding who has accessed a specific device (through NetShow for example), it will not tell me the 'real' user but will use the general username/password used for all devices (as set in the DCR). I hope this makes sense, please someone help clarify for me!

Many thanks in advance


1 Reply 1

Joe Clarke
Cisco Employee
Cisco Employee

The LMS login credentials are completely independent of the credentials used for device access.  If you want users to be able to authenticate to devices using their own credentials, do not add telnet/SSH credentials to DCR, but instead enable job-based passwords (under RME > Admin > Config Mgmt > Config Job Policies.  Then, when users run Netconfig, Netshow, etc. jobs, they will be prompted for THEIR credentials at job creation time.  Your ACS reports should then reflect the proper user.  If you make Job-based passwords mandatory (i.e. do not check the "User configurable" box), then users must enter their credentials before a job can be scheduled.

To make these settings truly effective, you should only select telnet or SSH for your configuration deployment protocols.  You should also note that config fetch will not use job-based passwords, so either configure the config fetch protocol to be TFTP, or you will need to add a global username/password to DCR.  If job-based passwords are mandatory, this global set of credentials should only be used for configuration fetch operations.