01-19-2009 10:09 AM
Hello,
I did the ACS integration on LMS 3.1.
Our ACS version is 4.1.
All looks fine I think, but the problem is that all users that are configured on the ACS have access to the LMS now!
The users I didn't configure for LMS have access, but can't do anything because of missing rights.
But I want to configure it so that only specific users have access to the LMS portal, not all of them!
Thanks for helping!
Sven
01-20-2009 10:10 PM
If this is all you have done, then this is expected. ACS will still tell LMS that the user passed authentication, and LMS will allow the user to login. Of course, simply not enabling any LMS access will prevent the user from being able to perform any tasks.
To completely prevent the user from logging in, you need to disable their access to the LMS server. To do this, edit their group settings, and add a network access restriction. I typically recommend people put their LMS servers in a separate NDG in ACS which makes this easy. If you are already using a permit NAR, simply do not add the LMS server NDG to the NAR list. If you are already using a deny NAR, add the LMS server NDG.
If you are not using any NARs, add a new NAR rule which denies the user from logging in to devices in the LMS server NDG from any host on any port. For example:
AAA Client          Port    Address
NDG:LMS Servers     *       *
This will completely disable the user from being able to login to LMS.
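To make the permit-list versus deny-list NAR behaviour described above concrete, here is an added Python model of the decision (not Cisco ACS code, and not from the original post). The device inventory, the NDG name "Switches", the device names and the function names are constructed assumptions; only "NDG:LMS Servers" and the "* *" wildcards come from the answer.

```python
"""Simplified model of ACS-style Network Access Restrictions (NARs).

Hypothetical simplification, not Cisco ACS code: a user group carries an
optional NAR list in either "permit" or "deny" mode. Each entry names an
AAA client (an NDG such as "NDG:LMS Servers" or a single device name), a
port and a caller address, where "*" matches anything.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class NarEntry:
    aaa_client: str   # "NDG:<group name>" or a single device name
    port: str = "*"
    address: str = "*"


@dataclass
class GroupNar:
    mode: str                      # "permit" or "deny"
    entries: list = field(default_factory=list)


# Constructed device inventory: device name -> NDG it belongs to (assumption).
DEVICES = {"lms-01": "LMS Servers", "core-sw-1": "Switches"}


def entry_matches(e: NarEntry, device: str, port: str, address: str) -> bool:
    """True when a NAR entry covers this login attempt."""
    if e.aaa_client.startswith("NDG:"):
        client_ok = DEVICES.get(device) == e.aaa_client[len("NDG:"):]
    else:
        client_ok = e.aaa_client == device
    return client_ok and e.port in ("*", port) and e.address in ("*", address)


def access_allowed(nar: Optional[GroupNar], device: str,
                   port: str = "*", address: str = "*") -> bool:
    """Authentication already succeeded; decide whether the NAR lets the login through."""
    if nar is None:
        return True   # no NAR at all: the symptom from the question, everyone gets in
    hit = any(entry_matches(e, device, port, address) for e in nar.entries)
    return hit if nar.mode == "permit" else not hit


# Group with the deny NAR from the answer: block any login to the LMS NDG.
DENY_LMS = GroupNar("deny", [NarEntry("NDG:LMS Servers", "*", "*")])
# Group with a permit NAR that simply leaves the LMS NDG out of the list.
PERMIT_SWITCHES = GroupNar("permit", [NarEntry("NDG:Switches", "*", "*")])

if __name__ == "__main__":
    print(access_allowed(None, "lms-01"))             # True
    print(access_allowed(DENY_LMS, "lms-01"))         # False
    print(access_allowed(PERMIT_SWITCHES, "lms-01"))  # False
```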
01-19-2009 10:15 AM
This may be a side-effect of external authentication in ACS. Are these non-LMS users mapped to an external authenticator in ACS?
01-20-2009 12:24 AM
Hello,
no, all users are configured directly in ACS.
None of the LMS parts are marked in ACS for this group, but they still have access to connect to LMS.
01-20-2009 12:49 AM
01-21-2009 02:56 AM
Hi Joe,
I'm so thankful!
With the NAR it works!