juliocarossella
Beginner

No fallback login in CiscoWorks LMS 3.1

Hi:

We configured LMS in ACS mode with fallback.

The integration works fine, but when we try to take the ACS (4.2) down to try the fallback login in LMS, it does not work.

First we tried stopping ACS services, but we realized that the server answered with TCP RESETs.

Then we disabled the NIC and so no IP connectivity was available.

But as you can see in the image, LMS still thinks that ACS is reachable, although HTTP or HTTPS are not. And never activates the fallback mode.

The funny stuff is that trying from the CLI, with ACSTestTool.pl, it considers no connectivity to the server.

Any suggestions?

Thanks a lot

Julio

Joe Clarke
Hall of Fame Cisco Employee

It looks like you're integrated with ACS vs. just using TACACS+ for authentication. With full integration, fallback does not work.

Hi Joseph:

I'm sorry, but I don't fully understand your response.

Login Module for LMS is TACACS+, allowing certain user(s) to fallback to the CiscoWorks Local login if preceding login fails.

And then, the AAA Mode Setup ACS for Current Login Module: TACACS+

As far as I know ACS performs authentication and authorization (that is to say that the local roles are not considered any more after the integration).

And I believe that in case the connection with ACS is not available, the fallback means that the users configured in the Login Module could be authenticated locally, with their respective local roles enabled for authorization. Is it like this?

I don't know about any integration other than full between LMS and ACS. Please, could you explain this?

Thank you very much.

Julio

Joe Clarke
Hall of Fame Cisco Employee

When you go to Common Services > Server > Security > AAA Mode Setup, what is the current Type? Is it Non-ACS or ACS mode?

First I configure NON-ACS --> TACACS+ --> LOGIN MODULE OPTIONS (please see figure)

And then AAA mode setup ACS --> please see figure.

Thanks a lot

Julio

Joe Clarke
Hall of Fame Cisco Employee

You have enabled full ACS integration. In this mode, fallback will not work. If you set the type to Non-ACS mode, then just use the TACACS+ login module for authentication, then you will be able to use fallback.

Ok Joseph,

Thank you very much. I see I had misunderstood the feature.

Thanks a lot.

Julio