10-23-2010 04:36 PM
Hi:
We configured LMS in ACS mode with fallback.
The integration works fine, but when we try to take the ACS (4.2) down to try the fallback login in LMS, it does not work.
First we tried stopping ACS services, but we realized that the server answered with TCP RESETs.
Then we disabled the NIC and so no IP connectivity was available.
But as you can see in the image, LMS still thinks that ACS is reachable, although HTTP or HTTPS are not. And never activates the fallback mode.
The funny stuff is that trying from the CLI, with ACSTestTool.pl, it considers no connectivity to the server.
Any suggestions?
Thanks a lot
Julio
10-23-2010 10:54 PM
It looks like you're integrated with ACS vs. just using TACACS+ for authentication. With full integration, fallback does not work.
10-24-2010 08:31 AM
Hi Joseph:
I'm sorry, but I don't fully understand your response.
Login Module for LMS is TACACS+, allowing certain user(s) to fallback to the CiscoWorks Local login if preceding login fails.
And then, the AAA Mode Setup ACS for Current Login Module: TACACS+
As far as I know ACS performs authentication and authorization (that is to say that the local roles are not considered any more after the integration).
And I believe that in case the connection with ACS is not available, the fallback means that the users configured in the Login Module could be authenticated locally, with their respective local roles enabled for authorization. Is it like this?
I don't know about other integration different from full between LMS and ACS. Please, could you explain this?
Thank you very much.
Julio
10-24-2010 09:57 AM
When you go to Common Services > Server > Security > AAA Mode Setup, what is the current Type? Is it Non-ACS or ACS mode?
10-24-2010 12:07 PM
10-24-2010 01:07 PM
You have enabled full ACS integration. In this mode, fallback will not work. If you set the type to Non-ACS mode, then just use the TACACS+ login module for authentication, then you will be able to use fallback.
10-24-2010 02:02 PM
Ok Joseph,
Thank you very much. I see I had misunderstood the feature.
Thanks a lot.
Julio