I'm trying to add an ASA to CSM. I have CSM configured with ACS integration.
I have the ASA in ACS and I can log in to the ASA successfully with my own credentials, so I know it's in ACS and it works.
I'm trying to add the device in CSM and I have the "Display Name" set identically to what I have in ACS (I copied and pasted the name just to be sure), but when I go to click Next, I get the following:
Device Not Authorized
The device is not in the Cisco Secure ACS.
Please ensure that this device has been added/created within Cisco Secure ACS prior to adding/creating this device in Common Services or Cisco Security Manager.
Can you send me a screenshot of the panel in CSM (when you try to add the device) and the panel in ACS where you added the device?
Just to be sure all the steps for ACS integration are in place, make sure you followed this document:
Having the exact same issue here.
Have checked local account, system identity account and equivalent in ACS and all look ok.
Checked that the ACS admin account is set up correctly.
User has Administrator rights to CSM shared profile components.
No failures in any ACS logs
Interestingly if you tick "System Context" it seems to get further and starts discovery then dies at about 10%.
Relevant screenshots/errors attached
Now solved; it was a permissions issue in ACS.
However this raises an interesting "issue" with CSM and its interaction with ACS.
According to the CSM 4.1 Installation Guide:
ACS Changes Not Appearing in Security Manager
When you are using Security Manager with Cisco Secure ACS 4.x, information from ACS is cached when you log in to Security Manager or CiscoWorks Common Services on the Security Manager server. If you make changes in the Cisco Secure ACS Network Configuration and Group Setup while logged in to Security Manager, the changes might not appear immediately or be immediately effective in Security Manager. You must log out of Security Manager and Common Services and close their windows, then log in again, to refresh the information from ACS.
If you need to make changes in ACS, it is best practice to first log out of and close Security Manager windows, make your changes, and then log back in to the product.
The problem here as I see it is as follows:
1) Because CSM caches a copy of credentials, when you get a permissions error such as the one above you don't get any failure in the ACS logs (as you would expect), because CSM is using its cached copy. Not very helpful for troubleshooting, and not very good for security, as you are not getting any logs for people attempting to do things they aren't allowed to.
2) Surely for a security product (as CSM is supposed to be) caching the details from ACS is bad practice. This means if someone's permissions are revoked, as long as they continue to remain logged into CSM they can still do things using the cached copy of ACS permissions - surely a very bad thing for a security product.
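The two points in the post above (revoked permissions staying effective for the life of a session, and denied actions never reaching the central AAA log) are easy to see in a small model. The following is an added example, not code from the thread or from Cisco; AuthorityServer stands in for a central authorization server, the two client classes stand in for a management application, and all names, permission strings and the 300-second TTL are hypothetical. It contrasts a client that copies permissions once at login with one that bounds the cache lifetime and re-checks centrally, so every denial is logged where the administrator would look for it.

```python
import time

# Added example modelling the caching problem discussed above. All names
# (AuthorityServer, "alice", "device.add", the TTL) are hypothetical.


class FakeClock:
    """Deterministic clock so TTL expiry can be shown without sleeping."""
    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds

    def __call__(self):
        return self.now


class AuthorityServer:
    """Central permission store that logs every check it is asked to answer."""
    def __init__(self):
        self.perms = {}      # user -> set of permission names
        self.log = []        # (user, permission, "permit" | "deny")

    def grant(self, user, perm):
        self.perms.setdefault(user, set()).add(perm)

    def revoke(self, user, perm):
        self.perms.get(user, set()).discard(perm)

    def check(self, user, perm):
        ok = perm in self.perms.get(user, set())
        self.log.append((user, perm, "permit" if ok else "deny"))
        return ok


class SessionCachingClient:
    """Copies the user's permissions once at login and never asks again.
    Revocation is invisible for the life of the session, and a denial is
    decided locally, so nothing about it reaches the authority's log."""
    def __init__(self, authority, user):
        self.user = user
        self.cached = set(authority.perms.get(user, set()))

    def allowed(self, perm):
        return perm in self.cached


class BoundedCacheClient:
    """Caches each decision for at most `ttl` seconds and can be flushed
    explicitly. Expired or flushed entries are re-checked centrally, so a
    revocation takes effect within one TTL and every re-check is logged."""
    def __init__(self, authority, user, ttl, clock=time.monotonic):
        self.authority = authority
        self.user = user
        self.ttl = ttl
        self.clock = clock
        self.cache = {}      # perm -> (decision, expiry_time)

    def allowed(self, perm):
        entry = self.cache.get(perm)
        if entry is not None and entry[1] > self.clock():
            return entry[0]                      # fresh cached decision
        decision = self.authority.check(self.user, perm)
        self.cache[perm] = (decision, self.clock() + self.ttl)
        return decision

    def invalidate(self):
        """Flush the cache, e.g. when the authority signals a policy change."""
        self.cache.clear()


def run_scenario(ttl=300):
    """Grant, log in, revoke, then observe what each client does."""
    clock = FakeClock()
    authority = AuthorityServer()
    authority.grant("alice", "device.add")

    stale = SessionCachingClient(authority, "alice")
    bounded = BoundedCacheClient(authority, "alice", ttl=ttl, clock=clock)
    results = {"before_revoke": (stale.allowed("device.add"),
                                 bounded.allowed("device.add"))}

    authority.revoke("alice", "device.add")
    results["stale_after_revoke"] = stale.allowed("device.add")     # still True
    results["bounded_within_ttl"] = bounded.allowed("device.add")   # still True
    results["denies_before_recheck"] = sum(1 for e in authority.log if e[2] == "deny")

    clock.advance(ttl + 1)                                          # cache expires
    results["bounded_after_ttl"] = bounded.allowed("device.add")    # now False
    results["denial_logged"] = ("alice", "device.add", "deny") in authority.log
    results["authority_log"] = list(authority.log)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The session-caching client keeps permitting "device.add" after the revocation and never produces a deny entry centrally, which is exactly why the ACS logs stayed empty during the troubleshooting above. The bounded client is still wrong for up to one TTL, so the TTL should be short and paired with an explicit invalidate() on policy change; the re-check then lands in the authority's log as a deny, where it can be alerted on.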
Could someone please help me add a multi-context ASA using CSM with complete ACS integration. It is not working and is giving the "authorization failed" error. I am using CSM with full ACS options, not non-ACS mode.
First of all CSM does not like "/" in the hostname field when I try to define the name of the admin-context. I believe this is the main issue. If I create admin-context on ACS with a dummy name such as "asa1-admin" the CSM finds this and adds it but then it does not add the other contexts and gives "authorization failure" error.
Thanks in adv.