LMS 4.x -- Integration of ACS v5.x

Similar Messages

• Cisco Works LMS 3.1 Integration with ACS v5.2

  Hello Experts,
  our customer has a working integration with the Cisco Works LMS 3.1 and an ACS v3.3 as it is described in this document:
  http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
  Now we are changing the old ACS Servers to the new ACS v5.2 platform. Is it possible to integrate the LMS to the new ACS Server? We want to use a granular user access restriction for SuperAdmins, Hotline Users an so on...
  Thanks,
  Florian

  Hi Florian,
  actually the ACS 5.2 is not supported in CS 3.2
  here is a list of the supported ACS servers under LMS 3.1
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.2/user/guide/admin.html#wp865998

• LMS 3.2 integration with ACS 5.1

  Hi
  Is it
  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;
  mso-fareast-language:EN-US;}
  possible to integrate LMS 3.2 with ACS 5.1? I know it works with ACS 4.X, but I can't get it to work with ACS 5.1.
  Here is a link to how to do it with ACS 4.X:
  http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html
  Regards
  Reidar

  /* Style Definitions */
  table.MsoNormalTable
  {mso-style-name:"Table Normal";
  mso-tstyle-rowband-size:0;
  mso-tstyle-colband-size:0;
  mso-style-noshow:yes;
  mso-style-priority:99;
  mso-style-qformat:yes;
  mso-style-parent:"";
  mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
  mso-para-margin-top:0cm;
  mso-para-margin-right:0cm;
  mso-para-margin-bottom:10.0pt;
  mso-para-margin-left:0cm;
  line-height:115%;
  mso-pagination:widow-orphan;
  font-size:11.0pt;
  font-family:"Calibri","sans-serif";
  mso-ascii-font-family:Calibri;
  mso-ascii-theme-font:minor-latin;
  mso-fareast-font-family:"Times New Roman";
  mso-fareast-theme-font:minor-fareast;
  mso-hansi-font-family:Calibri;
  mso-hansi-theme-font:minor-latin;
  mso-bidi-font-family:"Times New Roman";
  mso-bidi-theme-font:minor-bidi;}
  Thanks Reidar.... hmm very strange. I really wish an expert would respond to this thread as it will help a lot of people who might be planning to deploy these versions and they can help put this matter to rest once and for all. Not sure why LMS 3.2 will not support ACS 5.1 and it might help to know when it will (updates etc). Kindly let me know if you get any further information. My deployment is so large that setting a local username and password on all the devices is not an option unfortunately .......

• LMS PRIME 4.2 integrating with ACS 4.2

  Hello,
  i would like to integrate new lms prime 4.2 with acs.4.2 . .. !!
  is there document or user guide for this version of lms?
  Thanks in advance.
  Marwan

  IN LMS 4.2 there is nothing which is known as Integration (like LMS 3.x), since it added feature RBAC.
  Now ACS can just be used as PAM to have ciscoworks authenticated for Tacacs+ or Radius. After the auth is done, you should have a authorization set in LMS locally for user, else it will be given a default HELP DESK access.
  For more details check :
  Authentication Using Login Modules - Overview
  -Thanks

• Cisco Prime NCS integration with ACS 5.1

  Hello,
  We've an issue with authorization on NCS system. NCS successfully integrated witch ACS, but there is a problem with one user. All users have equivalent rights under root. There is shell profile with all possible tasks (exported from NCS server) configured on ACS. All users exept this one (unlucky one:)) authorizes successfully.  In  ACS logs, authentification and authorization status for this user is passed and all attributes (policy, profile, AV-pairs e.t.c.) is the same as for another users. This 'unlucky' user gets a following message:
  There is surely no browser or network issue. Tried from different PCs with same result. There is no any local info related to this username on the NCS server. When i change one charecter in the username on his ACS account, everything works well. What could be a possible reason of this behaivour?  Thanks!
  Our ACS v
  Version 5.1.0.44.X
  And NCS
  Version : 1.1.2.X

  this question should be moved to the Security > AAA forums as this sounds more like an ACS issue than NCS.
  HTH,
  Steve
  Please remember to rate useful posts, and mark questions as answered

• Integrated CSM + ACS - DCR Device Wizard

  Hi there,
  I've integrated CSM v3.3.1 into ACS v4.1.4 within Common Services/AAA Setup and setup a Bulk Import of Devices from ACS into Common Services.  Have also setup default device credentials.
  This seems to be working fine, in that I can login to CSM using credentials from ACS and the CSM Device and Credentials list shows all my network devices imported from ACS.
  Again I've logged into the CSM Client using credentials from ACS but I don't seem to be able to "Add Devices From DCR", the only option I have is to import from an export file from DCR.   The problem here is that the export file contains all the default device credentials which I don't want users to know.
  Have I missed something?
  BAsed on the User Guide I'm expecting there to be an "Add Devices From DCR Wizard".
  Thanks
  Michael

  OK,
  I have got to the bottom of this now.
  I was reading the CSM 3.1 User Guide which I'd downloaded in the past, assuming that Cisco wouldn't remove a feature in a later release, just add/improve/fix features.
  Obviously not, having downloaded the CSM 3.3 User Guide it is obvious that the "Add Devices from DCR" option has been replaced with "Add Devices from File".
  To double-check this I've done a clean install of CSM 3.1 and the different outputs from the client showing the change are attached.
  The function does still exist in Performance Monitor however.....
  Therefore the only options are to either:
  Export the devices/credentials from DCR and import into CSM
  Means that people with access to the server (e.g. IT Department) have potential access to the export files containing master device credentials of firewalls which obviously is no use in a secure environment 
  Have the firewall/security administrators manually add each device to CSM supplying necessary credentials
  This is OK to an extent, except that we are trying to maintain a secure environment with "role seperation" and traceable named accounts, hence the integration to ACS.
  Rather than being able to set a complex "default credential" once which would then be destroyed/forgotton, this now means that the Firewall/Security administrator needs to know the master/generic admin account which is used by CSM to access the devices, which he/she could use instead of their named ACS account!
  None of this is very "secure" for a supposed security product
  Is there a way to re-instate the "Add Devices from DCR" option in client versions CSM 3.2+ ?
  Is there a way to set "default credentials" in CSM like you can in Common Services, so that administrators don't need to know them (e.g. have them written down) so they can be set each time a device is added ?
  Thanks
  Mike

• LMS 3.1 Slow after integrating with ACS

  Dear All, have any one faced issue of slowness after integrating LMS3.1 with ACS4.2. I dont know how can I resolve this issue. Is there any patch to resolve it...
  Any kind of help will be very helpful.

  I'm using LMS 3.2 into ACS 4.0 and it actually seemed a bit faster after ACS integration. Nothing I measured but subjectively it seems faster. Both my servers are on Windows and the ACS is across the WAN from my CiscoWorks.
  How do your devices fare with their ACS? You can debug tacacs at the router/switch level as one tool. I'm sure one of the cisco guys on here will point you to one of the many logs that LMS generates, possibly with debugging activated, to dig deeper there also.

• MARS 5.2.7 integration with ACS 4.1

  Hello
  I cannot find any documentation I can follow to integrate MARS with ACS. I mean I want to use ACS to authenticate user in MARS.
  Any of you know if MARS 5.2.7 has this feature? If yes can please give some info where to find docs?
  Thank you really much
  Best regards Antonello.

  HI ,
  LMS 4.0 no longer integrates with ACS the way that LMS 3.x did.  You  can still use ACS for authentication in LMS 4.0, but for authorization,  each user must have a local account in LMS, and the roles will be  assigned using LMS 4.0's new RBAC.  Users are defined under Admin >  System > User Management > Local User Setup, and roles are defined  under Admin > System > User Management > Role Management  Setup.
  By default, if a user does not have an account in LMS, they will receive the Help Desk role
  Please check the below link:
  http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/user/guide/admin/security.html#wp1100379
  Thanks-
  Afroz
  [Do rate the useful post]

• Prime NCS: TACACS+ Integration into ACS 5.1

  Hello,
  i'd like to integrate TACACS+ Integration into NCS.
  I configured my ACS 5.1 correctly, but I get an "Access is denied to NCS" at the web login page. In the ACS i see a successful authentication.
  Any ideas?
  regards
  Alex
  Here is my Shell Profile Configuration

  I finally could log in, but not the default Ambassador view.
  Thats really strange. Here is the authorization result from my ACS server.
  {Type=Authorization; Author-Reply-Status=PassAdd; AVPair=role0=Lobby Ambassador; AVPair=task0=GLOBAL; AVPair=task1=Lobby Ambassador User Preferences; AVPair=task2=Basic; AVPair=task3=Configure Guest Users; AVPair=task4=Check License; AVPair=virtual-domain0=ROOT-DOMAIN; }

• All the devices not showing after CSM integration with ACS

  Hi all
  I integrated ACS with CSM and added all the security devices into ACS as client devices.But after integration with with ACS only few devices are shown in the CSM when i logged in as super admin.for all other users (system admin,network operator etc.),no devices are shown in the CSM.Please give me a solution to solve this.

  Did you have devices already in CSM when you integrated it into ACS ? Did you make sure that the hostname of the devices is exactly the same in acs and csm ?

• Juniper SSG TACACS+ Integration with ACS 5

  Hi,
  I'm working on TACACS+ integration on Juniper SSG firewall with ACS 5, but failed login on the SSG. After checked the log on ACS, it passed the authentication. Do I need to import any dictionary file on the ACS 5 first?
  Please advice,
  Cheers,
  Ryan

  I was able to config SSG authenticate using RADIUS.  In order to work with RADIUS, I have to create RADIUS dictionary using netscreen dictionary found @ Juniper.  Attach the dictionary.
  I'm not sure how to import, but I create the dictionary manually.

• Cisco Security Manager integration with ACS

  Has anybody got this working yet.
  I have tried but as yet have been unsucessful in registering csm with the ACS server.
  I am following the the instructions however, nothing seems to work all i get is failed to registar.
  Any help would be appreciated
  Regards
  Jason

  Check out this link...
  http://www.cisco.com/en/US/products/ps6498/prod_troubleshooting_guide_chapter09186a00806e23e3.html

• Call Manager/LMS 3.2 Integration

  Hello,
  I am building CiscoWorks LMS 3.2 from scratch and my two Call Managers come up as unreachable devices.  I've done some searches and found plenty of Cisco documentation speaking about CDP settings for Call Manager but nothing that tells me where to view it or change it.  Can someone tell me what menus I should be looking at in Call Manager in order to verify the SNMP settings?
  Any other reason CiscoWorks would be unable to reach these CMs?
  Thanks,
  Mike

  if the CallManager is marked "unreachable" it is not a problem with CDP. CDP is necessary to find the hardware - this step passed (because it is listed). The next thing that must work is SNMP reachabiliy and this fails. So either the Call Manager has no SNMP community configured or LMS does not know the correct community to use.
  If both are ok, access-lists or firewalls are typically blocking SNMP traffic.
  here is the documentation for the Call Manager that covers this
  Simple Network Management Protocol Configuration
  see the section Configuring SNMP Security

• Integration of ACS with two different Domain in different forest

  Hi
  We have two Domain Controllers in two different forests. One forest is X.IN and other is Y. In X.IN forest we have a tree called PPP.IN.
  Is it possible to integrate ACS with both PPP.IN and Y? Please confirm ASAP.
  Thanks
  Ritesh

  It is possible in ACS 4.2 to do machine and user authentication over cross forest trusts. See Resolved Caveats here:
  http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/release/notes/ACS42_RN.html
  HTH
  Jeremy

• Integrating Cisco ACS and Cisco NAC Manager - Downloadable ACL

  Hi There
  I have Cisco NAC setup in my environment. These are all working fine. The users will get themselves authenticated via Cisco NAC Manager. The Cisco NAC Manager talks to the Cisco ACS for the user database portion. These are all working fine. I would like to enable Downloadable ACL. I have tried using the CISCO-AV-PAIR method and creating a downloadable ACL entry in Shared Components, but nothing works. It's either I'm doing it wrongly or this setup of mine doesn't support downloadable ACL? Please kindly advice.
  Regards,
  Ram
  +6-012-2918870

  Hi,
  That is not possible.
  You cannot push ACLs into the NAC manager.
  If you are doing Radius authentication from NAC manager, what you can do is to create Roles on the NAC manager, and on those roles you define traffic policies.
  Using Radius attributes you can then map users to Roles.
  Please take a look into this:
  http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cam/m_auth.html#wp1158789.
  HTH,
  Tiago
  If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.