LMS and ACS integration
Currently we have an ACS 4.2 install in our infrastructure. We are rolling out Ciscoworks 3.1 and are thinking of upgrading to 4.0.
Is there a set of recommendations for SNMPv3 and AAA? More specifically, we are considering RBAC controls and wondering what standards for AAA authorization should be used. Also, what standards for the read and write views? Finally, syslog commands: is logging informational too much, or is logging events better?
Thanks
wharrison2000
If you are considering upgrading to LMS 4.0, then ACS isn't really a consideration. While LMS 4.0 can use any TACACS+ server for authentication (including ACS), the authorization will be handled internally to LMS. That is, no ACS integration is required.
There really isn't any leading practice when it comes to SNMPv3. It depends on what you want to protect. If protecting the credentials is sufficient, then you can stick with authNoPriv. In this case, the SHA-1 hash will offer a bit more security. If you do want to encrypt the SNMP payload, consider using AES-128 as the privacy algorithm as it is more standard.
With syslog, it really depends on the messages you need to log as to what logging level you should use. Are there any informational messages you need to log that are critical to your organization? If so, then you definitely need to go with logging level 6. If everything you need is sev 5 and higher, then stick with notifications.
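To make the advice above concrete, here is an added example (not code from the thread or from Cisco) that audits IOS snmp-server and logging trap lines against those recommendations: authPriv with SHA and AES-128 unless only the credentials need protecting, a write view narrower than the read view, and trap level 6 only when informational messages matter. The configuration lines are constructed samples, and PLACEHOLDER stands in for real passphrases.

```python
import re

# Constructed sample IOS configuration (not from the thread). The first group/user
# pair follows the recommendation (authPriv, SHA, AES-128, separate read and
# write views); the second pair does not.
SAMPLE_CONFIG = """\
snmp-server view RO-VIEW iso included
snmp-server view RW-VIEW system included
snmp-server group NMS-SECURE v3 priv read RO-VIEW write RW-VIEW
snmp-server user lms-poller NMS-SECURE v3 auth sha PLACEHOLDER priv aes 128 PLACEHOLDER
snmp-server group NMS-LEGACY v3 auth read RO-VIEW write RO-VIEW
snmp-server user old-poller NMS-LEGACY v3 auth md5 PLACEHOLDER priv des PLACEHOLDER
snmp-server community public RO
logging trap notifications
"""

GROUP_RE = re.compile(r"^snmp-server group (\S+) v3 (noauth|auth|priv)(.*)$")
USER_RE = re.compile(
    r"^snmp-server user (\S+) \S+ v3 auth (md5|sha) \S+(?: priv (des|3des|aes \d+) \S+)?")
# IOS syslog severity names in numeric order: 0 = emergencies ... 7 = debugging
SYSLOG_LEVELS = ["emergencies", "alerts", "critical", "errors", "warnings",
                 "notifications", "informational", "debugging"]


def audit_snmp(config, require_priv=True):
    """Return (line, finding) pairs for SNMP settings weaker than the
    recommendation. Pass require_priv=False when only the credentials need
    protecting, so authNoPriv groups are accepted."""
    findings = []
    for line in config.splitlines():
        if line.startswith("snmp-server community "):
            findings.append((line, "v1/v2c community: no authentication or privacy"))
        g = GROUP_RE.match(line)
        if g:
            name, level, rest = g.groups()
            if level == "noauth":
                findings.append((line, f"group {name}: noAuthNoPriv"))
            elif level == "auth" and require_priv:
                findings.append((line, f"group {name}: authNoPriv, payload sent in clear"))
            views = dict(re.findall(r"(read|write) (\S+)", rest))
            if "write" in views and views.get("read") == views["write"]:
                findings.append((line, f"group {name}: write view as broad as read view"))
        u = USER_RE.match(line)
        if u:
            name, auth, priv = u.groups()
            if auth == "md5":
                findings.append((line, f"user {name}: MD5 authentication, prefer SHA"))
            if priv and not priv.startswith("aes"):
                findings.append((line, f"user {name}: {priv.upper()} privacy, prefer AES-128"))
    return findings


def audit_syslog(config, need_informational):
    """Return (trap_level, finding). Level 6 is needed when informational
    messages matter, level 5 otherwise; without a 'logging trap' line IOS
    defaults to informational."""
    m = re.search(r"^logging trap (\S+)$", config, re.MULTILINE)
    if m is None:
        level = 6
    elif m.group(1).isdigit():
        level = int(m.group(1))
    else:
        level = SYSLOG_LEVELS.index(m.group(1))
    needed = 6 if need_informational else 5
    if level < needed:
        return level, f"trap level {level} drops severity {needed} messages"
    return level, None
```

Running audit_snmp(SAMPLE_CONFIG) flags only the NMS-LEGACY group, the old-poller user and the community string; the NMS-SECURE pair passes.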
Similar Messages
-
Does Cisco LMS and CNC require what kind of access on device
I would like to know what kind of device access is needed to collect information. I have another team trying to collect the information. I have given the LMS server SNMP access to the Cisco devices. It seems that SNMP for LMS is not enough, as per their comment. Our CNC server is different from the LMS. Please advise. Thanks!!!
If you have a sample output report for LMS and CNC, it will also be very much appreciated.
You can check the credentials required by LMS for managing devices for different features here:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_lan_management_solution/4.2/install/guide/prereq.html#wp1170227
Not sure about CNC. Let the other experts comment on it.
-Thanks -
Dynamic VLAN assignment with WLC and ACS for
Currently, using our autonomous APs and ACS, our users get separate VLANs per building based on their security level (students or staff). Basically, the student VLAN in one building is different from that of the student VLANs in other buildings on campus. Currently, we do this by filling the Tunnel-Private-Group-ID IETF RADIUS attribute with the VLAN name. This all works because each individual AP can map VLAN names to different VLANs like this:
dot11 vlan-name STUDENT vlan 2903
dot11 vlan-name FACSTAF vlan 2905
As we are working on our WiSM deployment, we see that the document below shows how to do the dynamic VLAN assignment on our WLAN controllers:
http://www.cisco.com/en/US/customer/products/sw/secursw/ps2086/products_configuration_example09186a00808c9bd1.shtml
However, we haven't figured out if it's possible to still provide our users with different VLANs for each building they're in.
With the instructions above, it looks like ACS uses a Cisco RADIUS Attribute to indicate the Air-Interface-Name, mapping an ACS/AD group to a single WLC interface which can only have one VLAN/subnet associated with it.
Does anybody know if what we're trying to accomplish is possible, or if we're really stuck with only one VLAN/subnet per mapped ACS group?
We only have the one WiSM for all of campus, so it's handling everything. The Cisco docs do indicate how to put different users in different VLANs, but we don't currently see a way to also put them in different subnets per building.
This being the case, any suggestions on how best to handle more than a Class C subnet's worth of users? Should we just subnet larger than Class C, or is there a more elegant way of handling this? -
Wireless Virtual LAN - SSID and ACS User Mapping
Hi Everybody
We have the following scenario:
- WLC 4402 and ACS 3.3
- 2 SSIDs, one for employees, one for guests
- All users (guests and employees) are authenticated against the ACS server.
We would like to only permit Guest users to use the Guest SSID.
I've been reading the Wireless Virtual LAN Deployment Guide :
http://www.cisco.com/warp/public/cc/pd/witc/ao1200ap/prodlit/wvlan_an.pdf
and have tried to use method 1.
- RADIUS-based SSID access control:
"Upon successful 802.1X or MAC address authentication, the RADIUS server
passes back the allowed SSID list for the WLAN user to the access point or bridge. If the user used an SSID on the allowed SSID list, then the user is allowed to associate to the WLAN. Otherwise, the user is disassociated from the access point or bridge."
"This is configured by enabling the [026/009/001] cisco-av-pair option. On the ACS Server
- Enable and configure Cisco IOS/PIX RADIUS Attribute,
009\001 cisco-av-pair
- Example: ssid=LEAP_WEP"
I've tried this, but regardless of which SSID the user (group) has configured, it still can access all SSIDs.
Does anyone have any idea of what I'm doing wrong?
Does this setting only apply to access points, or is it also valid for the WLC 44xx series?
Greetings
Jarle
Hi, I'm sorry but this still does not help.
We have now upgraded ACS to version 4.0 and I'm still having the same problems.
This is what I have configured:
WLC:
- WLAN
- SSID : Public
- WLAN id = 3
- L2 Security : 802.1x
- Interface Name : GuestVLAN
- Controller - Interface
- management - Untagged
- GuestVLAN - VLAN 112
- Security
- RADIUS Servers
When authenticating a Guest (belonging to the proper group in ACS), the right VLAN is used, IP addresses from DHCP are received, and the Guest can access the internet.
Switch:
- Port connected to WLC uses Trunking.
- Guests are connected to VLAN 112 and "native VLAN" is used to connect the Private Users.
ACS:
- AAA Client is the WLC, Authenticating using Cisco Airespace
- Guest Users are members of Group 11
- Private Users are members of Group 1
Group 11
- Use Per Group NAR to only allow WLAN Access
- Cisco Airespace RADIUS Attributes
x 14179\001 - Aire-WLAN-ID = 3
- Cisco IOS / PIX RADIUS Attributes
x 009\001 Cisco-av-pair = "ssid=Public"
- IETF Radius Attributes
x 006 Service Type = Login
x 007 Framed-Prot = ppp
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-Type = 802.1x
x 081 Tunnel-Private-Group-ID = 112
Group (default Group)
- Cisco Airespace RADIUS
x 14179\001 Aire-WLAN-ID = 1
- Cisco IOS/PIX Radius Attrib
x 009\001 Cisco-av-pair = "ssid=Private"
- IETF RADIUS
x 008 Service-type = Login
x 064 Tunnel-Type = VLAN
x 065 Tunnel-Medium-Type = 802.1x
x 081 Tunnel-Private-Group-ID = 1
Do you have any idea of what I should change?
Greetings
Jarle -
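Both the dynamic-VLAN thread and Jarle's group attributes above rely on the three RFC 2868 tunnel attributes that carry a VLAN assignment: Tunnel-Type (64) with value VLAN (13), Tunnel-Medium-Type (65) with value IEEE-802 (6), and Tunnel-Private-Group-ID (81) holding either a VLAN number or a name that the AP maps with dot11 vlan-name. The following is an added example, not code from either thread, that builds those attributes as a RADIUS server would and parses them as a NAS does; the VLAN values are constructed for illustration.

```python
# RFC 2868 tunnel attribute numbers and the enumerations used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type value "IEEE-802"


def encode_tagged_int(attr, value, tag=0):
    """Tunnel-Type / Tunnel-Medium-Type: Type, Length, one-octet Tag and a
    three-octet integer value, six octets in total (RFC 2868 sections 3.1, 3.2)."""
    body = bytes([tag]) + value.to_bytes(3, "big")
    return bytes([attr, 2 + len(body)]) + body


def encode_tagged_string(attr, text, tag=0):
    """Tunnel-Private-Group-ID: Type, Length, Tag, String (RFC 2868 section 3.6)."""
    body = bytes([tag]) + text.encode("ascii")
    return bytes([attr, 2 + len(body)]) + body


def vlan_assignment(group_id, tag=0):
    """Attributes a RADIUS server returns to place a client in a VLAN. group_id
    may be a VLAN number ("112") or a name ("STUDENT") that the AP resolves
    with 'dot11 vlan-name', as described in the first thread."""
    return (encode_tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
            + encode_tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag)
            + encode_tagged_string(TUNNEL_PRIVATE_GROUP_ID, str(group_id), tag))


def decode_attributes(data):
    """Walk a RADIUS attribute list and return {type: (tag, value)} for the
    tunnel attributes. A first octet above 0x1F is not a tag but the start
    of the string (RFC 2868 section 3.6), so untagged replies decode too."""
    out = {}
    i = 0
    while i < len(data):
        attr, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute at offset %d" % i)
        body = data[i + 2:i + length]
        if attr in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE):
            out[attr] = (body[0], int.from_bytes(body[1:], "big"))
        elif attr == TUNNEL_PRIVATE_GROUP_ID:
            if body[0] > 0x1F:
                out[attr] = (None, body.decode("ascii"))
            else:
                out[attr] = (body[0], body[1:].decode("ascii"))
        i += length
    return out


def vlan_from_reply(data):
    """Return the VLAN id or name only when the reply also says Tunnel-Type=VLAN
    and Tunnel-Medium-Type=IEEE-802; a NAS ignores the group id otherwise."""
    attrs = decode_attributes(data)
    if attrs.get(TUNNEL_TYPE, (None, None))[1] != TUNNEL_TYPE_VLAN:
        return None
    if attrs.get(TUNNEL_MEDIUM_TYPE, (None, None))[1] != TUNNEL_MEDIUM_IEEE_802:
        return None
    return attrs.get(TUNNEL_PRIVATE_GROUP_ID, (None, None))[1]
```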
802.1x between Switch 3750 and ACS 4.2 authentication failed -- need help
I configured the Switch 3750 and ACS for 802.1x authentication.
When I used Windows as the 802.1x client, it prompted "click here to enter user name and password for the network" as normal.
The problem is that after I entered the username and password (I am sure I entered the identical username and password as in ACS) the authentication failed.
What is the most probable problem?
Thx in advance!!!
The configuration on the Sw3750 is:
aaa new-model
aaa authentication login default local
aaa authentication enable default line
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
interface GigabitEthernet1/0/18
description Link to test 802.1x
switchport access vlan 119
switchport mode access
dot1x pae authenticator
dot1x port-control auto
spanning-tree portfast
radius-server host 10.1.1.333 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key keepopen0
In the ACS:
Network Configuration -->aaa client ip address: 10.1.119.1(the vlan 119's ip address), shared secret: keepopen0
user setup -->real name:test1, password: test1.
Attached is the debug information.
What do you see in ACS failed attempts?
-
Incompatibility issue - WLC 5508 and ACS 5.4
Hi,
This is my scenario:
Cisco WLC 5508 firmware 7.4.110.20 and ACS 5.4, two WLANs with EAP-TLS; many clients can't connect to the WLAN and on ACS I receive the following error:
Authentication failed : 11051 RADIUS packet contains invalid state attribute
Workaround:
1 - Check the network device or AAA client for hardware problems.
2 - Known RADIUS compatibility issues.
3 - Check the network that connects the device to ACS for hardware problems.
Are there some incompatibility issues between WLC and ACS? The compatibility matrix document for wireless imposes the 7.5 firmware for WLC.
What do you think is possible?
Are there any other errors shown in the details of the failed authentication?
We may need to look at service logs in debug mode, opening a TAC case would be the best way to go about this.
Javier Henderson
Cisco Systems -
Using Active Directory and ACS for Concentrator 3000 VPN
Has anyone gone down the path of using Cisco ACS for network access control AND authenticating it with their W2K Active Directory for VPN 3000 concentrators? I did some research on Google, Cisco web, and this group, I did not find a definite answer on the best practice for the architecture and design, can anyone share your experience how you approached this?
Below is my understanding; I appreciate any help to piece some or all of the below together.
(1) The end state is once a VPN user is successfully authenticated, it is assigned to certain network access privilege based on its group's policy. How to accomplish this?
(2) AD stores a central user database for user authentication. Each user may belong to one or more groups on the AD; ACS is responsible for network access control for the specific groups and enforces these controls on the users via the concentrators.
(3) Concentrator is the NAS, and ACS is the RADIUS server
http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a00800949b4.shtml
(4) Concentrator can link to the AD as an external database: http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/4_1/gs/gs3mgr.htm
(5) A single "Tunnel Group" is created on the concentrator
(6) Multiple groups, per corporate infosec policies, are created on the AD
(7) Multiple groups, per corporate infosec policies, are also created on ACS; they need to match what is in the AD
TIA.
In order to restrict access for a specific AD group to a specific SSID, this is what you need to perform.
When the WLC sends an authentication request to the ACS, it will include the SSID that the user is connecting to, in the attribute Calling-Station-Id(31). We can use this information to create multiple rules in ACS 5.x in order to take actions based on the information contained in the attribute.
Under Users and Identity Stores > click on Directory Groups > select > check the group name you want to add and hit OK. Save the changes.
We just need to create a DNIS rule that includes the name of the SSID and use it as a condition in any rule that we create for authentication. The * is required because the attribute not only contains the SSID but also a MAC address, so the * is used as a regular expression.
Now go to access-policies > default-network access > identity should be AD1.
Go to authorization > click on customize > move the AD1:ExternalGroups and end-station filter attributes to the right side and hit OK.
After that, select the appropriate AD group for teachers and the end-station filter.
Save changes.
Jatin Katyal
- Do rate helpful posts - -
How to create guest access in wireless by WISM and WCS and ACS?
Dear sir,
I need to know the steps of how we can make guest access to our network, like hotels, by using our WiSM v7.0.220, Wireless Control System and ACS.
You need to define your requirements a little bit. The WLC can do WebAuth and an employee can access either the WLC or WCS to put in the username and password credentials, but you would need to figure out what's best for you.
Here is a support doc that you can reference.
https://supportforums.cisco.com/docs/DOC-13954
Sent from Cisco Technical Support iPhone App -
Hi,
Can you please let me know what MM and PM integration is?
Thanks
Hi,
The integration aspects of MM-PM are:
1) For non-stock materials requirements, a purchase requisition can be created from the plant maintenance order. The PR is converted to a purchase order. Whenever goods receipt is done, the cost is directly booked to the plant maintenance order.
2) For stock materials requirements, a reservation can be created from the plant maintenance order and the material can be issued to the order against the reservation.
3) Like materials, for services also PRs can be created from the plant maintenance order.
Another integration is BOM - Bill Of Material.
With an Equipment BOM, you can create a list of material through which the equipment is created, or in other words you can mention the spares that you may require during the maintenance of the equipment.
Regards,
Vikas -
Prime Infrastructure 1.1 LMS and NCS installation.
Dear all
I have purchased the products mentioned below. Now my question is:
A> (1) Prime, (2) LMS 4.2, (3) NCS 1.1: are they different software and do they have to be installed separately?
B> Or is Prime the only virtual (.ova) software, where LMS and NCS work as features?
C> Please help me with the download link and installation guide.
CISCO
R-PI-1.1-K9
Cisco Prime Infrastructure 1.1
CISCO
R-PI-1.1-100-K9
Prime Infrastructure 1.1 Software - 100 Device Base Lic
CISCO
L-PILMS42-100
Prime Infrastructure LMS 4.2 - 100 Device Base Lic
CISCO
L-PINCS11-100
Prime Infrastructure NCS 1.1 - 100 Device Base Lic
CISCO
L-PINCSW11-100
Prime Infrastructure NCS WAN 1.1 - 100 Device Base Lic
With Regards
Tanmay
[email protected]
Some of the similar discussion happened here, which would be helpful.
To answer your questions:
A.> Yes, all three of them are separate software.
LMS :--> Ciscoworks Prime LMS is about to be end-of-life software which will phase out in favour of its successor Cisco Prime Infrastructure. This Software was the key application from Cisco to help manage the entire Wired Infrastructure for cisco devices, like Routers, switches, VPN, FW's, etc.
NCS:--> Wireless Control System (WCS) was the LMS equivalent software to manage Cisco's wireless infrastructure. It evolved as a new Generation Network Control System (NCS).
Cisco Prime Infrastructure :--> Cisco felt market demand to have a unified experience to manage both Wired and Wireless Infrastructure, hence Cisco Prime Infrastructure was introduced, which is NCS+LMS. Not all features of LMS are migrated, hence customers are allowed to use the latest LMS version 4.2.x for wired network devices, if required.
B.> Prime is now provided with a baked-in Linux kernel to remove the dependency on a Windows or Unix (Solaris) OS, hence it is only available as an OVA deployment image to be used in a virtualized environment and can take benefit of virtualized infrastructure.
Following are the download links:
Download LMS 4.2 here
Download PI 2.1 here
-Thanks
Vinod
**Encourage Contributors. RATE Them.** -
Communicating with LMS and System Users
Thanks in advance for your help. I am looking for a solution and wondering if my request is even possible. Our training module needs to be able to communicate with our clients LMS and determine whether a user has taken our course previously or not. This functionality should guide the user to a specific path depending on their history. Is this even possible!? if so PLEASE HELP! Thanks again in advance!
Hines,
If you manage to get the LMS to send this information in the form of a URL variable (e.g. www.mycourse.com?userName=Fred&doneCourseBefore=1) then there are ways to get that information from the URL via JavaScript and then ActionScript into the course.
I think Jim Lechlitner wrote a post on something similar a while back on these forums. He's the JavaScript guru around here. I couldn't find the exact post, but here's one that should get you some useful info about using JS with Captivate: http://forums.adobe.com/message/3645857#3645857 -
Hi,
I would like your help in the following scenario, we currently have a setup of CAS CAM, LDAP, WISM and ACS,
The main point I'm focusing on is the ACS and WISM.
Users are to obtain wireless access using a single SSID, and upon validation of credentials, they should gain access to one of 3 vlans, guest, data and voice, the use of separate SSID per vlan was highly discouraged by customer.
Would appreciate your advice on the best feasible way to implement this.
Regards,
Hi,
You can have single SSID in your setup. You need to set up feature called Dynamic VLAN Assignment.
Check out this link,
http://www.cisco.com/en/US/partner/tech/tk722/tk809/technologies_configuration_example09186a008076317c.shtml
Regards,
~JG
Please rate if that helps ! -
Still struggling with Captivate 6, Oracle LMS and SCORM 2004
Still can't get this course tracking with scores. Herewith the screen shot. Does anyone know if the settings I have chosen for the quiz are correct. When I load the published course into the lms and test it, it shows "not attempted" prior to opening it and it gives the final score on the last quiz slide. There is a slide after the last quiz slide. It still seems not to transfer the scores to the lms. I recently found out that we have Scorm 2004 version 4, so I changed the configuration setting as it was defaulted to version 3, but that still hasn't helped with the scores. Under the start and end settings, I have chosen close project for the end. I have been through a week of torture with this course! Please can anyone assist as I'm not sure what to do anymore!
Oh no. Now I'm panicking! I will try it. Thanks
Mrs T Cassisa
Oracle Learning Management Practitioner
Tel: 27 (21) 403 3069
Fax: 27 (21) 403 3333
www.parliament.gov.za
>>> RodWard <[email protected]> 2/26/2014 11:20 AM >>>
Re: Still struggling with Captivate 6, Oracle LMS and SCORM 2004
created by RodWard in Quizzing/LMS
This sounds like you have some major issue in this course project file.
Breaking it up into smaller files might not fix your issue.
I suggest you create a new blank CPTX project file, add one true/false quiz question, set it to report to LMS with the settings you have above, publish as a single SCO package zip file, and upload to both your LMS and SCORM cloud.
If this file doesn't even work, your installation of Captivate would have to be suspect and nothing you do in course module is going to fix that until you work out what the problem is. If this very simple single-SCO lesson plays OK and reports successfully to the LMS, then we need to figure out what is lacking in your current file.
It could be that your current file has somehow become corrupted. See the suggestions here for how to debug general corruption issues:
http://www.infosemantics.com.au/adobe-captivate-troubleshooting/basic-troubleshooting-techniques
-
Hi guys
Can anyone send me any good links that provide SAP LMS documentation and e-learning modules? If you have any good material on the same, please send it to [email protected]
What are the future prospects for LMS and e-learning?
regards
M A
Hi Shakir!
please go through this documentation:
http://help.sap.com/erp2005_ehp_01/helpdata/de/30/e63a3c24b4a00ae10000000a11402f/frameset.htm
The future prospects are that the LMS will be evaluated so far that it can deal with the highest technology from the content provider side.
E-learning plays an even bigger role within huge organisations.
If you would like to know more, please send me direct questions.
Have a very nice day, and I hope I was able to direct you the right way!
Best regards,
Zsolt -
1100 AP and ACS 3.1 with LEAP
Anyone been able to get this to work? I saw the link on how to configure LEAP with the 352 AP and ACS but don't see anything for the 1100. Been following the documentation for the 1100 and ACS and still no joy.
1120 AP latest Firmware
ACS 3.1 win2k
Client ACU latest software
To configure LEAP on the AP1100, you need to enable WEP and enable EAP and Open authentication. Here is the link which explains what you need to configure on the AP and on the client based on the security feature.
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/ap11icg/ivicgaut.htm#xtocid4
On top of that link, it explains what to configure on AP1100 too.
For other config on AP1100, visit
http://www.cisco.com/univercd/cc/td/doc/product/wireless/airo1100/accsspts/ap11icg/index.htm