Modify ACS Network devices

May 11th, 2007

We have an ACS box with all network devices configured to use TACACS for authentication.

If the switches and routers are configured to point to the ACS device, can you delete the existing devices and add them with a different name with no issues?

As long as the device is configured to point to ACS and there is an account for it, it should use TACACS correct?

My thinking is I don't want to lose access to the device if it is remote and I cannot get to it right away.

Joe Clarke Fri, 05/11/2007 - 13:30

I'm not sure I understand your last sentence as it relates to your question, but you are correct. As long as the device is a client of the ACS server, and the device is properly configured to use that ACS server, authentication and authorization will work. If you change the client entry for the device in ACS, make sure you retain the same secret key.
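
For reference, an added example (not from this thread or from Cisco's documentation) of the device side of what is described above: a minimal IOS TACACS+ client configuration that points a router at the ACS server and keeps a local fallback so a remote box is not locked out while its client entry in ACS is being deleted and re-added. The server address, shared secret, usernames and interface name are placeholders and are assumptions, not values from the original post.

```cisco
! Added example; addresses, key and account names are placeholders.
aaa new-model
!
! Local account used ONLY when no TACACS+ server answers
username emergency privilege 15 secret <strong-local-password>
!
! The ACS server. This key must match the secret key on the ACS
! client entry for this device; re-adding the device in ACS under a
! new name is harmless as long as the key (and client IP) stay the same.
tacacs-server host 192.0.2.10 key <shared-secret>
tacacs-server timeout 5
!
! Try TACACS+ first and fall back to the local database only when the
! server group does not respond. A reject from ACS is still a reject;
! the fallback covers an unreachable or misconfigured ACS, not a bad login.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
!
! Source TACACS+ packets from the address ACS has as this client's IP,
! otherwise ACS will not match the device to its client entry.
ip tacacs source-interface Loopback0
!
line vty 0 4
 login authentication default
```

A practical check before touching the ACS entry on a remote device: keep one existing session to the device open, make the change in ACS (Submit+Restart), then from a second session run `test aaa group tacacs+ <user> <password> legacy` and `show tacacs` on the router, and only log out of the first session once the test reports a successful authentication. `debug tacacs` will show whether ACS is rejecting the request (usually a key or client-IP mismatch) or simply not answering.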

wilson_1234_2 Fri, 05/11/2007 - 13:32

Do I have to stop and restart the service for the changes to be implemented?

Joe Clarke Fri, 05/11/2007 - 13:34

Yes, you will have to click the Submit+Restart button when making your changes. If you're making a few changes at once, just click Submit, then Submit+Restart when you make the last change.

wilson_1234_2 Fri, 05/11/2007 - 15:05

You gave me before the procedure written by TAC on how to set up the ACS to LMS integration.

It shows that the local and multiple server admin user should be the same.

In my case they are different; if I create a new user account with admin privileges and give both accounts that user, is there any danger that I could break the applications?

Joe Clarke Fri, 05/11/2007 - 15:17

As long as the ACS admin user specified in LMS has FULL admin privileges in ACS, then you're fine in terms of integration.

If you are asking about a CiscoWorks admin user that is different from the admin user in ACS, that is fine as well. The keys to remember that are vital for ACS integration to work are that the ACS admin user you specify in LMS must have full administrative rights to ACS, and the CiscoWorks System Identity User must exist in ACS and have full CiscoWorks rights for all applications.

As long as those two things are good, then the users you create in ACS for use in CiscoWorks should be fine.

wilson_1234_2 Fri, 05/11/2007 - 15:35

The admin users I was talking about are the Local admin and the multi server admin, both in Cisco works, what about those two?

Also, where do I verify what you are talking about, as far as the admin user in ACS having full CiscoWorks rights, and the CiscoWorks admin user having full admin rights to ACS?

Joe Clarke Fri, 05/11/2007 - 15:41

The multi-server user is the same as the System Identity User. This can be different from the actual admin user that a person would use to login to CiscoWorks. The key is that both of these users need to have full CiscoWorks rights in ACS. This is done by creating a custom role under Shared Profile Components in ACS. This is documented in that write-up I pointed you to. Basically, you want a role that gives all access (i.e. all boxes checked) to every component in each of the LMS applications.

Then, assign that role to the group (or groups) that will contain your admin user and your System Identity User. Be sure to assign that role for all LMS applications.

To verify the ACS admin user that you specified in LMS has full ACS rights, go to Administration Control in ACS, and click on that username. In the screen that follows, EVERY box must be checked. If so, then that user is a full ACS admin user.

wilson_1234_2 Fri, 05/11/2007 - 16:39

Hey dude,

The tacacs server is denying all authentication requests and the csauth service is stuck in the "stopping" mode.

What can I do?
