
LMS 2.6: not authorized to "/loginModule"

yjdabear
VIP Alumni

There have been erratic problems with the Cisco Secure ACS box refusing/rejecting logon attempts. Currently, my LMS 2.6 is configured in TACACS+ fallback mode, which means it now takes a long time to log [local] users on. In addition, the LMS "admin" gets the following error when trying to access the "AAA Mode Setup" screen (because I'd like to switch the auth mode to "local" temporarily), which strangely is only found on the Common Services homepage but doesn't show up under Common Services > Server > Security > TOC as online Help indicates:

You are not authorized to request the Action associated with screenID: "/loginModule".

So my questions are:

1) Is the above error encountered by LMS "admin" related to the TACACS issue? I'm assuming there's an "admin" user defined on ACS as well. Does it make a difference if there's no "admin" user on ACS?

2) Why is the LMS "admin" user not seeing "AAA Mode Setup" under Common Services > Server > Security > TOC?

3 Replies

Joe Clarke
Cisco Employee

1. The error may be related to fallback problems. You do not need an admin user in ACS. In fact, when in ACS mode it is recommended to create another admin-equivalent user, and not log in as "admin" to CiscoWorks.

2. This almost certainly has to do with the role assigned to the current "admin" user. If you want an easy way to temporarily restore local login, just run the NMSROOT\bin\resetLoginModule.pl command.

Just to clarify, LMS is not fully AAA-integrated with ACS, just using the latter for authentication (non-ACS, TACACS fallback mode). That's why I'm puzzled by the oddities exhibited when ACS goes snafu.

I would agree with that, then. The roles should be the local roles, and you as admin should have access to everything. In any event, the same script will reset your login module back to local.