CiscoWorks with ACS - Different behavior b/w Campus Manager & Cisco View

Aug 9th, 2007

Hi,

The setup is as follows

Campus Manager = 4.0.8

Cisco View = 6.1.5

ACS Appliance = 4.0.1 (44)

In ACS there is a User Group defined as "Group A", which has privileges on "per NDG" basis.

NDG1 contains "Ciscoworks Servers, Master\Slave"

NDG2 contains "specific set of devices".

Privileges are as below

"CiscoWorks"

1. NDG1 --> View, View Devices

2. NDG2 --> View, View Devices

"CiscoView"

1. NDG2 --> Read-Only

"Campus Manager"

1. NDG1, NDG2 --> Launch Topology Services, UT View, Port Attributes, VLAN Report

Cisco View works exactly as expected, and the User is only able to View (even List) the devices contained in NDG2.

However in Campus Manager, the User is able to

A. Launch the topology services window (as expected)

B. But he can View ALL the devices from the DCR and can view Topology maps etc.?

Why is he Not being limited to viewing devices\topology maps etc. for ONLY the devices in NDG2 (as was the case with Cisco View)?

Thanks,

Naman

Joe Clarke Thu, 08/09/2007 - 07:53

This sounds like a bug. The user should be limited to only the matched devices based on their NDG membership. You should open a TAC service request so more analysis can be done.

Before that, though, double-check that you have the correct radio button checked to enforce NDG usage for the Campus Manager application (i.e. you're not accidentally allowing access to all devices). You might also try restarting ACS and dmgtd to see if that causes the two to properly synchronize.

mnlatif Thu, 08/09/2007 - 10:59

Thanks.

Radio button is selected correctly "Assign a Ciscoworks Campus Manager on a per Network Device Group Basis".

Re-starting the services didn't help, so I will go ahead and open a TAC Case.

Thanks,

Naman

mnlatif Tue, 08/14/2007 - 12:31

Apparently this is a design limitation as per Cisco TAC.

+++++ From TAC ++++++

I have tested the Campus Manager and confirmed with the developer on this. It is the right behavior that the ACS can only control the Device Selector screen when we are in NDG. Since the Topology Services section is part of the Java GUI, it currently has no way to be controlled by ACS yet.

Let me know if you have any further questions.

Regards,

+++++++++++++++++++

Joe Clarke Tue, 08/14/2007 - 12:40

What is your service request number? There needs to be a bug associated with this.

frankzehrer Tue, 08/14/2007 - 22:43

Hi Joe,

I had a similar issue months ago.

I wanted to set up different NDGs for different user groups (SR 603890723). Everything worked fine except the Campus Manager Topology View.

I guess the main problem is the App itself.

Read the answer from the developers:

This is what DE's said regarding the restriction of access to devices in topology view:

It is not possible to restrict the topology view on a per user basis because the purpose of topology view itself is for viewing the entire set of devices that we are managing. Hence only the tasks that can be performed with the devices could be restricted and not the display of the device.

The reason why the display of the devices itself cannot be restricted is that if each user has the permission to view only a set of devices it is difficult to draw the map if in case these devices are not in sequence. It could be shown only as disconnected devices for that user.

I concluded that e.g. the Topology View is not able to show only a subset of devices.

It would be nice if this turns into a bug and gets solved some day.

;-)

Best regards,

Frank

P.S. Your work for this forum is highly appreciated and gave me often the right hint!

Joe Clarke Wed, 08/15/2007 - 08:35

This is a bug as it violates the security implied by ACS integration and NDGs. Yes, drawing a topology map from an incomplete set of network devices MAY be messy, but we already offer that capability using OGS groups which may be arbitrary groupings of devices. Additionally, some networks may be so logically organized that all devices within an NDG are properly connected, and thus Campus can operate just fine.

As for limiting tasks based on NDG assignment, this is also broken. While most tasks are prohibited on unauthorized devices, the Device Attributes task works on all devices. This can reveal too much about a device to a particular user, and violates the principles of least privilege and privilege segregation.

frankzehrer Wed, 08/15/2007 - 22:10

Hi Joe,

many thanks for this clear wording!

But as you could read, the TAC - or better the DEs - had a different opinion on this issue.

That's the reason why some of my customers are screwed up about the LMS. They argued that several other tools are able to fulfill this task with a RADIUS and Cisco is not able to manage this with a CISCO NMS and Cisco ACS!

Is there a BUG ID available? Does it help to raise a TAC SR again?

Best regards,

Frank

Joe Clarke Thu, 08/16/2007 - 21:51

I have filed CSCsk11553 to track this issue. I feel it is important enough to fix due to its security implications.
