CiscoWorks LMS and ACS

Mar 6th, 2008

What does "Devices not configured in ACS" actually mean?

The explanation in the CS User Guide says:

"Number of devices not configured in ACS

Displays the number of devices that are added in DCR but not authorized in the ACS Server.

This field appears only when you have configured your CiscoWorks Server on ACS mode."

Strangely enough this doesn't seem to help me very much.

I haven't specifically configured any routers and switches in ACS. Rather just configured an NDG that covers all our IP Ranges.

Devices that are listed as not authorised in ACS are within this NDG, so why are they listed as this?


Joe Clarke Thu, 03/06/2008 - 08:29
User Badges: Cisco Employee, Hall of Fame, Founding Member

Devices not in ACS lists devices whose IP addresses or hostnames within LMS DCR are not covered by ranges or explicitly listed devices known to ACS.


So, if you've created NDG ranges to cover all devices, but you still see devices in the DCR report, then those devices must be added to DCR by different IPs, or they are added only by hostname. In the latter case, you must explicitly add each hostname to ACS.
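The coverage rule described in the reply above, modelled as an added example (not part of the thread, and not LMS or ACS code): a DCR entry counts as known to ACS only if its DCR address falls inside a range or its hostname is listed explicitly. CIDR notation for the ranges, the function name and all sample devices are assumptions made for this illustration.

```python
import ipaddress


def classify_dcr_entries(dcr_entries, acs_ranges, acs_explicit_names):
    """Split DCR entries into those ACS would know about and those it would not.

    dcr_entries: dicts with 'name' and 'ip' (ip is None when the device was
                 added to DCR by hostname only).
    acs_ranges: CIDR strings standing in for the NDG address ranges
                (CIDR is this example's notation, an assumption).
    acs_explicit_names: hostnames entered one by one in ACS.
    """
    networks = [ipaddress.ip_network(r) for r in acs_ranges]
    explicit = set(acs_explicit_names)
    covered, uncovered = [], []
    for entry in dcr_entries:
        name, ip = entry["name"], entry.get("ip")
        if name in explicit:
            covered.append((name, "explicit hostname entry"))
        elif ip is not None and any(ipaddress.ip_address(ip) in n for n in networks):
            covered.append((name, "IP inside range"))
        elif ip is None:
            # A hostname-only entry cannot match a range, even if a hosts
            # file would resolve it to an address inside that range.
            uncovered.append((name, "hostname only, no explicit entry"))
        else:
            uncovered.append((name, "IP outside every range"))
    return covered, uncovered


# Constructed inventory: names and addresses are made up for illustration.
SAMPLE_DCR = [
    {"name": "core-sw-01", "ip": "10.1.1.1"},
    {"name": "edge-rtr-07", "ip": None},
    {"name": "edge-rtr-08", "ip": None},
    {"name": "dmz-fw-02", "ip": "192.0.2.10"},
]
SAMPLE_RANGES = ["10.0.0.0/8"]
SAMPLE_EXPLICIT = ["edge-rtr-08"]

if __name__ == "__main__":
    covered, uncovered = classify_dcr_entries(SAMPLE_DCR, SAMPLE_RANGES, SAMPLE_EXPLICIT)
    for name, reason in covered:
        print(f"covered    {name}: {reason}")
    for name, reason in uncovered:
        print(f"uncovered  {name}: {reason}")
```
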

chrisayres Fri, 03/07/2008 - 05:29

I have taken the inventory from my old cw2000 (which specifies our devices by host name and resolves against a host file) and I have imported this into LMS.

All I want ACS to do is manage user access to LMS and control the level of access that specific users get.

So are you saying that to do this I need to put 2000+ device names into ACS?

Joe Clarke Fri, 03/07/2008 - 08:03

If DCR only has the hostnames, then yes, you need to add one entry for every hostname into ACS. You can automate this using the dcrcli expAcs function. This will export all devices from LMS into ACS based on some configurable parameters. This command is documented in the LMS online help.

chrisayres Mon, 03/10/2008 - 07:19

Hi,

I re-enabled ACS mode on my LMS and did as you suggested; the result is below.



**********************************************************
***************** EXPORT DEVICE COMPLETED **************
**********************************************************
* Number of Exported Devices = 14
* Number of Duplicate Devices = 1139
* Number of Error Devices = 0
**********************************************************
Refer d:\PROGRA~1\CSCOpx\log\dcrimpexp.log for more details.


Example entry from log file

Mon Mar 10 09:56:24 GMT 2008 ] INFO [DCRImpExpLogger : info] : DCRACSEngine Device PORCSC_GBE3_68 is NOT exported to ACS. ERROR:0x0101:Device Already exists


The 14 devices that were exported were ones which were not included in the address range specified in the NDG.

The 1139 that failed were devices that are in the address range in the NDG (10.x.x.x).

LMS is showing "Devices not configured in ACS 1153"

So if they were not exported because they already existed in ACS (i.e. are covered by the range 10.x.x.x), why does LMS say they are not configured in ACS?

Joe Clarke Mon, 03/10/2008 - 09:20

There must be something else wrong with your ACS configuration (or a bug somewhere). First, check to make sure the LMS System Identity User is properly defined in ACS, and has all rights to all LMS tasks. Depending on the version of LMS, you may have to create custom roles to accomplish this. Next, check to make sure the user that is logging into LMS has access not only to the set of devices, but also to the LMS server itself (if you are using NDGs).


If that checks out, the next set of troubleshooting steps are not very straight-forward, so it would be best to open a TAC service request, and have them walk you through it.
