LMS 2.6-"hidden" devices

js88888888
Level 1

When trying to verify what devices aren't in LMS, I've found that DCR will tell me a device already exists if I try to add it. It's apparently in LMS 'somewhere' but doesn't show up anywhere in DCR when I drill down through all groups. If I search DCR or Device Manager by name or IP, it's empty. However, I may be lucky to find that it's listed in the 'Devices that need to be added to ACS' report. What alternate method am I missing that will show me these devices?

thanks!

17 Replies

Joe Clarke
Cisco Employee

Since you are integrated with ACS, you need to make sure that device's IP address and/or hostname is known to ACS. If you look at the Devices not in ACS report, you'll see the IP address and hostname of the device. Add the device as an ACS client using those values (or adjust an existing client's IP address range accordingly), then restart ACS, and log out and back into LMS.

Cool, well that fixed a problem for a few of my devices. I do have several (all) MSFC modules that are still showing up as "not in ACS" even though I've verified they are. The credential test checks out and I can access the device using the same creds as what CW is set up to use. The only thing that may be different is these devices do have many IPs associated with them in ACS since they act as gateways to multiple networks. Not sure if that's an issue or not but they are all the same model. But they are, in fact, on the same ACS server.

Exactly how do they appear in the Not in ACS report, and how are they configured as clients of ACS?

The display name on left column is the IP address. The attributes list the IP Address as the actual DNS/host name and the Host Name = the IP address.

Yes, I've fully checked that these are all ACS clients. But you do raise an interesting point as these devices were the only ones that reverse the IP and Host Name data on the Attributes column.... not sure why.

Since the device shows up by IP address, and that IP address is a TACACS+ client in ACS (or that IP address is in a range of client addresses), then everything should work. Of course, this assumes you are not using NDGs in ACS. If you are using NDGs, then your System Identity User as well as the current logged-in user need to have access to the NDG which contains this device.

Following up on that, if you do see a device "not in ACS" in the report, how do you go about just deleting it entirely? Say, I put in a device that was never in ACS but is now retired and want to remove its existence in CW.

You can either temporarily break ACS integration to delete the device, or add a bogus record to ACS, delete the device, then delete the ACS entry.

You might also be able to delete the device using dcrcli, but I do not have an LMS/ACS setup at the moment, so I cannot test.

Thanks. I can't break ACS integration but if you find any more info using the DCRCLI please let me know.

You can try this:

dcrcli -u admin cmd=lsids all

If you see the hidden device there, try:

dcrcli -u admin cmd=del id=ID

Where ID is the ID you see in the lsids command.

Thanks, I found and deleted two of the four devices. Any idea where I could find the other two?

If they are not being shown via dcrcli, then the only way would be to break the ACS integration. If they are still not showing up, this may point to a corrupt CMF database.

Going back to this Jclarke. I'm accumulating more and more in the "not in ACS" report that don't show up in DCRCLI and am getting into some secondary issues with aliasing in DFM on devices I can't delete in CS.

Short of rebuilding a new CW install, what would you recommend I do to clean these devices up? thanks

Follow my previous instructions. You either need to add the devices showing up in this report to the ACS server to which LMS is integrated, or temporarily break ACS integration, remove the devices from DCR, then set up filters so that they do not get re-added. Once DCR is to your liking, you can then re-enable ACS integration.
