Re-register ACS when upgrading from LMS2.6 to LMS3

Unanswered Question

We're doing a new install of LMS3 while we run LMS2.6 in parallel. We're ACS integrated on ver 2.6 and have quite a few customized groups configured in ACS. When I switch my LMS3 install to ACS, do I need to reregister with ACS? I'd hate to recreate all those customized groups if I don't have to.

Also, will this have any impact on my 2.6 install? I wouldn't think so, but if anyone can confirm, that'd be great.

TIA

Joe Clarke Tue, 03/25/2008 - 11:02

You will need to re-register LMS with ACS after upgrading to LMS 3.0. There are quite a few new tasks (and a new role) that need to be added to ACS. This will remove your current customized roles, but one role, the Super Admin role, is now built into LMS 3.0, and will not need to be recreated. Other custom roles will need to be recreated.

Joe Clarke Tue, 03/25/2008 - 11:25

I'm not certain if this is supported. I don't deal with the support of ACS beyond what is required for LMS. You might try asking on one of the security forums. That said, all of our NMS ACS servers (in our lab) are run on the physical machine.

Joe Clarke Tue, 03/25/2008 - 13:41

If they are replicating, then you only need to register applications with one server, and that will replicate to the others. Then you can add the other two servers to LMS (but don't register applications).

If they are not replicating, then you will need to register applications with all servers, so it's best to add them all at the same time.

Thanks for your help so far. I opened a TAC case (608264265) because when I attempt to register I get the following:

Primary ACS Verification Status (acs1)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Secondary ACS Verification Status (acs2)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Tertiary ACS Verification Status ( acs3 )

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Configured

Secret Key Verification : Success

System Identity User : Not configured properly for - (cwhp,cwportal,CiscoView,rme,CM,dfm)

ACS 1 and 2 are both running on VMWare ESX 3.5 servers

ACS 3 is on real hardware

ACS1 replicates down to 2 & 3 but not vice versa.

When we were on an older version of ESX we had problems running jobs so we moved our current LMS 2.6 install to ACS3. However, ACS 1 and 2 both have the CW information registered.

Any thoughts as to what the problem could be? Are there still issues with CW and ACS while ACS is running on VMWare ESX?

Thanks again,

Simon

Joe Clarke Thu, 03/27/2008 - 12:35

As I said before, I do not know if ACS is supported on VMWare. You need to either check on one of the security forums, or have your SR requeued to the ACS team to find out. If ACS is supported on VMWare, you should follow the instructions in the following thread to make sure LMS can properly register with ACS. That said, if ACS1 replicates to ACS2 and ACS3, you should only do the registration to ACS1 initially. Once the applications are registered and replicated, then add ACS2 and ACS3 to LMS.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00950
