Re-register ACS when upgrading from LMS2.6 to LMS3

simon.bell
Level 1

We're doing a new install of LMS3 while we run LMS2.6 in parallel. We're ACS integrated on ver 2.6 and have quite a few customized groups configured in ACS. When I switch my LMS3 install to ACS, do I need to reregister with ACS? I'd hate to recreate all those customized groups if I don't have to.

Also, will this have any impact on my 2.6 install? I wouldn't think so, but if anyone can confirm, that'd be great.

TIA

9 Replies

Joe Clarke
Cisco Employee

You will need to re-register LMS with ACS after upgrading to LMS 3.0. There are quite a few new tasks (and a new role) that need to be added to ACS. This will remove your current customized roles, but one role, the Super Admin role, is now built into LMS 3.0, and will not need to be recreated. Other custom roles will need to be recreated.

Thanks for the prompt reply. Are there still issues with ACS servers running on VMWare boxes?

I'm not certain if this is supported. I don't deal with the support of ACS beyond what is required for LMS. You might try asking on one of the security forums. That said, all of our NMS ACS servers (in our lab) are run on the physical machine.

Thanks again. One last question if you don't mind. We have 3 ACS servers, I'm assuming I should put all three in so CW will properly register with each one, is that correct? Should I do them individually, or all @ once?

sb

If they are replicating, then you only need to register applications with one server, and that will replicate to the others. Then you can add the other two servers to LMS (but don't register applications).

If they are not replicating, then you will need to register applications with all servers, so it's best to add them all at the same time.

Do you know if there are any compatibility issues with having both versions of LMS integrated on the same ACS servers? I.e., after registering LMS3 applications in ACS, will there be any issues with the same ACS server handling AAA for LMS2.6?

No, both servers can share the same ACS.

Thanks for your help so far. I opened a TAC case (608264265) because when I attempt to register I get the following:

Primary ACS Verification Status (acs1)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Secondary ACS Verification Status (acs2)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Tertiary ACS Verification Status ( acs3 )

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Configured

Secret Key Verification : Success

System Identity User : Not configured properly for - (cwhp,cwportal,CiscoView,rme,CM,dfm)

ACS 1 and 2 are both running on VMWare ESX 3.5 servers

ACS 3 is on real hardware

ACS1 replicates down to 2 & 3 but not vice versa.

When we were on an older version of ESX we had problems running jobs so we moved our current LMS 2.6 install to ACS3. However, ACS 1 and 2 both have the CW information registered.

Any thoughts as to what the problem could be? Are there still issues with CW and ACS while ACS is running on VMWare ESX?

Thanks again,

Simon

As I said before, I do not know if ACS is supported on VMWare. You need to either check on one of the security forums, or have your SR requeued to the ACS team to find out. If ACS is supported on VMWare, you should follow the instructions in the following thread to make sure LMS can properly register with ACS. That said, if ACS1 replicates to ACS2 and ACS3, you should only do the registration to ACS1 initially. Once the applications are registered and replicated, then add ACS2 and ACS3 to LMS.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00950
