LMS 2.6 / ACS 4.1.4 Integration Question

Answered Question
Apr 11th, 2008

Hi,

We have an existing implementation of Cisco Secure ACS 4.1.4 providing AAA functions for all our network devices.

ACS is using RSA SecurID for authentication.

With ACS we use command authorisation sets to define what IOS commands different engineering roles can perform, roughly as follows:

NMC Engineer - Can reconfigure interfaces but nothing else

Field Engineer - Can configure most elements but some security elements (e.g. AAA commands) disabled so they can't remove device from ACS authentication

Implementation Engineers - Full rights to all commands

We are implementing LMS 2.6 and want to maintain these same roles.

We have setup LMS 2.6 and integrated with ACS as per the instructions within the user guides/this forum etc.

We have imported the devices from ACS into DCR using BulkImport facility.

Within DCR we have set device telnet/ssh credentials with an account "cwadmin" and setup this user in ACS and given it full permissions to IOS commands.

The problem is that when an NMC engineer logs into LMS (authenticated from ACS) and uses the ConfigEditor it allows him/her to make changes to the whole config because LMS uses the "cwadmin" user which has full rights to IOS.

How can I configure LMS so that when an NMC engineer submits a job in ConfigEditor LMS checks ACS for the rights of the LOGGED ON USER as opposed to just using the rights of the "cwadmin" account configured in DCR?

Thanks

Michael

PS - Is there a way to import all the NDG from ACS into LMS?

Joe Clarke Fri, 04/11/2008 - 14:42

The only way to do this is to remove the per-device credentials from DCR, and enable the use of Job-Based Passwords. JBP requires that the user scheduling the job enter his/her credentials at the time the job is scheduled. JBP are available for Netconfig and Config Editor as well as Archive Mgmt deployment options. You can enable them under RME > Admin > Config Mgmt > Config Job Policies.

I'm not sure I understand your PS. LMS doesn't care about NDGs, only devices. You can import devices from ACS into LMS by going to Common Services > Device and Credentials > Device Management > Bulk Import. One of the options will be Remote NMS. If you click that radio button ACS will be one of the NMS Types.

Mike Bailey Sat, 04/12/2008 - 00:06

Thanks,

I thought as much, the problem with Job-Based passwords is that we have Cisco Secure ACS authenticating via RSA SecurID.

RSA SecurID is a "one time password" (e.g. code displayed on the fob at that time) and therefore cannot be used for scheduling a job.

As for the PS, again you've confirmed my thoughts. I was thinking about being able to pull the NDGs from ACS as user-defined groups for organising the devices within LMS for ease.

e.g. we have an NDG per region and I'd like to set up user-defined groups for each region, so it's easy to find the device you want to manage.

Many thanks for the responses.

Correct Answer
Joe Clarke Sat, 04/12/2008 - 08:36

If you have a unique user that is only used by CiscoWorks, then auditing becomes a little easier. When you see that the CiscoWorks user made a config change, you can go to RME's change audit report, and find out exactly what was changed, and by whom.

There is no way to tie NDGs to LMS OGS groups. You would need to recreate the OGS groups with either dynamic membership rules, or static device lists.
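The core problem in this thread is that the shared "cwadmin" credential collapses every LMS user onto one ACS command authorization set, so the per-role restrictions (NMC, Field, Implementation) no longer apply to changes pushed through ConfigEditor. Until JBP or a dedicated LMS account is in place, the auditing approach Joe describes can be scripted: correlate commands recorded under the shared account with the LMS job that pushed them, then re-evaluate each command against the job owner's own role. The script below is an added example written for this thread, not code from LMS, ACS or either poster; the accounting and job-audit line formats, the role names and the command-set rules are all constructed assumptions, and the data is constructed sample input.

```python
"""Attribute shared-account device changes back to the LMS user who scheduled them
and flag commands that user's own ACS command set would have denied.

Added example for this thread; the log formats, role table and sample data are
constructed assumptions, not LMS/ACS output.
"""
import re
from datetime import datetime

# Constructed command authorization sets modelled on the roles in the thread.
# Entries are (action, regex), evaluated first-match-wins like an ACS command
# set; a command matching nothing is denied.
ROLE_COMMAND_SETS = {
    "NMC Engineer": [
        ("permit", r"^interface\b"),
        ("permit", r"^(no )?(shutdown|description)\b"),
        ("permit", r"^(no )?ip address\b"),
        ("deny", r".*"),
    ],
    "Field Engineer": [
        ("deny", r"^(no )?(aaa|tacacs-server|radius-server)\b"),
        ("permit", r".*"),
    ],
    "Implementation Engineer": [
        ("permit", r".*"),
    ],
}

# Constructed line formats (assumption): one accounting record per IOS command
# executed, and one LMS job-audit record per (job, device) deployment window.
ACCT_RE = re.compile(
    r'^(?P<ts>\S+) device=(?P<device>\S+) user=(?P<user>\S+) cmd="(?P<cmd>[^"]*)"$')
JOB_RE = re.compile(
    r'^job=(?P<job>\S+) owner=(?P<owner>\S+) role="(?P<role>[^"]*)" '
    r'device=(?P<device>\S+) start=(?P<start>\S+) end=(?P<end>\S+)$')

SAMPLE_ACCOUNTING = """
2008-04-14T09:12:03 device=10.1.1.1 user=cwadmin cmd="interface GigabitEthernet0/1"
2008-04-14T09:12:04 device=10.1.1.1 user=cwadmin cmd="description uplink to core"
2008-04-14T09:12:05 device=10.1.1.1 user=cwadmin cmd="no aaa new-model"
2008-04-14T10:30:00 device=10.1.1.2 user=cwadmin cmd="no aaa new-model"
2008-04-14T11:00:00 device=10.1.1.3 user=cwadmin cmd="write memory"
2008-04-14T11:05:00 device=10.1.1.3 user=jsmith cmd="show running-config"
"""

SAMPLE_JOBS = """
job=1001 owner=nmc_alice role="NMC Engineer" device=10.1.1.1 start=2008-04-14T09:12:00 end=2008-04-14T09:12:30
job=1002 owner=impl_bob role="Implementation Engineer" device=10.1.1.2 start=2008-04-14T10:29:50 end=2008-04-14T10:30:20
"""


def command_permitted(role, command):
    """Evaluate one IOS command against a role's command set (first match wins)."""
    for action, pattern in ROLE_COMMAND_SETS.get(role, []):
        if re.match(pattern, command):
            return action == "permit"
    return False  # no matching rule: deny


def parse_lines(text, regex):
    """Parse every line matching regex into a dict; silently skip the rest."""
    records = []
    for line in text.strip().splitlines():
        m = regex.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def audit_shared_account(accounting_text, job_text, shared_user="cwadmin"):
    """For each command run as the shared account, find the LMS job whose
    deployment window on that device covers the timestamp, then judge the
    command by the job owner's role rather than by the shared account's rights."""
    jobs = parse_lines(job_text, JOB_RE)
    findings = []
    for rec in parse_lines(accounting_text, ACCT_RE):
        if rec["user"] != shared_user:
            continue  # direct logins were already authorized per-user by ACS
        ts = datetime.fromisoformat(rec["ts"])
        job = next((j for j in jobs
                    if j["device"] == rec["device"]
                    and datetime.fromisoformat(j["start"]) <= ts <= datetime.fromisoformat(j["end"])),
                   None)
        if job is None:
            owner, role, status = None, None, "unattributed"
        else:
            owner, role = job["owner"], job["role"]
            status = "authorized" if command_permitted(role, rec["cmd"]) else "VIOLATION"
        findings.append({"ts": rec["ts"], "device": rec["device"], "cmd": rec["cmd"],
                         "owner": owner, "role": role, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_shared_account(SAMPLE_ACCOUNTING, SAMPLE_JOBS):
        print(f"{f['status']:13} {f['ts']} {f['device']} owner={f['owner']} cmd={f['cmd']!r}")
```

In the sample data the NMC engineer's job legitimately touches an interface but also pushes "no aaa new-model", which their own command set would have denied at a direct login; the script reports that line as a VIOLATION while the same command inside the Implementation Engineer's job is authorized. A shared-account command with no covering job window is reported as unattributed, which is the case worth investigating first, since it means something other than an LMS job used the credential.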

Mike Bailey Sat, 04/12/2008 - 22:17

Thanks, I thought so.

It was just that the appendix of the LMS/ACS integration guide:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

Specifically says:

HTTP/HTTPS protocol is used for the following operations between the CiscoWorks server and Cisco Secure ACS:

• Import/export device groups

Thanks for the responses.

Joe Clarke Sat, 04/12/2008 - 22:37

When LMS contacts the ACS, it gets a list of NDGs allowed for the given user. It then proceeds to get the device lists from those NDGs in order to authorize device access. One can also export devices from LMS into ACS using the dcrcli command. You can choose to group those devices in NDGs configured in ACS.

Mike Bailey Mon, 04/14/2008 - 01:01

Thanks,

Two further questions.

1) Is there a way of setting the device credentials for ALL devices somewhere (e.g. once System Admin has configured the master credentials all future devices imported from ACS inherit these)?

2) Does LMS 3.0 improve any of these features (e.g. the ability to use RSA SecurID in Job based Credentials or other areas)?

Correct Answer
Joe Clarke Mon, 04/14/2008 - 09:28

Yes, all device credentials can be set at one time by going to Common Services > Device and Credentials > Device Management. Select all your devices, then click the Change Credential button.

No, JBP works just the same in LMS 3.0. JBP was actually designed for rotating security tokens like SecurID, but since those tokens have a short lifespan, scheduling jobs in the distant future (i.e. more than a minute) is not possible.

What LMS 3.0 does bring is more comprehensive internal auditing. So you should be able to get a handle on everything that is going on within LMS.

Mike Bailey Mon, 04/14/2008 - 10:47

Thanks, unfortunately as we are in the middle of building a very large network I'd like new devices as they are implemented to inherit some default credentials rather than setting again.

Looks like LMS 3.0 includes a default credential feature, so I will promptly download an eval version of LMS 3.0 to try it out.

Joe Clarke Mon, 04/14/2008 - 12:48

Yes, LMS 3.0 offers a default credential feature as well as a secondary credential feature so that applications such as RME can fallback if the primary set does not work.
