We have an existing implementation of Cisco Secure ACS 4.1.4 providing AAA functions for all our network devices.
ACS is using RSA SecurID for authentication.
With ACS we use command authorisation sets to define what IOS commands different engineering roles can perform, roughly as follows:
NMC Engineer - Can reconfigure interfaces but nothing else
Field Engineer - Can configure most elements but some security elements (e.g. AAA commands) disabled so they can't remove device from ACS authentication
Implementation Engineers - Full rights to all commands
We are implementing LMS 2.6 and want to maintain these same roles.
We have set up LMS 2.6 and integrated it with ACS as per the instructions within the user guides, this forum, etc.
We have imported the devices from ACS into DCR using BulkImport facility.
Within DCR we have set device telnet/ssh credentials with an account "cwadmin" and set up this user in ACS and given it full permissions to IOS commands.
The problem is that when an NMC engineer logs into LMS (authenticated from ACS) and uses the ConfigEditor it allows him/her to make changes to the whole config because LMS uses the "cwadmin" user which has full rights to IOS.
How can I configure LMS so that when an NMC engineer submits a job in ConfigEditor LMS checks ACS for the rights of the LOGGED ON USER as opposed to just using the rights of the "cwadmin" account configured in DCR?
PS - Is there a way to import all the NDG from ACS into LMS?
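For readers unfamiliar with how the roles above are enforced on the device side, here is an illustrative IOS AAA fragment. It is an added example, not configuration from the original post or from Cisco's documentation for this thread; the server address, key and method-list names are assumptions. The point it shows is that the router authorizes each command against whatever TACACS+ username is presented on the session, so a job that LMS runs under "cwadmin" is authorized (and accounted for) as cwadmin, not as the engineer who submitted it.

```text
! Assumed ACS server and shared key (example values)
aaa new-model
tacacs-server host 192.0.2.10 key EXAMPLE-KEY
!
! Login authentication against ACS, local fallback if ACS is unreachable
aaa authentication login default group tacacs+ local
!
! Per-command authorization: every privilege-15 command, including
! configuration commands, is sent to ACS, which answers from the
! command authorization set attached to the user's group
! (e.g. NMC Engineer: "interface" and sub-commands only).
aaa authorization config-commands
aaa authorization commands 15 default group tacacs+ if-authenticated
!
! Command accounting: each record carries the authenticated username,
! so a change pushed by LMS is logged under "cwadmin".
aaa accounting commands 15 default start-stop group tacacs+
```

Because the authorization decision is keyed on the session's username, restricting an NMC engineer's ConfigEditor jobs would require the job to run under that engineer's own credentials rather than the shared DCR account.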
Yes, all device credentials can be set at one time by going to Common Services > Device and Credentials > Device Management. Select all your devices, then click the Change Credential button.
No, JBP works just the same in LMS 3.0. JBP was actually designed for rotating security tokens like SecurID, but since those tokens have a short lifespan, scheduling jobs in the distant future (i.e. more than a minute) is not possible.
What LMS 3.0 does bring is more comprehensive internal auditing. So you should be able to get a handle on everything that is going on within LMS.
If you have a unique user that is only used by CiscoWorks, then auditing becomes a little easier. When you see that the CiscoWorks user made a config change, you can go to RME's change audit report, and find out exactly what was changed, and by whom.
There is no way to tie NDGs to LMS OGS groups. You would need to recreate the OGS groups with either dynamic membership rules or static device lists.