Posted in AAA but no response, maybe more of an LMS/Network Management question, so posting here.
We have set up CiscoWorks LMS 3.01 to integrate with Cisco Secure ACS 4.1.
We successfully get accounting information for:
> Login to LMS
> Login to LMS Application (e.g. CM or RME)
> Failed authentications and attempts
We also receive the AAA accounting from the end devices for any changes made.
However there is no direct correlation of these to LMS.
User JoeBloggs logs into LMS - Recorded in ACS
User JoeBloggs accesses RME - Recorded in ACS
User JoeBloggs accesses ConfigEditor and Deploys a configuration change - No logs recorded in ACS
LMS logs into the end device using default credentials and makes the change - AAA logs from device
How do I tie the change made by LMS using the default credentials to the job submitted by JoeBloggs?
The only way I can see is to look at the Job Browser on LMS and compare dates/times, but this is both clunky and means we have to disable the ability for people to delete job history.
Surely there is a way of making LMS send TACACS+ accounting information recording job submission.
When integrated with ACS, LMS tasks send authorization requests to the ACS server for everything that is done. Therefore, you should see something in the successful attempts log at the very least.
Each LMS application maintains its own audit log. To access the RME audit log, go to RME > Reports > Report Generator > Audit Trail > Standard Report.