AAA accounting of LMS Events

Answered Question
Jun 7th, 2008

Posted in AAA but got no response; maybe it's more of an LMS/Network Management question, so posting here...

We have setup CiscoWorks LMS 3.01 to integrate with Cisco Secure ACS 4.1.

We successfully get accounting information for:

> Login to LMS

> Login to LMS Application (e.g. CM or RME)

> Failed authentications and attempts

We also receive the AAA accounting from the end devices for any changes made.

However there is no direct correlation of these to LMS.

For example:

User JoeBloggs logs into LMS - Recorded in ACS

User JoeBloggs accesses RME - Recorded in ACS

User JoeBloggs accesses ConfigEditor and Deploys a configuration change - No logs recorded in ACS

LMS logs into the end device using default credentials and makes the change - AAA logs from device

How do I tie the change made by LMS using the default credentials to the job submitted by JoeBloggs?

The only way I can see is to look at the Job Browser on LMS and compare dates/times, but this is both clunky and means we have to disable the ability for people to delete job history.

Surely there is a way of making LMS send TACACS+ accounting information recording job submission.

Thanks

Michael
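
The manual workaround described in this post (comparing Job Browser dates/times with the device-side accounting) can be scripted. The following is an added example, not code from this thread or from CiscoWorks/ACS; it assumes simplified, constructed record formats, an LMS default username of "lms", and a 30-second slack around each job's start and end, and it deliberately refuses to pick an owner when two jobs on the same device overlap.

```python
"""Correlate device-side AAA accounting records made under the LMS default
credential with LMS Job Browser entries by time window, attributing each
change to the user who submitted the job. Record formats are simplified
and constructed for this example; real ACS/LMS exports differ."""
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: device-side TACACS+ accounting as (time, device, user, command)
DEVICE_ACCOUNTING = [
    ("2008-06-07 09:10:12", "10.0.0.5", "lms", "configure terminal"),
    ("2008-06-07 09:10:15", "10.0.0.5", "lms", "interface GigabitEthernet0/1"),
    ("2008-06-07 09:40:00", "10.0.0.7", "admin", "show running-config"),
    ("2008-06-07 11:00:03", "10.0.0.5", "lms", "no ip domain-lookup"),
    ("2008-06-07 12:00:00", "10.0.0.5", "lms", "write memory"),
]

# Constructed sample: LMS Job Browser export as (job_id, owner, device, start, end)
LMS_JOBS = [
    ("1042", "JoeBloggs", "10.0.0.5", "2008-06-07 09:10:00", "2008-06-07 09:11:00"),
    ("1050", "JaneDoe", "10.0.0.5", "2008-06-07 10:59:30", "2008-06-07 11:01:00"),
    ("1051", "JoeBloggs", "10.0.0.5", "2008-06-07 10:59:45", "2008-06-07 11:00:30"),
]

def _ts(s):
    return datetime.strptime(s, FMT)

def attribute(accounting, jobs, lms_user="lms", slack=timedelta(seconds=30)):
    """One dict per accounting record. Records not made as the LMS default
    user are attributed to themselves ('direct'). LMS records match the job
    that ran on the same device within start-slack..end+slack. No match ->
    'unattributed'; more than one -> 'ambiguous' (never guess an owner)."""
    out = []
    for ts, device, user, cmd in accounting:
        rec = {"time": ts, "device": device, "command": cmd}
        if user != lms_user:
            rec.update(user=user, job=None, status="direct")
        else:
            when = _ts(ts)
            hits = [j for j in jobs if j[2] == device
                    and _ts(j[3]) - slack <= when <= _ts(j[4]) + slack]
            if len(hits) == 1:
                rec.update(user=hits[0][1], job=hits[0][0], status="attributed")
            elif not hits:
                rec.update(user=None, job=None, status="unattributed")
            else:
                rec.update(user=None, job=[j[0] for j in hits], status="ambiguous")
        out.append(rec)
    return out
```

The "ambiguous" and "unattributed" results are the ones worth reviewing by hand: a time-window match is supporting evidence for who made a change, not proof.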

Correct Answer
Joe Clarke Sat, 06/07/2008 - 09:25

When integrated with ACS, LMS tasks send authorization requests to the ACS server for everything that is done. Therefore, you should see something in the successful attempts log at the very least.

Each LMS application maintains its own audit log. To access the RME audit log, go to RME > Reports > Report Generator > Audit Trail > Standard Report.

Martin Ermel Sun, 06/08/2008 - 23:35

I do not understand what you mean with:

'Surely there is a way of making LMS send TACACS+ accounting information recording job submission.'

and perhaps it is the same what I suggest:

Change the job policies and mark the check-box 'Enable Job Password' AND remove the mark from the corresponding 'User configurable' check box in RME > Admin > Config Mgmt > Config Job Policies.

In the 'Application' drill-down you can select the different jobs for which you want to change the settings.

Now every user needs to enter their own credentials with which the job will be executed (instead of the LMS default credentials) and you should see the user in this line instead of 'LMS':

[...]

'LMS logs into the end device using default credentials and makes the change - AAA logs from device '

[...]

Mike Bailey Mon, 06/09/2008 - 10:44

Unfortunately we cannot use job-based passwords as our ACS instance is integrated with RSA SecurID (one-time password); with 30-second tokens and separate login/enable credentials required, it's not possible to submit a job using SecurID details as they will have expired!

I think the original post solves the problem - looking at the Audit Reports.
