We've now finished testing CiscoWorks LMS 3.01 with ACS 4.1.4 in our test environment and are ready to deploy into a production environment.
Currently we have a few outstanding concerns, specifically on the security of accounts in ACS.
The LMS/ACS Integration White Paper (along with various other instructions on the web etc.) states that LMS requires:
1> An ACS Administrator account with ALL privileges (the white paper explicitly states "grant all").
2> An ACS User account with the same credentials as the System Identity, with SA rights.
Our network security team are EXTREMELY concerned about the first; Cisco Secure ACS, by its very name, should be secure. Creating an admin account with ALL rights has got to be a bad idea. Currently we only have one account with this level of rights, which is never used and whose credentials are locked in a safe. All others are only given the rights actually required.
Ultimately there have got to be some rights here that aren't required (e.g. changing group setups, changing server settings). Is there anything documented on the exact rights needed by the LMS ACS Admin account?
During the Application Registration we're finding that the ACS Administrator account is making changes to other Administrator accounts (specifically removing anyone's rights to IPM) - this is surely outside the scope of what it's supposed to be doing...
As for the second one, again I'd like something documented as to the precise rights required and what this account is used for. During some test ACS application registrations from LMS, the verification keeps throwing up errors about not having the correct rights for components; however, registration is still successful anyhow?
Does the identity account need any shell or IOS level rights or just ACS components?
It's also surely a bit "chicken and egg", as you can't provide rights until the applications are registered etc. We do have a previously aborted installation of LMS 2.6, so I'm guessing that the registration is trying to check rights against the LMS 2.6 application registration, which obviously fails?
PS - Any news on a release date for LMS 3.1? Will I need to re-register the application and thus lose all the custom profiles I've just spent weeks developing?