Joe Clarke Mon, 07/28/2008 - 13:27
User Badges: Cisco Employee, Hall of Fame, Founding Member
You need to configure your System Identity User (as seen under Common Services > Server > Security > System Identity Setup) in ACS, and give it access to the Super Admin group for all LMS applications.

chillymac47 Mon, 07/28/2008 - 16:47

I may not be doing this correctly. For now I am only interested in having ACS do the authentication, with local user IDs providing the authorization. What is the procedure to do this? Thanks.

Joe Clarke Mon, 07/28/2008 - 16:56

Simply configure the TACACS+ login module under Common Services > Server > Security > AAA Mode Setup. Do NOT select the ACS radio button.

chillymac47 Tue, 07/29/2008 - 04:42

OK that worked until I rebooted the system. After rebooting the LMS server, the authentication via TACACS still works, but I no longer have administrative authority. I have to reset the login module back to local in order to get in with administrative authority.

Joe Clarke Tue, 07/29/2008 - 06:51

It sounds like you're still integrated with ACS for authorization. If you're just using the TACACS+ login module ONLY, authorization should be handled by the local database. Of course, every user in the TACACS+ server must have a local entry in the LMS database. Make sure the username in TACACS+ matches exactly with one under Common Services > Server > Security > Local User Setup.

chillymac47 Tue, 07/29/2008 - 07:14

The usernames match exactly. Is there any way to validate how it is trying to do the authorization, with some debugging option, so we can determine if it may be hanging on to some configuration from the failed attempt at using ACS for authorization, as you suggested? Thanks for your quick responses.

Joe Clarke Tue, 07/29/2008 - 07:23

You can look in NMSROOT/MDC/etc/regdaemon.xml. If the AdminModule is set to ACS, then it is still using ACS for authorization. If set to CMF, then it's using the local database.
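The two checks suggested in this thread (which module regdaemon.xml names for authorization, and whether every TACACS+ username has an exactly matching entry under Local User Setup) can be scripted. The following is an added example, not code from the original posts or from Cisco. The schema of regdaemon.xml is not described in the thread, so the script searches the whole document for an element or attribute named AdminModule rather than assuming a fixed path; the sample XML and the two user lists are constructed for illustration.

```python
"""Diagnose the LMS authorization source and TACACS+/local username mismatches.

Added example, not part of the original thread. The layout of the sample
regdaemon.xml below is an assumption; only the AdminModule name and its
ACS/CMF values come from the thread.
"""
import xml.etree.ElementTree as ET

# Constructed stand-in for NMSROOT/MDC/etc/regdaemon.xml (layout is an assumption).
SAMPLE_REGDAEMON_XML = """<?xml version="1.0"?>
<Registry>
  <Daemon name="Apache"/>
  <Security AdminModule="ACS" LoginModule="TACACS+"/>
</Registry>
"""

# Constructed user lists: names as the TACACS+ server returns them, and names
# as entered under Common Services > Server > Security > Local User Setup.
TACACS_USERS = ["chillymac47", "netops", "Admin1"]
LOCAL_USERS = ["chillymac47", "netops ", "admin1"]


def find_admin_module(xml_text):
    """Return the AdminModule value found anywhere in the XML, or None."""
    root = ET.fromstring(xml_text)
    for elem in root.iter():
        if elem.tag == "AdminModule" and elem.text:
            return elem.text.strip()
        for key, value in elem.attrib.items():
            if key == "AdminModule":
                return value.strip()
    return None


def authorization_source(xml_text):
    """Map the AdminModule value to where authorization decisions come from."""
    module = find_admin_module(xml_text)
    if module == "ACS":
        return "ACS (remote authorization still active)"
    if module == "CMF":
        return "CMF (local LMS database)"
    return "unknown (AdminModule=%r)" % (module,)


def username_mismatches(tacacs_users, local_users):
    """Report TACACS+ usernames without an exact local LMS entry.

    The comparison is exact and case-sensitive on purpose: a user that only
    matches after trimming whitespace or folding case would still fail local
    authorization, so such near-misses are flagged with the offending entry.
    """
    local = set(local_users)
    folded = {u.strip().lower(): u for u in local_users}
    problems = []
    for user in tacacs_users:
        if user in local:
            continue
        near = folded.get(user.strip().lower())
        if near is not None:
            problems.append((user, "near-miss: local entry is %r" % near))
        else:
            problems.append((user, "no local entry"))
    return problems


if __name__ == "__main__":
    print("Authorization source:", authorization_source(SAMPLE_REGDAEMON_XML))
    for user, reason in username_mismatches(TACACS_USERS, LOCAL_USERS):
        print("mismatch: %-12s %s" % (user, reason))
```

On a real server, read NMSROOT/MDC/etc/regdaemon.xml into `find_admin_module` and export the local user list from Local User Setup; a result of ACS while the login module is set to TACACS+ only reproduces the symptom described above, where authentication succeeds but administrative authority is lost.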
