LMS 3.1 with ACS 4.1

Unanswered Question
Aug 15th, 2008
User Badges:
  • Bronze, 100 points or more


I want to integrate LMS 3.1 with ACS 4.1.

We have two servers and the Master/Slave configuration works fine.

I read the whitepaper for this task and configured all the steps at both servers.

All fine at first, but on the slave the authentication tells "Ciscoworks local" instead of TACACS+.

The failed attempts in ACS log tells, that both servers want to login with a user called "secretuser"!

I didn't configure such a user and I didn't know where the user is in the LMS configuration?!?

Is it a default user in the depth of the configuration?

I thought that the systemiduser is configured for this part...

Okay, the workaround is to configure this user in the ACS with the same password *g*

And what shall I say, no failed attempts and the slave tells TACACS+ for authentication!

The second problem is, that I can't configure the rights for users because There are two entries for every part of LMS (CM, RME, CWHP, Portal,...). I thought that is okay because I have to servers.

But if I configure the first CWHP and then the second, the first is empty again. Configure the first once again, than the second is empty.

It looks like that the authorization on the second server does not work. On the Master I have rights for helpdesk and on the slave it is full authorization.

The third problem is, that I can't disable users on ACS to login in LMS.

I Thought setting up a user on all the ciscoworks entries to "none" in ACS the user has no rights to access to the LMS.

But he can with helpdesk rights.

Thanks for your help!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Fri, 08/15/2008 - 08:54
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The secretuser user must be your System Identity User. This user is configured under Common Services > Security > System Identity Setup. It must be a user with full rights to ALL LMS tasks. Therefore, this user must exist in ACS, and it must be allowed the Super Admin role for all LMS applications. This user must be the same on both LMS servers.

Both LMS servers must be integrated with the same ACS server; therefore both LMS servers must first be added as clients of the ACS server. Once integration has been configured properly in LMS, the login module will change to TACACS+, and ACS will be used for both authentication and authorization.

If something goes wrong, you can use the RestLoginModule.pl script to revert to local authentication and authorization:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl


This Discussion