Full LMS-ACS Integration Vs Loose LMS-ACS Integration

Answered Question
Sep 7th, 2008

If you are an enterprise and not a service provider, it seems to me that FULL LMS-ACS integration just over-complicates LMS deployments, especially when you have multiple LMS and ACS deployments from various companies you acquired over the years but never fully integrated.

In the past, all the enterprises I worked at deployed LMS with only user authentication via ACS. Now I am at a company where we have multiple LMS-ACS deployments, and there seems to be more pain because of this.

Our eventual goal is to get down to two fully redundant multi-server deployments of LMS for the entire enterprise and a fully integrated ACS.

If you are an enterprise using LMS with a consolidated network engineering group, and not a service provider, what does Cisco recommend in regards to ACS integration: full LMS-ACS integration, or loose integration for only user authentication to LMS?

Any opinions on this topic would be most appreciated. Thx.

Joe Clarke Sun, 09/07/2008 - 07:58

I don't think we offer an official recommendation in either case (SP vs. enterprise). However, we have many "true enterprise" customers running with full ACS integration. Besides centralizing passwords and roles for multi-server deployments, ACS integration offers the unique features of being able to do role customization and device access filtering. The latter is probably more important to MSPs, but we do have quite a few enterprise customers filtering devices on a department basis.

When I present to customers on LMS, I recommend full ACS deployment across all nodes in a multi-server LMS environment, period. Why bother with trying to manually synchronize users and roles across servers? Let ACS hold all of that information. It makes user management much easier, and there is less chance of a security issue.

GERARD PUOPLO Sun, 09/07/2008 - 12:16

Thanks for your recommenation. That helps me believe we are doing the right thing.

Your recommendation is based on the added value of:

1) eliminating the need to specify user and role definitions manually within LMS, and

2) restricting LMS device access on a per-user or per-department basis.

The complexity, basically from an LMS perspective, seems to me to be:

1) making sure devices are defined in ACS; otherwise CS will not be able, on discovery, to add them to the DCR.

2) making sure devices are first deleted from ACS before deleting them from the LMS DCR.

3) the fact that the LMS device verification report never seems that clean anymore after ACS integration is enabled.

4) the difficulties involved in having LMS manage devices from two independent ACS servers, as in our case, due to an acquisition that is not yet fully integrated.

Negatives 1 and 2 are no biggies, but am I correct about negative items 3 and 4?


Correct Answer
Joe Clarke Sun, 09/07/2008 - 13:58

Point 4 is a show stopper. LMS cannot manage devices from two different ACS servers. Point 3 shouldn't have anything to do with ACS integration.
