Multi-Server Setup ACS Mode Question

Sep 12th, 2008

We have LMS 3.0.1, HUM and DFM on separate servers. The System Identity User and the Peer Server user are the same and are defined in the ACS as an Admin with Full Control on ACS and also SuperAdmin rights to all CiscoWorks Apps (HUM not defined).

Users with Cisco Admin rights defined in ACS cannot access Report Generation Buttons in HUM nor can they access certain admin screens in DFM.

We configure CS-Server-Security-Multiserver Trust Management.

But on the DFM and HUM boxes we so far did not configure AAA Mode Setup. Don't we need to do that and set it to ACS mode?

Joe Clarke Fri, 09/12/2008 - 23:08

You must configure ACS integration on ALL servers in a Single Sign On domain (I assume you're doing SSO here as that would explain the problem you're seeing). If you do not, while the ACS user will be allowed to login to the second server, they will only have Help Desk access. SSO only supports authentication. Authorization must be handled either by the local LMS user database, or by ACS.

GERARD PUOPLO Sat, 09/13/2008 - 04:07
All servers are in a SSO domain.

When I do a Server Settings->Security Settings on both the LMS Master and the DFM slave, I see both are using the same system identity user and the same SSO domain with correct master/slave settings.

Then on the master I see Authentication Mode = TACACS+ and Authorization Mode = ACS. On the DFM slave I see Authentication Mode = CiscoWorks Local and Authorization Mode = CMF.

Now DFM is defined as a ciscoworks application in our ACS.

On another location where we have a similar LMS, DFM, ACS configuration I do Server Settings->Security Settings and I see we have DFM slave Authentication Mode = TACACS+ and Authorization Mode = ACS, which I believe was set when that site ran the CiscoWorks Assistant setup wizard.

I believe the site that works has an invalid configuration which seems to work and the site that doesn't work has a valid conf that doesn't work.

Joe Clarke Sat, 09/13/2008 - 06:44

Since the site that is not working is using local authorization, every user that logs into that server MUST have a local account configured with the appropriate rights. This account doesn't need a password as authentication is occurring on the SSO master.

Since the other server is using ACS for authorization, it stands to reason why the users are allowed to perform the tasks in question.

GERARD PUOPLO Sat, 09/13/2008 - 10:24
My thoughts too, but thanks for confirming this. On our DFM and HUM boxes I will make sure Authentication Mode is set to ACS.

We had a TAC case open on this that's taking a while. First we wanted to know what was the "right" thing to do, and second one of our guys has trouble doing this for HUM since HUM wasn't defined yet in our ACS as a CiscoWorks App.

We can't use local admin accounts for HUM because lots of users need to be able to generate HUM reports, and if they are not HUM admins the GO button is greyed out.

Again, thanks.

Joe Clarke Sat, 09/13/2008 - 12:45

When you register your HUM server with ACS, you will need to check the box for registering applications with ACS. That will push the HUM tasks to the ACS server, and allow you to add those tasks to user groups.
