cw LMS and ACS

Unanswered Question
Oct 20th, 2008


I am trying to have cw administrators authenticated and authorized by ACS.

I changed the authentication from local to ACS/TACACS and I chose the option: Register all installed applications with ACS.


- Authentication is OK.

- I obtained in groups new tables concerning cw such as: cwhp/Custom attributes; ciscoview/custom attributes...

I added devices to these tables.

Now, in cw I can see the list of devices I am responsible for.

My problem is that in Device Center I am not getting the same interface as before. Many things disappeared.

I am afraid this is because I did not put anything in "custom attributes".

Any help?

Joe Clarke Tue, 10/21/2008 - 09:18

ACS integration is tricky. You should go through the document in this post:

And verify the settings are correct. In particular, the LMS System Identity User must have access to all devices in ACS, and its group must have access to perform all LMS tasks.

ohassairi Tue, 10/21/2008 - 21:26

Thank you very much for the link. Unfortunately my LMS is 2.6 and not 3.0.

I think that's why the Super Admin group does not exist in my ACS. Should I create it manually?

Joe Clarke Tue, 10/21/2008 - 21:30

The instructions I gave you are for 2.6. Yes, you must create the Super Admin role manually in LMS 2.6 for each LMS application. This is documented in the HTML file.

ohassairi Wed, 10/22/2008 - 01:33

Thanks again.

OK, I followed the instructions and I am getting the authentication OK, and authorization is OK for only 1 group (cw group is OK too).

I am getting this error when trying to access Device Center: You are not authorized to request the Action associated with screenID: "/".

When I look at reports/failed attempts in ACS I find: authorization failed with authorization data: service=cwhp authorize-device= cmd*cmf_dc.

Strange problem.

Joe Clarke Wed, 10/22/2008 - 09:01

This indicates a problem with the role configuration, or possibly the group configuration for your ACS user group. Troubleshooting this over the forum is quite tedious. It would be faster if you opened a TAC service request, and had your engineer review your ACS settings over WebEx. This could probably be solved in a matter of minutes once all of the ACS screens can be analyzed.

