Authorization trouble

Unanswered Question
Nov 13th, 2008

I have had nagging authorization issues with Ciscoworks LMS 3.0.1 and ACS 3.3

Out of the blue now I can't do data collection on devices in layer 2 view...

I get the message "User is not authorized to perform data collection on devices (or) your session has timed out"

A few other permission issues: I have 3 reports that I have had configured forever, and now those reports fail with CDAJOB009: Either the owner of this job does not exist, or the owner does not have the required permission to run this job.

I have a cwsuperuser with access to everything. I have re-registered all my applications. I have double checked that every checkbox in every shared profile component is checked.

This is so frustrating... Please help...

TIA

Joe

Joe Clarke Thu, 11/13/2008 - 12:17

This sounds like a bug I filed a while ago (CSCsg00563). However, this bug is fixed in LMS 3.0. It sounds more like either a problem with your System Identity User not being authorized, or you are using NDGs in ACS, and your user does not have access to the NDG which contains the LMS server.

You may want to open a TAC service request so they can walk through your ACS setup on a WebEx, and see if they can spot the problem.

jbarger Thu, 11/13/2008 - 12:22

Yeah but I am not paying for support for Ciscoworks...

Anyhow, ACS is set to "Assign a Ciscoworks for any network device" for every Ciscoworks application. Should I assign every device group instead of trusting that the above setting is allowing them all...

Heck I will just test it.

Joe Clarke Thu, 11/13/2008 - 12:26

No. The second radio button is definitely the way to go, especially for the System Identity User. You might check the ACS Failed Attempts log to see if anything jumps out at you. If you've double-checked all ACS and LMS security settings to be correct, try restarting ACS and CiscoWorks Daemon Manager.

jbarger Thu, 11/13/2008 - 12:33

I found that the user for system identity is not a user in ACS! And when you test the connection you see...

Note:

- Make sure the configured System Identity User is availablle in ACS Server.

Restarting the daemon manager...

Joe Clarke Thu, 11/13/2008 - 12:40

That would do it. This user must be in a group which gives all access to all LMS-managed devices, and all LMS tasks.

jbarger Thu, 11/13/2008 - 13:27

Well, I think that I have the system identity user set up correctly and I still get the trouble where I can't do device discovery.

and I can't view this job report...

2205 Device Discovery Failed Device Discovery Job Thu Nov 13 11:24:00 MST 2008

I do see authorization failed in ACS failed attempts when trying device discovery, but I don't see anything for the job report in failed attempts.

Going to go through it all again and make sure I have it right. The ACS mode setup and the system identity setup have the same username and password; previously they were different, with ACS being a local user and system being built on ACS.

It makes sense that it would be screwy set up like it was before, but now they are both the same and both full network admins...

BLEH

Joe Clarke Thu, 11/13/2008 - 13:49

The report jobs may be a casualty of CSCsv55522 or CSCsm77700. You can test for this by adding a local LMS user for your current username, and give that user full rights. Please post screenshots illustrating how your System Identity User is configured in LMS and in ACS.

jbarger Thu, 11/13/2008 - 14:31

I have deleted my local user and recreated my local user just to be certain the password is the same as the domain... still no luck on the reports.

Joe Clarke Thu, 11/13/2008 - 20:16

Okay, the SIU is in ACS, but what are the properties of the Network Admins group? Please post screenshots showing each LMS task, and the associated task access.

Joe Clarke Mon, 11/17/2008 - 16:49

Everything checks out. I cannot say what is causing this without more detailed debugging. In cases like this, I would typically opt to troubleshoot via a WebEx session. This isn't something that can be easily analyzed on the forum.

jbarger Wed, 11/19/2008 - 09:20

Thanks for the help even though we didn't figure it out. I will update this thread if I ever do.

jbarger Thu, 12/04/2008 - 13:02

I finally got back to fixing this... I just re-registered all applications with ACS even though I checked and they were all updated. I suppose a combination of things fixed it but the final piece was to go to AAA mode and select "Register all installed applications with ACS" and submit.

Previously when I did this my topology map was scrambled. THANKFULLY it did not screw it up, so I am happy :)
