LMS 3.0, ACS 4.2 and TACACS

Unanswered Question
Mar 23rd, 2009

Excuse me if I am missing the point here but... we have installed LMS on two servers: server one runs the Portal, CS, CM, Assistant and IU; the second server runs RME, CV, IPM and DFM (as well as the default CS, Portal and Assistant). I have run through the workflow for server setup and set up the two servers to use our ACS server for TACACS. Now this is where I may be missing the point: when I sign in to server one and click on a link to an applet on server two, it asks me to authenticate again... I thought that with a multi-server setup and TACACS I would only need to authenticate once to access applets across both servers.

MICHEL.HEGERAAT Mon, 03/23/2009 - 05:43

I would think (I haven't tried this) that you would not need to set TACACS on the SSO slave server. Rather, keep the authentication module on "local".

Have you tried this?

Cheers,

Michel

Sven Hruza Mon, 03/23/2009 - 07:25

You have to configure the two servers identically at "AAA Mode Setup" for ACS.

The difference is on the "Single Sign-On Setup" page -> master and slave server.

Paul Williams Mon, 03/23/2009 - 07:53

The point here is that I used the Workflow > Server Setup assistant and would have suspected that the system would have known to set this, as it needed to in order to make it work. I did find a patch for ACS integration and Common Services, which I have now installed, but it has made no difference.

Sven Hruza Mon, 03/23/2009 - 08:59

I don't use the setup assistant, sorry.

But you can look for the ACS configuration by checking the setup under "Common Services" -> "Server" -> "Security" -> "AAA Mode Setup".

There you have to configure the ACS servers' IP addresses, the admin user for LMS to use to configure the ACS, and the LMS applications which you want to register on ACS. Normally you will select all applications.

You have to do this configuration on both servers, no matter whether it is the slave or the master.

After that you have to configure the single sign-on.

Master:

Select "Master (SSO Authentication Server)"

Slave:

Select "Slave (SSO Regular Server)"

and put the whole server name of the master in the field, and the port (by default 443).

Sven Hruza Mon, 03/23/2009 - 09:08

Is it possible to get screenshots of the ACS configuration and the single sign-on?

Sven Hruza Mon, 03/23/2009 - 10:05

Is it possible that you are looking at the same Common Services?

Because on my system the address field at the bottom (the server name) is different on each of the servers.

In all the screenshots it is the same...

You have one Common Services on every server, which you have to configure separately!

Server2 should be the SSO slave?

MICHEL.HEGERAAT Mon, 03/23/2009 - 12:50

You have not configured single sign-on.

Both server1 and server2 are master in the screenshots.

One should be master, the other slave.

And the slave should be using the local module, and the other TACACS.

Cheers,

Michel

Sven Hruza Mon, 03/23/2009 - 13:16

I don't think that it is right to use the local module on the slave.

If you don't use the ACS integration on the slave, you will not be able to select the permissions for those parts of LMS which are installed on the slave.

To have full permission control on the ACS, it is important to integrate all modules of LMS, no matter where they are installed!

Here you can find a whitepaper for integration:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.pdf

MICHEL.HEGERAAT Tue, 03/24/2009 - 04:49

As I read his story, I see he wants to use TACACS for authentication, not authorization.

Maybe I misunderstood this. Otherwise the slave will ask the master to handle authentication.

Looking at the shots, he is indeed trying the ACS integration.

I have not tried that yet.

Cheers,

Michel

Sven Hruza Tue, 03/24/2009 - 15:35

You configured port 443 on the slave server in the SSO setup.

But you are not using HTTPS, so it should be port 1741 (the default).

But I think it is not a bad idea to change from HTTP to HTTPS ;-)

Paul Williams Wed, 03/25/2009 - 03:33

I tried to change the 443 to 1741; however, when I hit Apply it says that it is unable to connect to the server on that port.

I will say that none of these settings were input by me; I used the server setup workflow and it did it all itself.

Sven Hruza Wed, 03/25/2009 - 04:24

Did you try to change from HTTP to HTTPS?

You can find it under

CS -> Server -> Security -> Browser-Server Security Mode Setup

Perhaps the workflow doesn't work for that part.

I think the port for the SSO and the port for web access should be the same.
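The rules spelled out across Sven's replies (AAA Mode Setup identical on every Common Services instance, exactly one SSO master with each slave naming the master's full host name, and the slave's SSO port matching the port the master actually serves its web UI on: 1741 for HTTP, 443 for HTTPS) can be checked mechanically before hitting Apply. The script below is an added example written for this thread; it is not a Cisco tool and not code from the original post. The host names and the ACS address are constructed placeholders, and the two-server layout mirrors the one described above, where the slave was left pointing at port 443 while the master still ran plain HTTP on 1741.

```python
"""Consistency check for a two-server LMS 3.0 SSO + ACS (TACACS+) setup.

Added example, not part of the original thread or of any Cisco tool. It encodes
the rules given in the replies above:
  1. AAA Mode Setup must be identical on every server (each server's Common
     Services is configured separately, so they can drift);
  2. exactly one server is the SSO master, every other is a slave that names
     the master by its full host name;
  3. the port a slave enters on the SSO page must be the port the master really
     serves the web UI on: 1741 for HTTP, 443 for HTTPS (the thread's defaults).
Inputs are constructed dictionaries standing in for what the GUI pages show.
"""
from dataclasses import dataclass

HTTP_PORT = 1741   # LMS default web port when Browser-Server Security is HTTP
HTTPS_PORT = 443   # default port when Browser-Server Security is HTTPS


@dataclass
class LmsServer:
    host: str                      # full DNS name of this server
    aaa_mode: str                  # "local" or "acs" (AAA Mode Setup)
    acs_servers: tuple = ()        # ACS IP addresses entered in AAA Mode Setup
    https: bool = False            # Browser-Server Security Mode Setup
    sso_role: str = "master"       # "master" or "slave" (Single Sign-On Setup)
    sso_master_host: str = ""      # slave only: master's full server name
    sso_master_port: int = 0       # slave only: port entered on the SSO page

    @property
    def web_port(self) -> int:
        return HTTPS_PORT if self.https else HTTP_PORT


def check_sso_setup(servers):
    """Return a list of human-readable problems; an empty list means consistent."""
    problems = []

    # Rule 1: AAA mode and the ACS server list must match on every server.
    modes = {(s.aaa_mode, tuple(sorted(s.acs_servers))) for s in servers}
    if len(modes) > 1:
        problems.append("AAA Mode Setup differs between servers: %s" % sorted(modes))

    # Rule 2: exactly one SSO master (two masters means SSO is not configured).
    masters = [s for s in servers if s.sso_role == "master"]
    if len(masters) != 1:
        problems.append("expected exactly one SSO master, found %d: %s"
                        % (len(masters), [m.host for m in masters]))
        return problems   # the slave checks below need a single master

    master = masters[0]
    for s in servers:
        if s.sso_role != "slave":
            continue
        # Rule 2 (cont.): the slave must name the master by its full host name.
        if s.sso_master_host != master.host:
            problems.append("%s points at '%s', but the SSO master is %s"
                            % (s.host, s.sso_master_host, master.host))
        # Rule 3: the SSO port must be the port the master serves the UI on.
        if s.sso_master_port != master.web_port:
            problems.append("%s uses SSO port %d, but %s serves %s on port %d"
                            % (s.host, s.sso_master_port, master.host,
                               "HTTPS" if master.https else "HTTP", master.web_port))
    return problems


# Constructed sample reproducing the thread: master on plain HTTP (1741),
# slave pointing at port 443. Host names and ACS address are placeholders.
THREAD_SETUP = [
    LmsServer("server1.example.com", "acs", ("10.0.0.5",), https=False,
              sso_role="master"),
    LmsServer("server2.example.com", "acs", ("10.0.0.5",), https=False,
              sso_role="slave", sso_master_host="server1.example.com",
              sso_master_port=443),
]

if __name__ == "__main__":
    for p in check_sso_setup(THREAD_SETUP) or ["no problems found"]:
        print("CHECK:", p)
```

Running it on the sample flags exactly the mismatch Sven pointed out (slave SSO port 443, master serving HTTP on 1741); either entering 1741 on the slave or switching the master to HTTPS clears it. Feeding it two servers both set to "Master (SSO Authentication Server)" reproduces Michel's reading of the screenshots, and a slave left on "local" AAA mode shows up as a rule 1 mismatch, which is Sven's objection to that arrangement.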

Paul Williams Wed, 03/25/2009 - 05:22

Changed that (although I did have reservations, as it is listed under the "single server setup" heading)... but I changed it on the second server anyway, and now I cannot access the server at all; I just get 403 Forbidden... does anyone know how to reset the browser security setting from the command line????
