LMS and ACS Intergration, authentication fallback option

Unanswered Question
May 25th, 2009
User Badges:

Hi there,

i have recently integrated LMS 3.0 with ACS appliance 4.I am facing one issue,whe the ACS is down i am unable to login to the LMS with the system id user account or any other user that exists in the LMS local database. The documentation says to change the aaa mode to Non-ACS but i can only do this when i login to the LMS. One method i came across is to reset the login module on the LMS using a builtin script.I wanted to know if there is any fallback options

Thanks for your answers


can get solve this issue of fall back.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3 (1 ratings)
Joe Clarke Mon, 05/25/2009 - 11:13
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

Run the following command:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

This is the only workaround if login fallback was not configured. All this script does is reset the authentication and authorization modes to local. You can then login using one of the local accounts, and reconfigure the TACACS+ login module for fallback to a local user.

Once everything is working, then you can re-enabled ACS integration.

sheikh ahmed zubedi Tue, 05/26/2009 - 06:43
User Badges:

hi clarke,

Thanks for your response,i did configure the login fallback under ->non-ACS->TACACS+->allow local login option.

i wanted to know how i can simulate an ACS appliance failure.i am just stopping the acs service from ->system configuration->service control.Is this ok or do i need to unplug the cable for the ACS as i am unable to login with the local users on the LMS after shutting the service.


Joe Clarke Tue, 05/26/2009 - 09:06
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

A failure when doing FULL ACS integration (i.e. not just authentication) is a hard failure. You will need to reset to a local login module to recover. If you're just doing authentication, then you should be able to login as allowed fallback users using local credentials (e.g. admin).

You can simulate an ACS failure by taking ACS off of the network. This can be done by putting in an access-list for tcp/49, unplugging the appliance, etc.

Velin Georgiev Wed, 06/10/2009 - 04:49
User Badges:


I was wondering the same thing about the fallback option. I just don't understand how to configure only ACS authentication and not full ACS integration?

Marvin Rhoads Wed, 06/10/2009 - 09:09
User Badges:
  • Super Silver, 17500 points or more
  • Cisco Designated VIP,

    2017 Firewalling, Network Management, VPN

There is a white paper on CW-ACS integration posted here: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

You can unregister CiscoWorks applications from being ACS-integrated by a command line interface command, e.g.:

"java ACSRegCli unregister All"


"java ACSRegCli unregister "

Joe Clarke Wed, 06/10/2009 - 09:58
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The ACSRegCli command is a Perl script, and cannot be run through Java. The white paper has the correct details here, but messes things up in the FAQ. The actual commands are:

NMSROOT/bin/perl AcsRegCli.pl -unregister


This Discussion