LMS and ACS Integration, authentication fallback option

Unanswered Question
May 25th, 2009

Hi there,

I have recently integrated LMS 3.0 with ACS appliance 4. I am facing one issue: when the ACS is down I am unable to login to the LMS with the system ID user account or any other user that exists in the LMS local database. The documentation says to change the AAA mode to Non-ACS, but I can only do this when I login to the LMS. One method I came across is to reset the login module on the LMS using a built-in script. I wanted to know if there are any fallback options.

Thanks for your answers

Ahmed

can get solve this issue of fall back.

Joe Clarke Mon, 05/25/2009 - 11:13

Run the following command:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

This is the only workaround if login fallback was not configured. All this script does is reset the authentication and authorization modes to local. You can then login using one of the local accounts, and reconfigure the TACACS+ login module for fallback to a local user.

Once everything is working, you can re-enable ACS integration.

sheikh ahmed zubedi Tue, 05/26/2009 - 06:43

Hi Clarke,

Thanks for your response. I did configure the login fallback under -> Non-ACS -> TACACS+ -> allow local login option.

I wanted to know how I can simulate an ACS appliance failure. I am just stopping the ACS service from -> System Configuration -> Service Control. Is this OK, or do I need to unplug the cable for the ACS, as I am unable to login with the local users on the LMS after shutting down the service?

Thanks

Joe Clarke Tue, 05/26/2009 - 09:06

A failure when doing FULL ACS integration (i.e. not just authentication) is a hard failure. You will need to reset to a local login module to recover. If you're just doing authentication, then you should be able to login as allowed fallback users using local credentials (e.g. admin).

You can simulate an ACS failure by taking ACS off of the network. This can be done by putting in an access-list for tcp/49, unplugging the appliance, etc.
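Before testing whether the "allow local login" fallback engages, it helps to confirm that the simulated outage actually blocks tcp/49 from the LMS host, since a stopped ACS service that still answers on the network (or a half-applied access-list) leaves the login module talking to a reachable server. The probe below is an added example for this thread, not a Cisco tool or anything from the original posts. It opens a plain TCP connection to each configured ACS host on the TACACS+ port and reports whether every server is unreachable, which is the condition under which local fallback is supposed to take over. The hostnames in the `__main__` block are hypothetical placeholders, and `start_local_listener` is only a stand-in for ACS so the check can be exercised offline.

```python
"""Confirm tcp/49 reachability to ACS before and after simulating an outage."""
import socket
from contextlib import closing

TACACS_PORT = 49  # TACACS+ runs over tcp/49, the port the thread suggests filtering


def tacacs_reachable(host, port=TACACS_PORT, timeout=2.0):
    """Return True when a TCP handshake to host:port completes within timeout.

    A refused, unresolvable or timed-out connection is what LMS sees when the
    appliance is unplugged or filtered, so False means the outage is in effect.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
        except (socket.timeout, OSError):
            return False
    return True


def fallback_should_engage(servers, port=TACACS_PORT, timeout=2.0):
    """Probe every configured ACS host; return (per-host results, all_down).

    all_down is True only when no server answers on tcp/49, i.e. the case in
    which the "allow local login" fallback is expected to accept local users.
    """
    results = {host: tacacs_reachable(host, port, timeout) for host in servers}
    return results, not any(results.values())


def start_local_listener():
    """Open a throwaway TCP listener on 127.0.0.1 that stands in for ACS.

    Constructed for offline self-testing: while it is open the probe succeeds;
    closing it mimics taking the appliance off the network.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS pick a free port
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Hypothetical ACS addresses; replace with the hosts configured in LMS.
    acs_servers = ["acs-primary.example.invalid", "acs-secondary.example.invalid"]
    per_host, all_down = fallback_should_engage(acs_servers, timeout=1.0)
    for host, up in per_host.items():
        print(f"{host}: {'reachable' if up else 'unreachable'}")
    print("local fallback expected:", all_down)
```

Run it from the LMS server itself, since that is the host whose path to ACS the access-list or unplugged cable has to break; a probe from an administrator's workstation can show the appliance down while LMS still reaches it over a different path.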

Velin Georgiev Wed, 06/10/2009 - 04:49

Hi,

I was wondering the same thing about the fallback option. I just don't understand how to configure only ACS authentication and not full ACS integration?

Joe Clarke Wed, 06/10/2009 - 09:58

The ACSRegCli command is a Perl script, and cannot be run through Java. The white paper has the correct details here, but messes things up in the FAQ. The actual commands are:

NMSROOT/bin/perl AcsRegCli.pl -unregister
