LMS integration with ACS

Unanswered Question
Jul 16th, 2009

Hi all, I had successfully integrated LMS 3.0.1 with ACS 4.2 and it was working fine, but I noticed it was very slow after integration; each window was taking time to open, and the HUM front page could not be seen properly. I was not able to view CPU utilization and interface error reports on the front page, so I removed the integration of LMS with ACS. Now it's working fine and it's fast also. HUM is also viewable, but I want to integrate with ACS. Does anybody have any idea why it's slow after integration and why I was not able to view the HUM front page (even though the systemID account was configured properly and was getting passed authentication in ACS)? Is there any solution for this? Also, when I shut down ACS I was not able to log in to LMS; local authentication was not working. Any kind of help will be appreciated.

Joe Clarke Thu, 07/16/2009 - 13:15
User Badges: Cisco Employee, Hall of Fame, Founding Member

You need to add an entry for the ACS server into the LMS server's local hosts file. That will correct the performance problem. If pieces of HUM were not working with ACS integration, then I imagine you did not integrate correctly. Make sure that your System Identity User and your login user both have the necessary task rights and device access in ACS. For the System Identity User, you must grant all access for HUM for all devices.

Note: there is also a bug in HUM 1.0 if the System Identity User is not admin where jobs can fail to work. The bug is CSCsr93292, and is fixed in 1.0.2 (available from http://www.cisco.com/cgi-bin/tablebuild.pl/cw2000-hum ).

Local authentication is not meant to work when ACS is unreachable. In that case, you have maybe one fallback user (configured in the TACACS+ login module) who can log in and make emergency changes. Typically, though, the solution is to [temporarily] set the login module back to local using the NMSROOT/bin/ResetLoginModule.pl script. A better alternative is to set up multiple ACS servers for redundancy.
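
One way to verify the hosts-file entries recommended in the reply above, covering the case where several ACS servers are configured for redundancy. This is an added example, not part of the original thread or any Cisco tooling; the hostnames, addresses, sample file and function names are constructed assumptions.

```python
import ipaddress

# Constructed sample hosts file for an LMS server; names and addresses are made up.
SAMPLE_HOSTS = """\
# LMS server hosts file (constructed sample)
127.0.0.1      localhost
192.0.2.10     acs1.example.net acs1   # primary ACS
192.0.2.99     acs2.example.net        # stale address for the secondary ACS
not-an-ip      junk
"""

def parse_hosts(text):
    """Return {lowercase name: [ip, ...]} from hosts-file text, skipping comments and bad lines."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # first field is not an IP address
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(ip)
    return table

def check_acs_entries(hosts_text, acs_servers):
    """acs_servers: {hostname: expected ip}. Returns {hostname: status string}."""
    table = parse_hosts(hosts_text)
    report = {}
    for name, expected in acs_servers.items():
        want = str(ipaddress.ip_address(expected))
        found = table.get(name.lower(), [])
        if not found:
            report[name] = "missing"
        elif found[0] != want:
            # Lookups generally stop at the first matching line, so that one must be right.
            report[name] = f"mismatch (hosts file has {found[0]})"
        elif len(set(found)) > 1:
            report[name] = "ok, but conflicting later entries present"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    expected = {"acs1.example.net": "192.0.2.10", "acs2.example.net": "192.0.2.11",
                "acs3.example.net": "192.0.2.12"}
    for host, status in check_acs_entries(SAMPLE_HOSTS, expected).items():
        print(f"{host}: {status}")
```

To run it against a real server, pass the contents of that server's hosts file and the ACS names and addresses configured in the login module in place of the constructed values.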

