LMS 3.1 integration with ACS4.1

Unanswered Question
Aug 9th, 2009


I get the following error when i change the authentication mode to ACS

"Not Reachable

- ACS Admin credentials may be wrongly configured in "AAA Setup Mode".

- IP Filtering may be configured in ACS.

See the "Reports and Activity" -> "Administration Audit" in ACS for more details."

I have configured all privileges for the ACS admin account and can also reach the ACS server using http from the CW Server. Please advise.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Joe Clarke Sun, 08/09/2009 - 01:30

You need to be able to reach both the HTTP port (default is tcp/2002), but also the TACACS+ port (tcp/49). Make sure both of those ports are reachable from the LMS server. If you are using HTTPS on the ACS server, make sure you check the HTTPS checkbox in LMS.

There is another caveat as well. Even though tcp/2002 is used for the initial connection to ACS, ACS will choose another TCP port for the session. This port range is adjustable within ACS. But you need to make sure the LMS server can reach those administrative TCP ports as well.

jaisonjose Sun, 08/09/2009 - 01:37

i can access the acs using port 2002 . Sorry for my ignorance but how do i know what port is being used by the acs for the session between them.

Joe Clarke Sun, 08/09/2009 - 01:40

You also need to check tcp/49. As for the administrative port range, that is configured under Administration Control > Access Policy in ACS. By default, all ports greater than 1023 are available.

jaisonjose Sun, 08/09/2009 - 01:48

I have the following configured on the ACS

"Allow any TCP ports to be used for Administration HTTP Access"

i am pasting the failure attempt registed on the acs since the username being displayed there looks strange to me . The acs admin account name is admin while the CW server seems to be using a name secret user to authenticate.

08/09/2009 12:25:43 Authen failed secretuser Default Group (Default) ACS user unknown .. .. .. .. .. .. .. .. cwlms1 ..

Joe Clarke Sun, 08/09/2009 - 09:50

There are two usernames required for ACS integration. One is the LMS System Identity User. This user must be created as a user account within ACS (under User Setup). The second is an ACS admin user. This user needs to be created under Administration Control, and must be granted full access to all ACS admin rights. This user must NOT be the appliance administrator (if this is an ACS appliance).

You must also make sure your LMS server is a valid TACACS+ client of the ACS. This is done under Network Configuration within ACS.

This document should help get you started:


jaisonjose Sun, 08/09/2009 - 12:23

Thanks but i had already configured the acs considering the points you have mentioned. I am using the ACS software and not the appliance. Are there any known issues with the integration if the CWLMS server is a virtual machine. Also note that I am using the Change to ACS mode from the server setup and not AAA mode setup.

Joe Clarke Sun, 08/09/2009 - 12:41

No, there are no issues. Working from with CiscoWorks Assistant or the Common Services > Security interface are the same.

One of these key points is not correct:

* The ACS admin user specified in LMS is not properly configured on the ACS server.

* The LMS server cannot reach the ACS server on TCP port 49.

* The LMS server is not defined as a TACACS+ client in ACS.

Here is another document created by TAC to assist with basic ACS integration. It was written for LMS 2.5, but the same points exist in LMS 3.1. Go step-by-step to make sure your config is correct.



This Discussion