LMS application register in ACS not working properly

Answered Question
Aug 20th, 2009

Good day,


I have a strange problem,

I've changed LMS to ACS mode and registered all applications without errors, but when I go to ACS I don't see any options under Group Setup that allow me to select what privilege the group has. However, when I go to "Shared Profile Components" I see the following:


Network Access Filtering

RADIUS Authorization Components

Network Access Restrictions

Shell Command Authorization Sets

PIX/ASA Command Authorization Sets

Cisco Security Manager

Ciscoworks Common Services

CiscoWorks Portal

CiscoView

Resource Manager Essentials

Ciscoworks Campus Manager

Device Fault Manager

Internetwork Performance Monitor


I've tried to do this manually with ACSRegCli.pl and everything comes out successful, but still I can't select privileges in Group Setup. What could I be missing?


Here is the output from the command prompt where I tried to register the applications:


C:\Program Files (x86)\CSCOpx\bin>perl AcsRegCli.pl -listNotRegApp


List of applications not registered with ACS from this server:

CM (Campus Manager)

cwhp (CiscoWorks Common Services)

rme (Resource Manager Essentials)

ipm (Internetwork Performance Monitor)

dfm (Device Fault Manager)

CiscoView (CiscoView)

cwportal (LMS Portal)



C:\Program Files (x86)\CSCOpx\bin>perl AcsRegCli.pl -register all


WARNING: If you have already registered the applications with ACS, any custom roles you have created in ACS for these applications will be lost.

Do you want to continue(Y - register, N - do not register)?Y

INFO: Running command "ACSRegCli registerAll"

- Application cwhp registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application cwportal registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application CiscoView registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application rme registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application CM registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application dfm registration :

Primary ACS server - successful

Secondary ACS server - successful


- Application ipm registration :

Primary ACS server - successful

Secondary ACS server - successful



C:\Program Files (x86)\CSCOpx\bin>
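
A scripted check of the two AcsRegCli.pl outputs quoted in the question, added here as an example (not part of the original thread and not CiscoWorks code): it reconciles the applications listed by -listNotRegApp against the per-server result lines and reports any application without a "successful" line for both ACS servers. The sample text is constructed from the format above, with the last block cut short on purpose; the function names are this example's own.

```python
import re

# Constructed sample in the format of the console output quoted in the question.
# The dfm block is deliberately cut short to show the incomplete-output case.
NOT_REGISTERED = """\
List of applications not registered with ACS from this server:
cwhp (CiscoWorks Common Services)
rme (Resource Manager Essentials)
dfm (Device Fault Manager)
"""
REGISTER_OUTPUT = """\
INFO: Running command "ACSRegCli registerAll"
- Application cwhp registration :
Primary ACS server - successful
Secondary ACS server - successful
- Application rme registration :
Primary ACS server - successful
Secondary ACS server - successful
- Application dfm registration :
Primary ACS server - successful
"""

LISTED_APP = re.compile(r"^(\S+)\s+\(.+\)$")
APP_HEADER = re.compile(r"^-\s*Application\s+(\S+)\s+registration\s*:")
SERVER_RESULT = re.compile(r"^(Primary|Secondary) ACS server\s*-\s*(\S+)")

def parse_not_registered(text):
    """Application IDs from the -listNotRegApp listing, e.g. 'cwhp'."""
    matches = (LISTED_APP.match(line.strip()) for line in text.splitlines())
    return [m.group(1) for m in matches if m]

def parse_registration(text):
    """Map each application ID to {server role: reported status}."""
    results, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := APP_HEADER.match(line):
            current = results.setdefault(m.group(1), {})
        elif (m := SERVER_RESULT.match(line)) and current is not None:
            current[m.group(1)] = m.group(2).lower()
    return results

def unconfirmed(expected, results, roles=("Primary", "Secondary")):
    """Apps (and roles) with no 'successful' line; absent lines count too."""
    gaps = {}
    for app in expected:
        missing = [r for r in roles if results.get(app, {}).get(r) != "successful"]
        if missing:
            gaps[app] = missing
    return gaps

if __name__ == "__main__":
    apps = parse_not_registered(NOT_REGISTERED)
    print(unconfirmed(apps, parse_registration(REGISTER_OUTPUT)))
```

An empty result only confirms what the CLI reported; as this thread shows, the Group Setup options can still be missing after every registration reports success.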

Joe Clarke Thu, 08/20/2009 - 06:42
User Badges: Cisco Employee, Hall of Fame, Founding Member

What versions of LMS and ACS are you using?

Joe Clarke Thu, 08/20/2009 - 06:52

Make sure the ACS admin user you specified in LMS is NOT the ACS appliance admin. If it is, create a new admin user in ACS (under Administration Control) with full rights, then use that user when integrating LMS to ACS. Then try re-registering the applications.

gudvardur Thu, 08/20/2009 - 06:54

I've already checked that... The "Appliance Administrator" is root and I'm using an administrator that I created called cw-admin with full rights, and yes, I've enabled LMS to allow special chars in username....

Joe Clarke Thu, 08/20/2009 - 07:23

Go under Interface Configuration > TACACS+ (Cisco), and make sure the checkbox under the Group column is checked for all of the CiscoWorks "New" services. Attached is a screenshot from my ACS server.



gudvardur Thu, 08/20/2009 - 07:28

The New Service list is empty, shall I create it by hand?

Correct Answer
Joe Clarke Thu, 08/20/2009 - 07:33

You could try, since you say the applications do show up under shared profile components. But I've never seen this particular behavior before. What settings do you have under Interface Control > Advanced in ACS?

gudvardur Thu, 08/20/2009 - 07:38

I manually added all of these, and now I see the option under Group Setup....


I've attached a screenshot of the Advanced settings under Interface Control....


Now I just have to log in and confirm this is working.... Any other info you want me to post here regarding this?



Joe Clarke Thu, 08/20/2009 - 07:41

You have a few settings which differ from my server, but none that should account for this. Go ahead and configure the missing LMS applications, then set up your System Identity User and group in ACS, and see what LMS says.

gudvardur Thu, 08/20/2009 - 08:05

This works like a charm! :D Thank you so much jclarke
