CSM policy authorization

Unanswered Question
Sep 11th, 2009

I have a CSM server currently authenticating locally that I wish to change to authenticate against a Cisco ACS server.

The ACS server has the schema loaded for CSM, and the apps are all registered (via the CiscoWorks config panel on the CSM server).

I have a user that's a member of a group that has SuperUser access or Systems Administrator access (Whichever is highest) of all the registered apps.

But when the user logs into CSM I can only view SOME of the firewall policies... I get 'You are not Authorized to view this policy' when trying to view SOME of the Access Rules policies...

Where exactly is this set? I can't find anywhere to even specify who has access to which policy.

Also the user can't see individual devices in the device view. And it would appear that this is somehow the cause of not being able to view SOME of the policies... Where a policy has been assigned to a device, the user can't see it.

Exactly what privileges does an ACS authenticated user require if SuperUser isn't enough?

lchuser7680 Fri, 09/11/2009 - 06:53

OK.

I found one of the problems was due to the fact that CSM had FQDNs but ACS had short names that sometimes don't coincide with the actual box name... Sigh. So I've addressed that for the routers/switches.

However, FWSMs with multiple contexts are causing somewhat of a problem.

We run the FWSMs in active/active with multiple contexts... However, the hostnames defined have to be unique... CSM appends _CONTEXTNAME to a host to define a unique name for the context.

However, now it doesn't match an entry in ACS and therefore doesn't show the device (or its policies) in CSM.

I can't add a second hostname for the device in ACS because the contexts are accessed via the admin context IP address, and I'd need to have multiple devices on one IP, which ACS doesn't like.

Has anyone else got a multi-context FWSM pair in active/active managed via CSM and authenticated with ACS? Or am I unique here?

TIA
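An added example, not from this thread or from Cisco, of a small Python audit that compares the device names CSM uses (FQDNs, with _CONTEXTNAME appended for FWSM contexts) against the ACS network device list, so the name mismatches described above can be found before users hit "not authorized". The sample names and the matching rule (case-insensitive, first DNS label as the short name) are assumptions.

```python
import re

# Constructed sample data: device names as CSM presents them.
# FWSM contexts appear as <fqdn>_<CONTEXT>, as described in the thread.
CSM_DEVICES = [
    "rtr-core1.example.com",
    "sw-dist2.example.com",
    "fwsm-a.example.com_ADMIN",
    "fwsm-a.example.com_DMZ",
    "fwsm-b.example.com_ADMIN",
    "asa-edge.example.com",
]

# Constructed sample data: network device entries as defined in ACS (short names).
ACS_DEVICES = ["rtr-core1", "sw-dist2", "fwsm-a", "fwsm-b"]

# Assumption: DNS names never contain "_", so a trailing "_<name>" is a CSM context suffix.
CONTEXT_SUFFIX = re.compile(r"_([A-Za-z0-9-]+)$")


def split_csm_name(name):
    """Return (short hostname, context-or-None) for a CSM device name."""
    m = CONTEXT_SUFFIX.search(name)
    context = m.group(1) if m else None
    base = name[: m.start()] if m else name
    return base.split(".")[0].lower(), context


def audit(csm_names, acs_names):
    """Classify each CSM device by how (or whether) it matches an ACS entry."""
    acs = {n.lower() for n in acs_names}
    report = {}
    for name in csm_names:
        host, context = split_csm_name(name)
        if name.lower() in acs:
            report[name] = "ok"                       # exact name present in ACS
        elif host in acs and context is not None:
            report[name] = f"context {context} not in ACS"  # the FWSM case above
        elif host in acs:
            report[name] = "short name only"          # FQDN vs short-name mismatch
        else:
            report[name] = "missing"                  # no ACS entry at all
    return report


if __name__ == "__main__":
    for device, status in audit(CSM_DEVICES, ACS_DEVICES).items():
        print(f"{device:32} {status}")
```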
