CUOM and AAA / ACS Integration v2.2

Sep 14th, 2009

Hi Guys,

I've been looking around but really found little docco or info on this.

We configured a lab build of CUOM 2.2 in standalone mode, discovered devices, and the Service Level View populated fine.

Switched the lab over to integrate with ACS 4.2 and it all worked as before, just with AAA authentication now.

We've done the same thing in production, but now when we integrate with ACS I lose visibility of devices from the Service Level View.

I've ensured devices are added to ACS (I definitely couldn't find any docco on adding the voice servers to ACS - this would be of interest).

I believe we have the rights set up correctly. But I also think this is probably where the issue is.

I'm not really sure on the key area to focus on.

Is it the CUOM System Identity user and his rights that are the most likely culprit? What should I verify?

Is it my actual user account and something to do with device-based filtering - again, didn't find too much info on this one.

I also checked AAA logs and didn't find anything. Just about to try and dive into CUOM / CW logs now.

Any ideas or pointers would be appreciated.

Cheers,

Tim.

Joe Clarke Tue, 09/15/2009 - 07:01

If you have devices missing from CUOM, check the Common Services > Device and Credentials > Reports > Devices not configured in ACS report. If the devices show up there, then those devices are not clients of the ACS server to which CUOM is integrated. It would be a good idea to review this whitepaper on ACS integration. It was written for LMS, but all of the bits apply to CUOM since CUOM uses Common Services.


http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

Tim Smith Tue, 09/15/2009 - 14:48

Sorry, should have mentioned that one. I did face that problem in the beginning, but now they are all configured in ACS, so that isn't the problem.

Cheers,

Tim

Joe Clarke Tue, 09/15/2009 - 15:22

Just to be clear, you aren't seeing any devices in the Devices not configured in ACS report?

Tim Smith Tue, 09/15/2009 - 15:32

That's correct. I originally had problems with this. So I reset back to local login.

Deleted everything from CUOM and DCR.

Rolled back to ACS mode.

Discovered everything again.

Everything I discovered is all authorized by ACS, and there are 0 devices in the not configured report.

The devices show up in DCR.

They also show as monitored in the CUOM device list.

The CUCM clusters don't show in the Service Level View.

The devices show up in the left-hand pane, but they are greyed out, and they do not show in the topology map itself (this is blank).

Cheers,

Tim.

Joe Clarke Tue, 09/15/2009 - 15:54

I don't see any known issues with CUOM 2.2 and ACS integration, and since you say SLV was working prior to ACS integration, something must be wrong with ACS. The most likely candidate is your login user's ACS profile. Verify that the group to which this user belongs has the right roles for all CiscoWorks applications (especially qovr and iptm). Also, make sure that the correct devices are assigned to these applications for this user group. If you are using NDGs in ACS, make sure that you have access to both the device NDGs as well as the NDG which contains the LMS server itself.

Tim Smith Tue, 09/15/2009 - 15:59

Yep, I agree. I think it is something to do with ACS permissions as well. I'll check the NDG setup.

Are there any logs that might help on the CUOM side for this?

Cheers,

Tim

Joe Clarke Tue, 09/15/2009 - 16:04

All of the ACS integration flows through Common Services. If you enable debugging for the Core Admin Module under Common Services > Server > Admin > CS Log Configurations, then logout, log back in, and reproduce the problem, the Core log should have information about the ACS interactions.

Tim Smith Mon, 10/12/2009 - 04:47

Thanks for your help on this one!

As it turns out, the problem was dual NICs on the server.

We believe that the authentication was going through the right NIC to the ACS server, but we think the authorization was not going out the same path, and was failing.

As a side note, we were aware that dual NICs with different IPs were not supported. We were waiting to see if we ran into any issues. I guess this was the first!

Cheers,

Tim.

Joe Clarke Mon, 10/12/2009 - 06:17

Dual NICs are supported, but you need to make sure ALL IP addresses for the CiscoWorks server are added to ACS as allowed TACACS+ clients (really, you only create one client definition, but you add all of the server's IPs).
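
The two checks Joe describes in this thread, the "Devices not configured in ACS" report and the requirement that every IP address of the management server be known to ACS as a TACACS+ client, can be modelled in a few lines. The Python below is an added example and is not code from the thread, from Cisco, or from CUOM/ACS; the routing table, device list and ACS AAA-client entries are constructed for illustration, and the longest-prefix route selection stands in for the server OS's real routing decision, which is what determines the source IP ACS sees on each TACACS+ connection.

```python
"""Consistency checks for a Common Services / CUOM server integrated with ACS.

Added example, not Cisco code. It models two checks from the thread:
  1. every device in DCR must also be a AAA client of the ACS server
     (what the "Devices not configured in ACS" report lists),
  2. every local IP the management server can source TACACS+ from must be
     listed on the ACS AAA-client entry for that server, otherwise requests
     leaving a second NIC arrive from an address ACS does not trust.
All addresses, interface names and routes below are constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple

# (destination prefix, interface, local IP on that interface)
Route = Tuple[str, str, str]

# Constructed: a dual-NIC server with its default route on the second NIC.
SERVER_ROUTES: List[Route] = [
    ("10.1.1.0/24", "eth0", "10.1.1.5"),          # management LAN
    ("192.168.50.0/24", "eth1", "192.168.50.5"),  # voice LAN
    ("0.0.0.0/0", "eth1", "192.168.50.5"),        # default via second NIC
]
SERVER_IPS = ["10.1.1.5", "192.168.50.5"]
ACS_IP = "10.1.9.20"                              # constructed ACS address
ACS_SERVER_CLIENT_IPS = ["10.1.1.5"]              # only the first NIC was added
DCR_DEVICES = ["10.1.1.10", "10.1.1.11", "10.1.2.20"]
ACS_DEVICE_CLIENTS = ["10.1.1.10", "10.1.1.11"]


def select_source_ip(dst: str, routes: Iterable[Route]) -> Optional[Tuple[str, str]]:
    """Longest-prefix match: (interface, source_ip) the server would use for dst."""
    target = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, local_ip in routes:
        net = ipaddress.ip_network(prefix, strict=False)
        if target in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, local_ip)
    return None if best is None else (best[1], best[2])


def devices_not_in_acs(dcr_devices: Iterable[str], acs_clients: Iterable[str]) -> List[str]:
    """Devices present in DCR but not defined as AAA clients on ACS."""
    clients = {ipaddress.ip_address(c) for c in acs_clients}
    missing = [d for d in dcr_devices if ipaddress.ip_address(d) not in clients]
    return sorted(missing, key=ipaddress.ip_address)


def server_ips_missing_from_acs(server_ips: Iterable[str], acs_entry_ips: Iterable[str]) -> List[str]:
    """Local server IPs that the ACS AAA-client entry for the server does not list."""
    known = {ipaddress.ip_address(i) for i in acs_entry_ips}
    missing = [i for i in server_ips if ipaddress.ip_address(i) not in known]
    return sorted(missing, key=ipaddress.ip_address)


def check_tacacs_path(acs_ip: str, routes: Iterable[Route], acs_entry_ips: Iterable[str]) -> Dict[str, object]:
    """Which NIC TACACS+ to ACS leaves from, and whether ACS trusts that source."""
    chosen = select_source_ip(acs_ip, routes)
    if chosen is None:
        return {"interface": None, "source_ip": None, "known_to_acs": False}
    ifname, src = chosen
    known = {ipaddress.ip_address(i) for i in acs_entry_ips}
    return {"interface": ifname, "source_ip": src,
            "known_to_acs": ipaddress.ip_address(src) in known}


if __name__ == "__main__":
    print("Devices not configured in ACS:", devices_not_in_acs(DCR_DEVICES, ACS_DEVICE_CLIENTS))
    print("Server IPs missing from ACS entry:", server_ips_missing_from_acs(SERVER_IPS, ACS_SERVER_CLIENT_IPS))
    print("TACACS+ path to ACS:", check_tacacs_path(ACS_IP, SERVER_ROUTES, ACS_SERVER_CLIENT_IPS))
```

With the constructed data the server reaches ACS through eth1 and sources from 192.168.50.5, which the ACS entry does not list, so the third check fails; adding both server IPs to the single AAA-client definition, as Joe suggests, makes the result independent of which NIC the traffic happens to leave.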

Tim Smith Mon, 10/12/2009 - 14:05

Ah ok, that is contrary to the documentation and the ipc management alias guys. But definitely good advice.

It's all working now, but I will add the other IP to the ACS just in case of any changes down the track.

Cheers,

Tim.

Joe Clarke Mon, 10/12/2009 - 14:09

Common Services supports dual NICs. There may be further restrictions imposed by CUOM, but for purposes of integration, as long as all IPs are known to ACS there should not be a problem from the Common Services/ACS side.

Tim Smith Mon, 10/12/2009 - 14:11

Yep, it's the CUOM docco that states dual NICs are supported, but multiple IP addresses are not.
