LMS and ACS

Unanswered Question
Oct 15th, 2009

Hi,


We have 4 Ciscoworks servers using an ACS user ID and password to allow Ciscoworks to do its various activities. We are not ACS integrated.

We are trying to develop a process where we can expire the Ciscoworks ACS user ID's password every 90 days. What we envision, to avoid problems, is to reset the password every 60 or 70 days, prior to expiry.


I want to know what would be the best process to facilitate this.


Running LMS 3.01 with CS/RME/CAMPUS on Windows 2003 SP1; ACS 4.1 on Windows 2003 Server SP1.


Please check.


-Thanks

Joe Clarke Thu, 10/15/2009 - 12:40
User Badges: Cisco Employee, Hall of Fame, Founding Member

You mean you're using an ACS account in DCR in order to connect to the devices, and you want to change this in DCR for all devices on a monthly basis?

georgeef1 Thu, 10/15/2009 - 12:57
Hi Jclarke,


Thanks.


Yes, we want the credentials in DCR to be changed every couple of months, or after a specified amount of time.


We have a large number of devices and it is impossible for us to change those manually. So we want something which can update the credentials in DCR as per ACS.


We are also looking for the same for LMS as well, so that the password for those users expires after a specified time.


I think, for LMS, that has to be done through ACS, right?


But if an LMS server has nothing to do with ACS (standalone), is there a way we can set password policies for password expiry for users?


Please advise.


-Thanks

Joe Clarke Thu, 10/15/2009 - 13:03

If the ACS is administering your users (that is, you're using the TACACS+ or Radius login module in LMS), then you don't have to worry about user passwords. All of that will be handled in ACS, and the user will just need to know to use the new password when next logging into LMS.


As for updating DCR, this cannot happen automatically. Whenever your ACS device account password changes, you will need to go to Common Services > Device and Credentials > Device Management in the GUI, then select all the devices, and click the Edit Credentials button. Then update the password for the telnet/SSH user.


You could also do this using dcrcli, by first exporting the device list using the dcrcli "exp" command. Then search and replace the old password with the new, then use the impFile command with the "cr=file" argument to import the changes back into DCR.
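As an added illustration (not code from this thread or from Cisco), here is a Python pass over a dcrcli export file that changes only the password field of rows using the shared ACS account, instead of a blanket search and replace that could also hit enable passwords or other fields holding the same string. The column names primary_username and primary_password, and the sample export itself, are assumptions; check the header line of your own export before relying on them.

```python
import csv
import io

# Constructed sample of a DCR CSV export. The column names are an assumption
# about the export layout; compare with the header of a real dcrcli "exp" file.
SAMPLE_EXPORT = """\
; This file is generated by DCR Export utility (constructed sample)
management_ip_address,host_name,primary_username,primary_password,primary_enable_password
10.0.0.1,core-sw1,lms_acs_user,OldPass123,EnableSecret
10.0.0.2,edge-rtr1,lms_acs_user,OldPass123,OldPass123
10.0.0.3,lab-sw1,localadmin,OldPass123,Other
"""


def rotate_dcr_password(export_text, acs_user, old_pw, new_pw):
    """Return (rewritten_export, changed_row_count).

    Only the primary_password column of rows whose primary_username equals the
    shared ACS account, and whose password still equals old_pw, is updated.
    Comment lines (';') and all other columns pass through unchanged, so an
    enable password or community string that happens to equal old_pw is left
    alone (row 10.0.0.2 above shows this).
    """
    comments, data_lines = [], []
    for line in export_text.splitlines():
        (comments if line.startswith(";") else data_lines).append(line)

    reader = csv.DictReader(data_lines)
    rows = list(reader)
    changed = 0
    for row in rows:
        if row["primary_username"] == acs_user and row["primary_password"] == old_pw:
            row["primary_password"] = new_pw
            changed += 1

    out = io.StringIO()
    if comments:
        out.write("\n".join(comments) + "\n")
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), changed


if __name__ == "__main__":
    text, n = rotate_dcr_password(SAMPLE_EXPORT, "lms_acs_user", "OldPass123", "NewPass456")
    print(f"{n} device credential rows updated")
    print(text)
```

The rewritten file is what you would then feed to the impFile import step described above; rows for the ACS account whose stored password no longer matches old_pw are deliberately left untouched so they stand out for review.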

georgeef1 Thu, 10/15/2009 - 14:22
Thank you very much jclarke.


One last question: are there any plans to include such a utility to keep the DCR in sync, so that we don't have to do it manually?


The current procedure is okay for a few devices, but a 9-10k device LMS user will be in a mess.


-Thanks

Joe Clarke Thu, 10/15/2009 - 14:25

There is going to be a lot more ACS integration in LMS 4.0, but I haven't seen where this specific type of integration will be there. However, if all of your devices use the same ACS account, the overhead for a user with one device vs. one with 10K devices is the same. The credential update can be done universally in one step.

georgeef1 Wed, 10/21/2009 - 12:11
Thanks jclarke,


So finally, right now there is no possibility: if a user has changed the password for login to ACS, and the same previous TACACS password was configured for DCR devices, LMS will not be able to give a notification or sync the password with the user, right?


The only way we can do it is doing it manually.


-Thanks

Joe Clarke Wed, 10/21/2009 - 21:32

This is correct. LMS has no way of synchronizing DCR passwords with ACS in an automated fashion. However, you could configure job policies to require job-based passwords (under RME > Admin > Config Mgmt > Config Job Policies), and that would force users to specify a username and password at job creation time.
