LMS and ACS configuration

Answered Question
Oct 26th, 2009

Hi,

We want to integrate LMS and ACS. As not all the devices are added in ACS, we want to use the DCR local credentials, so we don't want to configure the devices as AAA clients in ACS. But if we don't do this, the devices are not managed by the LMS modules. So is there any configuration that allows us to authenticate and authorize via ACS (TACACS+) but using the DCR credentials?

Regards.


Joe Clarke Mon, 10/26/2009 - 13:36
User Badges: Cisco Employee, Hall of Fame, Founding Member

Absolutely. Don't get caught up with thinking that devices in ACS MUST use ACS for authentication. All you need to do is make ACS AWARE of the devices LMS wishes to manage. You do not actually have to configure the devices to use ACS for AAA services.


So, add your devices as TACACS+ clients to ACS, but configure them to use local authentication, and you'll be set.

cmartinvalle Mon, 10/26/2009 - 13:42

Yes but how?

In "AAA setup" we have to choose ACS, don't we?

And where do we have to configure devices to use local authentication?

After the integration all our devices were unmanaged because they weren't managed from ACS.

I'm a bit lost...

Correct Answer
Joe Clarke Mon, 10/26/2009 - 13:51
User Badges: Cisco Employee, Hall of Fame, Founding Member

Add all of the devices under Network Configuration. What we did for our lab was to create an NDG called NMS Devices. In that NDG, we created one "device" with IP address ranges to match all of our network devices:

14.32.*.*
172.18.123.*

This way, when LMS asks ACS if a device is authorized for management, ACS replies, "yes".


As for the devices themselves, we still have local authentication configured. For example:

enable password PASSWORD
line vty 0 15
 password PASSWORD
 login
! 'login' makes the vty password actually be checked; without it the line accepts sessions unauthenticated

The devices have no concept that there is any ACS server.
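A small audit script, added here as an example and not part of the thread, that reproduces the check Joe describes: for each device in a DCR inventory it decides whether an ACS NDG wildcard range covers its address, so you can see in advance which devices LMS would leave unmanaged. The wildcard syntax is the one from the post; the device names and addresses in the inventory are constructed.

```python
"""Audit which DCR devices an ACS NDG IP-range entry would authorize for LMS."""
import ipaddress

# ACS NDG "device" entry with wildcard ranges, as in the post above
NDG_RANGES = ["14.32.*.*", "172.18.123.*"]

# Constructed sample DCR inventory (hypothetical names and addresses)
DCR_DEVICES = {
    "core-sw1": "14.32.0.10",
    "dist-sw2": "14.32.200.5",
    "edge-rtr1": "172.18.123.7",
    "lab-rtr9": "172.18.124.7",
    "mgmt-fw1": "10.0.0.1",
}


def wildcard_to_network(pattern):
    """Turn an ACS-style wildcard such as '14.32.*.*' into an ip_network.

    Only trailing wildcards are accepted, which is what an ACS range entry
    expresses; '14.32.*.5' is rejected rather than silently matched.
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad pattern: {pattern}")
    fixed = []
    for i, octet in enumerate(octets):
        if octet == "*":
            if any(rest != "*" for rest in octets[i:]):
                raise ValueError(f"wildcard must be trailing: {pattern}")
            break
        value = int(octet)
        if not 0 <= value <= 255:
            raise ValueError(f"octet out of range: {pattern}")
        fixed.append(str(value))
    prefix = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix}")


def is_authorized(ip, patterns):
    """True when ACS would answer 'yes' to LMS for this device address."""
    addr = ipaddress.ip_address(ip)
    return any(addr in wildcard_to_network(p) for p in patterns)


def unmanaged_devices(inventory, patterns):
    """Names of devices no NDG range covers, i.e. the ones LMS would drop."""
    return sorted(name for name, ip in inventory.items()
                  if not is_authorized(ip, patterns))


if __name__ == "__main__":
    for name in unmanaged_devices(DCR_DEVICES, NDG_RANGES):
        print(f"{name} ({DCR_DEVICES[name]}) is outside every ACS NDG range")
```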

cmartinvalle Mon, 10/26/2009 - 14:55

So, in this case, ACS only tells LMS whether the device is authorized for management and nothing else, and CiscoWorks ALWAYS uses the credentials configured in DCR, is this right?

I thought that, after the integration between LMS and ACS, device credentials from Common Services DCR weren't used anymore and those from ACS were the valid ones.

Correct Answer
Joe Clarke Mon, 10/26/2009 - 15:13
User Badges: Cisco Employee, Hall of Fame, Founding Member

Yes, LMS ALWAYS uses the credentials in DCR. Whether or not the device will authenticate those credentials against ACS or its own internal database is up to the config on the devices.


No, LMS NEVER uses the credentials directly from ACS.
