LMS and ACS configuration

cmartinvalle
Level 1

Hi,

We want to integrate LMS and ACS. As not all the devices are added in ACS, we want to use the DCR local credentials, so we don't want to configure the devices as AAA clients in ACS. But if we don't do this, the devices are not managed by the LMS modules. So, is there any configuration that allows us to authenticate and authorize via ACS (TACACS+) while still using the DCR credentials?

Regards.


5 Replies

Joe Clarke
Cisco Employee

Absolutely. Don't get caught up with thinking that devices in ACS MUST use ACS for authentication. All you need to do is make ACS AWARE of the devices LMS wishes to manage. You do not actually have to configure the devices to use ACS for AAA services.

So, add your devices as TACACS+ clients to ACS, but configure them to use local authentication, and you'll be set.

Yes, but how?

In "AAA setup" we have to choose ACS, don't we?

And where do we have to configure the devices to use local authentication?

After the integration, all our devices were unmanaged because they weren't managed from ACS.

I'm a bit lost...

Add all of the devices under Network Configuration. What we did for our lab was to create an NDG called NMS Devices. In that NDG, we created one "device" with IP address ranges to match all of our network devices:

14.32.*.*

172.18.123.*

This way, when LMS asks ACS if a device is authorized for management, ACS replies, "yes".

As for the devices themselves, we still have local authentication configured. For example:

! Local enable password; no AAA/TACACS+ is configured on the device
enable password PASSWORD
!
! Local line password on the VTY lines; "login" makes the line prompt for it
line vty 0 15
 password PASSWORD
 login

The devices have no concept that there is any ACS server.
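A small added check (not code from the thread or from Cisco) that applies the idea in this answer: given the DCR device list and the NDG's wildcard entries, it reports which devices ACS would not authorize and LMS would therefore show as unmanaged. It assumes only the per-octet "*" wildcard shown above; the device names and addresses are constructed.

```python
import ipaddress
import re

# Constructed sample: the ACS NDG "NMS Devices" entries from the answer
# above, one wildcard "device" per range. '*' matches any value in that octet.
ACS_NDG_PATTERNS = ["14.32.*.*", "172.18.123.*"]

# Constructed sample of devices as they might be listed in the LMS DCR.
DCR_DEVICES = {
    "core-sw1": "14.32.1.1",
    "dist-sw2": "172.18.123.7",
    "edge-rtr3": "172.18.124.7",   # not covered by any NDG entry
}

_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def pattern_to_regex(pattern):
    """Translate an ACS-style dotted pattern ('*' = any octet) to a regex."""
    parts = pattern.split(".")
    if len(parts) != 4:
        raise ValueError(f"bad pattern: {pattern!r}")
    out = []
    for p in parts:
        if p == "*":
            out.append(_OCTET)
        elif re.fullmatch(r"\d{1,3}", p) and int(p) <= 255:
            out.append(re.escape(p))
        else:
            raise ValueError(f"unsupported octet {p!r} in {pattern!r}")
    return re.compile(r"\.".join(out))


def acs_authorizes(ip, patterns):
    """True if an NDG entry covers this address, i.e. ACS would answer LMS 'yes'."""
    ipaddress.IPv4Address(ip)  # reject malformed input early
    return any(pattern_to_regex(p).fullmatch(ip) for p in patterns)


def unmanaged_after_integration(devices, patterns):
    """Device names LMS would mark unmanaged because no NDG entry covers them."""
    return sorted(n for n, ip in devices.items() if not acs_authorizes(ip, patterns))


if __name__ == "__main__":
    for name in unmanaged_after_integration(DCR_DEVICES, ACS_NDG_PATTERNS):
        print(f"{name} ({DCR_DEVICES[name]}): not covered by any ACS NDG entry")
```

Run it against an export of the DCR before switching AAA mode to ACS, so that every device that would drop to unmanaged is known in advance.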

So, in this case, ACS only tells LMS whether the device is authorized for management and nothing else, and CiscoWorks ALWAYS uses the credentials configured in DCR. Is this right?

I thought that, after the integration between LMS and ACS, the device credentials from the Common Services DCR weren't used anymore and those from ACS were the valid ones.

Yes, LMS ALWAYS uses the credentials in DCR. Whether or not the device will authenticate those credentials against ACS or its own internal database is up to the config on the devices.

No, LMS NEVER uses the credentials directly from ACS.
