10-26-2009 01:35 PM
Hi,
we want to integrate LMS and ACS. As not all the devices are added in ACS, we want to use DCR local credentials, so we don't want to configure devices as AAA clients in ACS. But if we don't do this, devices are not managed by LMS modules. So is there any configuration that allows us to authenticate and authorize via ACS (TACACS+) but using DCR credentials?
Regards.
10-26-2009 01:36 PM
Absolutely. Don't get caught up with thinking that devices in ACS MUST use ACS for authentication. All you need to do is make ACS AWARE of the devices LMS wishes to manage. You do not actually have to configure the devices to use ACS for AAA services.
So, add your devices as TACACS+ clients to ACS, but configure them to use local authentication, and you'll be set.
10-26-2009 01:42 PM
Yes but how?
In "AAA setup" we have to choose ACS, don't we?
And where do we have to configure devices to use local authentication?
After the integration all our devices were unmanaged because they weren't managed from ACS.
I'm a bit lost...
10-26-2009 01:51 PM
Add all of the devices under Network Configuration. What we did for our lab was to create an NDG called NMS Devices. In that NDG, we created one "device" with IP address ranges to match all of our network devices:
14.32.*.*
172.18.123.*
This way, when LMS asks ACS if a device is authorized for management, ACS replies, "yes".
As for the devices themselves, we still have local authentication configured. For example:
enable password PASSWORD
! (enable secret stores a hash instead of the plaintext/type-7 enable password)
line vty 0 15
 password PASSWORD
 ! login prompts for the line password; it is the IOS default on vty lines
 login
The devices have no concept that there is any ACS server.
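The failure mode earlier in the thread (every device going unmanaged after integration because ACS did not know it) can be checked before flipping the AAA mode. The following is an added example, not code from the thread or from Cisco: it takes a constructed DCR inventory and a constructed list of ACS NDG wildcard addresses in the same `14.32.*.*` form used above, and reports which DCR devices no NDG entry would authorize. It assumes only the trailing-octet `*` wildcard form shown in the thread.

```python
import ipaddress

# Constructed sample: ACS NDG "NMS Devices" entries in the thread's wildcard form
ACS_NDG_RANGES = ["14.32.*.*", "172.18.123.*"]

# Constructed sample DCR inventory: device name -> management IP
DCR_DEVICES = {
    "core-sw1": "14.32.10.1",
    "dist-rtr2": "172.18.123.7",
    "edge-rtr9": "10.0.0.9",       # not covered by any NDG entry
}


def wildcard_to_network(pattern):
    """Convert an ACS-style wildcard address (e.g. 14.32.*.*) to an IPv4 network.

    Fixed leading octets become the prefix; each trailing '*' octet is 8 host
    bits. Only a trailing run of '*' is accepted (assumption for this example).
    """
    octets = pattern.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad pattern: {pattern}")
    fixed = []
    for octet in octets:
        if octet == "*":
            break
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"bad octet in pattern: {pattern}")
        fixed.append(octet)
    # Everything after the first '*' must also be '*'
    if any(o != "*" for o in octets[len(fixed):]):
        raise ValueError(f"non-trailing wildcard in pattern: {pattern}")
    prefix_len = 8 * len(fixed)
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.ip_network(f"{base}/{prefix_len}")


def unmanaged_devices(dcr, ndg_patterns):
    """Return DCR device names whose management IP matches no NDG entry.

    These are the devices ACS would answer "not authorized" for, and that LMS
    would therefore mark unmanaged after the integration.
    """
    networks = [wildcard_to_network(p) for p in ndg_patterns]
    return sorted(
        name for name, ip in dcr.items()
        if not any(ipaddress.ip_address(ip) in net for net in networks)
    )


if __name__ == "__main__":
    print("would be unmanaged:", unmanaged_devices(DCR_DEVICES, ACS_NDG_RANGES))
```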
10-26-2009 02:55 PM
So, in this case, ACS only tells LMS whether the device is authorized for management and nothing else; and CiscoWorks ALWAYS uses the credentials configured in DCR, is this right?
I thought that, after the integration between LMS and ACS, device credentials from Common Services DCR weren't used anymore and those from ACS were the valid ones.
10-26-2009 03:13 PM
Yes, LMS ALWAYS uses the credentials in DCR. Whether or not the device will authenticate those credentials against ACS or its own internal database is up to the config on the devices.
No, LMS NEVER uses the credentials directly from ACS.