Cisco Security Manager - ACS Integration

Unanswered Question
Nov 24th, 2009

I have a few questions regarding CSM's ACS integration.

1) What's the difference between using ACS mode and non-ACS TACACS+?

2) I've been testing with ACS mode and it seems that there is a delay between the time a device is added to ACS and CSM's ability to add it. Whenever I add a device in ACS and then try to add it in CSM, I get an error that the device is not authorized. However, if I manually restart the Daemon service, then I can add it without a problem. It seems that CSM does not immediately check ACS, but some local database of authorized devices that is updated at some interval. What is that interval?

3) I understand that when I switch to ACS mode, any devices previously entered in CSM will disappear because they are not authorized in ACS yet. But if they disappear, how can I change the settings? Then it seems like there would be multiple versions of the same devices set up in CSM.

Any help or direction here would be greatly appreciated.

Also, we're running CSM 3.3.0 and ACS 4.2.

Thanks.

Jason

jan.nielsen Tue, 11/24/2009 - 14:08

1. ACS Mode will allow more granular control of user/groups and their access rights to devices in CSM.

2. I have also experienced this "timer". Actually, I found that logging out/back in to CSM with the client will update it, so I have come to the conclusion that this might be cached in the client.

3. The only reason they disappear from CSM is because the devices are not in ACS yet. Be aware that if you use a display name in CSM other than the actual device name, it is this name that must be in ACS, not the device name. Just put the devices already in CSM into your ACS, and they will show up when you change to ACS Mode.

Jan

jason.williams@... Wed, 11/25/2009 - 06:10

So, can I set CSM to non-ACS mode and still use ACS, through TACACS+, to control user authorization as well as access rights (helpdesk, approver, etc.)? I have already configured ACS mode for testing, so all of the CSM settings have been installed in ACS.

I need ACS to be able to control this, but I really don't want ACS mode because we have A LOT of devices that are added as AAA clients with wildcards.  I don't really want to have to create over 3000 new clients.

Thanks.

Jason
