LMS Authentication with ACS 5.1

Answered Question
Apr 19th, 2010

Hi, I am using LMS authentication via ACS. I am able to log in to LMS successfully with my ACS user name and password, but I cannot execute most of the tasks; it says you are not authorised. Do I need to do anything in LMS except setting the login module to TACACS...


Let me know if I missed something.


Thanks

Ninja

Correct Answer
Joe Clarke Mon, 04/19/2010 - 00:35
User Badges: Cisco Employee, Hall of Fame, Founding Member

Integration with ACS 5.1 is not yet supported. You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration. Disable AAA mode, and set the login module to be TACACS+. Point that to your 5.1 server, and you should be able to log in and run tasks in LMS. However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

jain.nitin Mon, 04/19/2010 - 02:43

Thanks, it worked. But I need to ask one thing: should the password match the ACS password for a user? Because I know my password but don't know the other users' passwords which are on ACS, so I just wanted to check. Will LMS check only the username, or the password as well, before giving authorization to a user?

Joe Clarke Mon, 04/19/2010 - 08:24

If you are using an external authentication module, you do not need to specify a password for your users in LMS. LMS will use the external login module for authentication. All you need to specify in LMS are the roles the user will require.

ROMAN TOMASEK Fri, 04/08/2011 - 05:07

Hello Joe,


I have one question about authorization. Is it possible to use an AV pair or shell in ACS 5 (RADIUS or TACACS) for assigning a role (defined in LMS 4.0) to the users? Like the following: shell:admin=SuperAdmin default-domain. I think that creating a lot of the same users in LMS as in ACS, when different roles are assigned to these users, is horrible for my customers. Thank you.

Roman

Joe Clarke Fri, 04/08/2011 - 09:05

Unfortunately, this is not possible. All authorization in LMS 4.0 must be done locally. There is no way to inject authorization data from an AAA server into LMS 4.0.
