cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
638
Views
0
Helpful
1
Replies

LMS 3.01 / ACS 4.1 - Device Management Permission / Issue

Mike Bailey
Level 1
Level 1

Hi there,


We run a secured network where all devices use TACACS+ to ACS and users have different permisisons on the end devices from read only, limited changes (port up/down) to full admin.

We have LMS 3.01 integrated to ACS and again different users have different permissions with LMS to match their rights on the network.

We have an issue where we keep getting devices in conflicting, alias or pre-deployed state.


Within the RME home page they show up on the left hand side and our users want to be able to click on the numbers and open up the Device Management centre list of devices in each state - see first attachment.

Working in a development environment and looking at the 'failed attempts' in ACS I can see the permission it needs is "Devicve Management' - see 2nd attachment.

If I enable this, when a user clicks on an entry withi nthe Device Management Status window in the RME homepage it opens up the Device Management window BUT (and this is a big but) it allows EXPORT of the devices and credentials - see last attachment.

This is categorically unacceptable - exporting from the DCR would export the ACS credentials used by LMS which have full rights on the network and exposing these to any users blows away all the security we have with different users having different permissions.

Is there any way to get a list of devices in the various states without enabling the RME 'Device Management' permission and destroying our security model?

Thanks

Michael

1 Reply 1

Joe Clarke
Cisco Employee
Cisco Employee

Unfortunately, the Export feature is tied to this role and cannot be separated.  There is no other way to get the specific list of devices in each state.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: