Cisco Prime LMS 4.2 TACACs Auth ACS 5.4

Brian Saunders
Level 1

Hello,

We have authentication established between LMS 4.2 and ACS 5.4 but having issues associating users with the Super Admin role.  Currently the default role configured on LMS is the Help Desk role and that's what users are getting associated with when getting authenticated via ACS.  I attempted to configure ACS to send back a custom shell profile with "role0 = Super Admin" (similar to Prime Infrastructure 2.1) but that doesn't appear to be working.  How do I need to configure ACS 5.4 to send back the appropriate role?

Thanks,

Brian

4 Replies

AFROJ AHMAD
Cisco Employee

Hi Brian,


Kindly follow the links below for ACS integration:


https://supportforums.cisco.com/docs/DOC-17909

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1112433

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1136882


Hope it helps.


Thanks-

Afroz

***Ratings Encourages Contributors***


Thanks for the links, but those don't appear to be applicable to LMS 4.2.  I attempted to create a Shell Profile that sent back role0=Super Admin, but it doesn't appear to take.

What you are trying to do was applicable till LMS 3.x. From LMS 4.x onwards this changed, as we don't depend on ACS anymore for authorization.

It would be correct to say that the ACS developers removed, from ACS 5.x onwards, the portion where integration between LMS and ACS was done for both authentication and authorization.

Now you can only have the authentication part from ACS as a RADIUS server; authorization, or what role a user will have, needs to be configured on LMS itself.

So from LMS 4.x onwards it has Role-Based Access Control (RBAC) built in. It can have the following roles:

Help Desk—Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.

Network Operator—Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network.

Approver—Can approve all tasks.

Network Administrator—Can perform all Network Operator tasks. Can perform tasks that result in a network configuration change.

System Administrator—Can perform all system administration tasks.

Super Admin—Can perform all operations including the administration and approval tasks.

You can also add customized roles to control each feature authorization as well.

For details on how to create a role, see the document here.

-Thanks

Vinod

**Encourage Contributors. RATE Them.**


AFROJ AHMAD
Cisco Employee

Hi Brian,

What Vinod said is absolutely correct. I think I overlooked the problem and thought you were trying to integrate PI with ACS.


From LMS 4.x onwards, integration with ACS has changed, as we don't depend on ACS anymore for authorization; it is done locally through LMS ONLY.


Thanks-

Afroz
