07-11-2014 08:30 AM
Hello,
We have authentication established between LMS 4.2 and ACS 5.4 but are having issues associating users with the Super Admin role. Currently the default role configured on LMS is the Help Desk role, and that's what users are getting associated with when they are authenticated via ACS. I attempted to configure ACS to send back a custom shell profile with "role0 = Super Admin" (similar to Prime Infrastructure 2.1), but that doesn't appear to be working. How do I need to configure ACS 5.4 to send back the appropriate role?
Thanks,
Brian
07-11-2014 11:00 AM
Hi Brian,
Kindly follow the links below for ACS integration:
https://supportforums.cisco.com/docs/DOC-17909
http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1112433
http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1136882
Hope it will help.
Thanks-
Afroz
***Ratings Encourage Contributors***
07-11-2014 11:05 AM
Thanks for the links, but those don't appear to be applicable to LMS 4.2. I attempted to create a Shell Profile that sent back role0=Super Admin, but it doesn't appear to take.
07-11-2014 12:16 PM
What you are trying to do was applicable up to LMS 3.x. From LMS 4.x onwards this changed, as we don't depend on ACS anymore for authorization.
It would be correct to say that ACS developers removed that portion from ACS 5.x onwards, where integration between LMS and ACS was done for both authentication and authorization.
Now you can only have the authentication part from ACS as a RADIUS server; authorization, i.e. what role a user will have, needs to be configured on LMS itself.
So from LMS 4.x onwards it has Role-Based Access Control (RBAC) built in. It can have the following roles:
• Help Desk—Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.
• Network Operator—Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network.
• Approver—Can approve all tasks.
• Network Administrator—Can perform all Network Operator tasks. Can perform tasks that result in a network configuration change.
• System Administrator—Can perform all system administration tasks.
• Super Admin—Can perform all operations, including the administration and approval tasks.
You can also add customized roles to control the authorization of each feature as well.
For details on how to create a role, see the document here.
-Thanks
Vinod
**Encourage Contributors. RATE Them.**
07-11-2014 04:33 PM
Hi Brian,
What Vinod said is absolutely correct. I think I overlooked the problem and thought you were trying to integrate PI with ACS.
From LMS 4.x onwards, integration with ACS has changed, as we don't depend on ACS anymore for authorization. It is done locally through the LMS ONLY.
Thanks-
Afroz