LMS 2.5.1 and ACS 4.0 Integration

Sep 19th, 2006
hi


i have the following environment.

cw lms 2.5 from december 2005 on solaris 9 platform. common services release is 3.0.3. cw is configured for master/slave on the dcr. acs 4.0 appliance.

now i try to register the cw application with the acs. but i get only failure messages like "failure on primary acs, failure on secondary acs".

what i like to do, is to register the application and configure the cw user roles on the acs.

but at the moment i am not sure anymore that this works.

is there somebody who has a similar environment that works?


regards


hr

Overall Rating: 4 (2 ratings)
frankzehrer Tue, 09/19/2006 - 03:40
User Badges:
  • Silver, 250 points or more

Hi Hansruedi,


try this short description!

I guess your failure relies on the system identity user. Maybe it is not set up in the ACS as a valid user account!


ON CISCOWORKS
===============


* Step 1: Set up a System Identity User


-Common Services > Server >Security >Multi-Server Trust Management >System Identity Setup



* Step 2: Ensure that System Identity User is a local User with all the roles


-Server >Security >Single-Server Management >Local User Setup



ON ACS
=======


* Step 3: Define a group for CW Admin Users in ACS


-Go to GROUP SETUP


-Rename an available Group to something suitable such as CWAdmins


-Edit Settings


-Sessions available to user = unlimited



* Step 4: Add the CW system identity user (and other Admin users in CW) to ACS


-Go to USER SETUP


-Create Users for Ciscoworks including the System Identity User in ACS


-password


-Assign all these Admin users to the Group created in Step 3



* Step 5: Add a network device group with Ciscoworks as a Client


-Go to NETWORK CONFIGURATION


-Name


-IP address or range with wildcard masks


-key


-Authenticate using: TACACS+ (Cisco IOS)


-Submit+Restart


Note: (If NDG options are not visible, you can enable Network Device Groups in ACS under INTERFACE CONFIGURATION > ADVANCED)



ON CISCOWORKS
===============


* Step 6: Change CW AAA Mode to ACS TYPE (and register CW applications with ACS)


-Common Services > Server > Security > AAA Mode Setup


-Select ACS type


-Fill in IP address/Hostname of ACS server


-Fill in the ACS admin login information and the shared key


Note: "ACS admin login" must be a user with full admin rights to ACS (i.e. one configured under Administration Control in ACS with ALL options checked)


-Put a check mark in "Register all installed applications with ACS" **


-Click on apply


-Restart CW Daemon Manager for above changes to take effect.



**WARNING: Make sure that AFTER the first successful registration to any specific ACS server, you always keep this box UNCHECKED if switching between ACS and non-ACS modes on LMS server.


Failure to do so will erase all custom roles (SUPERUSER) and you will need to do Step 7-8 on ACS again.



ON ACS
=======


* Step 7: Add "SUPERUSER" role for each module of Ciscoworks in ACS


-Go to SHARED PROFILE COMPONENTS


-Select a CW module (such as Common Services)


-ADD


-Name it CWSuperUser or something similar


-Select everything under the available functionality for that module


--REPEAT above procedure for Ciscoview, RME, Campus, DFM and any other Ciscoworks modules such as IPM, etc.



* Step 8: Assign the "SUPERUSER" role to the Admins Group (created in Step 3)


-Go to GROUP SETUP


-Edit Settings


-Select cwhp, rme, campus, dfm and any other CW components and select the "SUPERUSER" role (created in step 7)


-Submit+Restart




IMPORTANT: Once ACS mode is enabled on Ciscoworks, ALL devices MUST be added to the same ACS server as clients for them to be manageable in Ciscoworks. While the devices must be known (i.e. configured as clients) in the same ACS server, they do not have to use that ACS for their own AAA configuration, nor do those devices need to be configured for AAA themselves.


I hope that helps.


Best regards,


Frank



hansruedi.spycher1 Wed, 10/11/2006 - 01:06

hi frank


thank you for your manual. i did the steps as you told in your manual. it didn't work with the acs solution engine 4.0 (1113).

i installed the acs software packet 4.0 on a windows server to check how this is working. configured the steps from your manual and cw can register the applications with acs.

so i opened a case with the tac.


thank you anyway


regards


hansruedi

Joe Clarke Tue, 10/31/2006 - 09:26
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

ACS 4.0 running on an appliance is supported starting in LMS 2.6. Prior versions only supported ACS 4.0 running on a Windows server or ACS 3.3 appliance software.


The original poster was trying to integrate LMS 2.5.1 with ACS 4.0 on an appliance, which will not work.

yjdabear Tue, 10/31/2006 - 13:32
User Badges:
  • Gold, 750 points or more

Is there any technical reason one ACS variant is supported with LMS sooner than the other, other than the amount of time QA'ing each combination? Is it a safe bet when LMS 3.0 comes out, it will be supported with any ACS installation simultaneously?

Joe Clarke Tue, 10/31/2006 - 13:38
User Badges:
  • Cisco Employee,
  • Hall of Fame,

    Founding Member

The short answer is maybe. Sometimes lack of support boils down to a QA resources issue, and other times, a problem is known to exist, and a fix cannot be implemented in time for a release.


With LMS 3.0, we are looking at adding ACS 4.1 support.
