AAA accounting of LMS Events

Mike Bailey
Level 1

Posted in AAA but got no response; maybe this is more of an LMS/Network Management question, so posting here...

We have set up CiscoWorks LMS 3.01 to integrate with Cisco Secure ACS 4.1.

We successfully get accounting information for:

> Login to LMS

> Login to LMS Application (e.g. CM or RME)

> Failed authentications and attempts

We also receive the AAA accounting from the end devices for any changes made.

However there is no direct correlation of these to LMS.

For example:

User JoeBloggs logs into LMS - Recorded in ACS

User JoeBloggs accesses RME - Recorded in ACS

User JoeBloggs accesses ConfigEditor and Deploys a configuration change - No logs recorded in ACS

LMS logs into the end device using default credentials and makes the change - AAA logs from device

How do I tie the change made by LMS using the default credentials to the job submitted by JoeBloggs?

The only way I can see is to look at the Job Browser on LMS and compare dates/times, but this is both clunky and means we have to disable the ability for people to delete job history.

Surely there is a way of making LMS send TACACS+ accounting information recording job submission.

Thanks

Michael

3 Replies

Joe Clarke
Cisco Employee

When integrated with ACS, LMS tasks send authorization requests to the ACS server for everything that is done. Therefore, you should see something in the successful attempts log at the very least.

Each LMS application maintains its own audit log. To access the RME audit log, go to RME > Reports > Report Generator > Audit Trail > Standard Report.

I do not understand what you mean by:

'Surely there is a way of making LMS send TACACS+ accounting information recording job submission.'

and perhaps it is the same as what I suggest:

Change the job policies and mark the check-box 'Enable Job Password' AND remove the mark from the corresponding 'User configurable' check box in RME > Admin > Config Mgmt > Config Job Policies.

In the 'Application' drill-down you can select the different jobs for which you want to change the settings.

Now every user needs to enter their own credentials, with which the job will be executed (instead of the LMS default credentials), and you should see the user in this line instead of 'LMS':

[...]

'LMS logs into the end device using default credentials and makes the change - AAA logs from device '

[...]

Unfortunately we cannot use job-based passwords, as our ACS instance is integrated with RSA SecurID (one-time password); with 30-second tokens and separate login/enable credentials required, it's not possible to submit a job using SecurID details, as they will have expired!

I think the original post solves the problem: looking at the Audit Reports.
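An added example of the timestamp-based correlation the thread falls back on (not code from any post, nor from LMS or ACS): it joins device-side command accounting, where changes appear under the LMS service account, to LMS job-history entries by device and run window, so each change is attributed to the submitting user and any service-account activity outside a known job is flagged for review. Record fields, usernames, timestamps and the slack window are constructed sample values, not real ACS or LMS formats.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: command accounting from the switch, as relayed to ACS.
DEVICE_ACCOUNTING = [
    {"time": "2008-05-12 10:02:15", "device": "sw1", "user": "lms-svc", "cmd": "configure terminal"},
    {"time": "2008-05-12 10:02:16", "device": "sw1", "user": "lms-svc", "cmd": "interface GigabitEthernet0/1"},
    {"time": "2008-05-12 11:30:00", "device": "sw1", "user": "admin",   "cmd": "show running-config"},
    {"time": "2008-05-12 15:00:00", "device": "sw1", "user": "lms-svc", "cmd": "no logging host 10.0.0.5"},
]

# Constructed sample: LMS job history / audit trail (who submitted what, when).
LMS_JOBS = [
    {"job_id": 1001, "user": "JoeBloggs", "devices": {"sw1"},
     "start": "2008-05-12 10:02:00", "end": "2008-05-12 10:03:00"},
]

def _ts(s):
    return datetime.strptime(s, FMT)

def attribute(rec, jobs, service_user="lms-svc", slack=timedelta(seconds=30)):
    """Return the human user responsible for one accounting record.
    Records not made with the LMS service account already name the user.
    Service-account records are matched to the job whose run window (widened
    by `slack` to absorb clock skew) covers the record on the same device."""
    if rec["user"] != service_user:
        return rec["user"]
    t = _ts(rec["time"])
    hits = [j for j in jobs
            if rec["device"] in j["devices"]
            and _ts(j["start"]) - slack <= t <= _ts(j["end"]) + slack]
    if len(hits) == 1:
        return hits[0]["user"]
    if not hits:
        return "UNATTRIBUTED"   # service credential used outside any job: review it
    return "AMBIGUOUS"          # overlapping jobs on the same device: manual check

def correlate(acct, jobs):
    """Annotate every accounting record with its attributed user."""
    return [(r["time"], r["device"], r["cmd"], attribute(r, jobs)) for r in acct]

if __name__ == "__main__":
    for row in correlate(DEVICE_ACCOUNTING, LMS_JOBS):
        print(*row, sep=" | ")
```

The UNATTRIBUTED case is the one worth alerting on: a change made with the shared LMS credential that no job in the LMS history explains.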
