We have our Ciscoworks server set to authenticate to our ACS server (Non-ACS and Tacacs+). In other words, authenticate to ACS but do not register modules to ACS (controlled on the server). We had some network issues where we could not ping the ACS servers. When that happened I noticed that the Authentication mode is now "Tacacs+ (fallback Mode). How can I get that out of that mode and back into authentication "Tacacs+"
It should automatically go back to TACACS+ mode. However, if you don't see this happening, then you can restart Daemon Manager. The restart will cause the authentication servlet to reconnect to the TACACS+ server (if it is reachable).
What happens if you try to toggle between the two options under DCR - Server - Security - AAA Mode Setup - TACACS+ (click on the Change button)?
1. Allow all CiscoWorks local users to fallback to the CiscoWorks Local login.
3. Allow no fallbacks to the CiscoWorks Local login.
Who are you logging in as? If you're logging in as admin, and admin has no TACACS+ account, then you will be seen as logging in via fallback mode (if admin is allowed in your fallback list).
Check the logs on ACS to see if LMS is making an authentication request. Make sure that you can telnet to TCP port 49 on the ACS server from the LMS server and get a successful connection.
I am logging into Ciscoworks using my Tacacs account, but it still showing fallback mode. To make sure that it is authenticating to ACS, I have changed my password in Ciscoworks, and when I try to log into CW, with the new password, I am denied access. When I use my Tacacs password, I am able to log into Ciscoworks.
Yes, I selected all users to fallback. I just put up another post, since we tried toggling between fallback and not fallback, and now we cannot log into ciscoworks via the GUI. We tried other accounts and we cannot connect.
Something is not working between LMS and ACS. I strongly suspect either a communication problem, or a secret key mismatch. What, if anything, do you see in the ACS server logs?
If you are now locked out of LMS, you can run the NMSROOT/bin/ResetLoginModule.pl command to restore local authentication: