Cisco Support Community
New Member

Campus manager and ACS integration

Hi everyone,

I'm trying to integrate CW LMS 2.6 and ACS for Windows 4.0 with RBAC.

Now, all the packages work OK except Campus Manager, which returns the following error:

"Your session has either timed out or you are not authorized to access this page."

Has anyone encountered (and/or solved) this problem?

Thanks for assistance.

1 REPLY
Silver

Re: Campus manager and ACS integration

Hi Gabriele,

I had the same problem some time ago in my test environment.

Be sure you have set up access to all devices in the ANI-DB.

My goal was a setup for different users, where every user should see only a portion of the network, also in Campus Manager, especially in Topology View. I am not 100 percent sure, but I did the following:

I set up Network Device Groups (NDG) in ACS, and if the user only had access to some devices, this message appeared. So I had to give the users all devices back, and it worked.

The reason is that the ANI-DB is not client capable.

In other words: you cannot restrict the view of CM or the portion of the ANI-DB to access. You can only restrict the behaviour of the CM.

Here are some pieces of my mails with TAC:

From me to TAC

a) I want to give a particular person restricted access and do not want this person to browse or gather information about my entire network.

b) I want to give some persons special roles to fulfill their tasks. E.g. some persons may access devices via SSH or Telnet, while others may be able to deploy IOS versions but should not be able to access the devices on the CLI.

c) In worldwide deployed networks it should be possible to setup special views for special areas or network segments.

a) As we now know, the view cannot be restricted. But unfortunately I can gather information from this view, even if the access to the device is restricted. For a restricted device it is still possible to view the device attributes. The port attributes, not. Hmmm.

b) This task may be possible. But on the other hand, on a restricted device I can use the pulldown menu and open a Telnet window to the device.

c) Is it possible to define different maps within Topology View? I've been asked this by many customers. These customers think about maps like you know from HP OpenView Network Node Manager and Spectrum.

Answer from TAC

As such there are no tasks available to restrict the telnet access and from launching the device attributes in ACS.

This is how the design was done in ACS simply because there is no way that the user could affect the security.

Even if we provide a restriction out there, one can very well access the device from his desktop using Telnet if one knows the credentials. For these reasons these tasks were not added to the ACS server. So there is no way we can restrict any user from performing these tasks from CiscoWorks integrated with ACS.

For the 3rd question, we don't have anything called a per-user basis for the topology device views. Hence all the users can/cannot view the entire network based on the permission that each one holds.

I hope this answers your question.

Best regards,

Frank
