Cisco Support Community

New Member

Campus manager and ACS

I would like to limit access only to the VLAN port assignment. So I've checked the "VLAN Port Assignment" box in the User profile created on my ACS.

The problem is that there are no devices listed under Configuration/VLAN Port Assignment/Device Selector window/All Devices.

When I put the user in the Network Admin group, I can list devices.

Also, I found a security problem. When I limit the access to an NDG, devices under the "All Devices" respect that limitation. But when you go under Campus-Switch Clouds-Switchcloud-1, all devices are listed and I can change the VLAN of any interface.

Is that normal?

I'm using LMS 3.1 and ACS 4.1

When a user connects to LMS, the ACS log file shows the IP source as the IP of the CiscoWorks server. Is there a way to obtain the user workstation IP to restrict access only from his IPs?

Thanks.

3 REPLIES
Cisco Employee

Re: Campus manager and ACS

First, the fact that Campus Topology doesn't respect ACS roles is a known limitation. This will be fixed in LMS 3.2. See CSCsk11553.

As for not seeing devices, make sure the group to which the user belongs has access to the devices NDG as well as the NDG which contains the LMS server. Make sure this has been done for the Campus Manager application.

New Member

Re: Campus manager and ACS

Thanks again Joe.

For my last question, is there a solution?

How can I limit the access to CiscoWorks from a specific workstation, i.e. a specific IP, as CiscoWorks does not send the host IP in the TACACS+ request?

Cisco Employee

Re: Campus manager and ACS

No, this cannot be done. Roles are restricted only to user/group.
