New Member

Cisco Prime LMS 4.2 TACACs Auth ACS 5.4

Hello,

We have authentication established between LMS 4.2 and ACS 5.4 but having issues associating users with the Super Admin role.  Currently the default role configured on LMS is the Help Desk role and that's what users are getting associated with when getting authenticated via ACS.  I attempted to configure ACS to send back a custom shell profile with "role0 = Super Admin" (similar to Prime Infrastructure 2.1) but that doesn't appear to be working.  How do I need to configure ACS 5.4 to send back the appropriate role?

Thanks,

Brian

4 REPLIES
Cisco Employee

Hi Brian,

kindly follow the below links for ACS integration:


https://supportforums.cisco.com/docs/DOC-17909

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1112433

http://www.cisco.com/en/US/docs/wireless/ncs/1.0/configuration/guide/admin.html#wp1136882

Hope it will help

Thanks-

Afroz

***Ratings Encourages Contributors***

New Member

Thanks for the links, but those don't appear to be applicable to LMS 4.2. I attempted to create a Shell Profile that sent back role0=Super Admin, but it doesn't appear to take.

Cisco Employee

What you are trying to do was applicable until LMS 3.x. From LMS 4.x onwards this changed, as we don't depend on ACS anymore for authorization.

It would be correct to say that ACS developers removed that portion from ACS 5.x onwards, where integration between LMS and ACS was done for both authentication and authorization.

Now you can only have the authentication part from ACS as a RADIUS server; authorization, or what role a user will have, needs to be configured on LMS itself.

So from LMS 4.x onwards it has Role Based Access Control (RBAC) built in. It can have the following roles:

Help Desk—Can access network status information only. Can access persisted data on the system and cannot perform any action on a device or schedule a job which will reach the network.

Network Operator—Can perform all Help Desk tasks. Can perform tasks related to network data collection. Cannot perform any task that requires write access on the network.

Approver—Can approve all tasks.

Network Administrator—Can perform all Network Operator tasks. Can perform tasks that result in a network configuration change.

System Administrator—Can perform all system administration tasks.

Super Admin—Can perform all operations including the administration and approval tasks.

You can also add customized roles to control each feature authorization as well.

For details on how to create a role, see the document here.

-Thanks

Vinod

**Encourage Contributors. RATE Them.**

Cisco Employee

Hi Brian,

What Vinod said is absolutely correct. I think I overlooked the problem and thought you were trying to integrate PI with ACS.

From LMS 4.x onwards, integration with ACS has changed, as we don't depend on ACS anymore for authorization. It is done locally through LMS only.

Thanks-

Afroz
