Cisco Support Community

Silver

CUOM and AAA / ACS Integration v2.2

Hi Guys,

I've been looking around but really found little docco or info on this.

We configured a lab build of CUOM 2.2 in standalone mode. Discovered devices and Service Level View populated fine.

Switched the lab mode over to integrate with ACS 4.2 and it all worked as before just with AAA authentication now.

We've done the same thing in production, but now when we integrate with ACS I lose visibility of devices from service level view.

I've ensured devices are added to ACS (I definitely couldn't find any docco on adding the voice servers to ACS - this would be of interest).

I believe we have the rights set up correctly. But I also think this is probably where the issue is.

I'm not really sure on the key area to focus on.

Is it the CUOM System Identity user and his rights that are the most likely culprit? What should I verify?

Is it my actual user account and something to do with device based filtering? Again, didn't find too much info on this one.

I also checked AAA logs and didn't find anything. Just about to try and dive into CUOM / CW logs now.

Any ideas or pointers would be appreciated.

Cheers,

Tim.

12 REPLIES
Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

If you have devices missing from CUOM, check the Common Services > Device and Credentials > Reports > Devices not configured in ACS report. If the devices show up there, then those devices are not clients of the ACS server to which CUOM is integrated. It would be a good idea to review this whitepaper on ACS integration. It was written for LMS, but all of the bits apply to CUOM since CUOM uses Common Services.

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

Silver

Re: CUOM and AAA / ACS Integration v2.2

Sorry, should have mentioned that one. I did face that problem in the beginning, but now they are all configured in ACS, so that isn't the problem.

Cheers,

Tim

Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

Just to be clear, you aren't seeing any devices in the Devices not configured in ACS report?

Silver

Re: CUOM and AAA / ACS Integration v2.2

That's correct. I originally had problems with this. So I reset back to local login.

Deleted everything from CUOM and DCR.

Rolled back to ACS mode.

Discovered everything again.

Everything I discovered is all authorized by ACS, and there are 0 devices in the not configured report.

The devices show up in DCR.

They also show as monitored in CUOM device list.

The CUCM clusters don't show in Service Level View.

The devices show up in the left hand pane, but they are greyed out, and they do not show in the topology map itself (this is blank).

Cheers,

Tim.

Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

I don't see any known issues with CUOM 2.2 and ACS integration, and since you say SLV was working prior to ACS integration, something must be wrong with ACS. The most likely candidate is your login user's ACS profile. Verify that the group to which this user belongs has the right roles for all CiscoWorks applications (especially qovr and iptm). Also, make sure that the correct devices are assigned to these applications for this user group. If you are using NDGs in ACS, make sure that you have access to both the device NDGs as well as the NDG which contains the LMS server itself.

Silver

Re: CUOM and AAA / ACS Integration v2.2

Yep, I agree. I think it is something to do with ACS permissions as well. I'll check the NDG setup.

Are there any logs that might help on the CUOM side for this?

Cheers,

Tim

Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

All of the ACS integration flows through Common Services. If you enable debugging for the Core Admin Module under Common Services > Server > Admin > CS Log Configurations, then logout, log back in, and reproduce the problem, the Core log should have information about the ACS interactions.

Silver

Re: CUOM and AAA / ACS Integration v2.2

Thanks for your help on this one!

As it turns out, the problem was dual NICs on the server.

We believe that the authentication was going through the right NIC to the ACS server, but we think the authorization was not going out the same path, and was failing.

As a side note, we were aware that dual NICs with different IPs were not supported. We were waiting to see if we ran into any issues. I guess this was the first!

Cheers,

Tim.

Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

Dual NICs are supported, but you need to make sure ALL IP addresses for the CiscoWorks server are added to ACS as allowed TACACS+ clients (really, you only create one client definition, but you add all of the server's IPs).
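
An added example (not part of the original thread or any Cisco tooling): a Python check that every IPv4 address in the server's `ipconfig` output is covered by the address lines of its single ACS AAA client definition. The sample data is constructed, and the per-octet `*` and `low-high` entry syntax is an assumption about how the client's address field is written.

```python
import re

# Constructed sample: trimmed `ipconfig` output from a dual-NIC server.
SAMPLE_IPCONFIG = """\
Ethernet adapter Management:
   IP Address. . . . . . . . . . . . : 10.10.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
Ethernet adapter Voice:
   IPv4 Address. . . . . . . . . . . : 192.168.50.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
"""

# Constructed sample: address lines of the server's AAA client entry in ACS.
SAMPLE_ACS_CLIENT = "10.10.1.20\n"

# Matches both the "IP Address" and "IPv4 Address" label variants.
IP_LINE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")

def local_ipv4(ipconfig_text):
    """Return every IPv4 address listed in the ipconfig text, in order."""
    return IP_LINE.findall(ipconfig_text)

def octet_matches(spec, octet):
    """Match one octet against an exact value, '*' or 'low-high' (assumed syntax)."""
    if spec == "*":
        return True
    if "-" in spec:
        low, high = spec.split("-", 1)
        return int(low) <= octet <= int(high)
    return int(spec) == octet

def entry_covers(entry, ip):
    """True when one client address line covers the given address."""
    specs = entry.strip().split(".")
    octets = [int(o) for o in ip.split(".")]
    return len(specs) == 4 and all(
        octet_matches(s, o) for s, o in zip(specs, octets))

def uncovered_addresses(ipconfig_text, acs_client_text):
    """Server addresses that no line of the ACS client definition covers."""
    entries = [l for l in acs_client_text.splitlines() if l.strip()]
    return [ip for ip in local_ipv4(ipconfig_text)
            if not any(entry_covers(e, ip) for e in entries)]

if __name__ == "__main__":
    for ip in uncovered_addresses(SAMPLE_IPCONFIG, SAMPLE_ACS_CLIENT):
        print("Not defined as a TACACS+ client address in ACS:", ip)
```

Any address it reports is one from which the server could send AAA traffic that ACS would not recognise as coming from a defined client.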

Silver

Re: CUOM and AAA / ACS Integration v2.2

Ah ok, that is contrary to the documentation and the ipc management alias guys. But definitely good advice.

It's all working now, but I will add the other IP to the ACS just in case of any changes down the track.

Cheers,

Tim.

Cisco Employee

Re: CUOM and AAA / ACS Integration v2.2

Common Services supports dual NICs. There may be further restrictions imposed by CUOM, but for purposes of integration, as long as all IPs are known to ACS there should not be a problem from the Common Services/ACS side.

Silver

Re: CUOM and AAA / ACS Integration v2.2

Yep, it's the CUOM docco that states dual NICs are supported, but multiple IP addresses are not.
