New Member

Full LMS-ACS Integration Vs Loose LMS-ACS Integration

If you are an enterprise and not a service provider, it seems to me that full LMS-ACS integration just overcomplicates LMS deployments, especially when you have multiple LMS and ACS deployments from various companies you acquired over the years but never fully integrated.

In the past, all the enterprises I worked at deployed LMS with only user authentication via ACS. Now I am at a company where we have multiple LMS-ACS deployments, and there seems to be more pain because of this.

Our eventual goal is to get down to two fully redundant multi-server deployments of LMS for the entire enterprise and a fully integrated ACS.

If you are an enterprise using LMS with a consolidated network engineering group, and not a service provider, what does Cisco recommend with regard to ACS integration -- full LMS-ACS integration, or loose integration for only user authentication to LMS?

Any opinions on this topic would be most appreciated. Thx.

3 REPLIES
Cisco Employee

Re: Full LMS-ACS Integration Vs Loose LMS-ACS Integration

I don't think we offer an official recommendation in either case (SP vs. enterprise). However, we have many "true enterprise" customers running with full ACS integration. Besides centralizing passwords and roles for multi-server deployments, ACS integration offers the unique features of being able to do role customization and device access filtering. The latter is probably more important to MSPs, but we do have quite a few enterprise customers filtering devices on a department basis.

When I present to customers on LMS, I recommend full ACS deployment across all nodes in a multi-server LMS environment, period. Why bother with trying to manually synchronize users and roles across servers? Let ACS hold all of that information. It makes user management much easier, and there is less chance of a security issue.

New Member

Re: Full LMS-ACS Integration Vs Loose LMS-ACS Integration

Thanks for your recommendation. That helps me believe we are doing the right thing.

Your recommendation is based on the added value of:

1) eliminating the need to specify user and role definitions manually within LMS, and

2) restricting LMS device access on a per-user or per-department basis.

The complexity, from an LMS perspective, basically seems to me to be:

1) making sure devices are defined in ACS, otherwise CS will not be able to add them to the DCR on discovery.

2) making sure devices are first deleted from ACS before deleting them from the LMS DCR.

3) the fact that the LMS device verification report never seems that clean anymore after ACS integration is enabled.

4) the difficulties involved in having LMS manage devices from two independent ACS servers, as in our case, due to an acquisition that is not yet fully integrated.

Negatives 1 and 2 are no biggies, but am I correct about negative items 3 and 4?

thx

Cisco Employee (Accepted Solution)

Re: Full LMS-ACS Integration Vs Loose LMS-ACS Integration

Point 4 is a show stopper. LMS cannot manage devices from two different ACS servers. Point 3 shouldn't have anything to do with ACS integration.
