Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Blue

LMS 2.6: not authorized to "/loginModule"

There's been erratic problems with the Cisco Secure ACS box refusing/rejecting logon attempts. Currently, my LMS 2.6 is configured in TACACS+ fallback mode, which means it now takes a long time to log [local] users on. In addition, the LMS "admin" gets the following error when trying to access the "AAA Mode Setup" screen (because I'd like to switch the auth mode to "local" temporarily), which strangely is only found on the Common Services homepage but doesn't show up under Common Services > Server > Security > TOC as online Help indicates:

You are not authorized to request the Action associated with screenID: "/loginModule".

So my questions are:

1) Is the above error encountered by LMS "admin" related to the TACACS issue? I'm assuming there's an "admin" user defined on ACS as well. Does it make a difference if there's no "admin" user on ACS?

2) Why is the LMS "admin" user not seeing "AAA Mode Setup" under Common Services > Server > Security > TOC?

3 REPLIES
Cisco Employee

Re: LMS 2.6: not authorized to "/loginModule"

1. The error may be related to fallback problems. You do not need an admin user in ACS. In fact, when in ACS mode it is recommended to create another admin-equivalent user, and not login as "admin" to CiscoWorks.

2. This almost certainly has to do with the role assigned to the current "admin" user. If you want an easy way to temporarily restore local login, just run the NMSROOT\bin\resetLoginModule.pl command.

Blue

Re: LMS 2.6: not authorized to "/loginModule"

Just to clarify, LMS is not fully AAA-integrated with ACS, just using the latter for authentication (non-ACS, TACACS fallback mode). That's why I'm puzzled by the oddities exhibited when ACS goes snafu.

Cisco Employee

Re: LMS 2.6: not authorized to "/loginModule"

I would agree with that, then. The roles should be the local roles, and you as admin you should have access to everything. In any event, the same script will reset your login module back to local.

153
Views
9
Helpful
3
Replies