LMS 3.0, ACS 4.2 and TACACS

Paul Williams
Level 1

Excuse me if I am missing the point here but... we have installed LMS on two servers, server one runs the Portal, CS, CM, Assistant and IU; the second server runs RME, CV, IPM and DFM (as well as the default CS, Portal and Assistant). I have run through the workflow for server setup and set up the two servers to use our ACS server for TACACS. Now this is where I may be missing the point - when I sign into server one, and click on a link to an applet on server two it asks me to authenticate again... I thought that with a multi server setup, and TACACS then I would only need to authenticate once to access applets across both servers.


MICHEL.HEGERAAT
Level 1

I would think (haven't tried this) that you would not need to set tacacs on the SSO slave server. Rather keep the authentication module on "local".

Have you tried this?

Cheers,

Michel

You have to configure the two servers equal at "AAA Mode Setup" for ACS.

On the "Single Sign-On Setup" is the difference -> Master and Slave server.

The point here is that I used the workflow>server setup assistant and would have suspected that the system would have known to set this as it needed to make it work. I did find a patch for ACS integration and Common Services which I have now installed, but it has made no difference.

I don't use the setup assistant, sorry.

But you can look for the ACS configuration by checking the setup under "Common Services" -> "Server" -> "Security" -> "AAA Mode Setup"

There you have to configure the ACS servers IP addresses, the admin-user for LMS to configure the ACS and the applications of LMS which you want to register on ACS. Normally you will select all applications.

This configuration you have to do on both servers, no matter if it is the slave or the master.

After that you have to configure the single sign-on.

Master:

Select "Master (SSO Authentication Server)"

Slave:

Select "Slave (SSO Regular Server)"

and put the whole server name of the master in the field and the port (by default 443).

Checked all of the above - still got the same issue....

Is it possible to get screenshots of the ACS configuration and the single sign-on?

As requested....

As requested...part 2

Is it possible that you are looking at the same Common Services?

Because on my system the address field on the bottom (the server name) is different on each of the servers.

In all the screenshots it is the same...

You have one Common Services on every server which you have to configure separately!

Server2 should be the SSO slave?

You have not configured single sign on.

Both server1 and 2 are master in the screen shots

One should be master the other slave

And slave should be using the local module and the other tacacs

Cheers,

Michel

I don't think that it is right to use the local module at the slave.

If you don't use the ACS integration on the slave, you will not be able to select the permissions for those parts of LMS which are installed on the slave.

To have full permission control on the ACS it is important to integrate all modules of LMS, no matter where they are installed!

Here you can find a whitepaper for integration:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.pdf

As I read his story I see he wants to use tacacs for authentication, not authorization.

Maybe I misunderstood this. Otherwise the slave will ask the master to handle authentication.

Looking at the shots he is indeed trying the ACS integration.

I have not tried that yet.

Cheers,

Michel

Oops - my bad - got some screenshots mixed up. Correct ones are now posted (2 messages)....

Oops (part two) - my bad - got some screenshots mixed up. Correct ones are now posted (2 messages)....
