Cisco Support Community

New Member

LMS 3.0, ACS 4.2 and TACACS

Excuse me if I am missing the point here but...we have installed LMS on two servers, server one runs the Portal, CS, CM, Assistant and IU; the second server runs RME, CV, IPM and DFM (as well as the default CS, Portal and Assistant). I have run through the workflow for server setup and set up the two servers to use our ACS server for TACACS. Now this is where I may be missing the point - when I sign into server one, and click on a link to an applet on server two it asks me to authenticate again....I thought that with a multi server setup, and TACACS then I would only need to authenticate once to access applets across both servers.

19 REPLIES
New Member

Re: LMS 3.0, ACS 4.2 and TACACS

I would think (haven't tried this) that you would not need to set tacacs on the SSO slave server. Rather keep the authentication module on "local"

Have you tried this?

Cheers,

Michel

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

You have to configure the two servers equal at "AAA Mode Setup" for ACS.

On the "Single Sign-On Setup" is the difference -> Master and Slave server.

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

The point here is that I used the workflow>server setup assistant and would have suspected that the system would have known to set this as it needed to make it work. I did find a patch for ACS integration and Common Services which I have now installed, but it has made no difference.

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

I don't use the setup assistant, sorry.

But you can look for the ACS configuration by checking the setup under "Common Services" -> "Server" -> "Security" -> "AAA Mode Setup"

There you have to configure the ACS servers IP addresses, the admin-user for LMS to configure the ACS and the applications of LMS which you want to register on ACS. Normally you will select all applications.

This configuration you have to do on both servers, no matter if it is the slave or the master.

After that you have to configure the single sign-on.

Master:

Select "Master (SSO Authentication Server)"

Slave:

Select "Slave (SSO Regular Server)"

and put the whole server name of the master in the field and the port (by default 443).

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

Checked all of the above - still got the same issue....

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

Is it possible to get screenshots of the ACS configuration and the single sign-on?

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

As requested....

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

As requested...part 2

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

Is it possible that you are looking at the same Common Services?

Because on my system the address field on the bottom (the server name) is different on each of the servers.

In all the screenshots it is the same...

You have one Common Services on every server, which you have to configure separately!

Server2 should be the SSO slave?

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

You have not configured single sign on.

Both server1 and 2 are master in the screen shots

One should be master the other slave

And slave should be using the local module and the other tacacs

Cheers,

Michel

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

I don't think that it is right to use the local module at the slave.

If you don't use the ACS integration on the slave, you will not be able to select the permissions for those parts of LMS which are installed on the slave.

To have full permission control on the ACS it is important to integrate all modules of LMS, no matter where they are installed!

Here you can find a whitepaper for integration:

http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.pdf

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

As I read his story I see he wants to use tacacs for authentication, not authorization.

Maybe I misunderstood this. Otherwise the slave will ask the master to handle authentication.

Looking at the shots he is indeed trying the ACS integration.

I have not tried that yet.

Cheers,

Michel

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

Oops - my bad - got some screenshots mixed up. Correct ones are now posted (2 messages)....

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

Oops (part two) - my bad - got some screenshots mixed up. Correct ones are now posted (2 messages)....

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

You configured the port 443 on the slave server in the SSO.

But you are not using HTTPS, so it should be the port 1741 (default).

But I think it is not a bad idea to change to HTTPS from HTTP ;-)

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

Tried to change the 443 to 1741 - however when I hit apply it says that it is unable to connect to the server on that port.

I will say that none of these settings were input by me - I used the server setup workflow and it did it all itself.

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

Did you try to change from HTTP to HTTPS?

You can find it under

CS -> Server -> Security -> Browser-Server Security Mode Setup

Perhaps the workflow doesn't work for that part.

I think the port for the SSO and the port for web access should be the same.

New Member

Re: LMS 3.0, ACS 4.2 and TACACS

Changed that (although I did have reservations as it is listed under the "single server setup" heading)....but I changed it on the second server anyway - and now cannot access the server at all - just get 403 forbidden...anyone know how to reset the browser security setting from the command line????

Bronze

Re: LMS 3.0, ACS 4.2 and TACACS

What link to the server do you use?

Take this one:

https:// without any port.
