Cisco Support Community

New Member

LMS 3.01 / ACS 4.1 - Device Management Permission / Issue

Hi there,

We run a secured network where all devices use TACACS+ to ACS and users have different permissions on the end devices from read only, limited changes (port up/down) to full admin.

We have LMS 3.01 integrated to ACS and again different users have different permissions with LMS to match their rights on the network.

We have an issue where we keep getting devices in conflicting, alias or pre-deployed state.

Within the RME home page they show up on the left hand side and our users want to be able to click on the numbers and open up the Device Management centre list of devices in each state - see first attachment.

Working in a development environment and looking at the 'failed attempts' in ACS I can see the permission it needs is 'Device Management' - see 2nd attachment.

If I enable this, when a user clicks on an entry within the Device Management Status window in the RME homepage it opens up the Device Management window BUT (and this is a big but) it allows EXPORT of the devices and credentials - see last attachment.

This is categorically unacceptable - exporting from the DCR would export the ACS credentials used by LMS which have full rights on the network and exposing these to any users blows away all the security we have with different users having different permissions.

Is there any way to get a list of devices in the various states without enabling the RME 'Device Management' permission and destroying our security model?



Cisco Employee

Re: LMS 3.01 / ACS 4.1 - Device Management Permission / Issue

Unfortunately, the Export feature is tied to this role and cannot be separated.  There is no other way to get the specific list of devices in each state.