Cisco Support Community
Community Member

LMS and ACS Integration, authentication fallback option

Hi there,

I have recently integrated LMS 3.0 with ACS appliance 4. I am facing one issue: when the ACS is down I am unable to log in to the LMS with the system id user account or any other user that exists in the LMS local database. The documentation says to change the AAA mode to Non-ACS, but I can only do this when I log in to the LMS. One method I came across is to reset the login module on the LMS using a built-in script. I wanted to know if there are any fallback options.

Thanks for your answers

Ahmed

can get solve this issue of fall back.

6 REPLIES
Cisco Employee

Re: LMS and ACS Integration, authentication fallback option

Run the following command:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

This is the only workaround if login fallback was not configured. All this script does is reset the authentication and authorization modes to local. You can then log in using one of the local accounts, and reconfigure the TACACS+ login module for fallback to a local user.

Once everything is working, you can re-enable ACS integration.

Community Member

Re: LMS and ACS Integration, authentication fallback option

Hi Clarke,

Thanks for your response. I did configure the login fallback under ->non-ACS->TACACS+->allow local login option.

I wanted to know how I can simulate an ACS appliance failure. I am just stopping the ACS service from ->system configuration->service control. Is this OK, or do I need to unplug the cable for the ACS, as I am unable to log in with the local users on the LMS after shutting the service?

Thanks

Cisco Employee

Re: LMS and ACS Integration, authentication fallback option

A failure when doing FULL ACS integration (i.e. not just authentication) is a hard failure. You will need to reset to a local login module to recover. If you're just doing authentication, then you should be able to log in as allowed fallback users using local credentials (e.g. admin).

You can simulate an ACS failure by taking ACS off of the network. This can be done by putting in an access-list for tcp/49, unplugging the appliance, etc.
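To see which kind of outage a test is actually producing on tcp/49 (service stopped on a live host versus the host being off the network), a probe like the following can be run from the LMS server. This is an added example, not part of the original thread and not a Cisco tool; the function names and state labels are assumptions.

```python
import errno
import socket
import sys

TACACS_PORT = 49  # tcp/49, the TACACS+ port named in the reply above


def probe_tacacs(host, port=TACACS_PORT, timeout=3.0):
    """Classify the result of a TCP connection attempt to the AAA server.

    "open"        - handshake completed, something is listening
    "refused"     - host answered with a reset: host is up, service is not
    "timeout"     - no answer at all: packets dropped or host off the network
    "unreachable" - no route, or an ICMP unreachable was reported
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise  # anything else (e.g. name resolution) is a test-setup problem


def is_outage(state):
    """True for every state in which no TACACS+ session can be opened."""
    return state != "open"


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: probe_tacacs.py <acs-host>")
    state = probe_tacacs(sys.argv[1])
    print(f"{sys.argv[1]} tcp/{TACACS_PORT}: {state}"
          f" ({'outage' if is_outage(state) else 'server reachable'})")
```

Running it before and after each failure test records whether the LMS login attempt was made against a stopped service or an unreachable host.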

Community Member

Re: LMS and ACS Integration, authentication fallback option

Hi,

I was wondering the same thing about the fallback option. I just don't understand how to configure only ACS authentication and not full ACS integration?

Hall of Fame Super Silver

Re: LMS and ACS Integration, authentication fallback option

There is a white paper on CW-ACS integration posted here: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

You can unregister CiscoWorks applications from being ACS-integrated by a command line interface command, e.g.:

"java ACSRegCli unregister All"

or

"java ACSRegCli unregister "

Cisco Employee

Re: LMS and ACS Integration, authentication fallback option

The ACSRegCli command is a Perl script, and cannot be run through Java. The white paper has the correct details here, but messes things up in the FAQ. The actual commands are:

NMSROOT/bin/perl AcsRegCli.pl -unregister
