
LMS and ACS Integration, authentication fallback option

Hi there,

I have recently integrated LMS 3.0 with ACS appliance 4. I am facing one issue: when the ACS is down I am unable to login to the LMS with the system id user account or any other user that exists in the LMS local database. The documentation says to change the aaa mode to Non-ACS but I can only do this when I login to the LMS. One method I came across is to reset the login module on the LMS using a builtin script. I wanted to know if there are any fallback options

Thanks for your answers

Ahmed

can get solve this issue of fall back.


Joe Clarke
Cisco Employee

Run the following command:

NMSROOT/bin/perl NMSROOT/bin/ResetLoginModule.pl

This is the only workaround if login fallback was not configured. All this script does is reset the authentication and authorization modes to local. You can then login using one of the local accounts, and reconfigure the TACACS+ login module for fallback to a local user.

Once everything is working, then you can re-enable ACS integration.

Hi Clarke,

Thanks for your response. I did configure the login fallback under ->non-ACS->TACACS+->allow local login option.

I wanted to know how I can simulate an ACS appliance failure. I am just stopping the ACS service from ->system configuration->service control. Is this OK, or do I need to unplug the cable for the ACS, as I am unable to login with the local users on the LMS after shutting the service?

Thanks

A failure when doing FULL ACS integration (i.e. not just authentication) is a hard failure. You will need to reset to a local login module to recover. If you're just doing authentication, then you should be able to login as allowed fallback users using local credentials (e.g. admin).

You can simulate an ACS failure by taking ACS off of the network. This can be done by putting in an access-list for tcp/49, unplugging the appliance, etc.

Hi,

I was wondering the same thing about the fallback option. I just don't understand how to configure only ACS authentication and not full ACS integration?

There is a white paper on CW-ACS integration posted here: http://www.cisco.com/en/US/prod/collateral/netmgtsw/ps6504/ps6528/ps2425/prod_white_paper0900aecd80613f62.html

You can unregister CiscoWorks applications from being ACS-integrated by a command line interface command, e.g.:

"java ACSRegCli unregister All"

or

"java ACSRegCli unregister "

The ACSRegCli command is a Perl script, and cannot be run through Java. The white paper has the correct details here, but messes things up in the FAQ. The actual commands are:

NMSROOT/bin/perl AcsRegCli.pl -unregister
