New Member

LMS and ACS

Hi,

We have 4 CiscoWorks servers using an ACS user ID and password to allow CiscoWorks to do its various activities. We are not ACS integrated.

We are trying to develop a process where we can expire the CiscoWorks ACS user ID's password every 90 days. To avoid problems, we envision resetting the password every 60 or 70 days, prior to expiry.

I want to know what would be the best process to facilitate this.

Running LMS 3.01 with CS/RME/CAMPUS on Windows 2003 SP1; ACS 4.1 on Windows 2003 Server SP1.

Please check.

-Thanks

7 REPLIES
Cisco Employee

Re: LMS and ACS

You mean you're using an ACS account in DCR in order to connect to the devices, and you want to change this in DCR for all devices on a monthly basis?

New Member

Re: LMS and ACS

Hi Jclarke,

Thanks.

Yes, we want the credentials in DCR to be changed every couple of months or a specified amount of time.

We have a large number of devices and it is impossible for us to change those manually. So we want something which can update the credentials in DCR as per ACS.

We are also looking for the same for LMS, so that the passwords for it expire after a specified time.

I think, for LMS, that has to be done through ACS, right?

But if an LMS server has nothing to do with ACS (standalone), is there a way we can set password policies for password expiry for users?

Please advise.

-Thanks

Cisco Employee

Re: LMS and ACS

If the ACS is administering your users (that is, you're using the TACACS+ or RADIUS login module in LMS), then you don't have to worry about user passwords. All of that will be handled in ACS, and the user will just need to know to use the new password when next logging into LMS.

As for updating DCR, this cannot happen automatically. Whenever your ACS device account password changes, you will need to go to Common Services > Device and Credentials > Device Management in the GUI, select all the devices, and click the Edit Credentials button. Then update the password for the telnet/SSH user.

You could also do this using dcrcli, by first exporting the device list using the dcrcli "exp" command. Then search and replace the old password with the new, then use the impFile command with the "cr=file" argument to import the changes back into DCR.
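
The search-and-replace step from the reply above, as an added example that is not part of the original thread or of Cisco's tooling: it swaps the password only where a whole field matches, so longer strings that merely contain the old password are left untouched. The comma-separated layout, the `;` comment prefix and all sample values are assumptions constructed for illustration; check them against your own export first.

```python
import csv
import io

# Constructed sample: a simplified comma-separated export. The real dcrcli
# export has its own column layout; this layout is an assumption.
SAMPLE_EXPORT = """\
; constructed sample data, not a real DCR export
core-sw1,10.0.0.1,lmsuser,Winter2009,Winter2009enable
edge-rtr2,10.0.0.2,lmsuser,Winter2009,
lab-fw,10.0.0.3,localadmin,xWinter2009x,
"""


def rotate_password(export_text, old, new, delimiter=","):
    """Replace fields that equal `old` exactly; return (text, changed_rows).

    Lines that need no change are passed through unmodified, so comments
    and unrelated rows are never re-quoted.
    """
    if not old or not new or old == new:
        raise ValueError("old and new passwords must be non-empty and differ")
    out, changed = [], 0
    for line in export_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            out.append(line)  # blank or comment line (assumed ';' prefix)
            continue
        row = next(csv.reader([line], delimiter=delimiter))
        if old not in row:  # exact field match only, never a substring
            out.append(line)
            continue
        buf = io.StringIO()
        # csv.writer quotes the new value if it contains the delimiter
        csv.writer(buf, delimiter=delimiter, lineterminator="\n").writerow(
            [new if field == old else field for field in row])
        out.append(buf.getvalue()[:-1])
        changed += 1
    return "\n".join(out) + "\n", changed


if __name__ == "__main__":
    text, n = rotate_password(SAMPLE_EXPORT, "Winter2009", "Spring2010")
    print(text, end="")
    print(f"{n} row(s) updated")
```

The edited file holds device credentials in readable form, so restrict access to it and delete it once the import back into DCR has completed.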

New Member

Re: LMS and ACS

Thank you very much jclarke.

One last question: are there any plans to include such a utility to keep the DCR in sync as well, so that we don't have to do it manually?

The current procedure is okay for a few devices, but an LMS user with 9-10k devices will be in a mess.

-Thanks

Cisco Employee

Re: LMS and ACS

There is going to be a lot more ACS integration in LMS 4.0, but I haven't seen where this specific type of integration will be there. However, if all of your devices use the same ACS account, the overhead for a user with one device vs. one with 10K devices is the same. The credential update can be done universally in one step.

New Member

Re: LMS and ACS

Thanks jclarke,

So finally, right now there is no such possibility: if a user has changed the password for login to ACS and the same previous TACACS password was configured for DCR devices, LMS will not be able to give a notification or sync the password with the user, right?

The only way we can do it is doing it manually.

-Thanks

Cisco Employee

Re: LMS and ACS

This is correct. LMS has no way of synchronizing DCR passwords with ACS in an automated fashion. However, you could configure job policies to require job-based passwords (under RME > Admin > Config Mgmt > Config Job Policies), and that would force users to specify a username and password at job creation time.
