Cisco Support Community
LMS with ACS integration - all users have access

Hello,

I did the ACS integration on LMS 3.1.

Our ACS version is 4.1.

All looks fine, I think, but the problem is that all users that are configured on the ACS now have access to the LMS!

The users I didn't configure for LMS have access, but can't do anything because of missing rights.

But I want to configure it so that only specific users have access to the LMS portal, not all of them!

Thanks for helping!

Sven

1 ACCEPTED SOLUTION

Cisco Employee

Re: LMS with ACS integration - all users have access

If this is all you have done, then this is expected. ACS will still tell LMS that the user passed authentication, and LMS will allow the user to login. Of course, simply not enabling any LMS access will prevent the user from being able to perform any tasks.

To completely prevent the user from logging in, you need to disable their access to the LMS server. To do this, edit their group settings, and add a network access restriction. I typically recommend people put their LMS servers in a separate NDG in ACS which makes this easy. If you are already using a permit NAR, simply do not add the LMS server NDG to the NAR list. If you are already using a deny NAR, add the LMS server NDG.

If you are not using any NARs, add a new NAR rule which prevents the user from logging in to devices in the LMS server NDG from any host on any port. For example:

AAA Client         Port   Address
NDG:LMS Servers    *      *

This will completely disable the user from being able to login to LMS.

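The behaviour described in the accepted solution (ACS reports a successful authentication, so LMS lets the user in until a NAR denies that device) and the two ways of closing it (not listing the LMS NDG in a permit NAR, or listing it in a deny NAR) modelled as a small Python script. This is an added example, not Cisco's or ACS's own code: the user names, passwords, group names and the NDG name "Campus switches" are constructed, and only IP-based group NARs whose AAA client is an NDG are modelled (ACS 4.x also has CLI/DNIS-based and per-user NARs, which are not covered here).

```python
"""
Toy model of the ACS 4.x group NAR decision (added example, not Cisco code).
Only IP-based group NARs with NDG-qualified AAA clients are modelled.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from secrets import compare_digest
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class NarEntry:
    """One row of the NAR table: AAA client (an NDG here), port, source address.
    '*' is the wildcard, as in the ACS GUI."""
    ndg: str
    port: str = "*"
    address: str = "*"

    def matches(self, ndg: str, port: str, address: str) -> bool:
        return (fnmatchcase(ndg, self.ndg)
                and fnmatchcase(port, self.port)
                and fnmatchcase(address, self.address))


@dataclass
class GroupNar:
    """Group-level NAR. None means that list is not configured at all."""
    permit: Optional[List[NarEntry]] = None
    deny: Optional[List[NarEntry]] = None

    def allows(self, ndg: str, port: str, address: str) -> bool:
        # Deny NAR: any matching row blocks the login.
        if self.deny is not None and any(e.matches(ndg, port, address) for e in self.deny):
            return False
        # Permit NAR: only a matching row allows the login; an NDG that is
        # not listed (e.g. "LMS Servers") is therefore blocked.
        if self.permit is not None and not any(e.matches(ndg, port, address) for e in self.permit):
            return False
        return True


# Constructed sample accounts (assumed names/passwords, not from the thread).
USERS: Dict[str, str] = {"sven": "correct-horse", "helpdesk": "battery-staple"}
GROUP_OF: Dict[str, str] = {"sven": "LMS admins", "helpdesk": "Helpdesk"}


def login_decision(username: str, password: str, group_nars: Dict[str, GroupNar],
                   ndg: str, port: str = "*", address: str = "*") -> Tuple[bool, bool]:
    """Return (authenticated, allowed_on_this_device).

    LMS only needs the first value to be True to let the user in, which is why
    a user with no LMS tasks assigned still reaches the portal; the second
    value is what a NAR changes.
    """
    stored = USERS.get(username)
    if stored is None or not compare_digest(stored, password):
        return (False, False)
    nar = group_nars.get(GROUP_OF[username], GroupNar())
    return (True, nar.allows(ndg, port, address))


if __name__ == "__main__":
    lms = "LMS Servers"
    # Before: no NAR at all. Helpdesk authenticates and LMS accepts the login.
    print("no NAR      :", login_decision("helpdesk", "battery-staple", {}, lms))
    # After (deny NAR): the row "NDG:LMS Servers  *  *" from the accepted solution.
    deny = GroupNar(deny=[NarEntry("LMS Servers")])
    print("deny NAR    :", login_decision("helpdesk", "battery-staple", {"Helpdesk": deny}, lms))
    # After (permit NAR): Helpdesk may only reach devices in a constructed "Campus switches" NDG.
    permit = GroupNar(permit=[NarEntry("Campus*")])
    print("permit NAR  :", login_decision("helpdesk", "battery-staple", {"Helpdesk": permit}, lms))
    print("permit, sw  :", login_decision("helpdesk", "battery-staple", {"Helpdesk": permit}, "Campus switches"))
```

The point the model makes concrete is that removing every LMS task from the group changes neither value returned for the LMS NDG; only a NAR that covers the LMS server NDG turns the second value to False, which is what stops the login rather than just emptying the menu.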
5 REPLIES
Cisco Employee

Re: LMS with ACS integration - all users have access

This may be a side-effect of external authentication in ACS. Are these non-LMS users mapped to an external authenticator in ACS?

Bronze

Re: LMS with ACS integration - all users have access

Hello,

No, all users are configured directly in ACS.

None of the LMS parts are marked in ACS for this group, but they still have access to connect to LMS.

Bronze

Re: LMS with ACS integration - all users have access

I attached a part of the group configuration on ACS for the users without access to LMS.

Bronze

Re: LMS with ACS integration - all users have access

Hi Joe,

I'm so thankful!

With the NAR it works!
