LMS with ACS integration - all users have access

Sven Hruza
Level 4

Hello,

I did the ACS integration on LMS 3.1.

Our ACS version is 4.1.

All looks fine I think, but the problem is that all users that are configured on the ACS now have access to the LMS!

The users I didn't configure for LMS have access, but can't do anything because of missing rights.

But I want to configure it so that only certain users have access to the LMS portal and not all of them!

Thanks for helping!

Sven


Joe Clarke
Cisco Employee

This may be a side-effect of external authentication in ACS. Are these non-LMS users mapped to an external authenticator in ACS?

Hello,

No, all users are configured directly in ACS.

None of the LMS parts are marked in ACS for this group, but they still have access to connect to LMS.

I attached a part of the group configuration on ACS for the users without access to LMS.

If this is all you have done, then this is expected. ACS will still tell LMS that the user passed authentication, and LMS will allow the user to login. Of course, simply not enabling any LMS access will prevent the user from being able to perform any tasks.

To completely prevent the user from logging in, you need to disable their access to the LMS server. To do this, edit their group settings, and add a network access restriction. I typically recommend people put their LMS servers in a separate NDG in ACS which makes this easy. If you are already using a permit NAR, simply do not add the LMS server NDG to the NAR list. If you are already using a deny NAR, add the LMS server NDG.

If you are not using any NARs, add a new NAR rule which denies the user from logging in to devices in the LMS server NDG from any host on any port. For example:

AAA Client         Port   Address
NDG:LMS Servers    *      *

This will completely prevent the user from being able to log in to LMS.
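Added illustration, not code from this thread or from ACS itself: a small Python model of the group NAR logic described in the answer above. It assumes constructed AAA client names (lms-01, core-sw1), a hypothetical NDG_OF lookup for NDG membership, and treats the AAA Client / Port / Address columns as plain wildcard matches; real ACS 4.1 also supports IP-based NARs, which are left out here.

```python
# Minimal model of how an ACS group NAR decides access after a user has
# already passed authentication. Names and inventory below are constructed.
from dataclasses import dataclass, field
from fnmatch import fnmatch


@dataclass
class NarRule:
    aaa_client: str        # "NDG:<group name>" or a single AAA client name
    port: str = "*"        # wildcard, as in the NAR table of the answer
    address: str = "*"


@dataclass
class GroupNar:
    mode: str              # "permit" (allow only matches) or "deny" (block matches)
    rules: list = field(default_factory=list)


# Constructed device inventory: AAA client name -> Network Device Group (hypothetical)
NDG_OF = {"lms-01": "LMS Servers", "core-sw1": "Core Switches"}


def rule_matches(rule, client, port, address):
    """True when a NAR table row applies to this login attempt."""
    if rule.aaa_client.startswith("NDG:"):
        client_ok = NDG_OF.get(client) == rule.aaa_client[len("NDG:"):]
    else:
        client_ok = fnmatch(client, rule.aaa_client)
    return client_ok and fnmatch(port, rule.port) and fnmatch(address, rule.address)


def login_allowed(authenticated, nar, client, port="*", address="*"):
    """Decide whether the user may log in to the device `client`.

    With no NAR at all, a successful authentication is enough, which is
    exactly the behaviour the thread observes: every ACS user reaches LMS.
    """
    if not authenticated:
        return False
    if nar is None:
        return True
    hit = any(rule_matches(r, client, port, address) for r in nar.rules)
    return hit if nar.mode == "permit" else not hit


if __name__ == "__main__":
    deny_lms = GroupNar("deny", [NarRule("NDG:LMS Servers", "*", "*")])
    print("no NAR, lms-01:", login_allowed(True, None, "lms-01"))        # True
    print("deny NAR, lms-01:", login_allowed(True, deny_lms, "lms-01"))  # False
    print("deny NAR, core-sw1:", login_allowed(True, deny_lms, "core-sw1"))  # True
```

The deny table with the single NDG:LMS Servers row blocks the LMS login while leaving the user's access to devices in other NDGs untouched; with a permit table, simply omitting the LMS NDG has the same effect.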

Hi Joe,

I'm so thankful!

With the NAR it works!
