Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
New Member

Multi-Server Setup ACS Mode Question

We have LMS 3,0.1, HUM and DFM on seperate servers. The System Identity User and the Peer Server user are the same and are defined in the ACS as an Admin with Full Control on ACS and also SuperAdmin rights to all CiscoWorks Apps (HUM not defined).

Users with Cisco Admin rights defined in ACS cannot access Report Generation Buttons in HUM nor can they access certain admin screens in DFM.

We configure CS-Server-Security-Multiserver Trust Management.

But on the DFM and HUM boxes we so far we did not configure AAA Mode Setup. Don't we need to do that and set it to ACS mode ?

Cisco Employee

Re: Multi-Server Setup ACS Mode Question

You must configure ACS integration on ALL servers in a Single Sign On domain (I assume you're doing SSO here as that would explain the problem you're seeing). If you do not, while the ACS user will be allowed to login to the second server, they will only have Help Desk access. SSO only supports authentication. Authorization must be handled either by the local LMS user database, or by ACS.

New Member

Re: Multi-Server Setup ACS Mode Question

All servers are in a SSO domain.

I do a Server Settings->Security Settings on both the LMS Master and the DFM slave I see both are using the same system identity user and the same SSO domain with correct master slave settings

Then on the master I see Authentification Mode = TACACS+ and Authorization mode =ACS. On the DFM slave I see Authentification Mode = Ciscoworks Local and Authorization mode = CMF.

Now DFM is defined as a ciscoworks application in our ACS.

On another location where we have a similiar LMS, DFM, ACS configuration I do Server settings->Security settings and I see we have DFM slave Authentification Mode = TACACS+ and Authorization Mode = ACS which I believe was set when that site ran the Ciscoworks Assistanct setup wizard.

I believe the site that works has an invalid configuration which seems to work and the site that doesn't work has a valid conf that doesn't work.

Cisco Employee

Re: Multi-Server Setup ACS Mode Question

Since the site that is not working is using local authorization, every user that logs into that server MUST have a local account configured with the appropriate rights. This account doesn't need a password as authentication is occurring on the SSO master.

Since the other server is using ACS for authorization, it stands to reason why the users are allowed to perform the tasks in question.

New Member

Re: Multi-Server Setup ACS Mode Question

My thoughts too but thanks for confirming this. On our DFm and HUM boxes I will make sure Authentification Mode is set to ACS.

We had a tac case open on this that's taking awhile. First we wanted to know what was the "right" thing to do and second one of our guys has trouble doing this for HUM since HUM wasn't defined yet in our ACS as a Ciscoworks App.

We can't user local admin accounts from HUM because lots of users need to be able to generate HUM reports and if they are not HUM admins the GO button is greyed out.

Again, thanks.

Cisco Employee

Re: Multi-Server Setup ACS Mode Question

When you register your HUM server with ACS, you will need to check the box for registering applications with ACS. That will push the HUM tasks to the ACS server, and allow you to add those tasks to user groups.

CreatePlease to create content