We have LMS 3.0.1, HUM and DFM on separate servers. The System Identity User and the Peer Server user are the same and are defined in the ACS as an Admin with Full Control on ACS and also SuperAdmin rights to all CiscoWorks apps (HUM not defined).
Users with Cisco Admin rights defined in ACS cannot access Report Generation Buttons in HUM nor can they access certain admin screens in DFM.
We configure CS-Server-Security-Multiserver Trust Management.
But on the DFM and HUM boxes we have so far not configured AAA Mode Setup. Don't we need to do that and set it to ACS mode?
You must configure ACS integration on ALL servers in a Single Sign-On domain (I assume you're doing SSO here, as that would explain the problem you're seeing). If you do not, the ACS user will be allowed to log in to the second server, but they will only have Help Desk access. SSO only supports authentication. Authorization must be handled either by the local LMS user database or by ACS.
When I go to Server Settings -> Security Settings on both the LMS master and the DFM slave, I see both are using the same System Identity user and the same SSO domain, with the correct master/slave settings.
On the master I see Authentication Mode = TACACS+ and Authorization Mode = ACS. On the DFM slave I see Authentication Mode = CiscoWorks Local and Authorization Mode = CMF.
DFM is defined as a CiscoWorks application in our ACS.
At another location where we have a similar LMS, DFM and ACS configuration, I go to Server Settings -> Security Settings and see that the DFM slave has Authentication Mode = TACACS+ and Authorization Mode = ACS, which I believe was set when that site ran the CiscoWorks Assistant setup wizard.
I believe the site that works has an invalid configuration which seems to work, and the site that doesn't work has a valid configuration that doesn't work.
Since the site that is not working is using local authorization, every user that logs into that server MUST have a local account configured with the appropriate rights. This account doesn't need a password as authentication is occurring on the SSO master.
Since the other server is using ACS for authorization, it stands to reason why the users are allowed to perform the tasks in question.
My thoughts too, but thanks for confirming this. On our DFM and HUM boxes I will make sure Authentication Mode is set to ACS.
We had a TAC case open on this that's taking a while. First, we wanted to know what the "right" thing to do was, and second, one of our guys has trouble doing this for HUM since HUM wasn't yet defined in our ACS as a CiscoWorks app.
We can't use local admin accounts for HUM because lots of users need to be able to generate HUM reports, and if they are not HUM admins the Go button is greyed out.
When you register your HUM server with ACS, you will need to check the box for registering applications with ACS. That will push the HUM tasks to the ACS server and allow you to add those tasks to user groups.