New Member

Radius + CW + User Roles

I have a group in Active Directory that is allowed access to our network infrastructure, including Cisco Works. When I log in to Cisco Works with an account that is a member of this AD account, I do not get any administrative permissions in Cisco Works. How do I relate the AD group (authenticated via Radius) to an administrative role in Cisco Works?

Edit: If I go into Common Services -> Security -> AAA Mode Setup, I can set up Radius authentication, which works great, but I cannot figure out how to grant server roles to an authenticated user. This is so frustrating.

3 REPLIES
Cisco Employee

Re: Radius + CW + User Roles

You need to add a local account to LMS to provide the authorization piece. The login modules only provide authentication. If you want to do full centralized authentication and authorization, you need to integrate LMS with Cisco Security ACS, and do TACACS+ between LMS and ACS.

New Member

Re: Radius + CW + User Roles

OK, I created a user account in local user setup that reflects my domain account. I created a bogus password for this account that does not match my domain password.

When I log in to LMS, I can see the following:

Authentication Mode RADIUS

Authorization Mode CiscoWorks Local

I have a couple of questions about this.

1.) Why does the RADIUS sometimes read RADIUS (Fallback Mode) and other times, just RADIUS?

2.) Are there any security risks with me authenticating like this?

Cisco Employee

Re: Radius + CW + User Roles

If you log in as a user who does not have an account in Radius (e.g. admin), then LMS will fall back to local authentication. The users allowed for fallback (admin is the only user by default) can be configured when you switch the login module.

No, what you are doing is the proper way of doing external authentication.
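
A simplified model of the login flow the replies describe, added here as an example; it is not part of the original thread and is not LMS code. It shows RADIUS supplying authentication only, the local account supplying roles, and fallback applying only to listed users. The user names, passwords, role name, and the rule that a user known to RADIUS is never checked against the local password are assumptions.

```python
import hmac

# Constructed sample data standing in for the RADIUS server and LMS local user setup.
RADIUS_USERS = {"jdoe": "domain-pass", "asmith": "domain-pass-2"}
LOCAL_USERS = {  # local account -> (local password, roles); role name is illustrative
    "jdoe": ("bogus-local-pass", {"System Administrator"}),
    "admin": ("admin-pass", {"System Administrator"}),
}
FALLBACK_USERS = {"admin"}  # users allowed to fall back to local authentication


def _match(expected, supplied):
    """Constant-time password comparison."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


def login(user, password):
    """Return (authentication mode, roles), or None when the login is refused."""
    if user in RADIUS_USERS:
        # Assumption: a user known to RADIUS is judged by RADIUS alone.
        if not _match(RADIUS_USERS[user], password):
            return None
        mode = "RADIUS"
    elif user in FALLBACK_USERS and user in LOCAL_USERS:
        # No RADIUS account: fall back to the local password, if allowed.
        if not _match(LOCAL_USERS[user][0], password):
            return None
        mode = "RADIUS (Fallback Mode)"
    else:
        return None
    # Authorization always comes from the local account, never from RADIUS.
    roles = LOCAL_USERS[user][1] if user in LOCAL_USERS else set()
    return mode, roles


def live_local_passwords():
    """Local accounts whose local password can actually be used to log in."""
    return sorted(u for u in LOCAL_USERS
                  if u in FALLBACK_USERS and u not in RADIUS_USERS)


if __name__ == "__main__":
    for user, pw in [("jdoe", "domain-pass"), ("jdoe", "bogus-local-pass"),
                     ("asmith", "domain-pass-2"), ("admin", "admin-pass")]:
        print(user, "->", login(user, pw))
    print("local passwords in use:", live_local_passwords())
```

In this model the account with no local entry (`asmith`) authenticates but receives no roles, which is the symptom in the original question, and the bogus local password on `jdoe` is never accepted because that user is not in the fallback list.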
