Cisco Support Community

New Member

Re-register ACS when upgrading from LMS2.6 to LMS3

We're doing a new install of LMS3 while we run LMS2.6 in parallel. We're ACS integrated on ver 2.6 and have quite a few customized groups configured in ACS. When I switch my LMS3 install to ACS, do I need to reregister with ACS? I'd hate to recreate all those customized groups if I don't have to.

Also, will this have any impact on my 2.6 install? I wouldn't think so, but if anyone can confirm, that'd be great.

TIA

9 REPLIES
Cisco Employee

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

You will need to re-register LMS with ACS after upgrading to LMS 3.0. There are quite a few new tasks (and a new role) that need to be added to ACS. This will remove your current customized roles, but one role, the Super Admin role, is now built into LMS 3.0, and will not need to be recreated. Other custom roles will need to be recreated.

New Member

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

Thanks for the prompt reply. Are there still issues with ACS servers running on VMWare boxes?

Cisco Employee

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

I'm not certain if this is supported. I don't deal with the support of ACS beyond what is required for LMS. You might try asking on one of the security forums. That said, all of our NMS ACS servers (in our lab) are run on the physical machine.

New Member

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

Thanks again. One last question if you don't mind. We have 3 ACS servers; I'm assuming I should put all three in so CW will properly register with each one, is that correct? Should I do them individually, or all at once?

sb

Cisco Employee

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

If they are replicating, then you only need to register applications with one server, and that will replicate to the others. Then you can add the other two servers to LMS (but don't register applications).

If they are not replicating, then you will need to register applications with all servers, so it's best to add them all at the same time.

New Member

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

Do you know if there are any compatibility issues with having both versions of LMS integrated on the same ACS servers? I.e., after registering LMS3 applications in ACS, will there be any issues with the same ACS server handling AAA for LMS2.6?

Cisco Employee

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

No, both servers can share the same ACS.

New Member

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

Thanks for your help so far. I opened a TAC case (608264265) because when I attempt to register I get the following:

Primary ACS Verification Status (acs1)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Secondary ACS Verification Status (acs2)

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Not Configured

Secret Key Verification : Not Applicable

System Identity User : Not Applicable

Tertiary ACS Verification Status ( acs3 )

Tacacs+ Connectivity : Reachable

HTTP/HTTPS Connectivity : Reachable

AAA Client : Configured

Secret Key Verification : Success

System Identity User : Not configured properly for - (cwhp,cwportal,CiscoView,rme,CM,dfm)

ACS 1 and 2 are both running on VMWare ESX 3.5 servers

ACS 3 is on real hardware

ACS1 replicates down to 2 & 3 but not vice versa.

When we were on an older version of ESX we had problems running jobs so we moved our current LMS 2.6 install to ACS3. However, ACS 1 and 2 both have the CW information registered.

Any thoughts as to what the problem could be? Are there still issues with CW and ACS while ACS is running on VMWare ESX?

Thanks again,

Simon

Cisco Employee

Re: Re-register ACS when upgrading from LMS2.6 to LMS3

As I said before, I do not know if ACS is supported on VMWare. You need to either check on one of the security forums, or have your SR requeued to the ACS team to find out. If ACS is supported on VMWare, you should follow the instructions in the following thread to make sure LMS can properly register with ACS. That said, if ACS1 replicates to ACS2 and ACS3, you should only do the registration to ACS1 initially. Once the applications are registered and replicated, then add ACS2 and ACS3 to LMS.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=Network%20Management&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc00950
