Cisco Support Community
New Member

TACACS and LMS 2.5

If TACACS is implemented on all network switches, what is the best way to implement TACACS on the LMS 2.5 server that manages the network?

6 REPLIES
Cisco Employee

Re: TACACS and LMS 2.5

There are older switches that do not implement TACACS+. However, all modern CatOS and IOS switches do.

As for your other question, more context is required. Do you have CiscoSecure ACS? What kind of LMS/TACACS interaction are you looking for? With LMS 2.5, you can use CS ACS for LMS authorization as well as for access to network devices.

New Member

Re: TACACS and LMS 2.5

The network consists of 2950s cored to two 6513s. TACACS would be applied via the "aaa" command. We want someone to be able to use LMS to change VLANs, for example, on a selected group of switches using their TACACS userid and pw, so that the changes made on the switches are traceable to that someone.

Cisco Employee

Re: TACACS and LMS 2.5

You can do that using the job based password feature of LMS. With this, the user executing the job provides their username and password for that job only. That way, AAA logs will reflect that user as being the one that performed the config changes.

In this configuration, the best solution would be to enforce job-based passwords using RME > Admin > Config Mgmt > Config Job Policies. Make the Job Passwords mandatory by unchecking the User Configurable checkbox. Then, all config changes must specify per-job credentials.
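Switch-side AAA configuration that turns the per-job credentials described above into an attributable accounting trail. This is an added example, not a configuration from the original thread or from LMS; it assumes the 2950s and 6513s run IOS (CatOS syntax differs), and the ACS address 10.1.1.10, the shared secret T@c4cs-k3y and the local account lmsbreakglass are hypothetical placeholders.

```text
! Added example (not from the original thread). Assumes IOS on the switches,
! CiscoSecure ACS reachable at 10.1.1.10 (hypothetical) and a hypothetical
! shared secret. Replace both before use.
!
aaa new-model
!
! The TACACS+ server that both interactive logins and RME job logins are
! checked against.
tacacs-server host 10.1.1.10 key T@c4cs-k3y
tacacs-server timeout 5
!
! Local fallback account (hypothetical name and secret) so the switch stays
! manageable if ACS is unreachable. It is only used when TACACS+ does not answer.
username lmsbreakglass privilege 15 secret BreakGlass-Only
!
! Authenticate every login against TACACS+, fall back to the local database.
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
!
! Authorize the exec shell and privilege-15 commands via TACACS+.
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
!
! Accounting is what makes a change traceable: every privilege-15 command is
! reported to ACS together with the username that authenticated the session.
! An RME job run with per-job credentials is therefore logged under that
! user's TACACS+ userid rather than under a shared LMS account.
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
```

The method lists are named `default`, so they apply to the console and all vty lines without a separate `line` section. After applying it, `show tacacs` on the switch should show the server as reachable, and a config job run from RME with job-based credentials should appear in the ACS "TACACS+ Administration" report under the job owner's username, with one entry per command the job pushed. If you only enable exec accounting and not command accounting you will see the login but not the VLAN change itself.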

New Member

Re: TACACS and LMS 2.5

Thanks, sounds like that will work for the LMS user, but don't I still have to configure LMS with a TACACS id and pw before it can access the switches?

Cisco Employee

Re: TACACS and LMS 2.5

You will still need to enter TACACS credentials in the DCR so that the various applications can access the devices.

Cisco Employee

Re: TACACS and LMS 2.5

No, you don't HAVE to. RME (and other LMS apps) can certainly use SNMP to perform all necessary operations. However, if you want to use telnet/SSH for configuration fetches in RME, you will need to populate DCR with a username and password.
