Introduction
CiscoWorks Common Services Software provides a robust security mechanism to manage identity
and access to the CiscoWorks applications and data in a multi-user environment.
As CiscoWorks has powerful network management tools for device configuration and software
image management, unintended operations carried out by unauthorized users can cause
disruptions to your network and in turn have a severe impact on business-critical activities.
CiscoWorks addresses this requirement by integrating with Cisco Secure Access Control Server
(ACS) to provide improved access control by means of authentication, authorization, and
accounting (AAA).
This document explains in detail how to set up the CiscoWorks server to integrate with Cisco
Secure ACS. It also gives information on the basic configuration steps to be executed with Cisco
Secure ACS.
Prerequisites
Before integrating your CiscoWorks Common Services Software with Cisco Secure ACS, you must
complete installing CiscoWorks Common Services Software and Cisco Secure ACS on the
appropriate servers and ensure that network connectivity exists between the two.
You need to have administrative privileges for Cisco Secure ACS and the CiscoWorks server to be
able to perform the procedures explained in this document.
CiscoWorks Common Services Software 3.0.5 supports the following versions of Cisco Secure
Access Control Server for Windows
It is recommended that you install the Admin HTTPS PSIRT patch if you are using Cisco Secure
ACS 3.2.3.
Go to http://www.cisco.com/public/sw-center/ciscosecure/cs-acs.shtml.
Click the Download Cisco Secure ACS Software (Windows) link. You can find the link to the
Admin HTTPS PSIRT patch in the table.
All contents are Copyright © 1992–2007 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. Page 1 of 29
White Paper
TACACS+ TCP 49
Cisco Secure ACS can be accessed across remote machines from the browser; it uses port
number 2002 for its communication.
Cisco Secure ACS and CiscoWorks Common Services Software cannot coexist on the
same server because of port number conflicts.
To find out more about how to install, maintain, and operate Cisco Secure ACS, refer to the online
user guide found at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/index.htm.
Components Used
The following applications and tools are used in the scenario explained in this document:
Background Information
CiscoWorks Common Services Software supports two modes of access control for authentication,
authorization, and accounting:
This document provides step-by-step procedures for setting up your CiscoWorks server for ACS
mode. It also provides step-by-step instructions for setting up Cisco Secure ACS to integrate with
the CiscoWorks server.
The details for setting up the CiscoWorks server for non-ACS mode are not covered in this
document. For more information, refer to the online user guide at
http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.
Fallback Option
In case of failure of the chosen authentication, CiscoWorks provides a fallback option to the
CiscoWorks Local mode. By default the admin user is added to the fallback option.
Debugging
Logging can be enabled or disabled by choosing the true or false option on the login mode page.
The logs are written into the stdout.log file under the location $NMSROOT/MDC/tomcat/logs.
For all the non-ACS mode modules, the user needs to enter the credentials, log out, and log in
again for the changes to take effect.
To understand more about how to maintain and operate CiscoWorks Common Services Software,
refer to the online user guide at
http://cco/en/US/products/sw/cscowork/ps3996/products_user_guide_book09186a00801e8b82.html.
Cisco Secure ACS initial setup—Adding the ACS administrator user and AAA clients in
Cisco Secure ACS.
AAA mode configuration in CiscoWorks Common Services—Specifying the Cisco Secure
ACS credentials in CiscoWorks Common Services.
User configuration in Cisco Secure ACS—Adding users and defining roles in Cisco Secure
ACS.
You must have an administrator account configured prior to accessing Cisco Secure ACS
from any remote machine.
Administrators are the only users of the Cisco Secure ACS HTML interface. To access the
Cisco Secure ACS HTML interface from a browser on a remote machine, you must log in to
Cisco Secure ACS using an administrator account.
If Cisco Secure ACS is so configured, access to the application from the server itself may
also require a browser.
Cisco Secure ACS administrator accounts are unique to Cisco Secure ACS. They are not
related to other administrator accounts, such as Windows users with administrator privileges.
In the HTML interface, an administrator can configure any of the features provided in Cisco
Secure ACS; however, the ability to access various parts of the HTML interface can be
limited by the administrative user.
Cisco Secure ACS administrator accounts have no correlation with Cisco Secure ACS user
accounts or username and password authentication. Cisco Secure ACS stores accounts
created for authentication of network service requests and those created for Cisco Secure
ACS administrative access in separate internal databases.
To add a Cisco Secure ACS administrator account, follow these steps:
a. In the Administrator Name box, type the login name (up to 32 characters) for the new
Cisco Secure ACS administrator account.
b. In the Password box, type the password (up to 32 characters) for the new Cisco Secure
ACS administrator account.
c. In the Confirm Password box, type the password a second time.
Step 4. To select all privileges, including user group editing privileges for all user groups, click
Grant All.
All privilege options are selected. All user groups move to the Editable groups list.
Step 5. To grant user and user group editing privileges, follow these steps:
a. Select the desired check boxes under User & Group Setup.
b. To move a user group to the Editable groups list, select the group in the Available groups
list, and then click --> (the right arrow button).
The selected group moves to the Editable groups list.
c. To remove a user group from the Editable groups list, select the group in the Editable
groups list, and then click <-- (the left arrow button).
The selected group moves to the Available groups list.
d. To move all user groups to the Editable groups list, click >>.
The user groups in the Available groups list move to the Editable groups list.
e. To remove all user groups from the Editable groups list, click <<.
The user groups in the Editable groups list move to the Available groups list.
Step 6. To grant any of the remaining privilege options, in the Administrator Privileges table,
select the applicable check boxes.
Cisco Secure ACS saves the new administrator account. The new account appears in the list of
administrator accounts on the Administration Control page.
Step 1. In the Cisco Secure ACS navigation bar, click Network Configuration.
If you are using network device groups (NDGs), click the name of the NDG to which the
AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.
To add an AAA client when you have not enabled NDGs, click Add Entry below the AAA
Clients table.
The Add AAA Client page appears.
Step 3. In the AAA Client Hostname box, type the name of your CiscoWorks server (up to 32
characters).
Step 4. In the AAA Client IP Address box, enter the IP address of your CiscoWorks server.
Step 5. In the Key box, type the shared secret key that your CiscoWorks server and Cisco Secure
ACS use to encrypt the data (up to 32 characters).
For correct operation, the identical key must be configured on the AAA client and Cisco
Secure ACS. Keys are case sensitive.
Step 6. If you are using NDGs, from the Network Device Group list, select the name of the NDG
to which your CiscoWorks server should belong, or select Not Assigned to set your
CiscoWorks server to be an independent AAA client.
Step 7. From the Authenticate Using list, select the network security protocol used by the AAA
client.
Step 8. If you want a single connection from an AAA client, rather than a new one for every
TACACS+ request, select the Single Connect TACACS+ AAA Client (Record stop in
accounting on failure) check box.
Step 9. If you want to log watchdog packets, select the Log Update/Watchdog Packets from
this AAA Client check box.
Step 10. If you want to log RADIUS tunneling accounting packets, select the Log
RADIUS tunneling Packets from this AAA Client check box.
Step 11. If you want to track session state by username rather than port number, select
the Replace RADIUS Port info with Username from this AAA check box.
If you select this option, Cisco Secure ACS cannot determine the number of user
sessions for each user. Each session uses the same session identifier, the username; therefore,
the Max Sessions feature is ineffective for users accessing the network through an AAA client with
this feature selected.
Step 12. If you want to save your changes and apply them immediately, click Submit +
Restart.
Restarting the service clears the Logged-in User report and temporarily interrupts all
Cisco Secure ACS services. This affects the Max Sessions counter.
If you want to save your changes and apply them later, click Submit. When you are ready to
implement the changes, click System Configuration, click Service Control, and then click
Restart.
For more information on AAA client configuration for Cisco Secure ACS, refer to
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.
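The shared key entered in Step 5 is not sent on the wire: TACACS+ uses it to derive an MD5 pad that is XORed over each packet body (RFC 8907, "Data Obfuscation"), and the receiver discards a packet whose de-obfuscated field lengths do not add up to the length in the cleartext header. The Python below is an added example, not Cisco code; it shows a key that differs only in letter case failing that check. The key, session ID, user name, port, and address are constructed values.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body is sent in cleartext
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length

# Constructed sample values (assumptions for this example only).
SESSION_ID = 0x1A2B3C4D
KEY_ON_ACS = b"CwAcsKey01"
KEY_WRONG_CASE = b"cwacskey01"


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); truncate to length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """XOR is its own inverse, so this both obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr):
    """Authentication START body: 8 fixed bytes, then the variable fields."""
    # action=LOGIN, priv_lvl=1, authen_type=ASCII, authen_service=LOGIN, data_len=0
    fixed = bytes([1, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return fixed + user + port + rem_addr


def client_packet(body, session_id, key, seq_no=1):
    """What the AAA client sends: cleartext 12-byte header + obfuscated body."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def server_receive(packet, key):
    """Return the user name, or None when the packet must be discarded."""
    if len(packet) < HEADER.size:
        return None
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(
        packet[:HEADER.size])
    body = packet[HEADER.size:]
    if len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    user_len, port_len, rem_len, data_len = body[4:8]
    # Length check: with the wrong key these four bytes are effectively random.
    if 8 + user_len + port_len + rem_len + data_len != length:
        return None
    return body[8:8 + user_len].decode("ascii", errors="replace")


def demo():
    body = build_authen_start(b"cwadmin", b"tty0", b"192.0.2.10")
    packet = client_packet(body, SESSION_ID, KEY_ON_ACS)
    return {
        "same_key": server_receive(packet, KEY_ON_ACS),
        "wrong_case_key": server_receive(packet, KEY_WRONG_CASE),
        "body_hidden": packet[HEADER.size:] != body,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```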
When you are integrating with Cisco Secure ACS, your devices will not be visible from your
CiscoWorks server if you have not added them as AAA clients in Cisco Secure ACS.
For more information on adding network device groups and AAA client configuration, refer to the
“Network Configuration” section of the Cisco Secure ACS User Guide found at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/n.htm.
Step 1. Log in to the CiscoWorks Common Services server and launch the CiscoWorks Common
Services server security configuration page as shown in Figure 3.
Step 2. On the Security page, select the AAA Mode Setup link from the TOC menu on the left
side of the page (Figure 4).
Step 3. Go to the ACS mode configuration page by selecting the ACS radio button (Figure 5). The
page shown in Figure 6 appears.
Step 4. Enter the following details into the fields A, B, C, and D indicated in Figure 6:
A—Server Details
Hostname
CiscoWorks Common Services Software supports up to three backup servers. When the
primary Cisco Secure ACS fails, the AAA requests are redirected to the secondary or
backup servers. You can have multiple backup servers for a higher level of redundancy.
It is not mandatory to have all three Cisco Secure ACS servers. You can still have a single
primary server.
When you have multiple Cisco Secure ACS servers for backup, ensure that the
configurations on all servers are synchronized.
If you enter the hostname instead of the ACS server IP in Solaris, make sure the
hostname is available in the /etc/hosts table.
ACS TACACS+ Port: Port number 49 is utilized by Cisco Secure ACS for the TACACS+
communication.
B—Login
ACS Admin Name—Enter the administrator user name that you would use to log in to Cisco
Secure ACS.
ACS Admin Password—Enter the administrator password that you would use to log in to
Cisco Secure ACS.
ACS Shared Key—Enter the shared secret key that you entered in Cisco Secure ACS while
adding the CiscoWorks Common Services server as an AAA client.
C—Application Registration
You can choose to register all installed applications with Cisco Secure ACS by selecting the check
box under Application Registration. But you need to know about the following before registering the
applications with Cisco Secure ACS:
<App name>RoleDefinition.xml
<App name>Tasks.xml
By default five predefined roles are available.
However, Cisco Secure ACS provides the feature of customized roles, wherein you can
create a new role or edit the privileges of the predefined roles.
In case of an application being reregistered from Common Services, the custom roles (if
any) created for that application would be lost.
The application registration from the AAA Mode Setup will reregister all the installed
applications to Cisco Secure ACS, which will cause the custom roles (if any) to be lost.
But this mass application registration can be avoided by using the command-line interface
(CLI) script AcsRegCli.pl.
HTTP/HTTPS mode is used for device cache initialization, application registration, and
administration purposes.
Select the check box option under ACS Communication on HTTPS when Cisco Secure
ACS is configured to work in HTTPS mode.
When you select HTTPS mode, make sure that the backup servers are also in HTTPS
mode.
The SSL mode is not applicable to the TACACS+ or RADIUS security protocols, which
are used for authentication and authorization between AAA clients and the server.
Refer to Appendix A of this document for information on selecting HTTPS mode and installing
security certificates on Cisco Secure ACS.
Step 5. Apply the changes after filling in the required parameters in the AAA mode page. On
applying the changes, you see the window shown in Figure 7, which displays the
summary of the login module changes done.
Step 1. Go to Common Services > Server > Security > Multi-Server Trust Management >
System Identity Setup. Set up a System Identity User.
Step 2. Go to Common Services > Server > Security > Single-Server Management > Local
User Setup. Ensure that the System Identity User is a local user with all the roles.
Step 3. Create a superuser role in Cisco Secure ACS that has full access rights to CiscoWorks
applications.
Step 4. Add the System Identity User configured in CiscoWorks Common Services to Cisco
Secure ACS and ensure that the System Identity User is part of the superuser group.
After you restart the daemons, all authentication requests for the CiscoWorks server are handled
by Cisco Secure ACS.
Cisco Secure ACS allows you to define access permissions and policies for the registered
CiscoWorks applications on a per user basis or user group basis.
Refer to the following sections of the Cisco Secure ACS User Guide for more information on
managing users and user groups:
Figure 8 shows a subset of tasks that can be allowed or disallowed to be performed by a user
based on his or her role.
Figure 8. A Subset of Tasks That Can Be Allowed or Disallowed Based on the User’s Role
The list of tasks may vary with the CiscoWorks applications registered with Cisco Secure ACS.
Once you have created the user or user group, you need to set the CiscoWorks Common Services
specific policies to assign the following:
Step 1. Go to the Cisco Secure ACS Group Setup page, choose a user group, and click the Edit
Setting button.
Step 2. Under the TACACS+ setting, you can view all the CiscoWorks applications registered
with Cisco Secure ACS and the related attributes.
For each registered CiscoWorks application, you can choose any of the following three
TACACS+ settings while assigning a role to the user group for the devices or device
groups to be managed. The options are:
None—No role assigned.
Assign a <UserRole> for any Network Device—You can assign any one of the predefined
(or custom created) roles to the user group for all devices. When you choose this option,
the user will have the privileges of performing all the tasks defined for the selected role on
all devices defined as AAA clients in Cisco Secure ACS.
Assign a <UserRole> on a per Network Device Group basis—You can choose this option
when you want to assign different roles for the user group for different sets of devices or
device groups. For example, you can choose this option when you want to assign the
administrator role for the user group for one device group and assign the operator role to
the same user group for another device group.
Figure 9 shows an example for a user being assigned the role of System Administrator for the
device group NDG1, the role of Network Operator for the device group NDG2, and the role of Help
Desk for the device group NDG1.
Step 1. Before you can edit the user settings, make sure that you have selected the Per-user
TACACS+/RADIUS Attributes option for the CiscoWorks applications registered with
Cisco Secure ACS.
Go to the ACS Interface Configuration > Advanced options to select the Per-user
TACACS+/RADIUS Attributes option.
Select the check box next to Per-user TACACS+/RADIUS Attributes under the
Advanced Options configuration page and click the Submit button to save the changes
as shown in Figure 10.
Step 2. After selecting the Per-user TACACS+/RADIUS Attributes check box under the Advanced
Options, select the user-level TACACS+ services from Interface Configuration >
TACACS+ (Cisco IOS) (Figure 11).
Step 3. Select the check boxes under the User column for the required applications and click the
Submit button to save changes as shown in Figure 11.
Step 4. After you select the per user interface configurations, go to the User Setup page to edit the
settings for the selected user to define the access policies for CiscoWorks applications
registered with Cisco Secure ACS.
As you see in Figure 12, the per user setup also provides the same three options as the
groups setup for defining the role and associating the device groups that the user can
manage.
Step 5. After assigning the roles and device groups to the user, click the Submit button to save
the changes.
Appendix A
HTTP/HTTPS protocol is used for the following operations between the CiscoWorks server and
Cisco Secure ACS:
Perform the following procedure to install a server certificate for your Cisco Secure ACS. You can
perform certificate enrollment to support the HTTPS protocol for the HTML interface to Cisco
Secure ACS. There are three basic options by which you can install the server certificate; you may:
If you are installing a server certificate that replaces an existing server certificate, the installation
could affect the configuration of the CTL and CRL settings of Cisco Secure ACS. After you have
installed a replacement certificate, you should determine whether you need to reconfigure any CTL
or CRL settings.
To install an existing certificate for use on Cisco Secure ACS, use the following steps:
Cisco Secure ACS displays the Install ACS Certificate page (Figure 13).
Step 4. You must specify whether Cisco Secure ACS reads the certificate from a specified file or
uses a certificate already in storage on the local machine. Do one of the following:
To specify that Cisco Secure ACS reads the certificate from a specified file, select the Read
certificate from file option, and then type the full directory path and filename of the
certificate file in the Certificate file box.
To specify that Cisco Secure ACS uses a particular existing certificate from local machine
certificate storage, select the Use certificate from storage option, and then type the
certificate CN (common name/subject name) in the Certificate CN box.
Step 5. If you generated the request using Cisco Secure ACS, in the Private key file box, type the
full directory path and name of the file that contains the private key.
Step 6. In the Private key password box, type the private key password.
The self-signed certificate feature in Cisco Secure ACS allows the administrator to generate the
self-signed digital certificate and use it for the Protected Extensible Authentication Protocol (PEAP)
or for HTTPS support in Web administration service.
Cisco Secure ACS displays the Generate Self-Signed Certificate edit page (Figure 14).
Step 4. In the Certificate subject box, type the certificate subject in the form cn=XXXX. You can
enter additional information here. For information, refer to the “Self-Signed Certificate
Configuration Options” section in the Cisco Secure ACS User Guide.
Step 5. In the Certificate file box, type the full path and filename for the certificate file.
Step 6. In the Private key file box, type the full path and filename for the private key file.
Step 7. In the Private key password box, type the private key password.
Step 8. In the Retype private key password box, retype the private key password.
Step 10. In the Digest to sign with box, select the hash digest to be used to encrypt the key.
Step 11. To install the self-signed certificate when you submit the page, select the Install
generated certificate option.
The specified certificate and private key files are generated and stored, as specified. The
certificate becomes operational, if you also selected the Install Generated Certificate option, only
after you restart Cisco Secure ACS services.
For more information on Cisco Secure ACS authentication and certificates, refer to the Cisco
Secure ACS User Guide at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sau.htm#wp326973.
Appendix B
Help Desk (default role for all users)—Can access network status information only. Can
access persisted data on the system but cannot perform any action on a device or
schedule a job that will reach the network.
Approver—Can approve all tasks.
Network Operator—Can perform all Help Desk tasks. Can do tasks related to network data
collection but cannot perform any task that requires write access on the network.
Network Administrator—Can perform all Network Operator tasks. Can perform tasks that
result in a network configuration change.
System Administrator—Can perform all CiscoWorks system administration tasks.
These roles determine which CiscoWorks applications, tools, and product features you are allowed
to access. Roles are not set up hierarchically, with each role including all the privileges of the role
“below” it. Instead, these roles provide access privileges based on user needs.
CiscoWorks when integrated with Cisco Secure ACS for authentication, authorization, and
accounting provides you the options to add new or custom roles and also to modify the predefined
role definitions and tasks.
Step 1. Select Shared Profile Components > CiscoWorks Common Services and click the
roles that you want to modify.
Step 2. Select or deselect any of the Common Services tasks that suit your business workflow
and needs.
Refer to Figure 15 (the check boxes represent the respective tasks applicable to the application).
The user can select or unselect the tasks and customize the default roles.
Figure 15. Shared Profile Components—Modifying CiscoWorks Common Services for Defined User Roles
Step 1. Select Shared Profile Components > <CiscoWorks Application> and click the Add
button to add a new role.
The new role definition page will appear as shown in Figure 16.
Step 2. Select or deselect any of the Common Services tasks that suit your business workflow
and the needs of the new role.
Figure 16. Shared Profile Components—Adding a New CiscoWorks Common Services User Role
You can facilitate logging using the logging configuration options in the System Configuration page
(Figure 17). Refer to the “System Configuration” section in the Cisco Secure ACS User Guide at
http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs33/user/sba.htm#wp222166 for more information.
Cisco Secure ACS provides the following three logs, which can be useful when you are debugging
user activities and events related to CiscoWorks:
The reports and logs can be viewed from the Cisco Secure ACS Reports and Activity page (Figure
18).
The location of the script is $NMSROOT\bin\AcsRegCli.pl. The following optional parameters are
available when running the script from the CLI:
cwhp—Common Services
rme—Resource Management Essentials
CM—Campus Manager
dfm—Device Fault Manager
CiscoView—CiscoView
ipm—Internetwork Performance Monitor
AcsRegCli.pl -register all
This option is similar to the application registration from the GUI, where all the installed
applications are registered with Cisco Secure ACS.
Appendix C
FAQ on Troubleshooting CiscoWorks Common Services Integration with Cisco Secure ACS
1. Question: I have configured my CiscoWorks server to integrate with Cisco Secure ACS for
AAA. When I log in to CiscoWorks, the authentication succeeds but all the buttons are
disabled/grayed-out. How do I troubleshoot this issue?
Answer:
Step 2. If the preceding solution doesn’t solve the problem, then check the Cisco Secure ACS
user configuration to see whether a role has been assigned to the user.
2. Question: I have provided the Cisco Secure ACS credentials in my CiscoWorks Common
Services AAA mode page and restarted the daemons. When I try to log in as a user in Cisco
Secure ACS I get an authentication failed message. How do I troubleshoot this issue?
Answer:
Step 2. Check the Failed Attempts log in Cisco Secure ACS. If it says “Bad request from NAS”, it
means the CiscoWorks server has not been added as an AAA client to Cisco Secure
ACS. Please refer to the section “Adding your CiscoWorks server as an AAA client” in this
document.
Step 3. If the message is “Password Mismatch”, then check whether the Cisco Secure ACS
administrator password and shared secret key entered in the CiscoWorks Common
Services AAA mode page are correct.
3. Question: I have integrated my CiscoWorks Common Services server with Cisco Secure ACS
and have assigned appropriate roles to the user. But I am not able to see the devices added
in the Device Credentials Registry (DCR) at all, and the list is always empty. What do I need
to do?
Answer:
To view the devices added to DCR, you need to add the devices as AAA clients to Cisco Secure
ACS.
Step 2. Check whether the Cisco Secure ACS administrator password specified in the
CiscoWorks Common Services AAA mode page is correct.
Step 3. Check or uncheck the Connect to ACS in HTTPS mode check box in the Common
Services AAA mode page depending on the HTTP/HTTPS mode of Cisco Secure ACS.
5. Question: I see an “initdevicecache failed” message in my log. What do I infer from this error
message?
Answer:
6. Question: How do I unregister an application? I do not see any option available from the GUI.
Answer:
There is no way of unregistering an application from the front end, but you can register or
unregister applications from the back end using the ACSRegCli script located at
$NMSROOT\www\classpath\com\cisco\nm\cmf\security. You can register or unregister all
applications as follows:
On Windows:
Run the following command from the CLI:
On Solaris:
Set LD_LIBRARY_PATH to the value found in the md.properties file.
8. Question: Are there any backend script or command-line interface options to change the
login module from Cisco Secure ACS to CiscoWorks Local?
Answer:
ResetLoginModule.pl, located at NMSROOT/bin, can be used to reset the login module back to the
CiscoWorks Common Services Local login module from Cisco Secure ACS. Make sure you first
stop the daemons on your CiscoWorks server prior to executing the script.
9. Question: I have installed several CiscoWorks applications on the CiscoWorks server. I have
configured the user in Cisco Secure ACS, and I am seeing the respective roles of the user
being applied in CiscoWorks. However, all the buttons are grayed out for all the applications
pages.
Answer:
Similar to assigning a user role to the CiscoWorks Common Services application (using either the
Group or User setup), you must explicitly assign a user role to each of the other registered
applications. Please refer to the section “User Configuration in Cisco Secure ACS” in this
document.
10. Question: Where do I specify the fallback user for ACS mode?
Answer:
The fallback option for ACS mode can be given in the non-ACS TACACS+ mode setup page.
To add the fallback users in Cisco Secure ACS, execute the following steps:
Step 3. Specify the fallback users in the Login fallback options text field.
11. Question: I have specified a user under the fallback option for Cisco Secure ACS, but I am
not seeing the fallback option from Cisco Secure ACS to CiscoWorks Local working for the
authorization request. What could be wrong?
Answer:
The fallback option in Cisco Secure ACS is only for authentication where the requests are
redirected to the CiscoWorks server; there is no fallback option for the authorization requests
(authorization would now be handled by the local user account on the CiscoWorks server).
12. Question: After I integrate CiscoWorks Common Services with Cisco Secure ACS,
CTMJrmServer does not come up when I restart Daemon Manager. What could be wrong?
Answer:
The System Identity User may not be properly configured in CiscoWorks Common Services.
Check whether the System Identity User configured in CiscoWorks Common Services and
in Cisco Secure ACS is the same.
Check whether the System Identity User configured in the CiscoWorks server has
appropriate privileges. If it does not have the appropriate privileges, the error message
“Authorization failed for the job browser task” appears in the daemons.log file.
Check whether the System Identity User has the Network Administrator role, and restart
Daemon Manager to fix the issue.