Ciscoworks Assistance Needed!

rjmedina
We are currently implementing CiscoWorks for managing our Enterprise.  We have Ciscoworks installed and we have been able to incorporate all of the LOCAL network devices for management under Ciscoworks using ACS authentication.

Now we are in the process of trying to do the same thing (manage our Cisco devices using ACS authentication) for each of our Remote sites. However we keep getting Authentication failures. Cisco has implied that we should leave our network "wide-open" and our devices with a default configuration and it should just work. Unfortunately we have a policy of "Deny All, Allow by exception". Therefore, we need to know what services (such as SNMP and RCP) should be enabled and what ports need to be open to enable us to accomplish our goal.

Therefore, I guess the question boils down to:  Is there anyone out there who can tell me what to look for in the config file of a managed device to verify it can be managed under a  Ciscoworks Environment using ACS authentication?

All devices have had their default configs modified by a variety of previous admins; we do not do config fetches or OS uploads to them. All devices are Cisco Catalyst Switches or Routers.

Any help or direction in this matter is greatly appreciated.
Top Expert 2004
Commented:
You don't need telnet unless your devices don't do ssh. You don't need rcp. You don't need tftp unless you want Ciscoworks to pull configs. You do need snmp in from the Ciscoworks server for the server to discover the device. If you're using TACACS+ for your AAA then the port you need is TCP 49 out from the device to the server, and permit tcp established from the server to the device.

Author

Commented:
Mike -

We want to pull the configs, and we have been told by Cisco that if we have rcp enabled we don't need tftp. We know that if we were NOT using ACS for access control that we can enter the credentials to access each device directly and we successfully pull the configs.

The problem seems to occur with remote devices when using ACS.  We need to use ACS because we have administrators at each remote site that manage their own devices - we want them to be able to use Ciscoworks to manage their devices but we want to limit them to their own devices.  

Hope this helps to clarify our situation.
Top Expert 2004

Commented:
So it sounds like what you want is basically to limit particular Ciscoworks users, who are verified by ACS, to particular devices? I have no idea how to do that.

We use Windows IAS, which is glorified RADIUS. By putting different users in different groups we can limit them to authentication on particular devices- but Ciscoworks has access to everything.

Author

Commented:
It turns out that while there was a minor problem with the ACS authentication the real reason we were having problems pulling the configs was because the SNMP communities were different for each of our remote networks. While they were instructed to use a specific community, it seems that no one bothered to read the directions.

Therefore I'm giving the points to Mike as he was the one who mentioned SNMP and caused me to look more closely at the SNMP configuration.
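
Added example (not part of the original thread or any poster's code): a small audit of device configs for the items this thread turned on, namely the SNMP community the management server polls with and the TACACS+ (ACS) server entry. The community string, server address, device names and config excerpts are constructed, and the script assumes the classic IOS `snmp-server community`, `aaa new-model` and `tacacs-server host` syntax.

```python
import re

# Constructed values for illustration (not from the thread).
EXPECTED_COMMUNITY = "example-ro"   # community the CiscoWorks server polls with
ACS_SERVER = "192.0.2.10"           # TACACS+ (ACS) server address

# Constructed running-config excerpts, one per device.
CONFIGS = {
    "hq-sw1": """
aaa new-model
tacacs-server host 192.0.2.10
snmp-server community example-ro RO 10
""",
    "remote-a-rtr1": """
aaa new-model
tacacs-server host 192.0.2.10
snmp-server community sitea-ro RO
""",
    "remote-b-sw1": """
snmp-server community example-ro RO
""",
}

def audit(config, community=EXPECTED_COMMUNITY, acs=ACS_SERVER):
    """Return a list of findings for one IOS running-config text."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    communities = [m.group(1) for l in lines
                   if (m := re.match(r"snmp-server community (\S+)", l))]
    if not communities:
        findings.append("no SNMP community configured")
    elif community not in communities:
        findings.append("SNMP community differs from the expected one")
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing")
    tacacs = [m.group(1) for l in lines
              if (m := re.match(r"tacacs-server host (\S+)", l))]
    if acs not in tacacs:
        findings.append("ACS server not listed as tacacs-server host")
    return findings

def audit_all(configs=CONFIGS):
    """Map device name -> findings, listing only devices with problems."""
    return {name: f for name, cfg in configs.items() if (f := audit(cfg))}

if __name__ == "__main__":
    for device, findings in audit_all().items():
        for finding in findings:
            print(f"{device}: {finding}")
```

Running it over saved configs from each remote site shows at a glance which devices were set up with a different community than the one the management server uses.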
