rjmedina asked:

Ciscoworks Assistance Needed!

We are currently implementing CiscoWorks for managing our Enterprise.  We have Ciscoworks installed and we have been able to incorporate all of the LOCAL network devices for management under Ciscoworks using ACS authentication.

Now we are in the process of trying to do the same thing (manage our Cisco devices using ACS authentication) for each of our Remote sites.  However, we keep getting Authentication failures.  Cisco has implied that we should leave our network "wide-open" and our devices with a default configuration and it should just work.  Unfortunately, we have a policy of "Deny All, Allow by exception".  Therefore, we need to know what services (such as SNMP and RCP) should be enabled and what ports need to be open to enable us to accomplish our goal.

Therefore, I guess the question boils down to:  Is there anyone out there who can tell me what to look for in the config file of a managed device to verify it can be managed under a Ciscoworks Environment using ACS authentication?

All devices have had their default configs modified by a variety of previous admins; we do not do config fetches or OS uploads to them. All devices are Cisco Catalyst Switches or Routers.

Any help or direction in this matter is greatly appreciated.

ASKER CERTIFIED SOLUTION
mikebernhardt

This solution is only available to members.

rjmedina (ASKER)

Mike -

We want to pull the configs, and we have been told by Cisco that if we have rcp enabled we don't need tftp.  We know that if we were NOT using ACS for access control that we can enter the credentials to access each device directly and we successfully pull the configs.

The problem seems to occur with remote devices when using ACS.  We need to use ACS because we have administrators at each remote site that manage their own devices - we want them to be able to use Ciscoworks to manage their devices but we want to limit them to their own devices.  

Hope this helps to clarify our situation.

So it sounds like what you want is basically to limit particular Ciscoworks users, who are verified by ACS, to particular devices? I have no idea how to do that.

We use Windows IAS, which is glorified RADIUS. By putting different users in different groups we can limit them to authentication on particular devices - but Ciscoworks has access to everything.

It turns out that while there was a minor problem with the ACS authentication, the real reason we were having problems pulling the configs was because the SNMP communities were different for each of our remote networks.  While they were instructed to use a specific community, it seems that no one bothered to read the directions.

Therefore I'm giving the points to Mike as he was the one who mentioned SNMP and caused me to look more closely at the SNMP configuration.
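
The root cause reported above, SNMP community strings that differ between remote sites, can be caught before onboarding by auditing saved device configs. The following is an added example, not part of the original thread: the function names, the `Example-RO` community, the sample configs, and the access-list check (motivated by the asker's deny-all policy) are all assumptions.

```python
import re

# IOS form: snmp-server community <string> [view <name>] [ro|rw] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)"
    r"(?: view \S+)?(?: (?P<mode>ro|rw))?(?: (?P<acl>\S+))?\s*$",
    re.IGNORECASE | re.MULTILINE,
)

def communities(config_text):
    """Return (string, mode, acl) for each community line; IOS defaults to ro."""
    return [
        (m["name"], (m["mode"] or "ro").lower(), m["acl"])
        for m in COMMUNITY_RE.finditer(config_text)
    ]

def audit(configs, expected_ro):
    """Map device name -> list of findings; compliant devices are omitted."""
    report = {}
    for device, text in configs.items():
        found = communities(text)
        issues = []
        if not found:
            issues.append("no snmp-server community configured")
        elif not any(n == expected_ro and m == "ro" for n, m, _ in found):
            issues.append("expected read-only community not present")
        # Community strings are credentials, so findings never echo them.
        extra = sum(1 for n, _, _ in found if n != expected_ro)
        if extra:
            issues.append(f"{extra} unexpected community string(s)")
        if any(acl is None for _, _, acl in found):
            issues.append("community without an access list")
        if issues:
            report[device] = issues
    return report

# Constructed sample configs (hypothetical devices, not from the thread).
SAMPLE = {
    "hq-sw1": "hostname hq-sw1\nsnmp-server community Example-RO ro 10\n",
    "siteA-rtr1": "hostname siteA-rtr1\nsnmp-server community siteA-local RO\n",
    "siteB-sw1": "hostname siteB-sw1\nsnmp-server community Example-RO\n",
    "siteC-rtr1": "hostname siteC-rtr1\nno snmp-server\n",
}

if __name__ == "__main__":
    for device, issues in audit(SAMPLE, "Example-RO").items():
        print(device, "->", "; ".join(issues))
```
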