CH A P T E R 7

Managing User Accounts

To use Security Manager, users must log in to the product and create individual accounts for each user.
Either you can create accounts that are unique to Security Manager, which are defined on the Security
Manager server and are called local accounts, or you can use your enterprise ACS server to authenticate
users. The following topics describe how to create and manage user accounts, and how to integrate the
product with your ACS system:
Setting Up User Permissions, page 7-1
Integrating Security Manager with Cisco Secure ACS, page 7-8
Troubleshooting Security Manager-ACS Interactions, page 7-23
In some cases, you may want to use a CiscoWorks login module other than the CiscoWorks Local login
module or the ACS module. That approach is called using a non-ACS login module, and it is supported
by CiscoWorks. For example, you can use LDAP (Lightweight Directory Access Protocol). For
information on this approach, see Setting the Login Module to Non-ACS in the User Guide for
CiscoWorks Common Services 3.3 at the following URL:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/user/guide/a
dmin.html#wp320043
See also the more general section Setting up the AAA Mode in the User Guide for CiscoWorks
Common Services 3.3 at the following URL:
http://www.cisco.com/en/US/docs/net_mgmt/ciscoworks_common_services_software/3.3/user/guide/a
dmin.html#wp618133

Setting Up User Permissions

Cisco Security Manager authenticates your username and password before you can log in. After they are
authenticated, Security Manager establishes your role within the application. This role defines your
permissions (also called privileges), which are the set of tasks or operations that you are authorized to
perform. If you are not authorized for certain tasks or devices, the related menu items, items in tables of
contents, and buttons are hidden or disabled. In addition, a message tells you that you do not have
permission to view the selected information or perform the selected operation.
Authentication and authorization for Security Manager is managed either by the CiscoWorks server or
the Cisco Secure Access Control Server (ACS). By default, CiscoWorks manages authentication and
authorization, but you can change to Cisco Secure ACS by using the AAA Mode Setup page in
CiscoWorks Common Services. For more information about ACS integration, see Integrating Security
Manager with Cisco Secure ACS, page 7-8.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-1
 Chapter 7 Managing User Accounts
Setting Up User Permissions

The major advantages of using Cisco Secure ACS are the ability to create highly granular user roles with
specialized permissions sets (for example, allowing the user to configure certain policy types but not
others) and the ability to restrict users to certain devices by configuring network device groups (NDGs).
These granular privileges are not available for CiscoWorks local users.

Tip To view the complete Security Manager permissions tree, log in to Cisco Secure ACS, then click Shared
Profile Components on the navigation bar. For more information, see Customizing Cisco Secure ACS
Roles, page 7-6.

The following topics describe user permissions:

Security Manager ACS Permissions, page 7-2
Understanding CiscoWorks Roles, page 7-4
Understanding Cisco Secure ACS Roles, page 7-5
Default Associations Between Permissions and Roles in Security Manager, page 7-7

Security Manager ACS Permissions

Cisco Security Manager provides default ACS roles and permissions. You can customize the default
roles or create additional roles to suit your needs. However, when defining new roles or customizing
default roles, make sure that the permissions you select are logical within the context of the Security
Manager application. For example, if you assign modify permissions without view permissions, you lock
the user out of the application.
Security Manager classifies permissions into the following categories. For an explanation of individual
permissions, see the online help integrated with Cisco Secure ACS (for information on viewing the
permissions, see Customizing Cisco Secure ACS Roles, page 7-6).
ViewAllows you to view the current settings. These are the main view permissions:
View > Policies. Allows you to view the various types of policies. The folder contains
permissions for various policy classes, such as firewall and NAT.
View > Objects. Allows you to view the various types of policy objects. The folder contains
permissions for each type of policy object.
View > Admin. Allows you to view Security Manager administrative settings.
View > CLI. Allows you to view the CLI commands configured on a device and preview the
commands that are about to be deployed.
View > Config Archive. Allows you to view the list of configurations contained in the
configuration archive. You cannot view the device configuration or any CLI commands.
View > Devices. Allows you to view devices in Device view and all related information,
including their device settings, properties, assignments, and so on. You can limit device
permissions to particular sets of devices by configuring network device groups (NDGs).
View > Device Managers. Allows you to launch read-only versions of the device managers for
individual devices, such as the Cisco Router and Security Device Manager (SDM) for Cisco IOS
routers.
View > Topology. Allows you to view maps configured in Map view.
ModifyAllows you to change the current settings.

Installation Guide for Cisco Security Manager 4.0.1

7-2 OL-23410-01
Chapter 7 Managing User Accounts
Setting Up User Permissions

Modify > Policies. Allows you to modify the various types of policies. The folder contains
permissions for various policy classes.
Modify > Objects. Allows you to modify the various types of policy objects. The folder
contains permissions for each type of policy object.
Modify > Admin. Allows you to modify Security Manager administrative settings.
Modify > Config Archive. Allows you to modify the device configuration in the Configuration
Archive. In addition, it allows you to add configurations to the archive and customize the
Configuration Archive tool.
Modify > Devices. Allows you to add and delete devices, as well as modify device properties
and attributes. To discover the policies on the device being added, you must also enable the
Import permission. In addition, if you enable the Modify > Devices permission, make sure that
you also enable the Assign > Policies > Interfaces permission. You can limit device permissions
to particular sets of devices by configuring network device groups (NDGs).
Modify > Hierarchy. Allows you to modify device groups.
Modify > Topology. Allows you to modify maps in Map view.
AssignAllows you to assign the various types of policies to devices and VPNs. The folder
contains permissions for various policy classes.
ApproveAllows you to approve policy changes and deployment jobs.
ControlAllows you to issue commands to devices, such as ping. This permission is used for
connectivity diagnostics.
DeployAllows you to deploy configuration changes to the devices in your network and perform
rollback to return to a previously deployed configuration.
ImportAllows you to import the configurations that are already deployed on devices into Security
Manager. You must also have view device and modify device privileges.
SubmitAllows you to submit your configuration changes for approval.

Tips
When you select modify, assign, approve, import, control or deploy permissions, you must also
select the corresponding view permissions; otherwise, Security Manager will not function properly.
When you select modify policy permissions, you must also select the corresponding assign and view
policy permissions.
When you permit a policy that uses policy objects as part of its definition, you must also grant view
permissions to these object types. For example, if you select the permission for modifying routing
policies, you must also select the permissions for viewing network objects and interface roles, which
are the object types required by routing policies.
The same holds true when permitting an object that uses other objects as part of its definition. For
example, if you select the permission for modifying user groups, you must also select the
permissions for viewing network objects, ACL objects, and AAA server groups.
You can limit device permissions to particular sets of devices by configuring network device groups
(NDGs). NDGs have the following effects on policy permissions:
To view a policy, you must have permissions for at least one device to which the policy is
assigned.
To modify a policy, you must have permissions for all the devices to which the policy is
assigned.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-3
 Chapter 7 Managing User Accounts
Setting Up User Permissions

To view, modify, or assign a VPN policy, you must have permissions for all the devices in the
VPN topology.
To assign a policy to a device, you need permissions only for that device, regardless of whether
you have permissions for any other devices to which the policy is assigned. (VPN policies are
an exception, as noted above.) However, if a user assigns a policy to a device for which you do
not have permissions, you cannot modify that policy.

Understanding CiscoWorks Roles

When users are created in CiscoWorks Common Services, they are assigned one or more roles. The
permissions associated with each role determine the operations that each user is authorized to perform
in Security Manager.
The following topics describe CiscoWorks roles:
CiscoWorks Common Services Default Roles, page 7-4
Assigning Roles to Users in CiscoWorks Common Services, page 7-5

CiscoWorks Common Services Default Roles

CiscoWorks Common Services contains the following default roles For Security Manager:
Help DeskHelp desk users can view (but not modify) devices, policies, objects, and topology
maps.
ApproverIn addition to view permissions, approvers can approve or reject deployment jobs. They
cannot perform deployment.
Network OperatorIn addition to view permissions, network operators can view CLI commands
and Security Manager administrative settings. Network operators can also modify the configuration
archive and issue commands (such as ping) to devices.
Network AdministratorNetwork administrators have complete view and modify permissions,
except for modifying administrative settings. They can discover devices and the policies configured
on these devices, assign policies to devices, and issue commands to devices. Network administrators
cannot approve activities or deployment jobs; however, they can deploy jobs that were approved by
others.

Note Cisco Secure ACS features a default role called Network Administrator that contains a
different set of permissions. For more information, see Understanding Cisco Secure ACS
Roles, page 7-5.

System AdministratorSystem administrators have complete access to all Security Manager

permissions, including modification, policy assignment, activity and job approval, discovery,
deployment, and issuing commands to devices.
For details about which Security Manager permissions are associated with each CiscoWorks role, see
Default Associations Between Permissions and Roles in Security Manager, page 7-7.

Tips
Additional roles, such as Export Data, might be displayed in Common Services if additional
applications are installed on the server. The Export Data role is for third-party developers and is not
used by Security Manager.

Installation Guide for Cisco Security Manager 4.0.1

7-4 OL-23410-01
 Chapter 7 Managing User Accounts
Setting Up User Permissions

Although you cannot change the definition of CiscoWorks roles, you can define which roles are
assigned to each user. For more information, see Assigning Roles to Users in CiscoWorks Common
Services, page 7-5.
To generate a permissions table in CiscoWorks, select Server > Reports > Permission Report and
click Generate Report.

Assigning Roles to Users in CiscoWorks Common Services

When you define a user in CiscoWorks Common Services, you must select the roles that the user should
have. By changing the role definition for a user, you change the types of operations this user is authorized
to perform in Security Manager. For example, if you assign the Help Desk role, the user is limited to
view operations and cannot modify any data. However, if you assign the Network Operator role, the user
is also able to modify the configuration archive. You can assign multiple roles to each user.

Tip You must restart Security Manager after making changes to user permissions.

Related Topics
Security Manager ACS Permissions, page 7-2
Default Associations Between Permissions and Roles in Security Manager, page 7-7
Understanding CiscoWorks Roles, page 7-4

Step 1 In Common Services, select Server > Security, then select Single-Server Trust Management > Local
User Setup from the table of contents.

Tip To reach the Local User Setup page from within Security Manager, select Tools > Security
Manager Administration > Server Security, then click Local User Setup.

Step 2 Do one of the following:

To create a user, click Add and enter the username, password, and email address.
To change the roles of an existing user, check the check box next to the user and click Edit.
Step 3 On the User Information page, select the roles to assign to this user. For more information about each
role, see CiscoWorks Common Services Default Roles, page 7-4.
Step 4 Click OK to save your changes.
Step 5 Restart Security Manager.

Understanding Cisco Secure ACS Roles

Cisco Secure ACS provides greater flexibility for managing Security Manager permissions than does
CiscoWorks because it supports application-specific roles that you can configure. Each role is made up
of a set of permissions that determine the level of authorization to Security Manager tasks. In Cisco
Secure ACS, you assign a role to each user group (and optionally, to individual users as well), which
enables each user in that group to perform the operations authorized by the permissions defined for that
role.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-5
 Chapter 7 Managing User Accounts
Setting Up User Permissions

In addition, you can assign these roles to Cisco Secure ACS device groups, allowing permissions to be
differentiated on different sets of devices.

Note Cisco Secure ACS device groups are independent of Security Manager device groups.

The following topics describe Cisco Secure ACS roles:

Cisco Secure ACS Default Roles, page 7-6
Customizing Cisco Secure ACS Roles, page 7-6

Cisco Secure ACS Default Roles

Cisco Secure ACS includes the same roles as CiscoWorks (see Understanding CiscoWorks Roles,
page 7-4), plus these additional roles:
Security ApproverSecurity approvers can view (but not modify) devices, policies, objects, maps,
CLI commands, and administrative settings. In addition, security approvers can approve or reject the
configuration changes contained in an activity. They cannot approve or reject the deployment job,
nor can they perform deployment.
Security AdministratorIn addition to having view permissions, security administrators can
modify devices, device groups, policies, objects, and topology maps. They can also assign policies
to devices and VPN topologies, and perform discovery to import new devices into the system.
Network AdministratorIn addition to view permissions, network administrators can modify the
configuration archive, perform deployment, and issue commands to devices.

Note The permissions contained in the Cisco Secure ACS network administrator role are different
from those contained in the CiscoWorks network administrator role. For more information,
see Understanding CiscoWorks Roles, page 7-4.

Unlike CiscoWorks, Cisco Secure ACS enables you to customize the permissions associated with each
Security Manager role. For more information about modifying the default roles, see Customizing Cisco
Secure ACS Roles, page 7-6.
For details about which Security Manager permissions are associated with each Cisco Secure ACS role,
see Default Associations Between Permissions and Roles in Security Manager, page 7-7.

Related Topics
Integrating Security Manager with Cisco Secure ACS, page 7-8
Setting Up User Permissions, page 7-1

Customizing Cisco Secure ACS Roles

Cisco Secure ACS enables you to modify the permissions associated with each Security Manager role.
You can also customize Cisco Secure ACS by creating specialized user roles with permissions that are
targeted to particular Security Manager tasks.

Note You must restart Security Manager after making changes to user permissions.

Installation Guide for Cisco Security Manager 4.0.1

7-6 OL-23410-01
 Chapter 7 Managing User Accounts
Setting Up User Permissions

Related Topics
Security Manager ACS Permissions, page 7-2
Default Associations Between Permissions and Roles in Security Manager, page 7-7

Step 1 In Cisco Secure ACS, click Shared Profile Components on the navigation bar.
Step 2 Click Cisco Security Manager on the Shared Components page. The roles that are configured for
Security Manager are displayed.
Step 3 Do one of the following:
To create a role, click Add. Enter a name for the role and, optionally, a description.
To modify an existing role, click the role.
Step 4 Check and uncheck the check boxes in the permissions tree to define the permissions for this role.
Checking the check box for a branch of the tree selects all permissions in that branch. For example,
selecting the Assign checkbox selects all the assign permissions.
Descriptions of the individual permissions are included in the window. For additional information, see
Security Manager ACS Permissions, page 7-2.

Tip When you select modify, approve, assign, import, control or deploy permissions, you must also
select the corresponding view permissions; otherwise, Security Manager does not function
properly.

Step 5 Click Submit to save your changes.

Step 6 Restart Security Manager.

Default Associations Between Permissions and Roles in Security Manager

Table 7-1 shows how Security Manager permissions are associated with CiscoWorks Common Services
roles and the default roles in Cisco Secure ACS. For information about the specific permissions, see
Security Manager ACS Permissions, page 7-2.

Table 7-1 Default Permission to Role Associations in Security Manager

Roles
Security Security Network Network
System Admin. Approver Admin. Admin. Network Help
Permissions Admin. (ACS) (ACS) (CW) (ACS) Approver Operator Desk
View Permissions
View Device Yes Yes Yes Yes Yes Yes Yes Yes
View Policy Yes Yes Yes Yes Yes Yes Yes Yes
View Objects Yes Yes Yes Yes Yes Yes Yes Yes
View Topology Yes Yes Yes Yes Yes Yes Yes Yes
View CLI Yes Yes Yes Yes Yes Yes Yes No

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-7
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Table 7-1 Default Permission to Role Associations in Security Manager (continued)

Roles
Security Security Network Network
System Admin. Approver Admin. Admin. Network Help
Permissions Admin. (ACS) (ACS) (CW) (ACS) Approver Operator Desk
View Admin Yes Yes Yes Yes Yes Yes Yes No
View Config Archive Yes Yes Yes Yes Yes Yes Yes Yes
View Device Managers Yes Yes Yes Yes Yes Yes Yes No
Modify Permissions
Modify Device Yes Yes No Yes No No No No
Modify Hierarchy Yes Yes No Yes No No No No
Modify Policy Yes Yes No Yes No No No No
Modify Image Yes Yes No Yes No No No No
Modify Objects Yes Yes No Yes No No No No
Modify Topology Yes Yes No Yes No No No No
Modify Admin Yes No No No No No No No
Modify Config Archive Yes Yes No Yes Yes No Yes No
Additional Permissions
Assign Policy Yes Yes No Yes No No No No
Approve Policy Yes No Yes No No No No No
Approve CLI Yes No No No No Yes No No
Discover (Import) Yes Yes No Yes No No No No
Deploy Yes No No Yes Yes No No No
Control Yes No No Yes Yes No Yes No
Submit Yes Yes No Yes No No No No

Integrating Security Manager with Cisco Secure ACS

This section describes how to integrate your Cisco Secure ACS with Cisco Security Manager.
Cisco Secure ACS provides command authorization for users who are using management applications,
such as Security Manager, to configure managed network devices. Support for command authorization
is provided by unique command authorization set types (called roles in Security Manager) that contain
a set of permissions. These permissions (also called privileges) determine the actions that users with
particular roles can perform within Security Manager.
Cisco Secure ACS uses TACACS+ to communicate with management applications. For Security
Manager to communicate with Cisco Secure ACS, you must configure the CiscoWorks server in Cisco
Secure ACS as a AAA client that uses TACACS+. In addition, you must provide the CiscoWorks server
with the administrator name and password that you use to log in to the Cisco Secure ACS. Fulfilling
these requirements ensures the validity of communications between Security Manager and Cisco Secure
ACS.

Installation Guide for Cisco Security Manager 4.0.1

7-8 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Note For an understanding of TACACS+ security advantages, see User Guide for Cisco Secure Access Control
Server.

When Security Manager initially communicates with Cisco Secure ACS, it dictates to Cisco ACS the
creation of default roles, which appear in the Shared Profile Components section of the Cisco Secure
ACS HTML interface. It also dictates a custom service to be authorized by TACACS+. This custom
service appears on the TACACS+ (Cisco IOS) page in the Interface Configuration section of the HTML
interface. You can then modify the permissions included in each Security Manager role and apply these
roles to users and user groups.
The following topics describe how to use Cisco Secure ACS with Security Manager:
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10
Integration Procedures Performed in Cisco Secure ACS, page 7-11
Integration Procedures Performed in CiscoWorks, page 7-17
Restarting the Daemon Manager, page 7-20
Assigning Roles to User Groups in Cisco Secure ACS, page 7-21

ACS Integration Requirements

To use Cisco Secure ACS, make sure that the following steps are completed:
You defined roles that include the permissions required to perform necessary functions in Security
Manager.
The Network Access Restriction (NAR) includes the device group (or the devices) that you want to
administer, if you apply a NAR to the profile.
Managed device names are spelled and capitalized identically in Cisco Secure ACS and in Security
Manager. This restriction applies to the display names, not the hostnames defined on the devices.
ACS naming restrictions can be more limiting than those for Security Manager, so you should define
the device in ACS first.
There are additional device display name requirements that you must meet for PIX/ASA security
contexts, FWSMs, and IPS devices. These are described in Adding Devices as AAA Clients Without
NDGs, page 7-13.

Tips
We highly recommend that you create a fault-tolerant infrastructure that utilizes multiple Cisco
Secure ACS servers. Having multiple servers helps to ensure your ability to continue work in
Security Manager even if connectivity is lost to one of the ACS servers.
You can integrate only one version of Security Manager with a Cisco Secure ACS. Therefore, if your
organization is using two different versions of Security Manager at the same time, you must perform
integration with two different Cisco Secure ACS servers. You can, however, upgrade to a new
version of Security Manager without having to use a different ACS.
Even when Cisco Secure ACS authentication is used, CiscoWorks Common Services software uses
local authorization for CiscoWorks Common Services-specific utilities, such as Compact Database
and Database Checkpoint. To use these utilities, you must be defined locally and be assigned the
appropriate permissions.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-9
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Related Topics
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10
Integrating Security Manager with Cisco Secure ACS, page 7-8

Procedural Overview for Initial Cisco Secure ACS Setup

The following procedure summarizes the overall tasks you need to perform to use Cisco Secure ACS
with Security Manager. The procedure contains references to more specific procedures used to perform
each step.

Related Topics
ACS Integration Requirements, page 7-9
Integrating Security Manager with Cisco Secure ACS, page 7-8

Step 1 Plan your administrative authentication and authorization model.

You should decide on your administrative model before using Security Manager. This includes defining
the administrative roles and accounts that you plan to use.

Tip When defining the roles and permissions of potential administrators, you should also consider
whether to enable Workflow. This selection affects how you can restrict access.

For more information, see the following:

Understanding Cisco Secure ACS Roles, page 7-5
User Guide for Cisco Security Manager
User Guide for Cisco Secure Access Control Server
Step 2 Install Cisco Secure ACS, Cisco Security Manager, and CiscoWorks Common Services.
Install Cisco Secure ACS. Install CiscoWorks Common Services and Cisco Security Manager on a
different server. Do not run Cisco Secure ACS and Security Manager on the same server.
For more information, see the following:
Release Notes for Cisco Security Manager (for information on the supported versions of Cisco
Secure ACS)
Installing Security Manager Server, Common Services, and AUS, page 4-3
Installation Guide for Cisco Secure ACS for Windows Server
Step 3 Perform integration procedures in Cisco Secure ACS.
Define Security Manager users as ACS users and assign them to user groups based on their planned role,
add all your managed devices (as well as the CiscoWorks/Security Manager server) as AAA clients, and
create an administration control user.
For more information, see Integration Procedures Performed in Cisco Secure ACS, page 7-11.
Step 4 Perform integration procedures in CiscoWorks Common Services.
Configure a local user that matches the system identity user defined in Cisco Secure ACS, define that
same user for the system identity setup, configure ACS as the AAA setup mode, and configure an SMTP
server and system administrator email address.

Installation Guide for Cisco Security Manager 4.0.1

7-10 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

For more information, see Integration Procedures Performed in CiscoWorks, page 7-17.
Step 5 Restart the Daemon Manager.
You must restart the Security Manager server Daemon Manager for the AAA settings you configured to
take effect.
For more information, see Restarting the Daemon Manager, page 7-20.
Step 6 Assign roles to user groups in Cisco Secure ACS.
Assign roles to each user group configured in Cisco Secure ACS. The procedure you should use depends
on whether you have configured network device groups (NDGs).
For more information, see Assigning Roles to User Groups in Cisco Secure ACS, page 7-21.

Integration Procedures Performed in Cisco Secure ACS

The following topics describe the procedures to perform in Cisco Secure ACS when integrating it with
Cisco Security Manager. Perform the tasks in the listed order. For more information about the procedures
described in these sections, see User Guide for Cisco Secure Access Control Server.
1. Defining Users and User Groups in Cisco Secure ACS, page 7-11
2. Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 7-13
3. Creating an Administration Control User in Cisco Secure ACS, page 7-16

Defining Users and User Groups in Cisco Secure ACS

All users of Security Manager must be defined in Cisco Secure ACS and assigned a role appropriate to
their job function. The easiest way to do this is to divide the users into different groups based on each
default role available in ACS, for example, assigning all the system administrators to one group, all the
network operators to another group, and so on. For more information about the default roles in ACS, see
Cisco Secure ACS Default Roles, page 7-6.
You must create an additional user that is assigned the system administrator role with full permissions
to devices. The credentials established for this user are later used on the System Identity Setup page in
CiscoWorks. See Defining the System Identity User, page 7-18.
Please note that at this stage you are merely assigning users to different groups. The actual assignment
of roles to these groups is performed later, after CiscoWorks, Security Manager, and any other
applications have been registered to Cisco Secure ACS.

Tip This procedure explains how to create user accounts during the initial Cisco Secure ACS integration.
After you complete the integration, when you create a user account, you can assign it to the appropriate
group as you create the account.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10
Assigning Roles to User Groups in Cisco Secure ACS, page 7-21

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-11
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 1 Log in to Cisco Secure ACS.

Step 2 Configure a user with full permissions using the following procedure. For more information about the
options available when configuring users and user groups, see User Guide for Cisco Secure Access
Control Server.
a. Click User Setup on the navigation bar.
b. On the User Setup page, enter a name for the new user and click Add/Edit.

Tip Do not create a user named admin. The admin user is the fall-back user in Security Manager. If
the ACS system stops working for some reason, you can still log in to CiscoWorks Common
Services on the Security Manager server using the admin account to change the AAA mode to
CiscoWorks local authentication and continue using the product.

c. Select an authentication method from the Password Authentication list under User Setup.
d. Enter and confirm the password for the new user.
e. Select Group 1 as the group to which the user should be assigned.
f. Click Submit to create the user account.
Step 3 Repeat this process for each Security Manager user. We recommend dividing the users into groups based
on the role each user will be assigned:
Group 1System Administrators
Group 2Security Administrators
Group 3Security Approvers
Group 4Network Administrators
Group 5Approvers
Group 6Network Operators
Group 7Help Desk
For more information about the default permissions associated with each role, see Default Associations
Between Permissions and Roles in Security Manager, page 7-7. For more information about customizing
user roles, see Customizing Cisco Secure ACS Roles, page 7-6.

Note At this stage, the groups themselves are collections of users without any role definitions. You
assign roles to each group after you complete the integration process. See Assigning Roles to
User Groups in Cisco Secure ACS, page 7-21.

Step 4 Create an additional user that you will use as the system identity user in CiscoWorks Common Services.
Assign this user to the system administrators group and grant all privileges to devices. The credentials
established for this user are later used on the System Identity Setup page in CiscoWorks. See Defining
the System Identity User, page 7-18.
Step 5 Continue with Adding Managed Devices as AAA Clients in Cisco Secure ACS, page 7-13.

Installation Guide for Cisco Security Manager 4.0.1

7-12 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Adding Managed Devices as AAA Clients in Cisco Secure ACS

Before you can begin importing devices into Security Manager, you must first configure each device as
a AAA client in your Cisco Secure ACS. In addition, you must configure the CiscoWorks/Security
Manager server as a AAA client.
If Security Manager is managing security contexts configured on firewall devices, including security
contexts configured on FWSMs for Catalyst 6500/7600 devices, each context must be added individually
to Cisco Secure ACS. Likewise, all virtual sensors defined on IPS devices must also be added.
The method for adding managed devices depends on whether you want to restrict users to managing a
particular set of devices by creating network device groups (NDGs). Proceed as follows:
If you want users to have access to all devices, add the devices as described in Adding Devices as
AAA Clients Without NDGs, page 7-13.
If you want users to have access only to certain NDGs, add the devices as described in Configuring
Network Device Groups for Use in Security Manager, page 7-14.

Adding Devices as AAA Clients Without NDGs

This procedure describes how to add devices as AAA clients of a Cisco Secure ACS. For complete
information about all available options, see User Guide for Cisco Secure Access Control Server.

Tip Remember to add the CiscoWorks/Security Manager server as a AAA client.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 Click Network Configuration on the Cisco Secure ACS navigation bar.
Step 2 Click Add Entry beneath the AAA Clients table.
Step 3 Enter the AAA client hostname (up to 32 characters) on the Add AAA Client page. The hostname of the
AAA client must match the display name you plan to use for the device in Security Manager.
For example, if you intend to append a domain name to the device name in Security Manager, the AAA
client hostname in ACS must be <device_name>.<domain_name>.
When naming the CiscoWorks server, we recommend using the fully qualified hostname. Be sure to spell
the hostname correctly. (The hostname is not case sensitive.)
Additional naming conventions include:
PIX or ASA security context, or FWSM security context when discovered through the FWSM:
<parent_display_name>_<context_name>
FWSM blade: <chassis_name>_FW_<slot_number>
FWSM security context when discovered through the chassis:
<chassis_name>_FW_<slot_number>_<context_name>
IPS sensor: <IPSParentName>_<virtualSensorName>
Step 4 Enter the IP address of the network device in the AAA Client IP Address field. If the device does not
have an IP address (for example, a virtual sensor or a virtual context), enter the word dynamic instead
of an address.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-13
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Note If you are adding a multi-homed device (a device with multiple NICs), enter the IP address of
each NIC. Press Enter between each address. In addition, you must modify the gatekeeper.cfg
file on the Security Manager server.

Step 5 Enter the shared secret in the Key field.

Step 6 Select TACACS+ (Cisco IOS) from the Authenticate Using list.
Step 7 Click Submit to save your changes. The device you added is displayed in the AAA Clients table.
Step 8 Repeat the process to add additional devices.
Step 9 To save the devices you have added, click Submit + Restart.
Step 10 Continue with Creating an Administration Control User in Cisco Secure ACS, page 7-16.

Configuring Network Device Groups for Use in Security Manager

Cisco Secure ACS enables you to configure network device groups (NDGs) that contain specific devices
to be managed. For example, you can create NDGs for each geographic region or NDGs that match your
organizational structure. When used with Security Manager, NDGs enable you to provide users with
different levels of permissions, depending on the devices they need to manage. For example, by using
NDGs you can assign User A system administrator permissions to the devices located in Europe and
Help Desk permissions to the devices located in Asia. You can then assign the opposite permissions to
User B.
NDGs are not assigned directly to users. Rather, NDGs are assigned to the roles that you define for each
user group. Each NDG can be assigned to a single role only, but each role can include multiple NDGs.
These definitions are saved as part of the configuration for the selected user group.

Tips
Each device can be a member of only one NDG.
NDGs are not related to the device groups that you can configure in Security Manager.
For complete details about managing NDGs, see User Guide for Cisco Secure Access Control
Server.
The following topics outline the basic information and steps for configuring NDGs:
NDGs and User Permissions, page 7-14
Activating the NDG Feature, page 7-15
Creating NDGs, page 7-15
Associating NDGs and Roles with User Groups, page 7-22

NDGs and User Permissions

Because NDGs limit users to particular sets of devices, they affect policy permissions, as follows:
To view a policy, you must have permissions for at least one device to which the policy is assigned.
To modify a policy, you must have permissions for all the devices to which the policy is assigned.
To view, modify, or assign a VPN policy, you must have permissions for all the devices in the VPN
topology.

Installation Guide for Cisco Security Manager 4.0.1

7-14 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

To assign a policy to a device, you need permissions only for that device, regardless of whether you
have permissions for any other devices to which the policy is assigned. (VPN policies are an
exception, as noted above.) However, if a user assigns a policy to a device for which you do not have
permissions, you cannot modify that policy.

Note To modify an object, a user does not need modify permissions for all the devices that are using the object.
However, a user must have modify permissions for a particular device in order to modify a device-level
object override defined on that device.

Related Topics
Configuring Network Device Groups for Use in Security Manager, page 7-14
Setting Up User Permissions, page 7-1

Activating the NDG Feature

You must activate the NDG feature before you can create NDGs and populate them with devices.

Related Topics
Creating NDGs, page 7-15
Associating NDGs and Roles with User Groups, page 7-22
NDGs and User Permissions, page 7-14
Configuring Network Device Groups for Use in Security Manager, page 7-14

Step 1 Click Interface Configuration on the Cisco Secure ACS navigation bar.
Step 2 Click Advanced Options.
Step 3 Scroll down, then check the Network Device Groups check box.
Step 4 Click Submit.
Step 5 Continue with Creating NDGs, page 7-15.

Creating NDGs

This procedure describes how to create NDGs and populate them with devices. Each device can belong
to only one NDG.

Tip We highly recommend creating a special NDG that contains the CiscoWorks/Security Manager servers.

Before You Begin

Activate the NDG feature as described in Activating the NDG Feature, page 7-15.

Related Topics
Associating NDGs and Roles with User Groups, page 7-22
NDGs and User Permissions, page 7-14
Configuring Network Device Groups for Use in Security Manager, page 7-14

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-15
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 1 Click Network Configuration on the navigation bar.

All devices are initially placed under Not Assigned, which holds all devices that were not placed in an
NDG. Please note that Not Assigned is not an NDG.
Step 2 Create NDGs:
a. Click Add Entry.
b. Enter a name for the NDG on the New Network Device Group page. The maximum length is 24
characters. Spaces are permitted.
c. (Optional) Enter a key to be used by all devices in the NDG. If you define a key for the NDG, it
overrides any keys defined for the individual devices in the NDG.
d. Click Submit to save the NDG.
e. Repeat the process to create more NDGs.
Step 3 Populate the NDGs with devices. Keep in mind that each device can be a member of only one NDG.
a. Click the name of the NDG in the Network Device Groups area.
b. Click Add Entry in the AAA Clients area.
c. Define the particulars of the device to add to the NDG, then click Submit. For more information,
see Adding Devices as AAA Clients Without NDGs, page 7-13.
d. Repeat the process to add the remaining devices to NDGs. The only device you should consider
leaving in the Not Assigned category is the default AAA server.
e. After you configure the last device, click Submit + Restart.
Step 4 Continue with Creating an Administration Control User in Cisco Secure ACS, page 7-16.

Tip You can associate roles with each NDG only after completing the integration procedures in
Cisco Secure ACS and CiscoWorks Common Services. See Associating NDGs and Roles with
User Groups, page 7-22.

Creating an Administration Control User in Cisco Secure ACS

Use the Administration Control page in Cisco Secure ACS to define the administrator account that is
used when defining the AAA setup mode in CiscoWorks Common Services. Security Manager uses this
account to access the ACS server and register the application, to query device group membership and
group setup, and to perform other basic interactions with ACS. For more information, see Configuring
the AAA Setup Mode in CiscoWorks, page 7-18.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 Click Administration Control on the Cisco Secure ACS navigation bar.
Step 2 Click Add Administrator.
Step 3 On the Add Administrator page, enter a name and password for the administrator.

Installation Guide for Cisco Security Manager 4.0.1

7-16 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 4 Select the following administrator privileges:

Under Users and Group Setup
Read access to users in group
Read access of these groups
Under Shared Profile Components
Create Device Command Set Type
Network Configuration
Step 5 Click Submit to create the administrator. For more information about the options available when
configuring an administrator, see User Guide for Cisco Secure Access Control Server.

Integration Procedures Performed in CiscoWorks

After you complete the integration tasks in Cisco Secure ACS (described in Integration Procedures
Performed in Cisco Secure ACS, page 7-11), you must complete some tasks in CiscoWorks Common
Services. Common Services performs the actual registration of any installed applications, such as Cisco
Security Manager and Auto Update Server, into Cisco Secure ACS.
The following topics describe the procedures to perform in CiscoWorks Common Services when
integrating it with Cisco Security Manager:
Creating a Local User in CiscoWorks, page 7-17
Defining the System Identity User, page 7-18
Configuring the AAA Setup Mode in CiscoWorks, page 7-18
Configuring an SMTP Server and System Administrator Email Address for ACS Status
Notifications, page 7-20

Creating a Local User in CiscoWorks

Use the Local User Setup page in CiscoWorks Common Services to create a local user account that
duplicates the system identity user you previously created in Cisco Secure ACS (as described in Defining
Users and User Groups in Cisco Secure ACS, page 7-11). This local user account is later used for the
system identity setup. For more information, see Defining the System Identity User, page 7-18.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 Log in to CiscoWorks using the admin user account.

Step 2 Select Server > Security from Common Services, then select Local User Setup from the TOC.

Tip To get to this page from the Security Manager client, select Tools > Security Manager
Administration > Server Security and click Local User Setup.

Step 3 Click Add.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-17
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 4 Enter the same name and password that you entered when creating the system identity user in Cisco
Secure ACS. See Defining Users and User Groups in Cisco Secure ACS, page 7-11.
Step 5 Check all check boxes under Roles.
Step 6 Click OK to create the user.

Defining the System Identity User

Use the System Identity Setup page in CiscoWorks Common Services to create a trust user (called the
System Identity user) that enables communication between servers that are part of the same domain and
application processes that are located on the same server. Applications use the System Identity user to
authenticate processes on local or remote CiscoWorks servers. This is especially useful when the
applications must synchronize before any users have logged in.
In addition, the System Identity user is often used to perform a subtask when the primary task has already
been authorized for the logged in user.
The System Identity user you configure here must also be defined as a local user in CiscoWorks
(assigned to all roles) and as a user with all privileges to devices in ACS. If you do not select a user with
the required privileges, you might not be able to view all the devices and policies configured in Security
Manager. Make sure that you performed the following procedures before continuing:
Defining Users and User Groups in Cisco Secure ACS, page 7-11
Creating a Local User in CiscoWorks, page 7-17

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 In Common Services, select Server > Security, then select Multi-Server Trust Management > System
Identity Setup from the TOC.

Tip To get to this page from the Security Manager client, select Tools > Security Manager
Administration > Server Security and click System Identity Setup.

Step 2 Enter the name of the system identity user that you created in Cisco Secure ACS. See Defining Users
and User Groups in Cisco Secure ACS, page 7-11.
Step 3 Enter and verify the password for this user.
Step 4 Click Apply.

Configuring the AAA Setup Mode in CiscoWorks

Use the AAA Setup Mode page in CiscoWorks Common Services to define your Cisco Secure ACS as
the AAA server, including the required port and shared secret key. In addition, you can define up to two
backup servers.

Installation Guide for Cisco Security Manager 4.0.1

7-18 OL-23410-01
Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

This procedure performs the actual registration of CiscoWorks and Security Manager (and optionally,
Auto Update Server) into Cisco Secure ACS.

Tip The AAA setup configured here is not retained if you uninstall CiscoWorks Common Services or Cisco
Security Manager. In addition, this configuration cannot be backed up and restored after re-installation.
Therefore, if you upgrade to a new version of either application, you must reconfigure the AAA setup
mode and reregister Security Manager with ACS. This process is not required for incremental updates.
If you install additional applications, such as AUS, on top of CiscoWorks, you must reregister the new
applications and Cisco Security Manager.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 In Common Services, select Server > Security, then select AAA Mode Setup from the TOC.

Tip To get to this page from the Security Manager client, select Tools > Security Manager
Administration > Server Security and click AAA Mode Setup.

Step 2 Select TACACS+ under Available Login Modules.

Step 3 Select ACS as the AAA type.
Step 4 Enter the IP addresses of up to three Cisco Secure ACS servers in the Server Details area. The secondary
and tertiary servers act as backups in case the primary server fails. All servers must be running the same
version of Cisco Secure ACS.

Note If all the configured TACACS+ servers fail to respond, you must log in using the admin
CiscoWorks Local account, then change the AAA mode back to Non-ACS/CiscoWorks Local.
After the TACACS+ servers are restored to service, you must change the AAA mode back to
ACS.

Step 5 In the Login area, enter the name of the administrator that you defined on the Administration Control
page of Cisco Secure ACS. For more information, see Creating an Administration Control User in Cisco
Secure ACS, page 7-16.
Step 6 Enter and verify the password for this administrator.
Step 7 Enter and verify the shared secret key that you entered when you added the Security Manager server as
a AAA client of Cisco Secure ACS. See Adding Devices as AAA Clients Without NDGs, page 7-13.
Step 8 Check the Register all installed applications with ACS check box to register Security Manager and
any other installed applications with Cisco Secure ACS.
Step 9 Click Apply to save your settings. A progress bar displays the progress of the registration. A message is
displayed when registration is complete.
Step 10 Restart the Cisco Security Manager Daemon Manager service. See Restarting the Daemon Manager,
page 7-20.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-19
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 11 Log back in to Cisco Secure ACS to assign roles to each user group. See Assigning Roles to User Groups
in Cisco Secure ACS, page 7-21.

Configuring an SMTP Server and System Administrator Email Address for ACS Status Notifications
If all the ACS servers become unavailable, users cannot perform tasks in Security Manager. Users who
are logged in can be abruptly logged out of the system (without an opportunity to save changes) if they
try to perform a task that requires ACS authorization.
If you configure Common Services settings to identify an SMTP server and a system administrator,
Security Manager sends an email message to the administrator if all ACS servers become unavailable.
This can alert you to a problem that needs immediate attention. The administrator might also receive
email messages from Common Services for non-ACS-related events.

Tip Security Manager can send email notifications for several other types of events such as deployment job
completion, activity approval, or ACL rule expiration. The SMTP server you configure here is also used
for these notifications, although the sender email address is set in Security Manager. For more
information about configuring these other email addresses, see the User Guide for Cisco Security
Manager for this version of the product, or the client online help.

Step 1 In Common Services, click Server > Admin, and select System Preferences from the table of contents.
Step 2 On the System Preferences page, enter the hostname or IP address of an SMTP server that Security
Manager can use. The SMTP server cannot require user authentication for sending email messages.
Step 3 Enter an email address that CiscoWorks can use for sending emails. This does not have to be the same
email address that you configure for Security Manager to use when sending notifications.
If the ACS server becomes unavailable, a message is sent to (and from) this account.
Step 4 Click Apply to save your changes.

Restarting the Daemon Manager

This procedure describes how to restart the Daemon Manager of the Security Manager server. You must
do this so the AAA settings that you configured take effect. You can then log back in to CiscoWorks
using the credentials defined in Cisco Secure ACS.

Related Topics
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10
ACS Integration Requirements, page 7-9

Step 1 Log in to the machine on which the Security Manager server is installed.
Step 2 Select Start > Programs > Administrative Tools > Services to open the Services window.
Step 3 From the list of services displayed in the right pane, select Cisco Security Manager Daemon Manager.
Step 4 Click the Restart Service button on the toolbar.

Installation Guide for Cisco Security Manager 4.0.1

7-20 OL-23410-01
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

Step 5 Continue with Assigning Roles to User Groups in Cisco Secure ACS, page 7-21.

Assigning Roles to User Groups in Cisco Secure ACS

After you have registered CiscoWorks, Security Manager and other installed applications to Cisco
Secure ACS, you can assign roles to each of the user groups that you previously configured in Cisco
Secure ACS. These roles determine the actions that the users in each group are permitted to perform in
Security Manager.
The procedure for assigning roles to user groups depends on whether NDGs are being used:
Assigning Roles to User Groups Without NDGs, page 7-21
Associating NDGs and Roles with User Groups, page 7-22

Assigning Roles to User Groups Without NDGs

This procedure describes how to assign the default roles to user groups when NDGs have not been
defined. For more information, see Cisco Secure ACS Default Roles, page 7-6.

Before You Begin

Create a user group for each default role. See Defining Users and User Groups in Cisco Secure ACS,
page 7-11.
Complete the procedures described in these topics:
Integration Procedures Performed in Cisco Secure ACS, page 7-11
Integration Procedures Performed in CiscoWorks, page 7-17

Related Topics
Understanding CiscoWorks Roles, page 7-4
Understanding Cisco Secure ACS Roles, page 7-5

Step 1 Log in to Cisco Secure ACS.

Step 2 Click Group Setup on the navigation bar.
Step 3 Select the user group for system administrators from the list (see Defining Users and User Groups in
Cisco Secure ACS, page 7-11), then click Edit Settings.

Tip You can rename the groups with a more meaningful name to make it easier to identify the correct
groups. Select a group and click Rename Group to change the name.

Step 4 Assign the system administrator role to this group:

a. Scroll down to the CiscoWorks area under TACACS+ Settings.
b. Select the first Assign option, then select System Administrator from the list of CiscoWorks roles.
c. Scroll down to the Cisco Security Manager Shared Services area.
d. Select the first Assign option, then select System Administrator from the list of Cisco Secure ACS
roles.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-21
 Chapter 7 Managing User Accounts
Integrating Security Manager with Cisco Secure ACS

e. Click Submit to save the group settings.

Step 5 Repeat the process for the remaining roles, assigning each role to the appropriate user group.
When selecting the Security Approver or Security Administrator roles in Cisco Secure ACS, we
recommend selecting Network Administrator as the closest equivalent CiscoWorks role.
For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS
Roles, page 7-6.

Associating NDGs and Roles with User Groups

When you associate NDGs with roles for use in Security Manager, you must create definitions in two
places on the Group Setup page:
CiscoWorks area
Cisco Security Manager area
The definitions in each area should match as closely as possible. When associating custom roles or ACS
roles that do not exist in CiscoWorks Common Services, try to define as close an equivalent as possible
based on the permissions assigned to that role.
You must create associations for each user group that will be used with Security Manager. For example,
if you have a user group containing support personnel for the Western region, you can select that user
group, then associate the NDG containing the devices in that region with the Help Desk role.

Before You Begin

Activate the NDG feature and create NDGs. See Configuring Network Device Groups for Use in
Security Manager, page 7-14.

Related Topics
ACS Integration Requirements, page 7-9
Procedural Overview for Initial Cisco Secure ACS Setup, page 7-10

Step 1 Click Group Setup on the navigation bar.

Step 2 Select a user group from the Group list, then click Edit Settings.

Tip You can rename the groups with a more meaningful name to make it easier to identify the correct
groups. Select a group and click Rename Group to change the name.

Step 3 Map NDGs and roles for use in CiscoWorks:

a. On the Group Setup page, scroll down to the CiscoWorks area under TACACS+ Settings.
b. Select Assign a Ciscoworks on a per Network Device Group Basis.
c. Select an NDG from the Device Group list.
d. Select the role to which this NDG should be associated from the second list.
e. Click Add Association. The association appears in the Device Group box.
f. Repeat the process to create additional associations.
g. To remove an association, select it from the Device Group, then click Remove Association.

Installation Guide for Cisco Security Manager 4.0.1

7-22 OL-23410-01
Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

Step 4 Map NDGs and roles for use in Cisco Security Manager; you should create associations that match as
closely as possible the associations defined in the previous step:
a. On the Group Setup page, scroll down to the Cisco Security Manager area under TACACS+ Settings.
b. Select Assign a Cisco Security Manager on a per Network Device Group Basis.
c. Select an NDG from the Device Group list.
d. Select the role to which this NDG should be associated from the second list.
e. Click Add Association. The association appears in the Device Group box.
f. Repeat the process to create additional associations.

Note When you are selecting the Security Approver or Security Administrator roles in Cisco Secure
ACS, we recommend selecting Network Administrator as the closest equivalent CiscoWorks
role.

Note CiscoWorks Common Services has a default role called Network Administrator. Cisco Secure
ACS has a default role called Network Admin. These roles are not identical; they differ for a
few of the permissions in Cisco Security Manager.

Step 5 Click Submit to save your settings.

Step 6 Repeat the process to define NDGs for the remaining user groups.
Step 7 To save the associations that you have created, click Submit + Restart.
For more information about customizing the default roles in ACS, see Customizing Cisco Secure ACS
Roles, page 7-6.

Troubleshooting Security Manager-ACS Interactions

This following topics describe how to troubleshoot common problems that could occur because of how
Security Manager and Cisco Secure ACS interact:
Using Multiple Versions of Security Manager with Same ACS, page 7-24
Authentication Fails When in ACS Mode, page 7-24
System Administrator Granted Read-Only Access, page 7-24
ACS Changes Not Appearing in Security Manager, page 7-25
Devices Configured in ACS Not Appearing in Security Manager, page 7-25
Working in Security Manager after Cisco Secure ACS Becomes Unreachable, page 7-25
Restoring Access to Cisco Secure ACS, page 7-26
Authentication Problems with Multihomed Devices, page 7-26
Authentication Problems with Devices Behind a NAT Boundary, page 7-26

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-23
 Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

Using Multiple Versions of Security Manager with Same ACS

You cannot use the same Cisco Secure ACS with two different versions of Security Manager. For
example, if you have integrated Security Manager 3.3.1 with a Cisco Secure ACS and another part of
your organization plans to use Security Manager 4.0.1 without upgrading the existing installation, you
must integrate Security Manager 4.0.1 with a different ACS than the one used for Security Manager
3.3.1.
If you upgrade an existing Security Manager installation, you can continue to use the same Cisco Secure
ACS. The permission settings are updated as required.

Authentication Fails When in ACS Mode

If authentication keeps failing when you log in to Security Manager or CiscoWorks Common Services,
even though you used Common Services to configure Cisco Secure ACS as the AAA server for
authentication, do the following:
Ensure that there is connectivity between the ACS servers and the server running Common Services
and Security Manager.
Ensure that the user credentials (username and password) you are using are defined in ACS and are
assigned to the appropriate user group.
Ensure that the Common Services server is defined as a AAA client on the Network Configuration
page of ACS. Verify that the shared secret keys defined in Common Services (AAA Mode Setup
page) and ACS (Network Configuration) match.
Ensure that the IP address of each ACS server is correctly defined on the AAA Mode Setup page in
Common Services.
Ensure that the correct account is defined on the Administration Control page of ACS.
Go to the AAA Mode Setup page in Common Services and verify that Common Services and
Security Manager (as well as any other installed applications, such as AUS) are registered with
Cisco Secure ACS.
Go to Administration Control > Access Setup in ACS and ensure that the ACS is configured for
HTTPS communication.
If you receive key mismatch errors in the ACS log, verify whether the Security Manager server is
defined as a member of a network device group (NDG). If it is, be aware that if you defined a key
for the NDG, that key takes precedence over the keys defined for the individual devices in the NDG,
including the Security Manager server. Ensure that the key defined for the NDG matches the secret
key of the Security Manager server.

System Administrator Granted Read-Only Access

If you have read-only access to all policy pages of Security Manager even after logging in as a System
Administrator with full permissions, do the following in Cisco Secure ACS:
(When using network device groups (NDGs)) Click Group Setup on the Cisco Secure ACS
navigation bar, then verify that the System Administrator user role is associated with all necessary
correct NDGs for both CiscoWorks and Cisco Security Manager, especially the NDG containing the
Common Services/Security Manager server.

Installation Guide for Cisco Security Manager 4.0.1

7-24 OL-23410-01
 Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

Click Network Configuration on the navigation bar, then do the following:

Verify that the Common Services/Security Manager server is not assigned to the Not Assigned
(default) group.
Verify that the Common Services/Security Manager server is configured to use TACACS+ not
RADIUS. TACACS+ is the only security protocol supported between the two servers.

Note You can configure the network devices (routers, switches, firewalls, and so on) managed
by Security Manager for either TACACS+ or RADIUS.

ACS Changes Not Appearing in Security Manager

When you are using Security Manager with Cisco Secure ACS 4.x, information from ACS is cached
when you log in to Security Manager or CiscoWorks Common Services on the Security Manager server.
If you make changes in the Cisco Secure ACS Network Configuration and Group Setup while logged in
to Security Manager, the changes might not appear immediately or be immediately effective in Security
Manager. You must log out of Security Manager and Common Services and close their windows, then
log in again, to refresh the information from ACS.
If you need to make changes in ACS, it is best practice to first log out of and close Security Manager
windows, make your changes, and then log back in to the product.

Note Although Cisco Secure ACS 3.3 is not supported, if you are using that version of ACS, you must open
Windows Services and restart the Cisco Security Manager Daemon Manager service to get the ACS
changes to appear in Security Manager.

Devices Configured in ACS Not Appearing in Security Manager

If the devices that you configured on the Cisco Secure ACS are not appearing in Security Manager, it is
probably a problem with the device display name.
The device display names defined in Security Manager must match the names you configure in ACS
when you add the devices as AAA clients. This is particularly important when you use domain names.
If you intend to append a domain name to the device name in Security Manager, the AAA client
hostname in ACS must be <device_name>.<domain_name>, for example, pixfirewall.cisco.com.

Working in Security Manager after Cisco Secure ACS Becomes Unreachable

Security Manager sessions are affected if the Cisco Secure ACS cannot be reached. Therefore, you
should consider creating a fault-tolerant infrastructure that utilizes multiple Cisco Secure ACS servers.
Having multiple servers helps to ensure your ability to continue work in Security Manager even if
connectivity is lost to one of the ACS servers.
If your setup includes only a single Cisco Secure ACS and you wish to continue working in Security
Manager in the event the ACS becomes unreachable, you can switch to performing local AAA
authentication on the Security Manager server.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-25
 Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

Procedure
To change the AAA mode, follow these steps:

Step 1 Log in to Common Services using the admin CiscoWorks local account.
Step 2 Select Server > Security > AAA Mode Setup, then change the AAA mode back to
Non-ACS/CiscoWorks Local. This enables you to perform authentication and authorization using the
local Common Services database and its built-in roles. Bear in mind that you must create local users in
the AAA database to make use of local authentication.
Step 3 Click Change.

Restoring Access to Cisco Secure ACS

If you cannot access Security Manager because the Cisco Secure ACS is down, do the following:
Open up Windows Services on the ACS server and check whether the CSTacacs and CSRadius
services are up and running. Restart these services if required.
Perform the following procedure in CiscoWorks Common Services:

Step 1 Log in to Common Services as the admin user.

Step 2 Open a DOS window and run NMSROOT\bin\perl ResetLoginModule.pl.
Step 3 Exit Common Services, then log in a second time as the admin user.
Step 4 Go to Server > Security > AAA Mode Setup, then change the AAA mode to Non-ACS > CW Local
mode.
Step 5 Open Windows Services and restart the Cisco Security Manager Daemon Manager service.

Authentication Problems with Multihomed Devices

If you cannot configure a multihomed device (a device with multiple network interface cards (NICs))
that was added to the Cisco Secure ACS, even though your user role includes Modify Device
permissions, there might be a problem with the way you entered the IP addresses for the device.
When you define a multihomed device as a AAA client of the Cisco Secure ACS, make sure to define
the IP address of each NIC. Press Enter between each entry. For more information, see Adding Devices
as AAA Clients Without NDGs, page 7-13.

Authentication Problems with Devices Behind a NAT Boundary

If you cannot configure a device with a pre-NAT or post-NAT IP address that was added to the Cisco
Secure ACS, even though your user role includes Modify Device permissions, there might be a problem
with the IP addresses that you configured.

Installation Guide for Cisco Security Manager 4.0.1

7-26 OL-23410-01
Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

When a device is behind a NAT boundary, make sure to define all IP addresses, including pre-NAT and
post-NAT, for the device in the AAA client configuration settings in Cisco Secure ACS. For more
information on how to add AAA client settings to ACS, see User Guide for Cisco Secure Access Control
Server.

Installation Guide for Cisco Security Manager 4.0.1

OL-23410-01 7-27
 Chapter 7 Managing User Accounts
Troubleshooting Security Manager-ACS Interactions

Installation Guide for Cisco Security Manager 4.0.1

7-28 OL-23410-01