User Guide for CiscoWorks Assistant 1.0. - Chapter 3 Configuring LMS Server Using CiscoWorks Assistant [CiscoWorks Assistant]

Table Of Contents

Configuring LMS Server Using CiscoWorks Assistant

Before You Begin

About the CiscoWorks Assistant Server Setup Homepage

Managing LMS Servers

Viewing Server Details

Adding a Server

Adding Server Details

Accepting Certificate Information

Setting up the System

Viewing Server Addition Summary

Editing Server Details

Deleting a Server

Setting up System Identity User

Setting and Editing the Device Management Mode

Viewing Server Management Status

Setting Default Credentials

Viewing Set Default Credentials Status

Adding Devices

Adding Devices Using Bulk Import From File

Adding Devices Using Bulk Import From NMS

Adding Devices Using Campus Device Discovery

Setting SNMP V2 Parameters

Setting SNMP V3 Parameters

Viewing Add Devices Status

Deleting SNMP V2 Details

Deleting SNMP V3 Details

Managing Devices

About Device Selector

Viewing Manage Devices Status

Changing ACS Setup

Configuring the ACS Mode

Viewing the Configure ACS Mode Status

Viewing the Configure ACS Mode Result

Updating ACS Configuration

Assigning Device Group

Viewing the Server Setup Summary

Configuring LMS Server Using CiscoWorks Assistant

The Server Setup The Server Setup workflow helps you to setup and manage CiscoWorks LAN management Solution (LMS) servers. It helps you to simplify the deployment and setting up of single or multiple LMS servers.

The Server Setup workflow assists you in:

•Managing LMS Servers—You can add servers, set up System Identity User accounts, and set up the device management mode.

•Setting Default Credentials—You can use the default credentials feature to prevent the management applications from failing if devices added or imported into DCR do not contain all credentials required to manage them. Default credentials are stored in DCR and are not associated with any device.

•Adding Devices—You can populate the servers with network devices, either by dynamic discovery, or bulk import.

•Managing Devices—You can manage devices in each application after adding them into DCR.

•Changing ACS Setup—You can configure the ACS mode and assign device groups.

Before You Begin

Before you start using the Server Setup workflow, review the following topics:

•About Single-Server and Multi-Server Setups

•About AAA Mode

•Related Documentation

•Implications of DCR and SSO Modes on Server Setup Workflow

•Navigating Within Server Setup Workflow

About Single-Server and Multi-Server Setups

If the CiscoWorks applications are installed on a single LMS server, the setup is considered as a Single-server setup.

For large deployments, you may opt to have multiple servers for a single managed network by distributing applications across multiple servers for better performance and scaling. This setup is considered as a Multi-server setup. The Multi-server set up requires the various LMS servers part of the set up work in sync with each other.

You will come across the following terms and concepts while setting up and working on a Multi-server set up:

•Peer Server Certificate Setup

Peer Server Certificates are used to allow one CiscoWorks server to communicate with another using SSL. In a Multi-server set up you have two or more servers on which CiscoWorks applications are installed. CiscoWorks allows you to add the certificate of another CiscoWorks server (a peer server) into its trusted store.

•System Identity Setup

Communication between multiple CiscoWorks servers is enabled by a trust model addressed by certificates and shared secrets. System Identity setup should be used to create a trust user on Slave servers to facilitate communication in Multi-server scenarios. This trust user is called System Identity User. The System Identity User is also used for inter-process communication.

A default System Identify User admin is created during installation. During the installation, you should provide the password for System Identity user. This password can be different from the password you provide for the admin user used to log in to CiscoWorks.

CiscoWorks Assistant allows you to create a System Identity User in all the servers part of the Multi-server set up.

The System Identity User is a Local User with all privileges. The user will automatically be made a Peer Server User too.

If the LMS server is in ACS mode, the System Identity User should be present in ACS user data base with Super Admin privileges assigned.

•Peer Server Account Setup

Peer Server Account Setup helps you create users who can programmatically login to CiscoWorks servers and perform certain tasks. These users should be set up to enable communication between multiple CiscoWorks servers. Peer Server Account can be set up in Common Services.

The Device and Credentials Repository (DCR) lets you manage the device list, and associated credentials and other user defined device attributes in a single place in a management domain. In a Multi-server setup, where each server could host one or more LMS application instances, the DCR serves as the one place where you can manage the device lists and related attributes, for use by all the applications in the set up.

DCR helps multiple applications share device lists and credentials using a client-server mechanism, with secured storage and communications. The CiscoWorks applications can read or retrieve the information from this repository.

In a Single-server scenario, the DCR would be operating in a Standalone mode (default mode after installation)

In a Multi-server scenario, user should designate one of the servers as the Master and configure the other servers in a Slave mode.

The Slave servers keep their copy of the DCR data, in sync with the Master DCR.

The Master DCR server refers to the master repository of device list and credential data. There is only one Master repository for each management domain, and it contains the most up-to-date device list and credentials. DCR Slaves are slave instances of DCR on other servers and provide transparent access to applications installed on those servers.

Any change to the repository data occurs first in the Master with the changes being propagated to all the Slaves. There can be more than one Slave in a management domain but any slave can become a master at any time.

In Standalone mode, DCR maintains an independent repository of device list and credential data. It does not participate in a management domain and its data is not shared with any other DCR. It does not communicate with or contain registration information about any other Master, Slave, or Standalone DCR.

Devices newly added in DCR can be managed by an application in following ways

•Auto-manage mode —In this mode, applications listen to "Add Device" event and automatically start managing the device, if the device is relevant to the application.

•Manual-manage mode —In this mode, application keeps track of all newly added devices and shows the list to the user. User chooses few or all devices from the list for the application to manage. This mode gives better control on what device to be managed in each application.

The Single Sign-On (SSO) feature helps you to use a single session to navigate to multiple CiscoWorks servers without having to authenticate to each of them.

For Single Sign On, one of the CiscoWorks servers needs to be set up as the authentication server. The SSO authentication server is called the Master, and the SSO regular server is called the Slave. If there is no SSO Master server configured in your setup, the local server is selected as SSO Master.

You must perform the following tasks if the server is either configured as Master or Slave:

•Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same.

•Configure Master's Self Signed Certificate in Slave.

About AAA Mode

CiscoWorks provides a robust security mechanism to manage identity and access to the CiscoWorks applications, and data in a multi-user environment.

By default, CiscoWorks Server authentication (CiscoWorks Local) is used to authenticate users, and authorize them to access CiscoWorks applications. After authentication, your authorization is based on the privileges that have been assigned to you.

A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role. It dictates how much, and what type of system access you have.The CiscoWorks Server authorization scheme has pre-defined roles. In this mode, you cannot change the roles, or the privileges assigned to these roles. However, a user can be assigned a combination of these roles.

CiscoWorks server can be integrated with Cisco Secure Access Control Server (ACS) to provide improved access control by means of authentication, authorization, and accounting (AAA). CiscoSecure ACS provides authentication, authorization, and accounting services to network devices that function as AAA clients.

In ACS mode, you can create custom roles to best suit your business workflow and needs. That is, you can create a user, and assign the user with a set of privileges, that would suit your needs.

CiscoWorks Assistant helps you in changing the login module of all servers part of the multi-server set up to ACS mode. See Changing ACS Setup for details. See also, Adding Server Details.

Related Documentation

For more information on Multi-server setups, DCR and SSO, see the latest versions of following documents on Cisco.com:

•User Guide for CiscoWorks Common Services 3.1

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

•White Paper on CiscoWorks L MS Integration with Cisco Secure ACS

http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html

•LMS application User Guides.

http://www.cisco.com/en/US/products/sw/netmgtsw/tsd_products_support_category_home.html

Implications of DCR and SSO Modes on Server Setup Workflow

The Server Setup workflow assists you in setting up a Multi-server set up. You can add servers, create System Identity Users, modify the device management mode, add and manage devices, and change the AAA mode to ACS using the workflow.

In a Multi-Server setup, Server Setup workflow runs only on the DCR Master server.

In Server Setup workflow, the local server will be treated as DCR Master server if the setup is converted from Single-Server setup to Multi-Server setup. That is, using CiscoWorks Assistant if you add another server to a Standalone server, the DCR mode of the Standalone server to which the new server is added will be changed to Master.

A Multi-Server setup must have one SSO Master. The other LMS servers must be in SSO Slave mode. If there is no SSO Master server configured in your setup, the local server is set as SSO Master.

If the server is already configured for Multi-Server Setup, CiscoWorks Assistant automatically performs a Server Discovery to collect all the server information in the setup and displays it. Server Discovery runs once every hour. The existing server setup will be discovered when you invoke the CiscoWorks Assistant workflow pages, if the last discovery occurred before 60 minutes. Also, Server Discovery runs at the end of the Manage Server tasks and CiscoWorks Assistant collects all the updated information.

If the SSO Master is not reachable, you cannot perform any operation in the Server Setup workflow. Also, if any of the servers is unreachable, you cannot perform the Manage Servers and Change ACS Mode Setup steps.

Navigating Within Server Setup Workflow

If you are starting the workflow for the first time, click Start Setup to enter into the Server Setup workflow.

To get back to the initial Server Setup workflow screen from any other screen, click Cancel.

If you have operated the workflow earlier, and logged out from the CiscoWorks, or closed the browser after a particular task, you can continue from that task. To do this, click Enter Setup.

The links in the Server Setup table-of contents at the top-left corner of the screen are disabled after you enter the workflow.

After you enter the Server Setup workflow, you can navigate among the available options using the Back, Skip, and Next buttons.

•Back button

Takes you to the previous screen. When you click Back, the previous step will not be rolled back. CiscoWorks Assistant does not retain the values you entered previously.

•Skip button

Allows you to skip a task, and get to the next task. For example, if you want to get to the Set Default Credentials page from the Manage Servers page, without getting into the System Identity User Setup or Device Management mode page, click Skip.

•Next button

Takes you to the screen that is after the current screen.

CiscoWorks Assistant runs only one instance of Server Setup workflow. You can end an active session of another user when no operation is running in that session. To end the session, you need to provide the System Identity User details. If any operation is running, you cannot end the session.

Also, multiple operations cannot be initiated by the same user, simultaneously. The operation is allowed only after the operation that is in progress is completed.

To go to the CiscoWorks Assistant homepage click Home.

About the CiscoWorks Assistant Server Setup Homepage

Before you start with the Server Setup workflow, read the Before You Begin topic to help you understand the features better.

The initial screen that appears when you enter the workflow displays the Server Application List window. The fields in this window are described in the following table:

Field

Description

LMS Server

IP Address of the LMS Server or Display Name of the LMS server.

Reachability

Reachability status of the LMS server.

When you click the Expand button of the LMS server, a new pane gets added to the Server Application List window. The fields in the new pane are described in the following table:

Field

Description

Applications

Name of the application installed in the server. This can be any of the following:

•Common Services

•Campus Manager

•CiscoView

•RME

•Integration Utility

•Internetwork Performance Monitor

•Device Fault Manager

Version

Version number of the CiscoWorks application.

Version Supported

If the version of the application is supported by CiscoWorks Assistant, a tick mark in green is displayed.

For unsupported applications, a cross in red is displayed. You cannot perform any tasks using the workflow on unsupported applications.

You can perform the following Server Setup workflow tasks:

•Manage Servers (See Managing LMS Servers)

•Set Default credential (See Setting Default Credentials)

•Add Devices (See Adding Devices)

•Manage Devices (See Managing Devices)

•Change ACS Setup (See Changing ACS Setup)

After you complete the Server Setup workflow, you can view a detailed summary of all the tasks that you have performed during the workflow. See Viewing the Server Setup Summary for details.

In a Multi-server setup, if one of the slaves is down, you cannot run the Manage Servers and Change ACS Setup steps in Server Setup workflow. However, you can run all the device related steps such as Setting Default Credentials, Adding Devices, and Managing Devices. This limitation is imposed because changes made during Manage Servers and Change ACS Setup steps have to be uniformly applied across all servers part of the Multi-server setup and cannot be skipped for the server which is down.

Managing LMS Servers

The Manage Servers page displays the CiscoWorks server Details. This page allows you to:

•View server details (See Viewing Server Details)

•Add a server. (See Adding a Server)

•Set up System Identity User (See Setting up System Identity User)

•Set up the Device Management mode (See Setting and Editing the Device Management Mode)

You can also:

•View Server Addition summary (See Viewing Server Addition Summary)

•View Server Management status. (See Viewing Server Management Status)

•Edit a server (See Editing Server Details)

•Delete a server (See Deleting a Server)

Note All the servers you want add to create the Multi-server set up should be DNS resolvable. If not, server addition will not be successful

Viewing Server Details

To view server details:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers from the CiscoWorks Assistant home page.

The Server Application List table lists the LMS servers.

Step 2 Click Start Setup.

The CiscoWorks server Details table appears with the following details.

•Hostname/IP Address—Hostname or IP Address of the CiscoWorks server.

•Server Display Name—The display name you have set up for the LMS Server.

•Protocol—Protocol of the server. This can be HTTP or HTTPS.

•Port—Port Number of the CiscoWorks server.

•Admin Username—Admin username for the Server.

•DCR—DCR mode of the server. Mode can be DCR Master, Slave, or Standalone.

•SSO—SSO mode of the server. SSO Mode can be Master, Slave, or Standalone.

See the User Guide for CiscoWorks Common Services 3.1 for information on DCR and SSO modes.

Adding a Server

When you add a server, you must:

Step 1 Enter the Server details.

See Adding Server Details for details.

Step 2 Accept the necessary certificate information.

See Accepting Certificate Information for details.

Step 3 Configure the SMTP server and the E-mail ID.

See Setting up the System for details.

Step 4 Create a trust user on the servers that are part of a Multi- Server setup.

See Setting up System Identity User for details.

After you add a server, you can set up the Device Management Mode for all the applications (See Setting and Editing the Device Management Mode). This determines whether the devices should be managed by the different applications when they are added to the DCR.

You can view a summary of server addition, after you complete the necessary tasks. See Viewing Server Addition Summary for details.

Adding Server Details

To add a CiscoWorks server:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Click Add.

The Add Server dialog box appears.

Step 3 Enter the following server details:

•Hostname/IP Address—Hostname or IP Address of the CiscoWorks server. If the server you add is in DCR Master mode, or if it is the Salve of another DCR master, it will not allow you to add the server.

•Administrator Username—Admin username for the Server.

•Administrator Password—Admin username for the Server.

•Protocol—Protocol of the server. Select HTTP or HTTPS from the drop-down list.

•Port—Port Number of the CiscoWorks server.

If the DCR Master (local server) is in ACS mode, you should enter the Network Device Group (NDG) details.

This should be the NDG to which the DCR Master server is added. CiscoWorks Assistant will convert the server you add here too into ACS mode, on a successful completion of the Manage Servers workflow.

If the server you are adding has already been integrated with another ACS server, it will get integrated to the ACS server to which the DCR Master (local server) is integrated, after the successful completion of Manage Servers step.

If you add a server that is already registered with the same ACS server as the DCR Master (local server), CiscoWorks Assistant re-integrates the server with the same ACS server.

On integration, all the custom roles you have created in the ACS server for the CiscoWorks applications will be lost.

You must restart the Daemon Manager in the server that you have added, after the Manage Server Step is complete. If you have added multiple servers, you must restart the Daemon Manager in all the servers that you have added.

If the DCR Master is in CiscoWorks Local mode, you cannot add a server that is in ACS mode.

Step 4 Click Next to continue.

CiscoWorks server is contacted to validate the Device and Credential Repository settings, and to fetch the Certificate information. See Accepting Certificate Information for details.

Accepting Certificate Information

If a CiscoWorks server needs to communicate to another CiscoWorks server, it must possess the certificate of the other server. You can add certificates of any number of peer CiscoWorks servers to the trusted store.

For more information on Certificates, and importing peer server certificates, see the following sections in the User Guide for CiscoWorks Common Services 3.1:

•Creating Self Signed Certificates

•Setting up Peer Server Certificate

To view and accept the certificate:

Step 1 Click Next, after adding the Server details,

The Server Setup window appears with the following certificate information.

•Version—Certificate version number

•Serial Number—Certificate serial number

•Issued By—Information on the certificate issuing authority.

•Issued To—Information about the certificate holder.

•Effective From—Displays the date from which the certificate is valid.

•Expiry Date—Expiry Date of the certificate

•Signature—Signature information of the certificate

•Sign Algorithm—Sign Algorithm used by the CiscoWorks for the certificate

Step 2 Select the Accept Certificate check box.

Step 3 Click Next to continue.

The Server Setup window is displayed. You can set the SMTP server and the CiscoWorks E-mail ID to receive e-mails from CiscoWorks server. See Setting up the System for details.

Setting up the System

The Server Setup window allows you to set up the SMTP server, and the CiscoWorks E-mail ID.

The SMTP settings in CiscoWorks Assistant is specific to a server. If you change the SMTP settings in DCR master (local server), the SMTP server name and e-mail ID is set in the DCR master (local server) alone. To change the SMTP settings in slaves, you have to go to the individual servers and set up SMTP details.

Step 1 Enter the SMTP server details in the SMTP Server field.

This is the system-wide name of the SMTP server used by CiscoWorks applications to deliver reports. The default server name is localhost.

Step 2 Enter the e-mail ID in the CiscoWorks E-mail ID field.

This is the CiscoWorks e-mail ID from which applications send e-mail notifications. There is no default e-mail ID.

These fields will be already populated if the SMTP server and e-mail ID have been set up in the Common Services > Server > Admin > System Preferences screen or using the LMS Setup Center.

Step 3 Click OK.

Viewing Server Addition Summary

The Add Server Summary page provides the following details:

•LMS Server—LMS Server name or IP Address

•Server Display Name—Display name of the newly added Server.

•DCR Settings—Displays the current and the new DCR modes of the Server.

–Current Settings: DCR mode of the Server before it was added to the Multi-Server set up.

–New Settings: DCR mode of the Server after it was added to the Multi-Server set up.

•SSO Settings—Displays the current and the new DCR modes of the Server.

–Current Settings: SSO mode of the Server before it was added to the Multi-Server set up.

–New Settings: SSO mode of the Server after it was added to the Multi-Server set up.

When you add a server to the existing setup, the added server will become SSO and DCR Slave. However, if you want to make the added server the SSO Master, select the Set as Master check box.

CiscoWorks Assistant does not provide the option to convert the DCR mode of the added server from Slave to Master as this could result in applications losing data. You can proceed to Setting up System Identity User step, after you complete the Add Server steps.

To go to the Set Default Credentials Page Setting Default Credentials, click Skip.

Editing Server Details

To edit a server:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Select the server by clicking the Host Name/IP Address radio button, and click Edit.

The Edit Server dialog box appears.

This dialog box has pre-populated values in Hostname/IP address, Protocol, Port and Current SSO Settings fields. All fields in the Edit Server dialog box can be edited, except the Hostname/IP address, Protocol, Port, and Current SSO settings fields.

If the server is in SSO Slave mode, you can set it as SSO Master, by selecting the Set as Master check box.

If the server is in SSO Master Mode, you can change it to Slave mode by selecting the Set as Slave check box. The Set as Slave check box is not present in the local server.

Step 3 Enter the Server Details and Setup parameters in Edit Server dialog box, and click OK.

Step 4 Click Next.

The Current System Identity User pop-up appears.

In a Single-server setup, if you have provided the admin user name and password, you will not be prompted to enter System Identity User details. In a Multi-server setup, if you have provided admin user name and password for all servers, you will not be prompted to enter System Identity User details.

Step 5 Click OK after you enter the System Identity User details.

The New System Identity User window appears.

Step 6 You can either:

•Enter the new System Identity Username and Password, confirm Password, and click Next

Or

•Click Skip to proceed, if you do not want to change the current System Identity User.

The Device Management Mode page appears.

Step 7 Click Next, after you modify the Device Management Mode.

See for Setting and Editing the Device Management Mode more information.

If you do not want to change the settings, click Next when you get to this page without making any modifications to the existing Device Management mode. The Skip button is disabled in this page.

The workflow initiates after you click Next button. The modifications you made are saved when the tasks are complete.

Deleting a Server

To delete a server from the setup:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers

Step 2 Select the server by clicking the Host Name/IP Address radio button.

Step 3 Click Delete.

The Delete Confirmation popup appears.

Step 4 Click OK to delete the selected server.

The Marked for Deletion tag appears adjacent to the server you selected in Step 2.

Step 5 Click Next.

The Current System Identity User pop-up appears.

Step 6 Click OK after you enter the System Identity User details.

Step 7 Click Next.

The New System Identity User window appears.

You can skip the New System Identity User step if you do not want to change the current System Identity User details. To do this, click Skip.

The Device Management Mode page appears.

Step 8 Click Next in the Device Management Mode page.

You may choose to change the device management mode here, or leave the values as such. This page does not have the Skip button. You need to click the Next button to proceed with the tasks. The workflow initiates after you click Next button.

The server marked for deletion will be removed from the set up after the Manage Servers tasks are complete.

Marked for deletion tag appears only for servers that are already added.

If you add a server and delete it immediately after adding it, that is, if you perform the Add Server and the Delete Server tasks in same UI session, the Marked for deletion tag does not appear in the screen. In this case, the newly added server is not marked for deletion, and is removed from the screen when you click OK in the Delete Confirmation pop-up.

Retaining a Server Marked for Deletion

To retain a server marked for deletion:

Step 1 Select the server by clicking the Host Name/IP Address radio button.

Step 2 Click Undelete.

Note The Undelete button appears only if you select a server that is marked for deletion.

The Undelete Confirmation pop up appears

Step 3 Click OK to retain the server.

If you try to add a server that is marked for deletion back to the set up again using the Add button, the Undelete Confirmation pop-up is displayed. Click OK to retain the server in the setup.

After the server is deleted from the setup, the deleted server goes into DCR Standalone and SSO Standalone modes. The workflow also removes the Trust that is set up from all the deleted servers.

You cannot remove the local server from the setup.

If you remove the SSO Master, you can assign any other server as the SSO Master. If you do not select another server as the SSO Master, the workflow will assign the local server as the SSO Master. If you remove the SSO Master, the Multi-server setup is not removed.

You cannot delete the DCR Master.

In a Multi-server setup that has two servers, the workflow will remove the Multi-server setup if you remove one server. In such a case, the local server switches to Standalone mode.

Setting up System Identity User

System Identity setup helps you to create a trust user on servers that are part of a Multi-server setup. This user enables communication among servers that are part of a management domain. There can only be one System Identity user for each server.

The System Identity user you configure must be a Peer Server user.

•In the Non-ACS mode, the System Identity user that you create must be a Local user, with all privileges.

•In the ACS mode, the System Identity user should be configured in ACS, with Super Admin privileges, in all applications registered in ACS. You can either configure the System Identity User with the predefined Super Admin role or with a custom role created with all privileges in ACS server.

See User Guide for CiscoWorks Common Services 3.1 for more details on System Identity setup.

Before you set up the System Identity user, you must add the server.

To set up the System Identity user:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Click Next.

The Current System Identity User Setup dialog box appears

This dialog box appears only when the admin user details are not entered for at least one of the servers. If the admin user details are entered for all servers, the New System Identity Setup page appears.

Step 3 Enter the current System Identity username and Password in the text field.

Step 4 Click OK to continue.

The New System Identity Setup page appears.

If you want to change the System Identity setup values, enter the new System Identity Username and Password in the text field, re-enter the password in the confirm password field, and click Next to complete the System Identity User setup.

CiscoWorks Assistant ensures the new user you create has all the necessary privileges. CiscoWorks Assistant ensures the new user you create has all privileges.

Otherwise, click Skip.

To set up, or edit the Device Management Mode page, click Next.

Setting and Editing the Device Management Mode

The Device Management mode determines whether the new devices are automatically managed by CiscoWorks applications.

You have to add your server before you get to this stage. If you are in a Multi-server setup, you must also set up a System Identity User before you begin this task.

See application specific User Guides to know more about device management modes in different CiscoWorks applications.

To set the Device Management Mode:

Step 1 Click Next, after adding the server or setting up the System Identity User.

The Device Management Mode page appears.

The possible modes are:

•Auto Management— If any new devices are added in DCR, these devices are also added in the application automatically.

•Manual Allocation—You can use this option to selectively add devices to the application from DCR or when you have deleted devices in the application and you want to re-add those devices to the application.

By default, the Device Management Mode shows the current status of device management mode of applications that have been set up in their respective Device Management Settings pages.

Step 2 Select Manual Allocation or Auto Management from the drop down list for each CiscoWorks server application.

Step 3 Click Next.

The workflow executes the assigned tasks when you click Next in the Device Management Mode page. The Manage Servers progress page displays the Server Management status. See Viewing Server Management Status.

Viewing Server Management Status

The Manage Servers progress page that appears after you complete the Device management mode set up displays the status of the Manage Server tasks that you have performed.

For information on setting up Device Management mode, see Setting and Editing the Device Management Mode.

To view the Manage Severs tasks status:

Step 1 Click Next after selecting the Device Management Mode.

The Manage Servers Progress page appears.

The process of checking the status of various tasks might take some time.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. You can then exit from the workflow before the tasks are complete. You can come back to view the status after you get the e-mail notification that the task have completed. See Setting up E-mail Notification After Managing Server Tasks for details.

Or

•Wait until the status check has completed to view the status.

The status on the following is displayed:

•System Identity User validation.

•New System Identity User creation, if you have added new System Identity User values.

•Trust removal from all deleted CiscoWorks servers, if you have deleted any.

•Trust creation for the newly added server by the System Identity setup configuration and certificate addition.

•Configuring new System Identity User on all servers.

•Configuring SMTP Server and e-mail.

•Device Management mode configuration.

•DCR mode configuration. If you add a Standalone server, it will be converted into the Slave of the local server. In a Single-server scenario, if you add a new server, the local server will be made the Master, and the added server will be made the Slave. In a Multi-server set up, the added server will be made the slave of the DCR master. If the local server (DCR master) is in ACS mode, the AAA mode of the added server would be set as ACS.

•SSO Mode change, if you have changed the SSO mode.

•Server Discovery step to up date CiscoWorks Assistant database with the most recent changes.

Step 2 Click on the relevant step link to view the detailed status report for that step.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

Setting up E-mail Notification After Managing Server Tasks

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

Step 1 Select the Notify me when Manage Servers tasks are complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail when the tasks have completed.

Step 4 Click Enter Setup to view the Manage Server status page after you receive the e-mail notification.

Setting Default Credentials

Default credentials are stored in DCR, and are not associated with any device. DCR maintains only one default credential set.

The default credential set comprises:

•Primary Credentials (Username, Password, Enable Password)

•Secondary Credentials (Username, Password, Enable Password)

•Rx Boot Mode Credentials (Username, Password)

•SNMPv2C/SNMPv1credentials (Read-Only Community String, Read-Write Community String)

•SNMPv3 Credentials (Username, Password, Authentication Algorithm, Engine ID)

•HTTP credentials (Primary HTTP Username and password, Secondary HTTP Username and Password, HTTP/HTTPS port, Current Mode)

•Auto Update Server Managed Device Credentials (Username and Password)

You can use the default credentials for devices and edit their credentials appropriately. You can configure the default credentials and use them in the applications. Applications use the default credentials for the devices they manage if they cannot retrieve the required device credentials from DCR.

All the credential information will be populated from the DCR Master. If the credentials are already available in DCR, they will be overwritten by the new values you enter. The DCR database is updated after you set the default credentials.

To set the default device credentials:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Set Default Credentials.

The Default Credentials page appears.

You can:

•Set Standard credentials (SeeSetting Standard Credentials)

•Set SNMP credentials (See Setting SNMP Credentials)

•Set HTTP credentials (See Setting HTTP Credentials)

•Set Auto Update Server managed Device Credentials (See Setting Auto Update Server)

•Set Rx Boot Mode credentials (See Setting Rx Boot Mode Credentials)

Setting Standard Credentials

To set Standard Credentials:

a. Click Standard Credentials under Set Default Credentials.

The Standard Credential page appears.

b. Add the following credentials:

–Primary credential

–Secondary credential

You can also enter the Enable password for these credentials.

c. Re-enter the passwords in the Verify field.

Setting SNMP Credentials

To set SNMP Credentials

a. Click SNMP Credentials under Set Default Credentials.

The SNMP Credential page appears.

b. Add the following credentials

–SNMP v2C credentials

–SNMPv3 credentials

c. Enter the Read-Only Community String and Read-Write Community String.

d. Enter the username and password.

e. Re-enter the password in the Verify field.

f. Select the Authentication Algorithm value from the drop-down list.

The Authentication Algorithm field can be MD5, SHA-1 or None.

Setting HTTP Credentials

To set HTTP Credentials:

a. Click HTTP Credentials under Set Default Credentials

The HTTP Credential page appears. You can add the following credentials:

–Primary Credential:

–Secondary Credential:

b. Enter the username and password.

c. Re-enter the password in the Verify field.

d. Enter:

–HTTP Port

–HTTPS Port

–Current Mode.

The Current Mode can be HTTP, HTTPS, or None. Select the value from the drop-down list.

Setting Auto Update Server

To set Auto Update Server Managed Device Credentials:

a. Click Auto Update Server Managed Device Credentials under Set Default Credentials.

The Auto Update Server Managed Device Credential page appears.

b. Enter the username and password.

c. Re-enter the password in the Verify field.

Setting Rx Boot Mode Credentials

To set Rx Boot Mode Credentials:

a. Click Rx Boot Mode Credentials under Set Default Credentials.

The Rx Boot Mode Credentials page appears.

b. Enter the username and password.

c. Re-enter the password in the Verify field.

Step 2 Click Next to complete the Default Credentials Settings.

The Set Default Credentials Progress page is displayed. This page provides the status of the Set Default Credentials tasks. See Viewing Set Default Credentials Status.

Viewing Set Default Credentials Status

To view the set default credentials status:

Step 1 Click Next after entering the credentials.

The Set Default Credentials Progress page is displayed.

The process of checking the status of various tasks might take some time.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. You can then exit from the workflow before the tasks are complete. You can come back to view the status after you get the e-mail notification that the task have completed. You should do this after getting an e-mail notification. See Setting up E-mail Notification After Setting Default Credentials for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the relevant step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

See the User Guide for CiscoWorks Common Services 3.1, for more information on Default Credentials.

Click Next to go to the Add Devices step. See Adding Devices for details.

Setting up E-mail Notification After Setting Default Credentials

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

Step 1 Select the Notify me when Set Default Credentials tasks are complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have completed.

Step 4 Click Enter Setup to view the Set Default Credentials Status page after you receive the e-mail notification.

Adding Devices

You can add devices to the Device and Credentials Repository (DCR) using the following methods:

•Bulk Import from File (See Adding Devices Using Bulk Import From File)

•Bulk Import from Network Management Station (NMS) (See Adding Devices Using Bulk Import From NMS)

•Campus Device Discovery (See Adding Devices Using Campus Device Discovery)

CiscoWorks Assistant allows you to add devices using multiple methods simultaneously. You can add devices using the Import from File feature, and Campus Device Discovery at the same time.

Campus Device Discovery can be run only if Campus Manager is installed in the CiscoWorks server. It can be installed either on a local or on a remote server.

You can also:

•View Add Devices Status (See Viewing Add Devices Status)

•Set SNMP Parameters (See Setting SNMP V2 Parameters)

•Delete SNMP Details (See Deleting SNMP V2 Details and Deleting SNMP V3 Details)

To add devices you can either:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices

Or

•Select Manage Servers, and continue in the wizard mode.

Adding Devices Using Bulk Import From File

To import from a file:

Step 1 Select the Import From File check box from the Select Methods pane, and click the Import From File link.

The File Information pane appears. This is the default.

Step 2 Enter the file name.

Or

a. Click Browse

The Server Side File selector dialog box appears

b. Select the filename

The Server Side File Selector dialog box displays the files from the remote server on which the Server Setup workflow is running.

Step 3 Select either CSV or XML file formats.

Only CSV 2.0 and CSV 3.0 file formats are supported.

See the User Guide for CiscoWorks Common Services 3.1 for sample CSV and XML files.

Step 4 Select either the Use data from Import source or the Use data from Device and Credential Repository, to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 5 Select the Use Default Credentials check box to use the default credentials to import the devices.

•If your import source does not have the required device credentials, and if you have opted to use default credentials, the device information will be imported into DCR with default credentials values.

•If your import source has the required device credentials and if you have opted to use default credentials, the device information will be imported into DCR with the values specified in the import source.

Adding Devices Using Bulk Import From NMS

To import from NMS:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices

Or

•Select Manage Servers and continue in the wizard mode.

The NMS Information screen appears.

You can do a bulk import either from:

•Local NMS (See Performing Bulk Import From Local NMS)

Or

•Remote NMS (See Performing Bulk Import From Remote NMS)

Performing Bulk Import From Local NMS

To perform a bulk import from Local NMS:

Step 1 Select the Import From NMS check box from the Select Methods pane, and click the Import From NMS link.

Step 2 Select the Network Management System type from the NMS type drop-down list. HPOV6.x and Netview7.x are supported.

Step 3 Enter the installation location of Network Management System in the Install Location field.

For example: C:\Program Files\HP OpenView

Step 4 Select either the Use data from Import source or the Use data from Device and Credential Repository, to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 5 Select the Use Default Credentials check box to use the default credentials to import the devices.

•If your import source does not have the required device credentials, and if you have opted to use default credentials, the device information will be imported into DCR with the default credentials values.

•If your import source has the required device credentials and if you have opted to use default credentials, the device information will be imported into DCR with the values specified in the import source.

Performing Bulk Import From Remote NMS

To do a bulk import from Remote NMS:

Step 1 Select the Import From NMS check box from the Select Methods pane, and click the Import From NMS link.

Step 2 Select the Remote NMS check box.

Step 3 Select the Network Management System type from the NMS type drop-down list. HPOV6.x, Netview7.x and ACS are supported.

Step 4 Select the Operating System type from the OS type drop-down list.

Step 5 Enter the host name, root username, and install location in the corresponding fields.

If you select the NMS type as ACS, enter the root password, port and protocol along with the hostname and root username in the corresponding fields.

Step 6 Select either the Use data from Import source or the Use data from Device and Credential Repository radio button, to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 7 Select the Use Default Credentials check box to use the default credentials to import the devices.

•If your import source does not have the required device credentials and if you have opted to use default credentials, the device information will be imported into DCR with the default credentials value.

•If your import source has the required device credentials and if you have opted to use default credentials, the device information will be imported into DCR with the values specified in the import source.

Adding Devices Using Campus Device Discovery

Discovery can be done only if Campus Manager is installed in the server. Before running Discovery on a server you must specify the SNMP settings and Seed Device configuration.

To run Discovery:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices.

Or

•Select Manage Servers and continue in the wizard mode.

Add Devices page appears. This page contains the Run Discovery check box for each server.

To specify Device Discovery settings:

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

This option is available only if Campus Manager is installed on the server.

The Discovery window appears with the following tabs.

•Seed Devices tab

•SNMPV2 tab

•SNMPV3 tab

•Discovery Settings tab

•Configure Range tab

Step 2 Enter the following details to specify the Discovery settings. See the Administering Campus Manager chapter in the User Guide for Campus Manager for more information on the Discovery Settings

Seed Devices tab

•IP Address/Host Name

a. Specify the IP Address/Host Name in the text field

b. Click Add to add the device in the device list.

To delete a device, select it, and click Delete.

•Added Device List—Lists the devices that are added to the server.

•Browse—Click Browse to enter seed devices in a file. The file browser displays only the files on the local server. It does not display any files that are on the remote server.

SNMPV2 tab

•Enable Multiple Community Strings—Select the check box to enable multiple community strings. You can provide multiple community strings for the same IP address range. Each string is tried for reachability until the correct string is found.

For example: 10.*.*.* public1 and 10.*.*.* public2

•Encrypt Community Strings —Select the check box to enable encryption of community strings. Community strings are stored in the system in the encrypted format.

•Target—Target device.

•Read Community—Read community string.

•Time Outs—Time period after which the query times out.

•Retries—Number of attempts.

•Comments—Remarks, if any.

SNMPV3 tab

•Encrypt Community Strings—Select the check box to enable encryption of community strings. Target—Target device.

•User Name—Name of the user who has access to views configured on the device.

•Password—Password of the user.

•Time Outs—Time period after which the query times out.

•Retries—Number of attempts.

•Authentication—Method of authentication. The method of authentication can be SHA-1 or MD5

•Comments—Remarks, if any.

See Setting SNMP V2 Parameters and Setting SNMP V3 Parameters for more information.

Discovery Settings tab

•Jump Router Boundaries—Extends Discovery beyond the boundaries set by routers on your network.

•Use Reverse DNS Lookup—Select this option to use Domain Name Services (DNS) for Device Discovery. Device Discovery uses DNS, if available, to perform device name lookups. If Device Discovery has problems resolving DNS names, discovery might take longer.

Therefore, if you do not use DNS in your network, or if you are experiencing problems with DNS, consider disabling the reverse DNS lookup.

•Update DCR Display Name—Select this option to update the Host name/IP Address of the device as the Display name in DCR. The display name is updated in the next device discovery cycle.

•Use Default Credentials—When you select this option, devices discovered a nd updated to DCR will be associated with the default credentials.

Preferred Management IP

•Use LoopBack Address—Resolves server name by loopback address. If the device has an IP address for LoopBack Interface, the device is managed using this IP address. If there are multiple Loopback IP addresses, one of them is used to manage the device.

•Resolve By Name—Select this option if you have configured the device with DNS Name. This name is fetched from DNS during Discovery

•Resolve By Sysname—Contacts the DNS Server to get the device hostname.

Configure Range tab

•Filter —Allows you to limit Discovery by IP addresses in your network. You can do this by selecting either of these options from the drop-down list box:

–Discover devices in IP address range

–Do not discover devices in IP address range

•Added Device List—Lists the devices that are added to the server.

•IP Address/Host Name:

–To add the device to the Added Device IP List enter an IP address or a range of IP addresses to limit Discovery and click Add.

–To delete a device from the Device IP List, select a device from the Added Device IP List, and click Delete.

Step 3 Click Next to complete the Add Devices step.

The Add Devices Progress page appears. You can view the device addition status in this page.

See Viewing Add Devices Status for details.

Setting SNMP V2 Parameters

To add or edit SNMP V2 and SNMP v3 parameters:

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

Step 2 Click the SNMP V2 tab.

Step 3 Click Add to add the SNMP settings.

The SNMP V2 popup appears.

Step 4 Enter the following details in the popup:

•Target—Target device

•Read Community—Read community string.

•Timeouts—Time period after which the query times out.

•Retries—Number of attempts.

•Comments—Remarks, if any.

Step 5 Click either

•OK to save the changes

Or

•Cancel to exit.

Step 6 Select a row, and click Edit to edit the community strings.

The SNMP V2 popup appears with the existing values.

Step 7 Edit the details in the popup and click either:

•OK to save the changes

Or

•Cancel to exit.

Step 8 Select a row, and click Delete to delete the community string.

Setting SNMP V3 Parameters

To add or edit SNMP V3 parameters:

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

Step 2 Click the SNMP V3 tab.

Step 3 Click Add to add the SNMP settings.

The SNMP V3 popup appears.

Step 4 Enter the following details in the popup

•Target—Target device

•Username—Name of the user who has access to the views configured on the device.

•Password—Password of the user.

•Timeouts—Time period after which the query times out.

•Retries—Number of attempts.

•Authentication—Method of authentication. Either SHA-1 or MD5.

•Comments—Remarks, if any.

Step 5 Click either:

•OK to save the changes

Or

•Cancel to exit.

Step 6 Select a row, and click Edit to edit the community strings.

The SNMP V3 popup appears with the existing values.

Step 7 Edit the details in the popup and click either:

•OK to save the changes

Or

•Cancel to exit.

Select a row, and click Delete to delete the community string.

Viewing Add Devices Status

To view the Add Devices status:

Step 1 Click Next after adding the devices.

The Add Devices Progress page is displayed.

The process of checking the status of various tasks might take some time.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. mail notification. You can then exit from the workflow before the tasks are complete. You can come back to view the status after you get the e-mail notification that the tasks have completed. You should do this after getting an e-mail notification. See Setting up E-mail Notification After Adding Devices for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the relevant step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

Click Next to go to Manage Devices Tasks. See Managing Devices for details.

Setting up E-mail Notification After Adding Devices

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

Step 1 Select the Notify me when Add Devices tasks are complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

E-mail ID can contain any characters, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have been completed.

Step 4 Click Enter Setup to view the Add Devices Progress page after you receive the e-mail notification.

Deleting SNMP V2 Details

To delete an SNMP V2 device:

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

Step 2 Click the SNMP V2 tab.

Step 3 Select the row to be deleted.

Step 4 Click Delete.

The Delete SNMP V2 Confirmation dialog box appears.

Step 5 Click OK in the Delete SNMP V2 Confirmation dialog box.

Deleting SNMP V3 Details

To delete an SNMP V3 Device:

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

Step 2 Click the SNMP V3 tab.

Step 3 Select the row to be deleted.

Step 4 Click Delete.

The Delete SNMP V3 Confirmation dialog box appears.

Step 5 Click OK in the Delete SNMP V3 Confirmation dialog box.

Managing Devices

This page helps you to allocate devices to be managed by the applications installed in the CiscoWorks servers. The page lists the CiscoWorks servers and the applications that are present in each server. You can select devices from the device selector and add it to the application with which you want the device to be managed.

You can also:

•View device management status (See Viewing Manage Devices Status)

•Use Device Selector to search for devices in DCR (See About Device Selector)

To manage devices:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Devices.

The Manage Devices page appears.

Step 2 From the Device Selector, select the devices that you want to add.

Step 3 Select the applications to which you want to allocate the devices.

Initially, devices must be added to DCR. After a device is added to DCR, you can add it to the applications.

Step 4 Click Add Devices to add,

Or

Click Reset to reset the added devices in the application.

The Manage Devices screen displays:

•LMS Server—LMS Server IP Address

•Applications—Applications installed in the LMS Server

•Selected Device(s)—Number of devices selected to add in that application

Step 5 Click Next to complete the Manage Devices tasks.

The Device Management Progress page appears. You can view the Device Management status in this page. See Viewing Manage Devices Status for details.

About Device Selector

The Device Selector allows you to search for the devices in Device and Credential Repository (DCR). It helps you to locate the devices and perform the device management tasks quickly. With this device selector, you need not remember the device type or application group hierarchy to locate the devices.

The devices are categorized under the Device Type based groups, User Defined groups, Subnet Based groups, Application Specific groups or under All Groups.

The CiscoWorks Assistant uses the Common Services device selector.

See the Configuring Device Selector section in the Managing Device and Credentials chapter of the User Guide for CiscoWorks Common Services 3.1 for information on using Device Selector:

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

You can also access this information from Common Services Online help. From CiscoWorks help, select:

Common Services > Managing Device and Credentials > Configuring Device Selector > Searching Devices.

Viewing Manage Devices Status

You can view the device management status after you complete the Manage Devices tasks.

To view the status:

Step 1 Click Next after the manage devices tasks are complete.

The Device Management Progress page is displayed.

The process of checking the status of various tasks might take some time.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. mail notification. You can then exit from the workflow before the tasks are complete. You can come back to view the status after you get the e-mail notification that the tasks have completed. You should do this after getting an e-mail notification. See Setting up E-mail Notification After Device Management Tasks for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

Click Next to go to the Change ACS Setup tasks. See Changing ACS Setup for details.

Setting up E-mail Notification After Device Management Tasks

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

Step 1 Select the Notify me when Manage Devices tasks are complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail, after the tasks have completed.

Step 4 Click Enter Setup to view the Manage Devices Status page after you receive the e-mail notification.

Changing ACS Setup

The CiscoWorks server provides mechanisms used to authenticate users for CiscoWorks applications. The login module determines the type of authentication and authorization CiscoWorks uses.

By default, the login module is set to the native CiscoWorks authentication mechanism, that is, the CiscoWorks Local login module. You can change this default value to use Cisco Secure ACS for user authentication and authorization.

In CiscoWorks Local mode, you cannot create custom roles, or modify the predefined roles. Cisco Secure ACS allows you to create custom roles and also limit the access to network devices within LMS using Network Device Groups (NDGs).

The details for setting up the CiscoWorks server for non-ACS mode are available in User Guide for CiscoWorks Common Service 3.1.

Change ACS Setup page shows the ACS Mode Status for each CiscoWorks server in the setup. From this page you can:

•Configure ACS Mode (See Configuring the ACS Mode)

•Assign Device Group (See Assigning Device Group)

The tasks to be performed to complete AAA mode change to ACS can be classified as:

•Cisco Secure ACS Initial Setup Tasks—This includes:

–Adding the ACS administrator user

–Adding CiscoWorks server and devices managed by it as AAA clients in Cisco Secure ACS. When you change the mode to ACS using CiscoWorks Assistant, you need to manually add the DCR Master server in ACS as an AAA client. When you change the mode of a Slave, CiscoWorks Assistant adds it to the NDG group you specify.

The See Cisco Secure ACS Initial Setup Tasks for details.

•AAA mode configuration in CiscoWorks Assistant—Specifying the Cisco Secure ACS server details and credentials in the Configure ACS Mode page. See Configuring the ACS Mode for details.

•User Configuration in Cisco Secure ACS—Adding users and defining roles in Cisco Secure ACS. See User Configuration in Cisco Secure ACS for details and pointers to documentation.

Cisco Secure ACS Initial Setup Tasks

You must define an Administrator in ACS server to provide remote access. To access the Cisco Secure ACS HTML interface from a browser on a remote machine, you must log in to Cisco Secure ACS using an administrator account.

You can perform the necessary steps to do this in the Administration Control tab in the ACS UI. See the White paper titled CiscoWorks LMS Integration with Cisco Secure ACS, or the User Guide for Cisco Secure ACS 4.1 for detailed information.

You must then add the CiscoWorks server and the devices it manage as AAA clients in ACS.

The following tasks need to be performed to add CiscoWorks server as an AAA client:

Step 1 In the Cisco Secure ACS navigation bar, click Network Configuration.

The Network Configuration page appears.

Step 2 Do either of the following:

•If you are using Network Device Groups (NDGs), click the name of the NDG to which the AAA client is to be assigned. Then, click Add Entry below the AAA Clients table.

If NDG option is not visible, you can enable Network Device Groups in ACS under Interface Configuration > Advanced.

Or

•Click Add Entry below the AAA Clients table, to add an AAA client when you have not enabled NDGs.

The Add AAA Client page appears.

Step 3 In the AAA Client Hostname box, type the name of your CiscoWorks server (up to 32 characters).

Step 4 In the AAA Client IP Address box, enter the IP address of your CiscoWorks server.

Step 5 In the Key box, type the shared secret key that your CiscoWorks server and ACS use to encrypt the data.

Step 6 From the Authenticate Using list, select TACACS + (CiscoIOS) as the network security protocol used by the AAA client.

Step 7 Click Submit + Restart.

Apart from adding your CiscoWorks server as an AAA client, you also need to add the devices to be managed by the CiscoWorks server as AAA clients to Cisco Secure ACS. When you are integrating with Cisco Secure ACS, your devices will not be visible from your CiscoWorks server if you have not added them as AAA clients in Cisco Secure ACS.

For information on adding network device groups and AAA client configuration, see the Network Configuration section of the User Guide for CiscoSecure ACS 4.1.

To change ACS settings:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup.

The Change ACS Setup page appears.

Change ACS Setup page contains these ACS Mode Status details.

•Server—Name or IP Address of the Server.

•Mode—The current mode of the Server. It can be ACS or Non-ACS.

If the mode is ACS, there will be a link. Click the link to view the ACS Connection Status for the server.

Step 2 Select the Change mode to ACS check box in the Login Module pane to change the login mode to ACS.

If the server is in ACS mode, the Change ACS Setup page will contain ACS tasks pane instead of Login Module pane. ACS tasks pane has these radio buttons:

•Update ACS Configuration (See Updating ACS Configuration.)

•Assign Group for missing devices (See Assigning Device Group.)

Configuring the ACS Mode

To change the mode to ACS:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup.

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If CiscoWorks Assistant finds there are pending devices, the Pending Device Count table is displayed. It shows the following details:

•Server—Server name.

•Application—The application in which there are pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—The reason due to which CiscoWorks Assistant could not fetch the pending device count. This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next. A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Change Mode to ACS check box and click Next to go the Configure ACS Mode page.

Note Ensure that the local server is an AAA client to ACS server.

Step 5 Click OK on the Notification pop-up window to continue with the ACS Mode change.

Step 6 Enter the required information in the ACS Mode Setup table to change the login mode to ACS.

If the DCR Master (local server) is already in ACS mode, the fields other than the passwords and secret keys will be pre-populated.

Field

Description

Server Details

Primary IP Address/Hostname

Enter the Primary IP Address/Hostname of the ACS server.

ACS TACACS+ port

Enter the ACS TACACS+ port number.

The default port number is 49. You can change the port based on the value configured in ACS.

Secondary IP Address/Hostname

Enter the Secondary IP Address/Hostname of the ACS server.

ACS TACACS+ port

Enter the ACS TACACS+ port number.

The default port number is 49. You can change the port based on the value configured in ACS.

Tertiary IP Address/Hostname

Enter the Tertiary IP Address/Hostname of the ACS server

ACS TACACS+ port

Enter the ACS TACACS+ port number.

The default port number is 49. You can change the port based on the value configured in ACS.

Login

ACS Admin Name

Enter the administrator username in ACS

ACS Admin Password

Enter the administrator password in ACS

Confirm Password

Re-enter the administrator password in ACS

ACS Shared Secret Key

Enter the secret key shared between ACS and the CiscoWorks server.

Confirm Key

Re-enter the ACS shared secret key

System Identity

User Name

Enter the system identity user name. This user should be already configured in ACS, with all privileges.

Password

Enter the system identity password value

Confirm Password

Re-enter the password.

Network Device Group Name

Network Device Group Name

Enter the Network Device Group Name value. Network Device Group name should present in the ACS.

This field appears only in a Multi-server set up, when you change the mode of a Slave. The local server (DCR Master) should be manually added as an AAA client in ACS, before you change mode to ACS. The workflow converts the other servers part of the Multi-server setup to ACS mode and also adds missing devices to the NDG you specify here.

Step 7 Select the Register all installed applications with ACS check box, if you are registering the applications for the first time.

In case an application is already registered with ACS, the current registration will overwrite the previous registration. When you select the Register all installed applications with ACS check box, you are prompted to confirm whether you want to continue with the settings.

See Common Services Online Help for details.

Step 8 Select the HTTP or HTTPS radio button under Current ACS Administrative Access Protocol.

Step 9 Click Next to complete the Mode change.

The Configure ACS Mode Progress page is displayed. You can view the ACS mode configuration status in this page. See Viewing the Configure ACS Mode Status for details.

User Configuration in Cisco Secure ACS

The System Identity User has to be created in ACS, and assigned Super Admin role in all applications in ACS.

You should create a user in ACS with the current System Identity User name, and assign Super Admin role to that user in all applications in the TACACS + options pane in Group Setup or User Setup UI in ACS.

See Configuring Device Management Command Authorization for a User Group in User Guide for CiscoSecure ACS 4.1.

Note Restart Daemon Manager after you create the System Identity User in ACS, and assign the Super Admin role for the changes to take effect.

The final step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to configure the CiscoWorks users within Cisco Secure ACS. Cisco Secure ACS allows you to define access permissions and policies for the registered CiscoWorks applications on a per user basis or user group basis.

See the following sections of the Cisco Secure ACS User Guide for more information on managing users and user groups:

•User Group Management

•User Management

When adding the user, you can configure access policies to define what the user is authorized to do depending on the role.

See Configuring Users in ACS section in User Guide for CiscoWorks Common Services 3.1 for information on:

•Assigning Privileges in ACS

•Creating and Modifying Roles in ACS

See also the white paper on CiscoWorks LMS Integration with Cisco Secure ACS, available on cisco.com

Viewing the Configure ACS Mode Status

You can view the ACS mode configuration status after you complete the Configure ACS Mode tasks.

To view the status, click Next after configuring the ACS mode.

The Configure ACS Mode Progress page is displayed.

The process of checking the status of various tasks might take some time.

You can either:

•Exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification. See Setting up E-mail Notification After Configuring ACS Mode for details.

Or

•Wait until the status checks complete to view the status.

The Configure ACS Mode Result page is displayed. See Viewing the Configure ACS Mode Result for details.

Setting up E-mail Notification After Configuring ACS Mode

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

Step 1 Select the Notify me when ACS tasks are complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have been completed.

Step 4 Click Enter Setup to view the ACS Mode Progress page after you receive the e-mail notification.

Viewing the Configure ACS Mode Result

Configure ACS Mode Result page displays the ACS Connection Status of all servers in the setup. To access the Configure ACS Result page you should have changed the server into ACS Mode.

To view the Configure ACS Mode Result page:

Step 1 Click Next, after the Configure ACS Mode tasks are complete.

The Configure ACS Mode result page appears with the following popup message:

Restart the LMS Daemon Manager of the following servers for the ACS changes to take effect:

<Server details>

Make sure the configured System Identity User is available in ACS Server.

Step 2 Restart Daemon Manager, and click OK to view the Configure ACS Mode Result page.

Step 3 To restart Daemon Manager:

•Stop daemon manager.

–On Solaris:

Run /etc/init.d/dmgtd stop

–On Windows:

Run net stop CRMdmgtd or net stop crmdmgtd

•Start daemon manager.

–On Solaris:

Run /etc/init.d/dmgtd start

–On Windows:

Run net start CRMdmgtd or net start crmdmgtd

The following ACS Connection Status details are shown:

•TACACS+ Connectivity With ACS Status—Reachability status of the ACS server

• HTTP/HTTPS Connectivity With ACS—Reachability status of the ACS server using HTTP or HTTPS

•CiscoWorks System Identity User Configuration in ACS— Information on privileges for the ACS server.

See the Setting up AAA Mode to ACS section in the User Guide for CiscoWorks Common Services 3.1, for further details.

Updating ACS Configuration

You can update the ACS server details using this option. You should have already completed the ACS Mode change to do this.

To update ACS server details:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If CiscoWorks Assistant finds there are pending devices, the Pending Device Count table is displayed. It shows the following details:

•Server—Server name.

•Application—The application in which there are pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—The reason due to which CiscoWorks Assistant could not fetch the pending device count.This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next. A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Update ACS Configuration radio button from the ACS Tasks pane.

The Update ACS Configuration check box appears in the ACS Tasks pane only if the server is in ACS mode.

Step 5 Click Next.

The following popup message appears:

Please ensure that local server is an AAA client to ACS server.

Step 6 Click OK to continue.

The Configure ACS Mode page appears with the pre-populated values in the ACS Mode Setup.

Step 7 Enter the new details in the ACS Mode Setup window.

You need to provide the current System Identity Username and Password. The NDG should be already be preset in ACS. You must also provide the Shared Secret key.

Step 8 Click Next to complete updating ACS configuration.

Step 9 Restart Daemon Manager for the changes to take effect.

Assigning Device Group

After you have integrated the CiscoWorks server with Cisco Secure ACS and assigned appropriate roles to the user you would not be able to see the devices added in DCR if the devices are not added as AAA clients to Cisco Secure ACS. CiscoWorks Assistant lets you add the missing devices into the appropriate NDG in ACS.

Common Services displays a report that has the list of DCR devices that need to be configured in ACS. See Generating Reports in DCR section of the User Guide for CiscoWorks Common Services 3.1, for details.

The Assign Device Group check box appears only if there are missing DCR devices in ACS. You can assign the devices to the appropriate NDG.

To assign device groups:

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If CiscoWorks Assistant finds there are pending devices, the Pending Device Count table is displayed. It shows the following details:

•Server—Server name.

•Application—The application in which there are pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—The reason due to which CiscoWorks Assistant could not fetch the pending device count.This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next. A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Assign group for missing devices radio button in the ACS Tasks pane.

Step 5 Click Next.

The Assign Device Group page appears.

Step 6 Enter the following information in the Export Devices to ACS table to add the missing devices into ACS:

•Server details—The IP address and port number of the ACS server.

•Login details—The ACS administrator name, password, and the shared secret key.

•Current ACS Administrative Access Protocol—The protocol used to connect to ACS server.

•Network Device Group name—The NDG to which you want to add the missing devices.

Step 7 Click Next to complete assigning device group.

Step 8 Stop daemon manager.

•On Solaris:

Run /etc/init.d/dmgtd stop

•On Windows:

Run net stop CRMdmgtd or net stop crmdmgtd

Step 9 Start daemon manager.

•On Solaris:

Run /etc/init.d/dmgtd start

•On Windows:

Run net start CRMdmgtd or net start crmdmgtd

Viewing the Server Setup Summary

You can view a summary of the tasks that you performed during the workflow, after you complete the workflow steps.

To view the summary, click Next after you perform the workflow steps.

The Server Setup Summary page is displayed. with the following details:

•Session Details

•Server Summary

•ACS Summary

•Operation Summary

The information on this page depends on the tasks that you performed.

You need not perform all of the Server Setup workflow tasks to view the Summary. You may skip the steps that you do not need to perform during a workflow session.

For example, you may perform the Manage Servers tasks and skip all the other tasks to get to the Summary page. The Summary page in this case, displays only the summary related to the Manage Servers tasks.

Session Details

The Session Details table displays the Start Time and the User Name for the current session.

Server Summary

The Server Summary lists all the servers in the setup. The fields in the Server Summary and their descriptions are given below.

•LMS Server—Host Name or IP Address of the server.

•Protocol—Protocol of the server can be HTTP or HTTPS

•Port—Port Number of the CiscoWorks server.

•DCR—DCR mode of the server. Mode can be DCR Master, Slave, or Standalone.

•SSO—SSO mode of the server. SSO Mode can be Master, Slave, or Standalone.

When you click the Expand button of the CiscoWorks server, it lists the applications installed in that server.

ACS Summary

The ACS Summary table lists all the servers and their current mode. The mode can be ACS or Non-ACS.

Operation Summary

The Operation Summary tables display the tasks that you performed during the Server Setup workflow. The fields in the Operation Summary, and their descriptions are given below

•Step—Step Name of the workflow.

•Last run—Date and Time when the step was executed.

•Details—Click the View link to view the Step Summary dialog box.

Click Finish to go to the Server Setup home page and end the current session.