Table Of Contents

Configuring LMS Server Using CiscoWorks Assistant

Before You Begin

Logging into CiscoWorks Assistant Server Setup Home Page

CiscoWorks Assistant Server Setup Home Page

Managing LMS Servers

Viewing Server Details

Adding a Server

Adding Server Details

Accepting Certificate Information

Setting up the System

Viewing Server Addition Summary

Editing Server Details

Deleting a Server

Setting up System Identity User

Setting and Editing the Device Management Mode

Allocating Device Groups to CiscoWorks Applications

Viewing Auto Allocation Summary Report

Viewing Server Management Status

Setting Default Credential Sets

Editing a Default Credential Set

Viewing Credential Sets Status

Configuring Device Credential Policies

Adding a Device Credentials Policy

Editing a Device Credentials Policy

Deleting a Device Credentials Policy

Defining the Order of Device Credential Policies

Viewing Device Credentials Policy Configuration Status

Adding Devices

Adding Devices Using Bulk Import From File

Adding Devices Using Bulk Import From NMS

Adding Devices Using Common Services Device Discovery

Setting SNMPv2 Parameters

Setting SNMPv3 Parameters

Viewing Add Devices Status

Deleting SNMPv2 Details

Deleting SNMPv3 Details

Managing Devices

About Device Selector

Viewing Allocate Devices Status

Changing ACS Setup

Configuring the ACS Mode

Viewing the Configure ACS Mode Status

Viewing the Configure ACS Mode Result

Updating ACS Configuration

Assigning Device Group

Viewing the Server Setup Summary

Configuring LMS Server Using CiscoWorks Assistant

---

The Server Setup workflow helps you to setup and manage CiscoWorks LAN management Solution (LMS) servers. It helps you to simplify the deployment and setting up of single or multiple LMS servers.

The Server Setup workflow assists you in:

•Managing LMS Servers—You can add servers, set up System Identity User accounts, and set up the device management mode.

•Setting Default Credential Sets—You can use the Credential Set feature to prevent the management applications from failing if devices added or imported into DCR do not contain all necessary credentials. Credentials are stored in DCR and are not associated with any device.

•Configuring Device Credential Policies—You can configure device credential policies and apply the default credentials for a range of devices to be added or imported to DCR.

•Adding Devices—You can populate the servers with network devices, either by dynamic discovery, or bulk import.

•Managing Devices—You can manage devices in each application after adding them into DCR.

•Changing ACS Setup—You can configure the ACS mode and assign device groups.

This chapter also contains:

•Before You Begin

•Logging into CiscoWorks Assistant Server Setup Home Page

•CiscoWorks Assistant Server Setup Home Page

•Viewing the Server Setup Summary

Before You Begin

Before you start using the Server Setup workflow, review the following topics:

•About Single-Server and Multi-Server Setups

•About AAA Mode

•Related Documentation

•Implications of DCR and SSO Modes on Server Setup Workflow

•Navigating Within Server Setup Workflow

About Single-Server and Multi-Server Setups

If the CiscoWorks applications are installed on a single LMS server, the setup is considered as a Single-server setup.

For large deployments, you may opt to have multiple servers for a single managed network by distributing applications across multiple servers for better performance and scaling. This setup is considered as a Multi-server setup. The Multi-server setup requires the various LMS servers part of the setup work in sync with each other.

You will encounter the following terms and concepts while setting up and working on a Multi-server setup:

•Peer Server Certificate Setup

Peer Server Certificates are used to allow one CiscoWorks server to communicate with another using SSL. In a Multi-server set up you have two or more servers on which CiscoWorks applications are installed. CiscoWorks allows you to add the certificate of another CiscoWorks server (a peer server) into its trusted store.

•System Identity Setup

Communication between multiple CiscoWorks servers is enabled by a trust model addressed by certificates and shared secrets. System Identity setup should be used to create a trust user on Slave servers to facilitate communication in Multi-server scenarios. This trust user is called System Identity User. The System Identity User is also used for inter-process communication.

A default System Identify User admin is created during installation. During the installation, you should provide the password for System Identity user. This password can be different from the password you provide for the admin user used to log in to CiscoWorks.

CiscoWorks Assistant allows you to create a System Identity User in all servers that are part of the Multi-server set up.

The System Identity User is a Local User with all privileges. The user will automatically be made a Peer Server User too.

If the LMS server is in ACS mode, the System Identity User should be present in ACS user data base with Super Admin privileges assigned.

•Peer Server Account Setup

Peer Server Account Setup helps you create users who can programmatically login to CiscoWorks servers and perform certain tasks. These users should be set up to enable communication between multiple CiscoWorks servers. Peer Server Account can be set up in Common Services.

•Device and Credentials Repository (DCR)

The DCR lets you manage the device list, and associated credentials and other user-defined device attributes at a single place, in a management domain. In a Multi-server setup, where each server could host one or more LMS application instances, the DCR serves as a single place from where you can manage the device lists and related attributes, for use by all applications in the setup.

DCR helps multiple applications share device lists and credentials using a client-server mechanism, with secured storage and communications. The CiscoWorks applications can read or retrieve the information from this repository.

–In a Single-server scenario, the DCR would be operating in a Standalone mode (default mode after installation)

–In a Multi-server scenario, user should designate one of the servers as the Master and configure the other servers in a Slave mode.

The Slave servers keep their copy of the DCR data, in sync with the Master DCR.

The Master DCR server refers to the master repository of device list and credential data. There is only one Master repository for each management domain, and it contains the most up-to-date device list and credentials. DCR Slaves are slave instances of DCR on other servers and provide transparent access to applications installed on those servers.

Any change to the repository data occurs first in the Master with the changes being propagated to all the Slaves. There can be more than one Slave in a management domain but any slave can become a master at any time.

In Standalone mode, DCR maintains an independent repository of device list and credential data. It does not participate in a management domain and its data is not shared with any other DCR. It does not communicate with or contain registration information about any other Master, Slave, or Standalone DCR.

Devices newly added in DCR can be managed by an application in following ways

•Auto Allocation Off mode—In this mode, automatic addition of devices to LMS applications is disabled. This mode allows you to selectively add devices to the application from DCR and add the previously deleted devices back into the application.

•Auto Allocation - All Devices—In this mode, all devices in DCR are added to the selected LMS application.

•Auto Allocation - Allocate by Groups mode—In this mode, devices that belong to a specific group in Common Services are added to LMS applications.

The Single Sign On (SSO) feature helps you to use a single session to navigate to multiple CiscoWorks servers without having to authenticate to each of them.

For Single Sign On, one of the CiscoWorks servers needs to be set up as the authentication server. The SSO authentication server is called the Master, and the SSO regular server is called the Slave. If there is no SSO Master server configured in your setup, the local server is selected as SSO Master.

You must perform the following tasks if the server is either configured as Master or Slave:

•Configure the System Identity User and password in both Master and Slave. The System Identity User name and password you specify in Master and Slave should be the same.

•Configure Master's Self Signed Certificate in Slave.

About AAA Mode

CiscoWorks provides a robust security mechanism to manage identity and access to the CiscoWorks applications, and data in a multi-user environment.

By default, CiscoWorks Server authentication (CiscoWorks Local) is used to authenticate users, and authorize them to access CiscoWorks applications. After authentication, your authorization is based on the privileges that have been assigned to you.

A privilege is a task or an operation defined within the application. The set of privileges assigned to you defines your role. It dictates how much, and what type of system access you have.The CiscoWorks Server authorization scheme has pre-defined roles. In this mode, you cannot change the roles, or the privileges assigned to these roles. However, a user can be assigned a combination of these roles.

CiscoWorks Server can be integrated with Cisco Secure Access Control Server (ACS) to provide improved access control using authentication, authorization, and accounting (AAA). Cisco Secure ACS provides authentication, authorization, and accounting services to network devices that function as AAA clients.

In ACS mode, you can create custom roles to best suit your business workflow and needs. That is, you can create a user, and assign the user with a set of privileges, that would suit your needs.

CiscoWorks Assistant helps you in changing the login module of all servers part of the multi-server set up to ACS mode. See Changing ACS Setup for details. See also, Adding Server Details.

Implications of DCR and SSO Modes on Server Setup Workflow

The Server Setup workflow assists you in setting up a Multi-server set up. You can add servers, create System Identity Users, modify the device mode, add and manage devices, and change the AAA mode to ACS using the workflow.

If you are installing the CiscoWorks applications for the first time, the setup will be considered as a Single-server setup, and the local host will be displayed in the table.

In a Multi-server setup, the Server Setup workflow runs only on the DCR Master server.

In Server Setup workflow, the local server will be treated as DCR Master server if the setup is converted from Single-server setup to Multi-server setup. That is, using CiscoWorks Assistant if you add another server to a Standalone server, the DCR mode of the Standalone server to which the new server is added will be changed to Master.

A Multi-server setup must have one SSO Master. The other LMS servers must be in SSO Slave mode. If there is no SSO Master server configured in your setup, the local server is set as SSO Master.

If the server is already configured for Multi-server setup, CiscoWorks Assistant automatically performs a Server Discovery to collect all the server information in the setup and displays it. Server Discovery runs once every hour.

The existing server setup will be discovered when you invoke the CiscoWorks Assistant workflow pages, if the last discovery occurred before 60 minutes. Also, Server Discovery runs at the end of the Manage Server tasks and CiscoWorks Assistant collects all the updated information.

If the SSO Master is not reachable, you cannot perform any operation in the Server Setup workflow. Also, if any of the servers is unreachable, you cannot perform the Manage Servers and Change ACS Mode Setup steps.

Navigating Within Server Setup Workflow

If you are starting the workflow for the first time, click Start Setup to enter into the Server Setup workflow.

To get back to the initial Server Setup workflow screen from any other screen, click Cancel.

If you have operated the workflow earlier, and logged out from the CiscoWorks, or closed the browser after a particular task, you can continue from that task. To do this, click Enter Setup.

The links in the Server Setup table-of contents (at the top-left corner of the screen) are disabled after you enter the workflow.

After you enter the Server Setup workflow, you can navigate among the available options using the Back, Skip, Next and Cancel buttons.

•Back button

Takes you to the previous screen. When you click Back, the previous step will not be rolled back. CiscoWorks Assistant does not retain the values you entered previously.

•Skip button

Allows you to skip a task, and get to the next task. For example, if you want to get to the Default Credential Sets page from the Manage Servers page, without getting into the System Identity User Setup or Device Management mode page, click Skip.

•Next button

Takes you to the screen that is after the current screen.

•Cancel button

Takes you to the initial Server Setup workflow screen from any screens. When the cancel action is performed during the middle of an task or a process, the task or the process will not be terminated, instead it will be executed from background.

CiscoWorks Assistant runs only one instance of Server Setup workflow. You can end an active session of another user if there are no operations running in that session. To end the session, you need to enter the System Identity User details. If any operations are running, you cannot end the session.

Also, multiple operations cannot be initiated by the same user, simultaneously. The operation is allowed only after the operation that is in progress is completed.

To go to the CiscoWorks Assistant home page click Home.

Logging into CiscoWorks Assistant Server Setup Home Page

Before you start with the Server Setup workflow, read the Before You Begin topic to help you understand the features better.

The initial screen for the workflow is the Current System Identity screen.

To access the Server Setup workflow,

---

Step 1 Enter the system identify username in the Username field.

Step 2 Enter the password relevant to the user specified in the Password field.

Step 3 Click OK.

The Server Application List window appears. See CiscoWorks Assistant Server Setup Home Page for details.

To go back to the CiscoWorks Assistant home page, click Cancel.

---

CiscoWorks Assistant Server Setup Home Page

The Server Application List window appears after entering the system identify user details in the Current System Identity screen.

Table 3-1 described the fields in the Server Application List window.

Table 3-1 Server Application List Window Details

Field	Description
LMS Server	IP Address of the LMS server or Display Name of the LMS server.
Reachability	Reachability status of the LMS server.

When you click the Expand button of the LMS server, a new pane gets added to the Server Application List window. Table 3-2 described the fields in the new pane.

Table 3-2 Application Version Support Details

Field	Description
Applications	Name of the application installed in the server. This can be any of the following: •Common Services •Campus Manager •CiscoView •RME •Integration Utility •Internetwork Performance Monitor •Health and Utilization Monitor •Device Fault Manager
Version	Version number of the CiscoWorks application.
Version Supported	If the version of the application is supported by CiscoWorks Assistant, a tick mark in green is displayed. For unsupported applications, a cross in red is displayed. You cannot perform any tasks using the workflow on unsupported applications.

You can perform the following Server Setup workflow tasks:

•Manage Servers (See Managing LMS Servers)

•Set Default Credential Sets (See Setting Default Credential Sets)

•Configure Device Credential Policies (See Configuring Device Credential Policies)

•Add Devices (See Adding Devices)

•Manage Devices (See Managing Devices)

•Change ACS Setup (See Changing ACS Setup)

After you complete the Server Setup workflow, you can view a detailed summary of all the tasks that you have performed during the workflow. See Viewing the Server Setup Summary for details.

Managing LMS Servers

The Manage Servers page displays the CiscoWorks server Details. This page allows you to:

•View server details (See Viewing Server Details)

•Add a server. (See Adding a Server)

•Set up System Identity User (See Setting up System Identity User)

•Set up the Device Management mode (See Setting and Editing the Device Management Mode)

•Allocate desired devices to a group for all CiscoWorks applications (See Allocating Device Groups to CiscoWorks Applications)

You can also:

•View Server Addition summary (See Viewing Server Addition Summary)

•View Device Management status (See Viewing Auto Allocation Summary Report)

•View Server Management status (See Viewing Server Management Status)

•Edit a server (See Editing Server Details)

•Delete a server (See Deleting a Server)

---

Note All the servers you want add to create the Multi-server set up should be DNS resolvable. If not, you will not be able to add servers.

---

Viewing Server Details

To view server details:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers from the CiscoWorks Assistant home page.

The Server Application List table lists the LMS servers.

Step 2 Click Start Setup.

The CiscoWorks Server Details table appears with the following details.

•Hostname/IP Address—Hostname or IP Address of the CiscoWorks server.

•Server Display Name—Display name you have set up for the LMS server.

•Protocol—Protocol of the server. This can be HTTP or HTTPS.

•Port—Port number of the CiscoWorks server.

•Admin Username—Admin username for the server.

•DCR—DCR mode of the server. Mode can be DCR Master, Slave, or Standalone.

•SSO—SSO mode of the server. SSO mode can be Master, Slave, or Standalone.

See the User Guide for CiscoWorks Common Services 3.3 for information on DCR and SSO modes.

---

Adding a Server

To add a server you must:

---

Step 1 Enter the server details.

See Adding Server Details for details.

Step 2 Accept the necessary certificate information.

See Accepting Certificate Information for details.

Step 3 Configure the SMTP server and the E-mail ID.

See Setting up the System for details.

Step 4 Create a trust user on the servers that are part of a Multi- server setup.

See Setting up System Identity User for details.

---

After you add a server, you can set up the Device Management mode for all applications (See Setting and Editing the Device Management Mode). This determines whether the devices should be managed by the different applications when they are added to the DCR.

You can view a summary of server addition, after you complete the necessary tasks. See Viewing Server Addition Summary for details.

Adding Server Details

To add details to a CiscoWorks server:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Click Add.

The Add Server dialog box appears.

Step 3 Enter the following server details:

•Hostname/IP Address—Hostname or IP Address of the CiscoWorks server. If the server you add is in DCR Master mode, or if it is the slave of another DCR master, it will not allow you to add the server.

•Administrator Username—Admin username for the server.

•Administrator Password—Admin username for the server.

•Protocol—Protocol of the server. This can be HTTP or HTTPS.

•Port—Port Number of the CiscoWorks server.

If the DCR Master (local server) is in ACS mode, you should enter the Network Device Group (NDG) details.

CiscoWorks Assistant will convert the server you add here into ACS mode, after the Manage Servers workflow has completed.

Select an option "Register all installed applications with ACS" to register all the installed applications with the ACS Server for the first time.

If an application is already registered with ACS, the current registration will overwrite the previous registration.

Hence any custom role that has been created in ACS will be lost for those applications.

If the server you are adding has already been integrated with another ACS server, it will get integrated to the ACS server to which the DCR Master (local server) is integrated, after the successful completion of Manage Servers step.

You must restart the daemon manager in the server that you have added, after the Manage Server process is complete. If you have added multiple servers, you must restart the daemon manager in all of the servers that you have added.

If the DCR Master is in CiscoWorks Local mode, you cannot add servers that are in ACS mode.

Step 4 Click Next to continue.

The CiscoWorks server is contacted to validate the Device and Credential Repository settings, and to fetch the Certificate information. See Accepting Certificate Information for details.

---

Accepting Certificate Information

If a CiscoWorks server needs to communicate to another CiscoWorks server, it must possess the certificate of the other server. You can add certificates of any number of peer CiscoWorks servers to the trusted store.

For more information on certificates, and importing peer server certificates, see the following sections in the User Guide for CiscoWorks Common Services 3.3:

•Creating Self Signed Certificates

•Setting up Peer Server Certificate

To view and accept the certificate:

---

Step 1 Click Next, after adding the server details,

The Server Setup window appears with the following certificate information.

•Version—Certificate version number

•Serial Number—Certificate serial number

•Issued By—Information on the certificate issuing authority.

•Issued To—Information about the certificate holder.

•Effective From—Displays the date from which the certificate is valid.

•Expiry Date—Expiry date of the certificate

•Signature—Signature information of the certificate

•Sign Algorithm—Sign algorithm used by the CiscoWorks for the certificate

Step 2 Select the Accept Certificate check box.

Step 3 Click Next to continue.

The Server Setup window is displayed. You can set the SMTP server and the CiscoWorks E-mail ID to receive e-mails from CiscoWorks server. See Setting up the System for details.

---

Setting up the System

The Server Setup window allows you to set up the SMTP server, and the CiscoWorks E-mail ID. The SMTP settings in CiscoWorks Assistant are specific to a server. If you change the SMTP settings in DCR master (local server), the SMTP server name and e-mail ID is set in the DCR master (local server) alone.

To change the SMTP settings in slaves, you need to go to the individual servers and set up SMTP details.

---

Step 1 Enter the SMTP server details in the SMTP Server field.

This is the system-wide name of the SMTP server used by CiscoWorks applications to deliver reports. The default server name is localhost.

Step 2 Enter the e-mail ID in the CiscoWorks E-mail ID field.

This is the CiscoWorks e-mail ID from which applications send e-mail notifications. There is no default e-mail ID.

These fields will be already populated if the SMTP server and e-mail ID have been set up in the Common Services > Server > Admin > System Preferences screen or using LMS Setup Center.

Step 3 Click OK.

---

Viewing Server Addition Summary

The Add Server Summary page provides the following details:

•LMS Server—LMS Server name or IP Address

•Server Display Name—Display name of the newly added server.

•DCR Settings—Displays the current and the new DCR modes of the server.

–Current Settings: DCR mode of the server before it was added to the Multi-server set up.

–New Settings: DCR mode of the server after it was added to the Multi-server set up.

•SSO Settings—Displays the current and the new DCR modes of the server.

–Current Settings: SSO mode of the server before it was added to the Multi-server set up.

–New Settings: SSO mode of the server after it was added to the Multi-server set up.

When you add a server to the existing setup, the added server will become SSO and DCR Slave. However, if you want to make the added server the SSO Master, select the Set as Master check box.

CiscoWorks Assistant does not allow you to convert the DCR mode of the added server from Slave to Master because this could result in applications losing data. You can go to the Setting up System Identity User procedure, after you complete the Add Server procedure.

To go to the Default Credential Sets Page, click Skip.

Editing Server Details

To edit a server:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Select the server by clicking the Host Name/IP Address radio button, and click Edit.

The Edit Server dialog box appears.

This dialog box has pre-populated values in Hostname/IP address, Protocol, Port and Current SSO Settings fields. All fields in the Edit Server dialog box can be edited, except the Hostname/IP address, Protocol, Port, and Current SSO settings fields.

•If the server is in SSO Slave mode, you can change it to SSO Master, by selecting the Set as Master check box.

•If the server is in SSO Master mode, you can change it to SSO Slave mode by selecting the Set as Slave check box. The Set as Slave check box is not available on the local server.

Step 3 Enter the Server Details and Setup parameters in Edit Server dialog box, and click OK.

Step 4 Click Next.

The New System Identity User window appears.

Step 5 You can either:

•Enter the new System Identity Username and Password, confirm Password, and click Next

Or

•Click Skip to proceed, if you do not want to change the current System Identity User.

The Device Management Mode page appears.

Step 6 Click Next, after you modify the Device Management mode.

See for Setting and Editing the Device Management Mode more information.

If you do not want to change the settings, click Next when you get to this page without making any modifications to the existing Device Management mode. The Skip button is disabled in this page.

The workflow initiates after you click Next. The modifications you made are saved when the tasks are complete.

---

Deleting a Server

To delete a server from the setup:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers

Step 2 Select the server by clicking the Host Name/IP Address radio button.

Step 3 Click Delete.

The Delete Confirmation popup appears.

Step 4 Click OK to delete the selected server.

The Marked for Deletion tag appears adjacent to the server you selected in Step 2.

Step 5 Click Next.

The New System Identity User window appears.

You can skip the New System Identity User procedure if you do not want to change the current System Identity User details. To do this, click Skip.

The Device Management Mode page appears.

Step 6 Click Next in the Device Management Mode page.

You can change the Device Management mode here. This page does not have a Skip button. You need to click Next to proceed with the tasks. The workflow initiates after you click Next.

The server marked for deletion will be removed from the set up after the Manage Servers tasks are complete.

The Marked for Deletion tag appears only for servers that are already added.

If you add a server and delete it immediately after adding it, that is, if you perform the Add Server and the Delete Server tasks in same UI session, the Marked for Deletion tag does not appear in the screen.

In this case, the newly added server is not marked for deletion, and is removed from the screen when you click OK in the Delete Confirmation pop-up.

---

Retaining a Server Marked for Deletion

To retain a server marked for deletion:

---

Step 1 Select the server by clicking the Host Name/IP Address radio button.

Step 2 Click Undelete.

The Undelete button appears only if you select a server that is marked for deletion.

The Undelete Confirmation pop up appears

Step 3 Click OK to retain the server.

---

If you try to add a server that is marked for deletion back to the set up, using the Add button, the Undelete Confirmation pop-up is displayed. Click OK to retain the server in the setup.

After the server is deleted from the setup, the deleted server goes into the DCR Standalone and SSO Standalone modes. The workflow also removes the Trust that is set up from all the deleted servers.

You cannot remove the local server from the setup.

If you remove the SSO Master, you can assign any other server as the SSO Master. If you do not select another server as the SSO Master, the workflow will assign the local server as the SSO Master. If you remove the SSO Master, the Multi-server setup is not removed.

You cannot delete the DCR Master.

In a Multi-server setup that has two servers, the workflow will remove the Multi-server setup if you remove one of the servers. In such a case, the local server switches to the Standalone mode.

Setting up System Identity User

System Identity setup helps you to create a trust user on servers that are part of a Multi-server setup. This user enables communication among servers that are part of a management domain. There can only be one System Identity user for each server.

The System Identity user you configure must be a Peer Server user.

•In the Non-ACS mode, the System Identity user that you create must be a Local user, with all privileges.

•In the ACS mode, the System Identity user should be configured in ACS, with Super Admin privileges, in all applications registered in ACS. You can either configure the System Identity User with the predefined Super Admin role or with a custom role created with all privileges in ACS server.

See User Guide for CiscoWorks Common Services 3.3 for more details on System Identity setup.

Before you set up the System Identity user, you must add the server.

To set up the System Identity user:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Manage Servers.

Step 2 Click Next.

The New System Identity Setup page appears.

If you want to change the System Identity setup values, enter the new System Identity username and password in the text field, re-enter the password in the confirm password field, and click Next to complete the System Identity User setup.

CiscoWorks Assistant ensures the new user you create has all the necessary privileges. CiscoWorks Assistant ensures that the new user you create, has all privileges.

Otherwise, click Skip.

---

Setting and Editing the Device Management Mode

The Device Management mode determines whether the new devices are automatically managed by CiscoWorks applications.

You have to add your server before you get to this stage. If you are in a Multi-server setup, you must also set up a System Identity user before you begin this task.

See the application-specific User Guides to know more about device management modes in different CiscoWorks applications.

To set the Device Management mode:

---

Step 1 Click Next, after adding the server or setting up the System Identity User.

The Device Management Mode page appears.

The possible device management modes are given in Table 3-3.

Table 3-3 Device Management Modes

Device Management Mode	Description
Auto Allocation Off	In this mode, automatic addition of devices to LMS applications is disabled. You can use this option to: •Selectively add devices to the application from DCR. •Add the previously deleted devices back into the application. You can manually add the devices to LMS applications even if you have selected other modes for device management.
Auto Allocation - All Devices	In this mode, all devices in DCR are added to the selected LMS application. This is also limited by the LMS license you have purchased.
Auto Allocation - Allocate by Groups	In this mode, devices that belong to a specific group in Common Services are added to LMS applications. This is also limited by the LMS license you have purchased. You must select a group name for all applications that are on installed on local and peer servers.

By default, the Device Management Mode page in CiscoWorks Assistant shows the current status of the device management mode of applications that have been set up in their respective Device Management Settings pages.

Step 2 Select any of the following modes from the drop down list for each CiscoWorks server application installed on the local server (Standalone mode) or installed on all peer servers (Master-Slave mode):

•Auto Allocation Off

•Auto Allocation - All Devices

•Auto Allocation - Allocate by Groups

---

Note The applications on the peer servers will not be listed when the peer servers are down or if an earlier version of LMS applications is installed on the servers.

---

Step 3 Click Next.

The workflow performs the assigned tasks when you click Next in the Device Management Mode page. The Manage Servers progress page displays the Server Management status and the Manage Server tasks gets completed here. See Viewing Server Management Status for details.

Step 4 If you have selected the Auto Allocation - Allocate by Groups mode for at least one CiscoWorks application, the Auto Allocation page appears. See Allocating Device Groups to CiscoWorks Applications for details.

---

Allocating Device Groups to CiscoWorks Applications

You must assign the device groups to CiscoWorks applications when you have configured the device management mode as Auto Allocation - Allocate by Groups. The Auto Allocation page that appears after the Device Management page helps you to perform this task.

The Assign Groups page appears only when at least one CiscoWorks application is configured with Allocate by Groups mode.

To assign the device groups to CiscoWorks applications:

---

Step 1 Click Next after configuring the Device Management mode.

The Auto Allocation page appears. It displays:

•A list of CiscoWorks applications configured with Auto Allocation - Allocate by Groups mode

•Group Selector

You can click Refresh to get the latest information (device groups) in Device Group Selector.

You can also create new groups or edit groups in the Common Services Group Administration page. To do so, click Group Admin located at the bottom of the Assign Groups page.

Step 2 Select an application from the list of CiscoWorks applications displayed. You can select only one application at a time.

Step 3 Select a group from the Group Selector.

Step 4 Click Apply to save the changes.

To cancel the selection process, click Cancel.

Step 5 Select another application from the list and assign a group from Group Selector.

Step 6 Click Apply to save the changes.

Step 7 Complete assigning groups to all the applications in the list.

Step 8 Click Next.

A detailed report containing the device management status is displayed in tabular format. See Viewing Auto Allocation Summary Report for details.

---

Viewing Auto Allocation Summary Report

After you have completed assigning device groups to all CiscoWorks applications whose Device Management mode is Auto Allocation - Allocate by Groups, you can see a detailed report of the device management status.

To view the Auto Allocation Report:

---

Step 1 Click Next on the Auto Allocation page.

The Auto Allocation Summary Report appears with the details given in Table 3-4.

Table 3-4 Auto Allocation Summary Report

Field	Description
Server	Name of local or remote CiscoWorks Server.
Application	Name of the application in local or peer CiscoWorks Server managing the devices.
Number of Devices Currently Managed	Number of devices managed by the application before the auto allocation of devices to groups.
Number of New Devices After This Rule Change	Number of new devices managed by the application after the auto allocation of devices to groups.
Number of Devices Deleted After This Rule Change	Number of devices deleted and not managed by the application after the auto allocation of devices. This field is applicable only for Campus Manager. This displays NA for the rest of CiscoWorks Applications.
Total Number of Devices After This Rule Change	Total number of devices managed by the application after the auto allocation of devices.
Current License Limit	Number of devices that the LMS License allows the application to manage.

Step 2 Click Next to view the Server Management Status.

---

Viewing Server Management Status

The Manage Servers progress page that appears after you complete the Device Management mode and Group Assignment setup, displays the status of the Manage Server tasks that you have performed.

For information on setting up Device Management mode, see Setting and Editing the Device Management Mode.

To view the Manage Severs tasks status:

---

Step 1 Select the Device Management mode and click Next.

The Manage Servers Progress page appears.

This process takes some time to check the status of various tasks.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. You can then exit from the workflow before the tasks are complete.

You can view the status after you get an e-mail notification that the tasks have completed. See Setting up E-mail Notification After Managing Server Tasks for details.

Or

•Wait until the status check has completed to view the status.

The status on the following is displayed:

•System Identity user validation.

•New System Identity user creation, if you have added new System Identity User values.

•Trust removal from all deleted CiscoWorks servers, if you have deleted any servers.

•Trust creation for the newly added server by the System Identity setup configuration and certificate addition.

•Configuring new System Identity user on all servers.

•Configuring SMTP Server and e-mail.

•Device Management mode configuration.

•DCR mode configuration. If you add a Standalone server, it is converted into the Slave of the local server.

–In a Single-server scenario, if you add a new server, the local server is made the Master, and the newly added server is made the Slave.

–In a Multi-server set up, the newly added server is made the Slave of the DCR Master. If the local server (DCR Master) is in ACS mode, the AAA mode of the added server is set as ACS.

•SSO Mode change, if you have changed the SSO mode.

•Server Discovery step to update the CiscoWorks Assistant database.

•Groups allocated for all applications, when the Auto Allocation - Allocate by Groups option is selected.

Step 2 Click on the relevant step link to view the detailed status report for that step.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

---

Setting up E-mail Notification After Managing Server Tasks

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

---

Step 1 Select the Notify me when Manage Servers Tasks are Complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Otherwise, the default e-mail address YourName@YourDomainName.com is displayed.

Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have completed.

Step 4 Click Enter Setup to view the Manage Server status page after you receive the e-mail notification.

---

Setting Default Credential Sets

DCR manages the details of multiple default credential sets. Each Default credential set comprises of the components listed below. The Default credential set can be associated with the each device while adding or importing devices into DCR.

Each default credential set comprises:

•Primary Credentials (Username, Password, Enable Password)

•Secondary Credentials (Username, Password, Enable Password)

•Rx Boot Mode Credentials (Username, Password)

•SNMPv2c/SNMPv1 Credentials (Read-Only Community String, Read-Write Community String)

•SNMPv3 Credentials (Mode, Username, Authentication Password, Authentication Algorithm, Privacy Algorithm, Privacy Password)

•HTTP credentials (Primary HTTP Username and Password, Secondary HTTP Username and Password, HTTP/HTTPS port, Current Mode)

•Auto Update Server Managed Device Credentials (Username and Password)

The recommended multiple default credential sets configurations are set to 50 default credential sets. You can use the default credentials for devices and edit their credentials appropriately. You can configure the default credentials and use them in the applications. Similar to Common Services, if the default credentials cannot be accessed from DCR, CiscoWorks Assistant will not assign the credentials.

All the credential information will be populated from the DCR Master. If the credentials are already available in DCR database, they will be updated by the new values you enter, after setting default credentials.

To set the device credentials:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Default Credential Sets.

The Default Credential Sets page appears.

You can:

•Add Credential Set Name (See Adding Credential Set Name)

•Set Standard credentials (See Setting Standard Credentials)

•Set SNMP credentials (See Setting SNMP Credentials)

•Set HTTP credentials (See Setting HTTP Credentials)

•Set Auto Update Server managed Device Credentials (See Setting Auto Update Server)

•Set Rx Boot Mode credentials (See Setting Rx Boot Mode Credentials)

Step 2 Click Next to complete the Credentials Settings.

The Credential Sets Progress page appears. This page provides the status of the Credential Sets tasks. See Viewing Credential Sets Status.

---

Adding Credential Set Name

To add the Credential Set name:

---

Step 1 Click Credential Set Name in the Default Credential Sets page.

The Credential Set page appears.

Step 2 Select Add New from the Credential Set drop-down list.

Step 3 Enter the name of the credential set in the Credential Set Name field. This is mandatory.

The specified name will be appended with the screen name.

Specify the credential set name with the constrains listed below:

•Alphabets A-Z and a-z

•Numbers 0-9

•Special Characters -, _, .

Step 4 Enter the credential set description in the Set Description field.

Step 5 Select a credential type from the Default Credentials list panel and enter the respective credential information. You can select any of these credential types from the panel.

•Standard Credentials

•SNMP Credentials

•HTTP Credentials

•Auto Update Server Managed Device Credentials

•Rx-Boot Mode Credential

Step 6 Enter the following credentials as required:

•Standard Credentials (See Setting Standard Credentials)

•SNMP Credentials (See Setting SNMP Credentials)

•HTTP Credentials (See Setting HTTP Credentials)

•Auto Update Server Managed Device Credentials (See Setting Auto Update Server)

•Rx-Boot Mode Credential (See Setting Rx Boot Mode Credentials)

You must enter a value for at least one credential before applying the default credentials.

Step 7 Click Apply to apply the credential set details in Common Services. You can also apply the changes by clicking Next.

To cancel the changes, click Cancel.

To delete a default credential set, click Remove. A delete confirmation popup appears.

---

Setting Standard Credentials

To set Standard credentials:

---

Step 1 Click Standard Credentials in the Default Credential Sets page.

The Standard Credential page appears.

Step 2 Add the following credentials:

•Primary credentials (Username, Password, Enable Password)

•Secondary credentials (Username, Password, Enable Password)

Step 3 Re-enter the passwords in the Verify fields.

---

Setting SNMP Credentials

To set SNMP credentials:

---

Step 1 Click SNMP Credentials in the Default Credential Sets page.

The SNMP Credential page appears.

Step 2 Add the following credentials:

•SNMPv2c/SNMPv1 credential

•SNMPv3 credential

You must select the SNMPv3 checkbox to enter the SNMPv3 Credentials. By default, these fields are disabled.

Step 3 Enter the Read-Only Community String and Read-Write Community String for SNMPv2c/SNMPv1 credentials.

Step 4 Select any one of the following security levels in the Mode field for SNMPv3 credentials.

•NoAuthNoPriv

•AuthNoPriv

•AuthPriv

You can enter the SNMPv3 credentials based on the selected mode.

Step 5 Enter the Authentication Username and Authentication Password.

Step 6 Select an Authentication Algorithm from the drop-down list.

The Authentication Algorithm field value can be MD5, SHA-1, or None.

Step 7 Enter the Privacy password.

Step 8 Select a Privacy algorithm from the drop-down list.

The Privacy Algorithm field value can be DES, 3DES, AES128, AES192, AES256, or None.

Step 9 Re-enter the passwords in the Verify fields.

---

Setting HTTP Credentials

To set HTTP credentials:

---

Step 1 Click HTTP Credentials in the Default Credential Sets page.

The HTTP Credential page appears.

Step 2 Add the following credentials:

•Primary credential

•Secondary credential

Step 3 Enter the username and passwords for Primary and Secondary credentials.

Step 4 Re-enter the passwords in the Verify fields.

Step 5 Enter:

•HTTP Port

•HTTPS Port

Step 6 Select either HTTP, HTTPS, or None from the Current Mode drop-down list.

---

Setting Auto Update Server

To set Auto Update Server Managed Device credentials:

---

Step 1 Click Auto Update Server Managed Device Credentials in the Default Credential Sets page.

The Auto Update Server Managed Device Credential page appears.

Step 2 Enter the username and password.

Step 3 Re-enter the password in the Verify field.

---

Setting Rx Boot Mode Credentials

To set Rx Boot Mode credentials:

---

Step 1 Click Rx Boot Mode Credentials in the Default Credential Sets page.

The Rx Boot Mode Credentials page appears.

Step 2 Enter the username and password.

Step 3 Re-enter the password in the Verify field.

---

Editing a Default Credential Set

To edit a default credential set,

---

Step 1 Click Credential Set Name in the Default Credential Sets page.

The Credential Set page appears.

Step 2 Select an existing credential set which needs to be edited, from the Credential Set drop-down list.

The details relevant to the selected credential set will be displayed for editing.

Specify the credential set name with the constrains listed below:

•Alphabets A-Z and a-z

•Numbers 0-9

•Special Characters -, _, .

Step 3 Edit the required details, by selecting relevant credential type from the Default Credentials list panel. The available credentials details are:

•Standard Credentials

•SNMP Credentials

•HTTP Credentials

•Auto Update Server Managed Device Credentials

•Rx-Boot Mode Credential

Step 4 Click Apply to apply the changes in Common Services. You can also apply the changes by clicking Next.

To cancel the changes, click Cancel.

---

Viewing Credential Sets Status

To view the Credential Sets status:

---

Step 1 Click Next after entering the credentials.

The Credential Sets Progress page is displayed.

This process takes some time to check the status of various tasks.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. You can then exit from the workflow before the tasks are complete.

You can view the status after you get the e-mail notification that the task have completed. You should do this after getting an e-mail notification.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the relevant step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for this step. It will not display anything, if the step is successful.

See User Guide for CiscoWorks Common Services 3.3 for more information on Default Credentials.

Step 3 Click Next to go to the Configuring Device Credential Policies step. See Configuring Device Credential Policies for details.

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

You will receive an e-mail notification only if you have configured the e-mail address. See Setting up E-mail Notification After Managing Server Tasks for details.

---

Configuring Device Credential Policies

You can configure device credential policies and apply the credentials for a range of devices to be added or imported to DCR. The recommended device credentials policy configurations are set to 50.

You can create device credential policies based on the following policy types:

•IP Address

•Hostname

•Display Name

To configure a device credentials policy:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Device Credentials Policy Configuration.

The Device Credentials Policy Configuration page appears.

You can:

•Add a device credentials policy (See Adding a Device Credentials Policy)

•Edit a device credentials policy (See Editing a Device Credentials Policy)

•Delete a device credentials policy (See Deleting a Device Credentials Policy)

•Define the order of device credential policies (See Defining the Order of Device Credential Policies)

Step 2 Click Next to complete the device credentials policy configuration.

The Device Credentials Policy Configuration Progress page appears. This page provides the status of the policy configuration. See Viewing Device Credentials Policy Configuration Status.

---

Adding a Device Credentials Policy

To add a new device credentials policy:

---

Step 1 Click Add in Device Credentials Policy Configuration page to add a device credentials policy.

The Add Device Credentials Policy Configuration dialog box appears.

Step 2 Construct a rule expression. To do so:

a. Select a parameter from the Select a Policydrop-down list.

The listed parameters are IP Range, Hostname and Display Name.

b. Enter a value for the selected rule parameter in the text field.

Examples are provided with the relevant Online help link below, based on the selection made.

See the following sections in the Administering Device and Credential Repository of Managing Device and Credentials chapter in User Guide for CiscoWorks Common Services 3.3 for more details:

–Patterns in IP Address Default Credential Set Policy Rules

–Regular Expressions in Default Credential Set Policy Rules

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

c. Select a default credential set name or No Default from the Credential Set drop-down list.

Step 3 Click OK to go back to Device Credentials Policy Configuration page.

The policy that you have configured is listed in the Device Credentials Policy Configuration page.

To close the Add Device Credentials Policy Configuration dialog box, click Cancel.

Step 4 Click Next to apply the device credential policies.

The Device Credentials Policy Configuration Progress page appears. See Viewing Device Credentials Policy Configuration Status.

---

Editing a Device Credentials Policy

To edit a device credentials policy:

---

Step 1 Select a policy in the Device Credentials Policy Configuration page.

Step 2 Click Edit.

The Edit Device Credentials Policy Configuration dialog box appears.

This dialog box has pre-populated values.

Step 3 Edit the required details in the Edit Device Credentials Policy Configuration dialog box.

Step 4 Click OK to go back to Device Credentials Policy Configuration page.

The policy that you have edited is listed in the Device Credentials Policy Configuration page.

To close the Edit Device Credentials Policy Configuration dialog box, click Cancel.

Step 5 Click Next to apply the device credential policies.

The Device Credentials Policy Configuration Progress page appears. See Viewing Device Credentials Policy Configuration Status.

---

Deleting a Device Credentials Policy

To delete a device credentials policy:

---

Step 1 Select a policy in the Device Credentials Policy Configuration page.

Step 2 Click Delete.

The Delete Confirmation popup appears.

Step 3 Click OK to delete the selected policy.

Step 4 Click Next to apply the changes.

The Device Credentials Policy Configuration Progress page appears. See Viewing Device Credentials Policy Configuration Status.

---

Defining the Order of Device Credential Policies

To specify the order of device credential policies:

---

Step 1 Select a policy in the Device Credentials Policy Configuration page.

Step 2 Click either:

•The Up Arrow icon to move the selected device credentials policy up in the displayed order

or

•The Down Arrow icon to move the selected device credentials policy down in the displayed order.

Step 3 Click Next to apply the changes.

The default credential set policies are applied in the order they appear on the Credentials Sets Policy Configuration page. The default credential set policies appearing at the top of the list are applied first.

The Device Credentials Policy Configuration Progress page appears. See Viewing Device Credentials Policy Configuration Status.

---

See Administering Device and Credential Repository section in the Managing Device and Credentials chapter of the User Guide for CiscoWorks Common Services 3.3 for more information on Defining the Order of Device Credential Policies:

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

Viewing Device Credentials Policy Configuration Status

To view the Device Credentials Policy Configuration status:

---

Step 1 Click Next after adding or editing device credentials policy.

The Device Credentials Policy Configuration Progress page is displayed.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. You can then exit from the workflow before the tasks are complete.

You can view the status after you get the e-mail notification that the tasks have completed. See Setting up E-mail Notification After Managing Server Tasks for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the relevant step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report displays the shortcut URL for that particular step. It will not display anything, if the step is successful.

Step 3 Click Next to go to the Adding Devices step. See Adding Devices for details.

---

Adding Devices

You can add devices to the Device and Credentials Repository (DCR) using the following methods:

•Bulk Import from File (See Adding Devices Using Bulk Import From File)

•Bulk Import from Network Management Station (NMS) (See Adding Devices Using Bulk Import From NMS)

•Common Services Device Discovery (See Adding Devices Using Common Services Device Discovery)

CiscoWorks Assistant allows you to add devices using multiple methods, simultaneously. You can add devices using the Import from File feature, Import from NMS, and Common Services Device Discovery at the same time.

You can also:

•View Add Devices Status (See Viewing Add Devices Status)

•Set SNMP Parameters (See Setting SNMPv2 Parameters and Setting SNMPv3 Parameters)

•Delete SNMP Details (See Deleting SNMPv2 Details and Deleting SNMPv3 Details)

To add devices you can either:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices

Or

•Select Manage Servers, and continue in the wizard mode.

Adding Devices Using Bulk Import From File

To import from a file:

---

Step 1 Select the Import From File check box from the Select Methods pane, and click the Import From File link.

The File Information pane appears. This is the default.

Step 2 Enter the file name.

Or

a. Click Browse

The Server Side File selector dialog box appears.

b. Select the filename.

The Server Side File Selector dialog box displays the files on the remote server on which the Server Setup workflow is running.

Step 3 Select either CSV or XML file formats.

Only CSV 2.0 and CSV 3.0 file formats are supported.

See the User Guide for CiscoWorks Common Services 3.3 for sample CSV and XML files.

Step 4 Select either the Use data from Import source or the Use data from Device and Credential Repository.

This is to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 5 Select any one of the following from the Select A Default Credential Set drop-down list.

•default credential set name

•Policy Configuration

•No Default

---

Adding Devices Using Bulk Import From NMS

To import from NMS:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices

Or

•Select Manage Servers and continue in the wizard mode.

The NMS Information screen appears.

You can do a bulk import either from:

•Local NMS (See Performing Bulk Import From Local NMS)

Or

•Remote NMS (See Performing Bulk Import From Remote NMS)

Performing Bulk Import From Local NMS

To perform a bulk import from Local NMS:

---

Step 1 Select the Import From NMS check box from the Select Methods pane, and click the Import From NMS link.

Step 2 Select the Network Management System type from the NMS type drop-down list. HPOV and Netview are supported.

Step 3 Enter the installation location of Network Management System in the Install Location field.

For example: C:\Program Files\HP OpenView

Step 4 Select either Use data from Import source or Use data from Device and Credential Repository

This is to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 5 Select any one of the following from the Select A Default Credential Set drop-down list.

•default credential set name

•Policy Configuration

•No Default

---

Performing Bulk Import From Remote NMS

To do a bulk import from Remote NMS:

---

Step 1 Select the Import From NMS check box from the Select Methods pane, and click the Import From NMS link.

Step 2 Select the Remote NMS check box.

Step 3 Select the Network Management System type from the NMS type drop-down list. HPOV, Netview and ACS are supported.

Step 4 Select the Operating System type from the OS type drop-down list.

Step 5 Enter the host name, root username, and install location in the corresponding fields.

If you select the NMS type as ACS, enter the root password, port and protocol along with the hostname and root username in the corresponding fields.

Step 6 Select either Use data from Import source or Use data from Device and Credential Repository

This is to resolve conflicts that may occur if the devices are present both in the import source and DCR, but differ in their attributes.

•If you select Use data from Import source, the credentials from the import source will be used, and credentials for the device in DCR will be modified.

•If you select Use data from Device and Credential Repository, the device credentials in DCR will be used.

Step 7 Select any one of the following from the Select A Default Credential Set drop-down list.

•default credential set name

•Policy Configuration

•No Default

---

Adding Devices Using Common Services Device Discovery

To run Discovery:

•Select CiscoWorks Assistant > Workflows > Server Setup > Add Devices.

Or

•Select Manage Servers and continue in the wizard mode.

The Add Devices page appears. This page contains the Run Discovery check box for each server.

To specify Device Discovery Settings:

---

Step 1 Select the Run Discovery on host_name check box, and click the Run Discovery on host_name link.

The Discovery window appears with the following tabs.

•Discovery Module Tab

•Seed Devices Tab

•SNMP Settings Tab

•Filter Settings Tab

•Global Settings Tab

Step 2 Enter the following details to specify the Discovery settings.

For more information, see the User Guide for Common Services 3.3 on the Discovery Settings.

Discovery Module Tab

The following are the various protocols and options in the Discovery module:

Table 3-5 displays the Layer 3 Discovery Protocols.

Table 3-5 Layer 3 Discovery Protocol

Field	Description
Address Resolution Protocol (ARP)	Internet Protocol that maps IP Address to a MAC address
Border Gateway Protocol (BGP)	Exterior gateway protocol. This protocol uses Border Gateway Peer Table to identify its BGP peer.
Open Shortest Path First Protocol (OSPF)	Interior gateway routing protocol.
Routing Table	Queries and analyzes routing tables on seed routers, and discovers the subnets and next-hop routers.

Table 3-6 displays the Layer 2 Discovery Protocol.

Table 3-6 Layer 2 Discovery Protocol

Field	Description
Cisco Discovery Protocol	Discovers devices independent of media and protocol used. This protocol runs on all Cisco-manufactured equipment, including routers, access servers, bridges, and switches.

Table 3-7 displays the Ping Discovery options.

Table 3-7 Ping Discovery Options

Field	Description
Ping Sweep On IP Range	Gets a list of IP Address ranges from Discovery configuration and pings each IP Address starting from the seed devices, to check the reachability of devices.

Table 3-8 displays the Cluster Discovery and Hot Standby Router Protocol module details.

Table 3-8 Cluster Discovery and Hot Standby Router Protocol Modules

Field	Description
Cluster Discovery Module	Discovers the devices in a DSBU cluster. This queries the Cluster MIB to discover all members of the cluster.
Hot Standby Router Protocol (HSRP)	Discovers the devices from the HSRP group which consists of an active router and Standby routers. If the active router fails, one of the Standby router will server as an active router.

Seed Devices Tab

Seed devices are the devices used to initiate network Discovery. A seed device is the starting point from which Common Services Device Discovery discovers the network and its peer or neighbor devices.

The following module specific details are displayed in the Seed Devices tab. These modules are displayed based on the selection in the Discovery Module tab.

•Address Resolution Protocol

•Border Gateway Protocol

•Open Shortest Path First Protocol

•Routing Table

•Cisco Discovery Protocol

•Ping Sweep On IP Range

•Cluster Discovery

•Hot Stand by Router Protocol

To add seed devices from this tab:

---

Step 1 Click Module Specific or Global from the Seed devices panel at the left.

The list of modules selected in the Module Settings page is displayed if you have selected
Module Specific.

Step 2 Select a module from the list of displayed modules.

The Module Specific or Global Seed Devices settings appears at the right.

Step 3 Enter the name of the file with its full path in the From File field, if you want to specify the seed devices from a file.

If you do not know the path, you can click Browse and select a file from the list.

Step 4 Select Use DCR As Seed List, if you want to specify the devices in DCR as seed devices.

This option is not available for the Ping Sweep On IP Range option. You must enter the credentials mentioned in Step 6.

Step 5 Select Jump Router Boundaries to extend Discovery beyond the boundaries set by routers on your network.

This option is available only for CDP Module.

You must be cautious about enabling Discovery to occur beyond router boundaries. This is because Discovery could take much longer if you do not selectively choose the boundaries by excluding specific IP addresses.

Step 6 Enter the following fields which appears only for Ping Sweep On IP Range Discovery module.

•ICMP Retry— No of retries to connect to a device using ICMP protocol if the device is not reachable or network is down. The default is 1 retry.

•ICMP Timeout— Time within which the device should send its response to the network. The default timeout is 1000 milliseconds.

•InterPacket Timeout—Time delay between two ICMP packets. The default timeout is 20 milliseconds.

Step 7 Perform the following if you want to specify the seed devices manually:

a. Click Add to add a new row.

b. Enter the IP Address or hostname of the seed device in the Seed Device field.

c. Enter the number of hops in the Hop Count field.

This field is available for all Discovery modules except Ping Sweep On IP Range.

Hop count limits the scope of Device Discovery. Device Discovery cycle may take a longer time if you enter a greater value of hop count.

You must enter values greater than 1 as hop count.

d. Enter the Subnet Mask in the Subnet Mask field.

The default value is 255.255.255.255. This field is available only for Ping Sweep On IP Range Discovery module.

If you enter a smaller Subnet Mask value, it may result in a longer Discovery cycle because Discovery has to sweep IP Addresses from more networks. The addresses in the Seed Device and Subnet Mask fields also support IPv6.

You can also do the following:

•To add more seed devices, click Add to introduce more rows and enter the seed devices.

•To delete seed devices, select the checkboxes corresponding to the seed devices and click Delete.

SNMP Settings Tab

You can configure SNMP credentials to run Device Discovery. You must configure either SNMPv2 or SNMPv3 credentials by selecting the appropriate radio buttons.

•If you have selected the SNMPv2 radio button, you can select SNMPv2c fallback to SNMPv1.

•If you have selected the SNMPv3 radio button, you can select SNMPv3 fallback to SNMPv2c.

You must configure the respective protocols to enable the fallback options.

For example, to fallback to SNMPv2c from SNMPv3, you should have configured SNMPv2c settings.

Table 3-9 displays the SNMPv2 details.

Table 3-9 SNMPv2 Credentials

Field	Description
SNMP Version	Displays the SNMP version
Target	Denotes the target device. Enter the IP Address of the target device. You can also use wildcard characters to specify the target device. For example, you can enter 2001:*:*:*:*:*:*:* as the target device. Entering a target device is mandatory.
Read Community	SNMP Read Community string of the device. Entering the read community string is mandatory
Time Outs	Time period after which the SNMP query times out. You must enter the timeout value in seconds. The default value of timeout is 3 seconds. The Discovery time may increase if you specify a larger value for timeout. The timeout doubles for every retry. For example, if the timeout value is 5 seconds and number of retries is 3. Common Services Device Discovery waits for 5 seconds to get the response from the device for the first try, 10 seconds for second retry, and 20 seconds for last retry. Common Services Device Discovery stops querying the device after three retries and the time lapses by 35 seconds.
Retries	Number of attempts made to query the device. You can specify any value between 0 to 8 as number of retries. The default number of retries is 2.
Comments	You can enter any remarks in this field.

Table 3-10 displays the SNMPv3 field details.

Table 3-10 SNMPv3 Credentials

Field	Description
Target	Target device. Enter the IP Address of the target device. You can also use wildcard characters to specify the target device. For example, you can enter 2001:*:*:*:*:*:*:* as the target device. Entering a target device is mandatory
User Name	SNMPv3 username used to access the device
Auth Password	SNMP V3 authentication password used to operate the devices in AuthNoPriv and AuthPriv modes.
Auth Algorithm	SNMP V3 authentication algorithm used in AuthNoPriv and AuthPriv modes. The authentication algorithm can be MD5 or SHA-1.
Privacy Password	SNMP V3 privacy password of the device in AuthPriv mode.
Privacy Algorithm	SNMP V3 privacy algorithm used in AuthPriv mode. The privacy algorithm can be DES, 3DES, AES128, AES192, and AES256.
Timeout	Time period after which the SNMP query times out. You must enter the timeout value in seconds. The default value of timeout is 3 seconds. The discovery time may increase if you specify a larger value for timeout. The timeout doubles for every retry. For example, if the timeout value is 5 seconds and number of retries is 3. Common Services Device Discovery waits for 5 seconds to get the response from the device for the first try, 10 seconds for second retry, and 20 seconds for last retry. Common Services Device Discovery stops querying the device after 3 retries and the time lapses by 35 seconds.
Retries	Number of attempts made to query the device. You can specify any value between 0 to 8 as number of retries. The default number of retries is 2.
Comments	You can enter any remarks in this field.

Filter Settings Tab

Filters allow you to include or exclude devices from the network. For more information on Filters, see Configuring Discovery Filter Settings section in the User Guide for Common Services 3.3.

You can select a filter from the Use Filter drop-down list.

The supported filters are:

•IP Address

•DNS Domain

•SysObjectID

•SysLocation

You can either include or exclude a filter by selecting either the Include or Exclude radio buttons.

From the filter settings you can Add and Delete a Filter.

To add a filter:

---

Step 1 Select a filter from the Use Filter drop-down list.

IP Address is the default filter. The address also supports IPv6.

Step 2 Select either the Include or Exclude radio button.

Step 3 Enter the filter in the field corresponding to the Add button.

For SysObjectID filter, you can either enter the value manually or select a SysObjectID from the Device Type Selector. The Device Type Selector appears after you have selected a SysObjectID filter from the Use Filter drop-down list.

Step 4 Click Add.

The filter is added into the Added List field.

---

To delete the filter, select the filter from the Added List and click Delete.

Global Settings Tab

In the Global Settings tab, you can view the details shown in Table 3-11.

Table 3-11 Global Settings Tab Details

Field	Description
Preferred DCR Display Name	You can set the display name of the discovered devices in DCR as any one of the following: •IP Address—Preferred management IP Address of the device. •Hostname—DNS resolvable name of preferred management IP Address. This is the default option. •FQDN — Fully Qualified Domain Name consisting of a hostname and a domain name. Select the appropriate radio button in the Preferred DCR Display Name panel. When you select the preferred management IP Address as None: •Hostname of the device is added as the display name in DCR. •Device interface addresses are also added as separate devices in DCR.
Update DCR Display Name	Select this checkbox if you want to update the display name of the devices that already exist in DCR, in the next Device Discovery cycle. For example, consider a device that is discovered by Common Services Device Discovery, exists in DCR with the display name as its hostname. If you change the Preferred DCR Display Name to IP Address for the next Device Discovery, Common Services Device Discovery will update the display name of the device as its IP Address in DCR after the next Device Discovery. The display name of devices are not overwritten in the future Discovery cycles if you have not selected this option.
Use Default Credentials	Select either default credential set name, Policy Configuration or No Default from the Select A Default Credential Set drop-down list, while adding the devices to DCR.
Preferred Management IP	Select one of the following options as preferred Management IP address of the device: •Use LoopBack Address Select this option to manage a device in the address assigned to the loopback interface. If there are multiple loopback IP addresses, the highest loopback address is used to manage the device. •Resolve By Name Common Services Device Discovery uses Domain Name Services (DNS), if available, to perform device name lookups. Select this option to resolve names using the device name. •Resolve By SysName Select this option to contact the DNS Server to select the device hostname. •None Select this option if you do not want to manage the devices with preferred management IP Address. When you select this option, the devices are added in DCR with their IP Addresses. The Resolve By Name option is the default option for this field.
Add Discovered Devices to a Group	Select this checkbox when you want to add the discovered devices to a group. You can later select the devices in this group to perform device operations.
Group Name	Displays the name of the group you have selected already. You can also change the group name. Click Select to open the Select a Group popup window and change the group name. In the Select a Group popup window, you can either specify a new group name or select an existing group from the list of user-defined groups.
E-mail	Enter a valid e-mail ID in this field. Multiple e-mail IDs are allowed in this field. The system uses the e-mail ID to notify you about: •Completion status of Device Discovery jobs. •Stopped Device Discovery jobs Caution There may be a problem in sending e-mails if you enable virus scanner in the CiscoWorks Server.

Setting SNMPv2 Parameters

To add or edit SNMPv2 parameters:

---

Step 1 Select Run Discovery on the host_name check box, and click the Run Discovery on the host_name link.

Step 2 Click the SNMP Settings tab.

Step 3 Select the SNMPv2c radio button.

You can select the SNMPv2c to SNMPv1 Fallback check box, to enable fallback to SNMPv1 from SNMPv2c.

Step 4 Click Add to add the SNMP settings.

The SNMP V2 popup appears.

Step 5 Enter the following details in the popup:

•Target—Target device

•Read Community—Read community string.

•Timeouts—Time period after which the query times out.

•Retries—Number of attempts.

•Comments—Remarks, if any.

Step 6 Click either

•OK to save the changes

Or

•Cancel to exit.

Step 7 Select a row, and click Edit to edit the community strings.

The SNMPv2 popup appears with the existing values.

Step 8 Edit the details in the popup and click either:

•OK to save the changes

Or

•Cancel to exit.

Step 9 Select a row, and click Delete to delete the community string.

---

Setting SNMPv3 Parameters

To add or edit SNMPv3 parameters:

---

Step 1 Select Run Discovery on host_name check box, and click the Run Discovery on host_name link.

Step 2 Click the SNMP Settings tab.

Step 3 Select the SNMPv3 radio button.

You can select the SNMPv3 to SNMPv2c Fallback check box, to enable fallback to SNMPv2c from SNMPv3. You should have configured SNMPv2c settings, to enable fallback to SNMPv2c from SNMPv3.

Step 4 Click Add to add the SNMP settings.

The SNMPv3 popup appears.

Step 5 Enter the following details in the popup window:

•Target—Target device.

•Username—Name of the user who has access to the views configured on the device.

•Password—Password of the user.

•Timeouts—Time period after which the query times out.

•Retries—Number of attempts.

•Authentication—Method of authentication. Either SHA-1 or MD5.

•Comments—Remarks, if any.

Step 6 Click either:

•OK to save the changes.

Or

•Cancel to exit.

Step 7 Select a row, and click Edit to edit the community strings.

The SNMPv3 popup appears with the existing values.

Step 8 Edit the details in the popup and click either:

•OK to save the changes.

Or

•Cancel to exit.

Step 9 Select a row, and click Delete to delete the community string.

---

Viewing Add Devices Status

To view the Add Devices status:

---

Step 1 Click Next after adding the devices.

The Add Devices Progress page is displayed.

This process takes some time to check the status of various tasks.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. mail notification. You can then exit from the workflow before the tasks are complete.

You can view the status after you get the e-mail notification that the tasks have completed. You should do this only after getting an e-mail notification. See Setting up E-mail Notification After Adding Devices for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the relevant step link to view the detailed status report.

If a step fails, the Last Accessed URL column in the report will display the shortcut URL for that particular step. It will not display anything, if the step is successful.

---

Click Next to go to Manage Devices Tasks. See Managing Devices for details.

Setting up E-mail Notification After Adding Devices

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

---

Step 1 Select the Notify me When Add Devices Tasks are Complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

E-mail ID can contain any characters, numbers, and special characters ($, _, ^, &, #). For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have been completed.

Step 4 Click Enter Setup to view the Add Devices Progress page after you receive the e-mail notification.

---

Deleting SNMPv2 Details

To delete the SNMPv2 details:

---

Step 1 Select Run Discovery on the host_name check box, and click the Run Discovery on the host_name link.

Step 2 Click the SNMP Settings tab.

Step 3 Select the row to be deleted.

Step 4 Click Delete.

The Delete SNMPV2 Confirmation dialog box appears.

Step 5 Click OK in the Delete SNMP V2 Confirmation dialog box.

---

Deleting SNMPv3 Details

To delete the SNMPv3 details:

---

Step 1 Select Run Discovery on the host_name check box, and click Run Discovery on the host_name link.

Step 2 Click the SNMP Settings tab.

Step 3 Select the row to be deleted.

Step 4 Click Delete.

The Delete SNMPV3 Confirmation dialog box appears.

Step 5 Click OK in the Delete SNMPV3 Confirmation dialog box.

---

Managing Devices

This page helps you to allocate devices to be managed by the applications installed in the CiscoWorks servers. It lists the CiscoWorks servers and the applications that are present in each server.

You can select devices from the device selector and add them to the application that you want the device to be managed.

You can also:

•Use Device Selector to search for devices in DCR (See About Device Selector)

•View Device Management status (See Viewing Allocate Devices Status)

To manage devices:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Allocate Devices.

The Allocate Devices page appears.

Step 2 Go to the Device Selector and select the devices that you want to add.

Step 3 Select the applications to which you want to allocate the devices.

Initially, devices must be added to DCR. After a device is added to DCR, you can add it to the applications.

Step 4 Click Add Devices to add.

Or

Click Reset to reset the added devices in the application.

The Manage Devices screen displays:

•LMS Server—LMS Server IP Address

•Applications—Applications installed in the LMS Server

•Selected Devices —Number of devices selected to add in that application

Step 5 Click Next to complete the Manage Devices tasks.

The Device Management Progress page appears. You can view the Device Management status in this page. See Viewing Allocate Devices Status for details.

---

About Device Selector

The Device Selector allows you to search for the devices in Device and Credential Repository (DCR). It helps you to locate the devices and perform the device management tasks quickly. With the Device Selector, you need not remember the device type or application group hierarchy to locate the devices.

The devices are categorized under the Device Type based groups, User Defined groups, Subnet Based groups, Application Specific groups or under All Groups.

The CiscoWorks Assistant uses the Common Services Device Selector.

See the Configuring Device Selector section in the Managing Device and Credentials chapter of the User Guide for CiscoWorks Common Services 3.3 for information on using Device Selector:

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

You can also access this information from Common Services Online help. From CiscoWorks help, select:

Common Services > Managing Device and Credentials > Configuring Device Selector > Searching Devices.

Viewing Allocate Devices Status

You can view the device management status after you complete the Allocate Devices tasks.

To view the status:

---

Step 1 Click Next after entering the credentials.

The Allocate Devices Progress page appears. This process takes some time to check the status of various tasks.

You can either:

•Set up CiscoWorks Assistant to send you an e-mail notification. mail notification. You can then exit from the workflow before the tasks are complete.

You can view the status after you get the e-mail notification that the tasks have completed. You should do this only after getting an e-mail notification.

See Setting up E-mail Notification After Device Management Tasks for details.

Or

•Wait until the status check has completed to view the status.

Step 2 Click on the step link to view the detailed status report.

Table 3-12 describes the fields in the status report.

Table 3-12 Status Report Fields

Field	Description
Server	Host name or IP Address of the local or remote server.
Application	Name of the application to which the devices are added after allocation.
Status	Status of the Allocate Devices tasks. This status could be Success or Failure.
Last Accessed URL	Displays the shortcut URL for a particular step if it fails. It will not display anything if the step is successful.
Details	Displays the details of failure, if the Allocate Devices task for an application is not successful. It will not display anything if the step is successful.

Step 3 Click Next to go to the Change ACS Setup tasks. See Changing ACS Setup for details.

---

Setting up E-mail Notification After Device Management Tasks

You can exit the workflow after you complete the tasks and return later to view the status. You should do this only after getting an e-mail notification.

To do this:

---

Step 1 Select the Notify me When Manage Devices Tasks are Complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail, after the tasks have completed.

Step 4 Click Enter Setup to view the Manage Devices Status page after you receive the e-mail notification.

---

Changing ACS Setup

The CiscoWorks server provides mechanisms used to authenticate users for CiscoWorks applications. The login module determines the type of authentication and authorization CiscoWorks uses.

By default, the login module is set to the native CiscoWorks authentication mechanism, that is, the CiscoWorks Local Login module. You can change this default value to use Cisco Secure ACS for user authentication and authorization.

In CiscoWorks Local mode, you cannot create custom roles, or modify the predefined roles. Cisco Secure ACS allows you to create custom roles and also limit the access to network devices within LMS using Network Device Groups (NDGs).

The details for setting up the CiscoWorks server for non-ACS mode are available in User Guide for CiscoWorks Common Service 3.3.

Change ACS Setup page shows the ACS Mode Status for each CiscoWorks server in the setup. From this page you can:

•Configure ACS Mode (See Configuring the ACS Mode)

•Assign Device Group (See Assigning Device Group)

The tasks to be performed to complete AAA mode change to ACS can be classified as:

•Cisco Secure ACS Initial Setup Tasks—This includes:

–Adding the ACS administrator user

–Adding CiscoWorks server and devices managed by it as AAA clients in Cisco Secure ACS.

When you change the mode to ACS using CiscoWorks Assistant, you need to manually add the DCR Master server in ACS as an AAA client.

When you change the mode of a Slave, CiscoWorks Assistant adds it to the NDG group you specify.

See Cisco Secure ACS Initial Setup Tasks for details.

•AAA mode configuration in CiscoWorks Assistant—Specifying the Cisco Secure ACS server details and credentials in the Configure ACS Mode page. See Configuring the ACS Mode for details.

•User Configuration in Cisco Secure ACS—Adding users and defining roles in Cisco Secure ACS. See User Configuration in Cisco Secure ACS for details and pointers to documentation.

You can also perform the following tasks:

•View the ACS mode configuration status after you complete the Configure ACS Mode tasks. See Viewing the Configure ACS Mode Status

•Update the ACS server details using this option. You should have already completed the ACS Mode change to do this. See Updating ACS Configuration

•Assign Device Groups. See Assigning Device Group

Cisco Secure ACS Initial Setup Tasks

You must define an Administrator in ACS server to provide remote access. To access the Cisco Secure ACS HTML interface from a browser on a remote machine, you must log in to Cisco Secure ACS using an administrator account.

You can perform the necessary steps to do this in the Administration Control tab in the ACS UI. See the white paper, CiscoWorks LMS Integration with Cisco Secure ACS, or the User Guide for Cisco Secure ACS 4.1 for detailed information.

You must then add the CiscoWorks server and the devices it manages as AAA clients in ACS. The ACS workflow does not support IPv6 devices. Hence, IPv6 devices will not be added in ACS.

To add CiscoWorks server as an AAA client:

---

Step 1 In the Cisco Secure ACS navigation bar, click Network Configuration.

The Network Configuration page appears.

Step 2 Do either of the following:

•If you are using Network Device Groups (NDGs), click the name of the NDG to which the AAA client is to be assigned. Then click Add Entry below the AAA Clients table.

If NDG option is not visible, you can enable Network Device Groups in ACS under Interface Configuration > Advanced.

Or

•Click Add Entry below the AAA Clients table, to add an AAA client when you have not enabled NDGs.

The Add AAA Client page appears.

Step 3 In the AAA Client Hostname box, enter the name of your CiscoWorks server (up to 32 characters).

Step 4 In the AAA Client IP Address box, enter the IP address of your CiscoWorks server.

Step 5 In the Key box, enter the Shared Secret key that your CiscoWorks server and ACS use to encrypt the data.

Step 6 From the Authenticate Using list, select TACACS + (CiscoIOS) as the network security protocol used by the AAA client.

Step 7 Click Submit + Restart.

---

Apart from adding your CiscoWorks server as an AAA client, you also need to add the devices to be managed by the CiscoWorks server as AAA clients to Cisco Secure ACS.

When you are integrating the AAA clients with Cisco Secure ACS, your devices will not be visible from your CiscoWorks server if you have not added them as AAA clients in Cisco Secure ACS.

For information on adding network device groups and AAA client configuration, see the Network Configuration section of the User Guide for Cisco Secure ACS 4.1.

To change ACS settings:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup.

The Change ACS Setup page appears.

Change ACS Setup page contains these ACS Mode Status details.

•Server—Name or IP Address of the server.

•Mode—The current mode of the server. It can be ACS or Non-ACS.

If the mode is ACS, a link is displayed. Click this link to view the ACS Connection Status for the server.

Step 2 Select the Change Mode to ACS check box in the Login Module pane to change the login mode to ACS.

If the server is in ACS mode, the Change ACS Setup page will contain the ACS Tasks pane instead of the Login Module pane. The ACS Tasks pane has these radio buttons:

•Update ACS Configuration (See Updating ACS Configuration.)

•Assign Group for missing devices (See Assigning Device Group.)

---

Configuring the ACS Mode

To change the mode to ACS:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup.

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If it finds any pending devices, the Pending Device Count table is displayed. It displays:

•Server—Server name.

•Application—Application that contains pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—Reason why CiscoWorks Assistant could not fetch the pending devices count.This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next.

A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

The details are displayed in the screens that appear when you select these menu paths.

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Change Mode to ACS check box and click Next to go the Configure ACS Mode page.

---

Note Ensure that the local server is an AAA client to ACS server.

---

Step 5 Click OK on the Notification pop-up window to continue with the ACS Mode change.

Step 6 Enter the required information in the ACS Mode Setup table to change the login mode to ACS.

If the DCR Master (local server) is already in ACS mode, the fields other than the passwords and secret keys will be pre-populated.

Table 3-13 describes the fields in the ACS Mode Setup table.

Table 3-13 ACS Mode Setup Fields

Field	Description
Server Details
Primary IP Address/Hostname	Enter the Primary IP Address/Hostname of the ACS server.
ACS TACACS+ port	Enter the ACS TACACS+ port number. The default port number is 49. You can change the port based on the value configured in ACS.
Secondary IP Address/Hostname	Enter the Secondary IP Address/Hostname of the ACS server.
ACS TACACS+ port	Enter the ACS TACACS+ port number. The default port number is 49. You can change the port based on the value configured in ACS.
Tertiary IP Address/Hostname	Enter the Tertiary IP Address/Hostname of the ACS server
ACS TACACS+ port	Enter the ACS TACACS+ port number. The default port number is 49. You can change the port based on the value configured in ACS.
Login
ACS Admin Name	Enter the administrator username in ACS
ACS Admin Password	Enter the administrator password in ACS
Confirm Password	Re-enter the administrator password in ACS
ACS Shared Secret Key	Enter the secret key shared between ACS and the CiscoWorks server.
Confirm Key	Re-enter the ACS Shared Secret key
System Identity
User Name	Enter the system identity user name. This user should be already configured in ACS, with all privileges.
Password	Enter the system identity password value
Confirm Password	Re-enter the password.
Network Device Group Name
Network Device Group Name	Enter the Network Device Group Name value. Network Device Group name should present in the ACS. This field appears only in a Multi-server set up, when you change the mode of a Slave. You must manually add the local server (DCR Master) as an AAA client in ACS, before you change the mode to ACS. The workflow converts the other servers part of the Multi-server to ACS mode and also add missing devices to the NDG that you specify here.

Step 7 Select the Register all Installed Applications with ACS check box, if you are registering the applications for the first time.

In case an application is already registered with ACS, the current registration will overwrite the previous registration. When you select the Register all Installed Applications with ACS check box, you are prompted to confirm whether you want to continue with the settings.

See Common Services Online help for details.

Step 8 Select the HTTP or HTTPS radio button under Current ACS Administrative Access Protocol.

Step 9 Click Next to complete the Mode change.

The Configure ACS Mode Progress page is displayed. You can view the ACS mode configuration status in this page. See Viewing the Configure ACS Mode Status for details.

---

Note In a Multi-server setup, ACS configuration may fail, when master and slave servers are trying to register the applications at the same time. At the time of failure, repeat the above steps to continue with ACS configuration.

---

---

User Configuration in Cisco Secure ACS

The System Identity User has to be created in ACS, and assigned Super Admin role in all applications in ACS.

You should create a user in ACS with the current System Identity username, and assign Super Admin role to that user in all applications in the TACACS + options pane in Group Setup or User Setup UI in ACS.

See Configuring Device Management Command Authorization for a User Group in User Guide for Cisco Secure ACS 4.1.

---

Note Restart daemon manager after you create the System Identity User in ACS, and assign the Super Admin role for the changes to take effect.

---

The final step in integrating CiscoWorks Common Services Software with Cisco Secure ACS is to configure the CiscoWorks users within Cisco Secure ACS. Cisco Secure ACS allows you to define access permissions and policies for the registered CiscoWorks applications either for individual users or for a group of users.

See the following sections of the Cisco Secure ACS User Guide for more information on managing users and user groups:

•User Group Management

•User Management

While adding the user, you can configure access policies to define what the user is authorized to do, depending on the role.

See Configuring Users in ACS section in User Guide for CiscoWorks Common Services 3.3 for information on:

•Assigning Privileges in ACS

•Creating and Modifying Roles in ACS

See also the white paper on CiscoWorks LMS Integration with Cisco Secure ACS, available on Cisco.com

---

Viewing the Configure ACS Mode Status

You can view the ACS mode configuration status after you complete the Configure ACS Mode tasks.

To view the status, click Next after configuring the ACS mode.

The Configure ACS Mode Progress page is displayed.

This process takes some time to check the status of various tasks.

You can either:

•Exit the workflow after you complete the tasks and return later to view the status. You should do this only after getting an e-mail notification. See Setting up E-mail Notification After Configuring ACS Mode for details.

Or

•Wait until the status checks complete to view the status.

The Configure ACS Mode Result page is displayed. See Viewing the Configure ACS Mode Result for details.

Setting up E-mail Notification After Configuring ACS Mode

You can exit the workflow after you complete the tasks and return later to view the status. You should do this after getting an e-mail notification.

To do this:

---

Step 1 Select the Notify me When ACS Tasks are Complete check box, and click OK.

Step 2 Enter the e-mail ID in the text field.

The e-mail ID will be displayed in the text field if you had entered an e-mail ID in the Manage Servers flow. Only one e-mail ID is allowed.

The e-mail ID can contain alphabets, numbers, and special characters ($, _, ^, &, #).

For example:

•user_cwa1@cisco.com

•Name_12#@abc.co.in

The following message appears:

An e-mail will be sent to the selected E-mail address after the process has completed.

Step 3 Click Cancel.

The initial Server Setup workflow page is displayed.

You will receive an e-mail after the tasks have been completed.

Step 4 Click Enter Setup to view the ACS Mode Progress page after you receive the e-mail notification.

---

Viewing the Configure ACS Mode Result

Configure ACS Mode Result page displays the ACS Connection Status of all servers in the setup. To access the Configure ACS Result page you should have changed the server into ACS Mode.

To view the Configure ACS Mode Result page:

---

Step 1 Click Next, after the Configure ACS Mode tasks are complete.

The Configure ACS Mode result page appears with the following popup message:

Restart the LMS Daemon Manager of the following servers for the ACS changes to take effect:

<Server details>

Make sure the configured System Identity User is available in ACS Server.

Step 2 Restart daemon manager, and click OK to view the Configure ACS Mode Result page.

To restart daemon manager:

a. Stop daemon manager.

–On Solaris:

Run /etc/init.d/dmgtd stop

–On Windows:

Run net stop CRMdmgtd or net stop crmdmgtd

b. Start daemon manager.

–On Solaris:

Run /etc/init.d/dmgtd start

–On Windows:

Run net start CRMdmgtd or net start crmdmgtd

The following ACS Connection Status details are shown:

•TACACS+ Connectivity With ACS Status—Reachability status of the ACS server

• HTTP/HTTPS Connectivity With ACS—Reachability status of the ACS server using HTTP or HTTPS

•CiscoWorks System Identity User Configuration in ACS— Information on privileges for the ACS server.

See the Setting up AAA Mode to ACS section in the User Guide for CiscoWorks Common Services 3.3, for further details.

---

Updating ACS Configuration

You can update the ACS server details using this option. You should have already completed the ACS Mode change to do this.

To update ACS server details:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If it finds any pending devices, the Pending Device Count table is displayed with the following:

•Server—Server name.

•Application—Application that contains pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—Reason why CiscoWorks Assistant could not fetch the pending device count.This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next.

A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

The details are displayed in the screens that appear when you select these menu paths.

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Update ACS Configuration radio button from the ACS Tasks pane.

The Update ACS Configuration check box appears in the ACS Tasks pane only if the server is in ACS mode.

Step 5 Click Next.

The following popup message appears:

Please ensure that local server is an AAA client to ACS server.

Step 6 Click OK to continue.

The Configure ACS Mode page appears with the pre-populated values in the ACS Mode Setup.

Step 7 Enter the new details in the ACS Mode Setup window.

You need to provide the current System Identity Username and Password. The NDG should be already be preset in ACS. You must also provide the Shared Secret key.

Step 8 Click Next to complete updating ACS configuration.

---

Note In a Multi-server setup, ACS configuration may fail, when master and slave servers are trying to register the applications at the same time. At the time of failure, repeat the above steps to continue with ACS configuration.

---

Step 9 Restart daemon manager for the changes to take effect.

---

Assigning Device Group

After you have integrated the CiscoWorks server with Cisco Secure ACS and assigned appropriate roles to the user you would not be able to see the devices added in DCR if the devices are not added as AAA clients to Cisco Secure ACS. CiscoWorks Assistant lets you add the missing devices into the appropriate NDG in ACS.

Common Services displays a report that has the list of DCR devices that need to be configured in ACS. See Generating Reports in DCR section of the User Guide for CiscoWorks Common Services 3.3, for details.

The Assign Device Group check box appears only if there are missing DCR devices in ACS. You can assign the devices to the appropriate NDG.

To assign device groups:

---

Step 1 Select CiscoWorks Assistant > Workflows > Server Setup > Change ACS Setup

CiscoWorks Assistant checks whether there are pending devices in DFM and RME. If it finds any pending devices, the Pending Device Count table is displayed with the following details:

•Server—Server name.

•Application—Application that contains pending devices. Value will be DFM or RME.

•Pending Count—Number of pending devices.

•Details—Reason why CiscoWorks Assistant could not fetch the pending device count.This column will be blank if the pending devices count is found.

Along with the table, a Notification pop up window appears with the following message:

Pending devices exist or could not check for pending devices in some LMS applications

Step 2 Click OK.

Step 3 Click Next.

A confirmation pop up appears with the following message:

LMS server(s) ACS configuration will not be proper if there are pending devices in the LMS applications. Make sure there are no pending devices and click OK to continue.

To get further details on pending devices in the applications, go to:

•RME > Devices > Device Management > Pending Devices

•Device Fault Manager > Device Management > Device Summary

The details are displayed in the screens that appear when you select these menu paths.

See RME and Device Fault Manager User Guides for more information on pending devices.

The Change ACS Setup page appears after you click OK.

Step 4 Select the Assign group for missing devices radio button in the ACS Tasks pane.

Step 5 Click Next.

The Assign Device Group page appears.

Step 6 Enter the following information in the Export Devices to ACS table to add the missing devices into ACS:

•Server details—IP address and port number of the ACS server.

•Login details—ACS administrator name, password, and the shared secret key.

•Current ACS Administrative Access Protocol—Protocol used to connect to ACS server.

•Network Device Group name—NDG to which you want to add the missing devices.

Step 7 Click Next to complete assigning device group.

---

Viewing the Server Setup Summary

You can view a summary of the tasks that you performed during the workflow, after you complete the workflow steps.

To view the summary, click Next after you perform the workflow steps.

The Server Setup Summary page is displayed. with the following details:

•Session Details

•Server Summary

•ACS Summary

•Operation Summary

The information on this page depends on the tasks that you performed.

You need not perform all of the Server Setup workflow tasks to view the Summary. You may skip the steps that you do not need to perform during a workflow session.

For example, you may perform the Manage Servers tasks and skip all the other tasks to get to the Summary page. In such a case, the Summary page displays only the summary related to the Manage Servers tasks.

Session Details

The Session Details table displays the Start Time and the User Name for the current session.

Server Summary

The Server Summary lists all servers in the setup. The fields in the Server Summary and their descriptions are given below.

•LMS Server—Host Name or IP Address of the server.

•Protocol—Protocol of the server. This can be HTTP or HTTPS

•Port—Port Number of the CiscoWorks server.

•DCR—DCR mode of the server. Mode can be DCR Master, Slave, or Standalone.

•SSO—SSO mode of the server. SSO Mode can be Master, Slave, or Standalone.

When you click the Expand button of the CiscoWorks server, it lists the applications installed in that server.

ACS Summary

The ACS Summary table lists all the servers and their current mode. The mode can be ACS or Non-ACS.

Operation Summary

The Operation Summary tables display the tasks that you performed during the Server Setup workflow. The fields in the Operation Summary, and their descriptions are given below

•Step—Step Name of the workflow.

•Last run—Date and Time when the step was performed.

•Details—Click the View link to view the Step Summary dialog box.

Click Finish to go to the Server Setup home page and end the current session.

Related Documentation

For more information on Multi-server setups, DCR and SSO, see the latest versions of following documents on Cisco.com:

•User Guide for CiscoWorks Common Services 3.3

http://www.cisco.com/en/US/products/sw/cscowork/ps3996/products_user_guide_list.html

•White Paper on CiscoWorks LMS Integration with Cisco Secure ACS

http://www.cisco.com/en/US/products/sw/cscowork/ps2425/prod_white_papers_list.html

•LMS application User Guides.

http://www.cisco.com/en/US/products/sw/netmgtsw/tsd_products_support_category_home.html