Downloads |
 Feedback
|
Table Of Contents
Setting Up the CiscoWorks2000 Server
Using the Pluggable Authentication Modules
Understanding Fall Back Options
Installing Client Application Manager
Setting Up the CiscoWorks2000 Server
The CiscoWorks2000 Server includes tools required to properly set up the server to support other CiscoWorks2000 applications. These features include:
•
Using the Pluggable Authentication Modules
•
Setting Up User Accounts
Several CiscoWorks2000 network management and application management operations are potentially disruptive to either the network or to the applications themselves and must be protected.
To prevent such operations from being used accidentally or maliciously, CiscoWorks2000 uses a multilevel security system that only allows access to certain features to users who can authenticate themselves at the appropriate level.
CiscoWorks2000 provides two predefined login IDs, but you create additional unique login IDs for users at your company:
•
•
Note
Caution
Understanding Security Levels
System administrators determine user security levels when they are granted access to CiscoWorks2000. When users are granted logins to the CiscoWorks2000 application, they are assigned one or more roles. The user role or combination of roles dictates which CiscoWorks2000 applications are presented to the user on the navigation tree. shows available security levels.
Table 3-1 Security Levels
0
Help Desk
1
Approver
2
Network Operator
4
Network Administrator
8
System Administrator
Other roles are displayed, depending on your applications. For example, two additional user roles (Developer and Export Data) are displayed in the security user account windows. These roles are available only for Management Connection and third-party developers.
To see which security levels are allowed to use the CiscoWorks2000 applications, run the CiscoWorks2000 Server > Setup > Security > Permissions Report.
Performing Security Tasks
Users can perform some tasks for their own accounts, but most security tasks require system administrator role privileges. When performing these security tasks (see Table 3-2), consider the following:
•
•
•
Using the Pluggable Authentication Modules
Pluggable authentication using the CiscoWorks2000 Server security feature allows administrators to authenticate users by another source of authentication, such as a directory service. CiscoWorks2000 provides several standard pluggable authentication modules that allow the administrator of the CiscoWorks2000 Server to authenticate any CiscoWorks2000 login with NT, UNIX, TACACS+, Radius or other authentication sources.
Understanding Fall Back Options
Three login module fall back options are available on all platforms. Fall back options allow you to access the software should you accidentally lock yourself or others out. Table 3-3 describes the login module fall back options.
It is recommended that you select the option that allows specific users to fall back to the CiscoWorks2000 Local login if a preceding login fails. This way, if your server cannot authenticate the user, and the user has a local CiscoWorks2000 account, the CiscoWorks2000 Local login module authenticates the same name and password. If authentication occurs, the user can access CiscoWorks2000 even if their first-choice server is down. You may also want to test the new login module by having a user log in using the new authentication module.
Note
Selecting a New Login Module
Depending on your platform, different login module features are available (see Table 3-4).
Table 3-4 Login Module Options on Supported Platforms
CiscoWorks2000 Local
X
X
UNIX System Module
X
NT Local
X
Microsoft Active Directory
X
X
Netscape LDAP
X
X
Radius
X
X
TACACS+
X
X
1 This includes the Solaris platform, but will also include other platforms as new platforms are added to the CMF support.
The following procedure describes how to select a specific login module. For information on selecting other login modules, refer to the online help.
Step 1
Step 2
a.
b.
The Login Module Options window opens. Depending on your module, you might see one of the following modules:
•
•
•
•
•
•
•
Step 3
Step 4
jsm-cw2000/logs directory.
Note
Installing Client Application Manager
You can improve the performance of some CiscoWorks2000 applications by downloading and installing server files on your local machine. Whenever a client browser connects to a CiscoWorks2000 Server, you can choose to install Client Application Manager.
You can install Client Application Manager by selecting CiscoWorks2000 Server > Setup > Client Manager Admin or choosing to install when the Client Application Manager dialog box appears. This dialog box appears after you access a CiscoWorks2000 application that uses Client Application Manager.
If the Client Application Manager dialog box appears after you make a selection from the navigation tree, you can choose not to install it. Click on the check box to not show the message again and click No. If you do not select the check box, the dialog box appears each time you select an application that supports client-side installed files.
Configuring the ANI Server
Some CiscoWorks2000 applications require the Asynchronous Network Interface (ANI) Server to automatically discover network devices. If your application does not use or require the ANI Server, it is not available in the navigation tree.
For applications that require the ANI Server, it is critical that you set up your network and the ANI Server to ensure that the network is properly discovered.
Setting Up Your Network
The Network Setup Overview table (see Table 3-5) provides an overview of the tasks required to ensure that ANI properly discovers your network. Detailed information and instructions are available in the online help (select CiscoWorks2000 > Setup > ANI Server Admin).
To perform these tasks, use the Command Line Interface (CLI) of the network devices in your network. Refer to the command reference guides for specific devices to obtain instructions about performing these tasks.
Table 3-5 Network Setup Overview
Upgrade software versions on devices.
To ensure that ANI Server successfully discovers and supports your network devices, upgrade your device software to the latest general deployment (GD) software release.
Verify connectivity to seed devices.
The workstation on which ANI Server is installed must have connectivity to the seed devices in your network. If devices are not reachable, they cannot be discovered.
Enable SNMP.
ANI communicates with network devices using SNMP.
Enable Cisco Discovery Protocol.
ANI Server uses Cisco Discovery Protocol (CDP) to discover your network devices and layout.
Set unique sysName variable on devices.
Using CDP, ANI identifies Cisco IOS devices by the sysName variable. If multiple devices share the same sysName variable, the devices cannot be discovered properly.
Enable ILMI on ATM devices.
ANI Server uses Integrated Local Management Interface (ILMI) to discover the ATM devices in your network.
Configure DNS.
ANI uses Domain Name Services (DNS), if available, to perform device name lookups. If DNS is not available, ANI uses IP addresses.
If you use DNS, ensure that all devices have unique host names and that DNS is properly configured.
Note
properly configured the network for device discoveries.Configure VLAN Trunk Protocol.
VLAN Trunk Protocol (VTP), and at least one VTP Server per VTP domain is required to discover, display, and configure VLANs.
Configure VLAN trunks on Fast Ethernet and Gigabit Ethernet.
If a switch is connected to Fast Ethernet links and you want to configure it to carry more than one VLAN, you must enable ISL or IEEE 802.1Q.
Create the default LANE configuration server for ATM devices.
If you are running LAN Emulation (LANE) in your network, you must set up the main configuration server.
Note
properly configured the network for device and logical
discoveries.Connect users and hosts to the network.
ANI can retrieve information about end-user devices and hosts only if those devices are actively connected to the network.
Also, ANI can automatically collect user names only if users are actively connected to the network.
Note
properly configured the network for device, logical, and
user discoveries.Enable source routing.
ANI might not be able to trace a reliable path between two end points if source routing is disabled on any intervening routers.
Enable CDR logging on all Cisco Call Managers
The call detail record (CDR) provides information such as the IP address of the phones and gateways, telephone numbers of the involved parties, and the time that the call was made.
This information is used to determine a path involving any Cisco Call Manager devices.
Setting Up the ANI Server
The ANI Server automatically discovers devices in your network at a defined interval. To do this, the ANI Server must have access to your network devices and a discovery starting point (seed device).
You provide ANI access to your network devices by ensuring that the community strings on your devices are known to the ANI Server. The ANI Server uses your specified seed device (or a set of seed devices) to initiate discovery. See Table 3-6 for a description of these and other tasks you can perform with the ANI Server.
