Limit DCR credentials to CiscoWorks software with ACS 5.1

Unanswered Question
Dec 14th, 2009

Hi!

We are currently deploying ACS 5.1 in our network. I would like to limit DCR credentials to the CiscoWorks software itself, not only to the server itself. Is it possible?

We would like to make sure nobody can use DCR credentials to open an administrative session on AAA clients without the CiscoWorks software (even if the attempt is made from the CiscoWorks server itself, by taking remote control of the server and trying a Telnet or SSH session from that point).

Overall Rating: 4 (1 ratings)
Mike Bailey Mon, 12/14/2009 - 13:35

I don't think the end device would know the source application, only the source IP address, so even with ACLs etc., if the CiscoWorks server and credentials are compromised, the user will be able to access.

To prevent this we got two admins to each generate a complex 8-character password, and then got them to set these in turn for the ACS account used by CiscoWorks (thus it has a 16-character password), and then set these using the "Default Device Credentials" in CiscoWorks.

Then, as CiscoWorks is ACS integrated, we removed the functionality to export the device credentials from users within the ACS shared profile components.

Thus the only way to exploit the credentials is to have both people remember the 8-character password they set and combine them into the 16-character password, or get the ACS administrator to re-enable device credential export.

Slightly convoluted but it works - it all comes down to suitable role separation between individuals.

Hope this helps

xine xine Wed, 12/16/2009 - 03:43

Hi!

This is a working solution, but I think this will not be possible in our situation: individual users in our team should be able to add, remove and modify device credentials in the CiscoWorks software.

