Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
605
Views
4
Helpful
2
Replies

limit DCR crendentials to CiscoWorks software with ACS 5.1

xine xine
Level 1
Level 1

‎12-14-2009 12:14 PM - edited ‎02-21-2020 03:49 AM

Hi !

we are currently deploying ACS 5.1 in our network, I would like to limit DCR crendentials to CiscoWorks software if-sefl not only to the server itself is it possible ?

We would like to make sure nobody can use DCR crendential to open an administrative session on AAA Clients without CiscoWorks sofware (even if the attempt is make from the CiscoWorks server it-self, by taking in remote control the server and trying an Telnet or SSH session from that point)

0 Helpful
2 Replies 2

Mike Bailey
Level 1
Level 1

‎12-14-2009 01:35 PM

I don't think the end device would know the source application, only the source IP address, so even with ACL's etc if the CiscoWorks server and credentials are compromised the user will be able to access.

To prevent this we got two admins to each generate a complex 8 character password, and then got them to set these in turn for the ACS account used by CiscoWorks (thus it has a 16 character password) and then set these using the "Default Device Credentials" in CiscoWorks.


Then as CiscoWorks is ACS integrated removed the functionality to export the device credentials from users within the ACS shared profile components.


Thus the only way to exploit the credentials is to have both people remember the 8 character password they set and combine them into 16 character password, or get the ACS administrator to reenable device credential export.

Slightly convoluted but it works - all comes down to suitable role seperation between individuals.

Hope this helps

xine xine
Level 1
Level 1
In response to Mike Bailey

‎12-16-2009 03:43 AM

Hi !

this is a working solution, but I think this will not be possible in our situation, individual users in our team should be able to add, removed, modify device credentials in CiscoWorks software.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card