We want to use SecureID (thru Tacacs+) login for all our administrators for logging in to the routers. But we also want to use CW2000 for using netconfig and archive configurations. CW2000 uses snmp and telnet access. Because of that snmp and user/password info must be configured in CW. Because there is no secureid software token available for cw2000 i have to find another way to give CW access to routers. On the other hand i want no unsecure (level 7) password on routers because of password recovery possibilities showing the password. The best i found was defing a account on the tacacs server which can be used to login to the routers and if the user is not in the tacacs server it will ask the ace server. That works fine but now i can login to ALL routers from all destinations and that is also not secure. I tried using aaa authorisation to make a acl active on the vty and debugging shows the acl is activated for the CW user but i can still connect to all routers from all destinations and the acl does not seem to work. Should this work? Another good way would be if it is possible to tell the tacacs server that it should only grant access if the CW user tried to connect from the CW machine but i dont think this option exists because it is not the end station asking for loging but the router. So to conclude: Is there a way to use SecureID with the changing passwords and also give ONLY CW2000 (ficed ip address) access with a static username/password.