Cisco Support Community
Community Member

SecurID and CiscoWorks

We want to use SecurID (through TACACS+) login for all our administrators for logging in to the routers. But we also want to use CW2000 for using NetConfig and archiving configurations. CW2000 uses SNMP and Telnet access. Because of that, SNMP and user/password info must be configured in CW. Because there is no SecurID software token available for CW2000, I have to find another way to give CW access to the routers. On the other hand, I want no insecure (level 7) password on the routers because of password recovery possibilities showing the password.

The best I found was defining an account on the TACACS server which can be used to log in to the routers, and if the user is not in the TACACS server it will ask the ACE server. That works fine, but now I can log in to ALL routers from all destinations, and that is also not secure. I tried using AAA authorisation to make an ACL active on the VTY, and debugging shows the ACL is activated for the CW user, but I can still connect to all routers from all destinations and the ACL does not seem to work. Should this work?

Another good way would be if it is possible to tell the TACACS server that it should only grant access if the CW user tried to connect from the CW machine, but I don't think this option exists because it is not the end station asking for login but the router.

So to conclude: is there a way to use SecurID with the changing passwords and also give ONLY CW2000 (fixed IP address) access with a static username/password?


Re: SecurID and CiscoWorks

Use a fixed password for the CW user and, in ACS, under the user profile Network Access Restrictions area, NAS (telnet, login, exec) Access Control, enter the IP address of CW as the only permitted source address for this user.

Community Member

Re: SecurID and CiscoWorks

In addition to using a dedicated user ID that only has access from a single IP address, you might also apply an ACL to the VTY ports of your NAS. Here is what I do:


! This ACL only allows my management host telnet access
! I also include the IP address of the upstream hub. This is in case
! there is no routing. I can always telnet from the hub across the
! connected network
access-list 123 permit ip host a.b.c.d any
access-list 123 permit ip host w.x.y.z any
access-list 123 deny ip any any log
line vty 0 4
 access-class 123 in

This will only allow hosts a.b.c.d and w.x.y.z telnet access to the NAS.

I also use ACLs on SNMP RO and RW as follows:


! This ACL only allows my management hosts RW SNMP access
access-list 80 permit RW-HOST1
access-list 80 permit RW-HOST2
! This ACL only allows my management hosts RO SNMP access
access-list 85 permit RO-HOST1
access-list 85 permit RO-HOST2
snmp-server community RW-Community RW 80
snmp-server community RO-Community RO 85

This will only allow the hosts in the ACLs to have SNMP access.
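The reply above restricts the management plane by source address in two places: an `access-class` on the VTY lines and an ACL bound to each SNMP community. As an added example (not code from the original poster or from Cisco), the script below parses an IOS-style configuration, evaluates the numbered ACLs with IOS first-match and implicit-deny semantics, and reports which VTY ranges and SNMP communities a given source host would be admitted to. The configuration text is constructed for the example, with the thread's placeholder hosts replaced by hypothetical 10.1.x.x addresses, and it deliberately includes the two gaps the reply's approach is meant to close: a second VTY range with no `access-class`, and a community with no ACL. Treatment of a referenced-but-undefined ACL as permit-all is an assumption noted in the code.

```python
"""Evaluate IOS-style VTY access-class and SNMP community ACLs for a source host.

Added example; the configuration below is constructed and the addresses are
hypothetical. Only numbered standard/extended access-lists are handled.
"""
import ipaddress
import re

# Constructed sample configuration mirroring the thread's layout.
SAMPLE_CONFIG = """\
access-list 123 permit ip host 10.1.1.10 any
access-list 123 permit ip host 10.1.1.1 any
access-list 123 deny ip any any log
access-list 80 permit 10.1.1.10
access-list 85 permit 10.1.1.10
access-list 85 permit 10.1.2.0 0.0.0.255
snmp-server community RW-Community RW 80
snmp-server community RO-Community RO 85
snmp-server community public RO
line vty 0 4
 access-class 123 in
 login authentication default
line vty 5 15
 login
"""

_PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
_ALL_ONES = 0xFFFFFFFF


def _is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def _source_spec(tokens):
    """Translate an ACL source field into (address, wildcard) integers.

    'any' -> match everything; 'host A' -> exact; 'A W' -> address/wildcard;
    a bare 'A' (standard ACL shorthand) -> exact.
    """
    if tokens[0] == "any":
        return 0, _ALL_ONES
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wild = int(ipaddress.IPv4Address(tokens[1])) if len(tokens) > 1 and _is_ipv4(tokens[1]) else 0
    return addr, wild


def parse_acls(config):
    """Return {acl_id: [(action, addr, wildcard), ...]} keeping only source fields;
    destination and port matter neither to access-class nor to SNMP communities."""
    acls = {}
    for raw in config.splitlines():
        m = re.match(r"access-list (\S+) (permit|deny) (.*)", raw.strip())
        if not m:
            continue
        acl_id, action, rest = m.groups()
        tokens = rest.split()
        src = tokens[1:] if tokens[0] in _PROTOCOLS else tokens  # skip protocol keyword
        addr, wild = _source_spec(src)
        acls.setdefault(acl_id, []).append((action, addr, wild))
    return acls


def acl_permits(entries, src_ip):
    """IOS semantics: first matching entry wins; no match means the implicit deny.
    A wildcard bit of 1 means 'ignore this bit', so compare under the inverted mask."""
    src = int(ipaddress.IPv4Address(src_ip))
    for action, addr, wild in entries:
        keep = ~wild & _ALL_ONES
        if (src & keep) == (addr & keep):
            return action == "permit"
    return False


def parse_management_plane(config):
    """Return (vty, snmp): vty maps 'first last' -> access-class id or None;
    snmp maps community -> (mode, acl id or None)."""
    vty, snmp, current = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            current = f"{m.group(1)} {m.group(2) or m.group(1)}"
            vty[current] = None
            continue
        m = re.match(r"\s+access-class (\S+) in\b", line)
        if m and current is not None:
            vty[current] = m.group(1)
            continue
        m = re.match(r"snmp-server community (\S+) (RO|RW)(?: (\S+))?$", line)
        if m:
            snmp[m.group(1)] = (m.group(2), m.group(3))
    return vty, snmp


def _admitted(acls, acl_id, src_ip):
    # No ACL bound, or an ACL referenced but never defined, is treated as
    # permit-all (assumption: matches IOS behaviour for undefined interface ACLs).
    if acl_id is None or acl_id not in acls:
        return True
    return acl_permits(acls[acl_id], src_ip)


def management_access(config, src_ip):
    """What src_ip can reach: {'vty': {range: bool}, 'snmp': {community: (mode, bool)}}."""
    acls = parse_acls(config)
    vty, snmp = parse_management_plane(config)
    return {
        "vty": {rng: _admitted(acls, acl_id, src_ip) for rng, acl_id in vty.items()},
        "snmp": {c: (mode, _admitted(acls, acl_id, src_ip)) for c, (mode, acl_id) in snmp.items()},
    }


def unguarded(config):
    """VTY ranges and SNMP communities with no source ACL at all: the audit finding."""
    vty, snmp = parse_management_plane(config)
    return ([r for r, a in vty.items() if a is None], [c for c, (_, a) in snmp.items() if a is None])


if __name__ == "__main__":
    for host in ("10.1.1.10", "10.1.2.77", "192.0.2.5"):
        print(host, management_access(SAMPLE_CONFIG, host))
    print("unguarded:", unguarded(SAMPLE_CONFIG))
```

Running it against the sample shows the point of the reply: the management host is admitted everywhere, a host in the RO subnet gets SNMP RO but not RW or VTY 0-4, and an arbitrary address is still admitted on `vty 5 15` and the unguarded `public` community, which is exactly what `unguarded()` flags. In practice the same `access-class` belongs on every VTY range, and no community should be left without an ACL.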
