SecurID and CiscoWorks

We want to use SecurID (through TACACS+) login for all our administrators when logging in to the routers. But we also want to use CW2000 for NetConfig and archiving configurations. CW2000 uses SNMP and Telnet access. Because of that, SNMP and user/password information must be configured in CW. Because there is no SecurID software token available for CW2000, I have to find another way to give CW access to the routers. On the other hand, I want no insecure (level 7) password on the routers, because of password-recovery possibilities showing the password. The best I found was defining an account on the TACACS server which can be used to log in to the routers, and if the user is not in the TACACS server it will ask the ACE server. That works fine, but now I can log in to ALL routers from all destinations, and that is also not secure. I tried using AAA authorisation to make an ACL active on the vty, and debugging shows the ACL is activated for the CW user, but I can still connect to all routers from all destinations and the ACL does not seem to work. Should this work? Another good way would be if it were possible to tell the TACACS server that it should only grant access if the CW user tried to connect from the CW machine, but I don't think this option exists, because it is not the end station asking for login but the router. So to conclude: is there a way to use SecurID with the changing passwords and also give ONLY CW2000 (fixed IP address) access with a static username/password?

1 REPLY
Anonymous

Re: SecurID and CiscoWorks

Use a fixed password for the CW user and, in ACS, under the user profile's Network Access Restrictions area, NAS (telnet, login, exec) Access Control, enter the IP address of CW as the only permitted source address for this user.
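
As an added illustration (not from either post), the router-side AAA configuration this thread implies, written for a Cisco IOS router of that era. Addresses are constructed (192.0.2.10 for the ACS/TACACS+ server, 192.0.2.20 for the CW2000 host, 198.51.100.0/24 for the administrators' network) and the secrets are placeholders; the per-user rule that the fixed-password CW account may only arrive from the CW2000 host stays on ACS, as the reply describes, because an inbound access-class on the line applies to every user.

```cisco
! Added example, not from the original posts; addresses and secrets are constructed.
! 192.0.2.10 = ACS (TACACS+), 192.0.2.20 = CW2000, 198.51.100.0/24 = admin network
aaa new-model
! SecurID administrators and the fixed-password CW account both authenticate via
! TACACS+ (ACS forwards SecurID users to the ACE server); the local database is
! consulted only when no TACACS+ server answers.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
tacacs-server host 192.0.2.10
tacacs-server key TACACS-KEY-PLACEHOLDER
!
! Fallback credentials use MD5 "secret" hashes rather than reversible type-7
! passwords, so neither password recovery nor "show running-config" reveals them.
enable secret ENABLE-SECRET-PLACEHOLDER
username fallback-admin privilege 15 secret FALLBACK-PASSWORD-PLACEHOLDER
!
! Coarse inbound filter on the VTYs: the CW2000 host plus the admin network.
! This is a line-wide filter, not per user; restricting the CW account alone to
! 192.0.2.20 is done in the ACS Network Access Restrictions, as in the reply.
access-list 10 remark management sources allowed to reach the VTYs
access-list 10 permit host 192.0.2.20
access-list 10 permit 198.51.100.0 0.0.0.255
access-list 10 deny any log
!
line vty 0 4
 access-class 10 in
 login authentication default
 authorization exec default
 accounting exec default
 ! CW2000 needs Telnet; use "transport input ssh" where the image supports it.
 transport input telnet
```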
