Limit DCR credentials to CiscoWorks software with ACS 5.1
We are currently deploying ACS 5.1 in our network. I would like to limit DCR credentials to the CiscoWorks software itself, not only to the server itself. Is it possible?
We would like to make sure nobody can use DCR credentials to open an administrative session on AAA clients without the CiscoWorks software (even if the attempt is made from the CiscoWorks server itself, by taking remote control of the server and trying a Telnet or SSH session from that point).
Re: Limit DCR credentials to CiscoWorks software with ACS 5.1
I don't think the end device would know the source application, only the source IP address, so even with ACLs etc., if the CiscoWorks server and credentials are compromised the user will be able to access.
To prevent this we got two admins to each generate a complex 8-character password, and then got them to set these in turn for the ACS account used by CiscoWorks (thus it has a 16-character password) and then set these using the "Default Device Credentials" in CiscoWorks.
Then, as CiscoWorks is ACS integrated, we removed the functionality to export the device credentials from users within the ACS shared profile components.
Thus the only way to exploit the credentials is to have both people remember the 8-character password they set and combine them into the 16-character password, or get the ACS administrator to re-enable device credential export.
Slightly convoluted but it works - it all comes down to suitable role separation between individuals.