Cisco Support Community
New Member

Limit DCR credentials to CiscoWorks software with ACS 5.1

Hi!

We are currently deploying ACS 5.1 in our network. I would like to limit DCR credentials to the CiscoWorks software itself, not only to the server itself. Is it possible?

We would like to make sure nobody can use DCR credentials to open an administrative session on AAA clients without the CiscoWorks software (even if the attempt is made from the CiscoWorks server itself, by taking remote control of the server and trying a Telnet or SSH session from that point).

2 REPLIES
New Member

Re: Limit DCR credentials to CiscoWorks software with ACS 5.1

I don't think the end device would know the source application, only the source IP address, so even with ACLs etc., if the CiscoWorks server and credentials are compromised the user will be able to access.

To prevent this we got two admins to each generate a complex 8-character password, and then got them to set these in turn for the ACS account used by CiscoWorks (thus it has a 16-character password) and then set these using the "Default Device Credentials" in CiscoWorks.

Then, as CiscoWorks is ACS integrated, we removed the functionality to export the device credentials from users within the ACS shared profile components.

Thus the only way to exploit the credentials is to have both people remember the 8-character password they set and combine them into a 16-character password, or get the ACS administrator to re-enable device credential export.

Slightly convoluted but it works - it all comes down to suitable role separation between individuals.

Hope this helps

New Member

Re: Limit DCR credentials to CiscoWorks software with ACS 5.1

Hi!

This is a working solution, but I think this will not be possible in our situation: individual users in our team should be able to add, remove, and modify device credentials in the CiscoWorks software.
