CW2K supports using external authentication for logins like TACACS+ etc. After you select and configure a login module, all authentication transactions are performed by that source. The CW2K Server still determines user roles; therefore, all users must be in the local database of user IDs and passwords. Users who are authenticated by an alternative service and who are not in the local database are assigned to the same role as the guest user (by default, the Help Desk role). To assign a user to a different role, such as the System Admin role, you must configure the user locally. Such users must have the same user ID locally as they have in the alternative authentication source. Users log in with the user ID and password associated with the current login module. See the User Guide for more details:
http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cw2000/cw2000_d/5steditn/gs_guide/setup.htm