12-14-2009 12:14 PM - edited 02-21-2020 03:49 AM
Hi!
We are currently deploying ACS 5.1 in our network. I would like to limit DCR credentials to the CiscoWorks software itself, not only to the server itself. Is it possible?
We would like to make sure nobody can use DCR credentials to open an administrative session on AAA clients without the CiscoWorks software (even if the attempt is made from the CiscoWorks server itself, by taking remote control of the server and trying a Telnet or SSH session from that point).
12-14-2009 01:35 PM
I don't think the end device would know the source application, only the source IP address, so even with ACLs etc., if the CiscoWorks server and credentials are compromised, the user will be able to access.
To prevent this we got two admins to each generate a complex 8-character password, and then got them to set these in turn for the ACS account used by CiscoWorks (thus it has a 16-character password) and then set these using the "Default Device Credentials" in CiscoWorks.
Then, as CiscoWorks is ACS integrated, we removed the functionality to export the device credentials from users within the ACS shared profile components.
Thus the only way to exploit the credentials is to have both people remember the 8-character password they set and combine them into the 16-character password, or get the ACS administrator to re-enable device credential export.
Slightly convoluted but it works - all comes down to suitable role separation between individuals.
Hope this helps
12-16-2009 03:43 AM
Hi!
This is a working solution, but I think this will not be possible in our situation: individual users in our team should be able to add, remove, and modify device credentials in the CiscoWorks software.