Symantec Privileged Access Management

  • 1.  CA PAM support for Password Management of Network Devices

    Broadcom Employee
    Posted Aug 25, 2016 01:27 PM

    Hi All,

    I am currently working on a POC requirement from a customer where the key requirement is to have password vaulting for all the network devices, which includes Cisco, Palo Alto Firewalls, Citrix NetScalers, Cisco ASA Firewalls etc.

    Expectation from Customer

    • The passwords of all local users created on the network devices should be managed by PAM
    • All the AD users who have access to network devices should log in to appliances in Normal Mode, but no password change should happen on the AD user credentials
    • ENABLE Level Mode / Expert Level Mode password should be managed by PAM, and should be passed to the user on demand by the user.
    • Integration with Active Directory / TACACS
    • If the logged-in user on the network device with admin permission changes the password manually, then PAM should override it once the user checks out.
    • Password can be changed on the network devices using web-based access to the devices, for example the user should login --> select from the web page Change Password option --> type the current password and then the updated password...
    • List of OOB connectors available for network devices

    Regards

    Sachin Sawant

    +91 9008622533



  • 2.  Re: CA PAM support for Password Management of Network Devices

    Posted Aug 25, 2016 07:25 PM

    Hello Sachin,

    Please open this question under the PAM communities page:
    PAM Community

    Thanks.



  • 3.  Re: CA PAM support for Password Management of Network Devices

    Posted Aug 29, 2016 01:41 PM

    I've added this question to the PAM category.



  • 4.  Re: CA PAM support for Password Management of Network Devices

    Posted Aug 30, 2016 03:08 AM

    Hi Sachin,

    You mention password vaulting for network devices. "Network device" seems to be a very generic term, and I am not sure whether all network devices will be supported by PAM. For your pointers, let me say what is possible to my knowledge.

    For Cisco devices (Router/Switches/ASA Firewall), local or TACACS, there will be no issue; I have all this working in my environment. I don't see any issue here with password change etc.

    For devices like Palo Alto, Citrix and other vendors, PAM doesn't have a connector. But using the Unix or Cisco connector their accounts can be managed to some extent.

    1) All the AD users who have access to network devices should log in to appliances in Normal Mode, but no password change should happen on the AD user credentials

    Yes, you can configure PAM to do this.

    2) ENABLE Level Mode / Expert Level Mode password should be managed by PAM, and should be passed to the user on demand by the user.

    Not sure.

    3) Integration with Active Directory / TACACS

    Integration with Active Directory is possible and works very well. You can even manage accounts which are mapped with TACACS.

    4) If the logged-in user on the network device with admin permission changes the password manually, then PAM should override it once the user checks out

    This is the functionality of master and slave accounts, which does the work of changing the admin account's password with the help of another admin account, but I am not sure if it does so immediately after the checkout. This is something which I have not tested.

    5) Password can be changed on the network devices using web-based access to the devices, for example the user should login --> select from the web page Change Password option --> type the current password and then the updated password...

    No, currently the password change option is not available for users. Only an admin can do the password change.
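    To make the check-in behaviour behind points 1 and 4 concrete, here is an added Python simulation; it is not CA PAM code and uses no CA PAM API. The `Device` class is a constructed in-memory stand-in for a network device's local user database, and `Vault`, `ManagedAccount` and `run_demo` are hypothetical names. It shows a verify-only AD account left untouched at check-in, and a local account whose manually changed password is reset through a master account at check-in, with every verify and reset written to an audit log.

```python
# Hypothetical simulation of "verify on check-in, reset via master account".
# Not CA PAM code; Device is a constructed stand-in for a network device.
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass, field


class Device:
    """In-memory stand-in for a device's local user database (constructed)."""

    def __init__(self, users: dict[str, str]) -> None:
        self._users = dict(users)

    def login(self, user: str, password: str) -> bool:
        # Constant-time compare, as a real credential check should do.
        return secrets.compare_digest(self._users.get(user, ""), password)

    def change_own_password(self, user: str, old: str, new: str) -> None:
        if not self.login(user, old):
            raise PermissionError("current password rejected")
        self._users[user] = new

    def set_password(self, admin: str, admin_pw: str, target: str, new: str) -> None:
        # Resetting another account requires a privileged (master) login.
        if not self.login(admin, admin_pw):
            raise PermissionError("master account authentication failed")
        self._users[target] = new


def _generate(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


@dataclass
class ManagedAccount:
    name: str
    password: str
    rotate: bool                # False for AD/TACACS accounts: verify only
    master: str | None = None   # account allowed to reset this (slave) account


@dataclass
class Vault:
    device: Device
    accounts: dict[str, ManagedAccount] = field(default_factory=dict)
    log: list[str] = field(default_factory=list)

    def add(self, acct: ManagedAccount) -> None:
        self.accounts[acct.name] = acct

    def verify(self, name: str) -> bool:
        """Check that the vaulted password still works on the device."""
        ok = self.device.login(name, self.accounts[name].password)
        self.log.append(f"verify {name}: {'ok' if ok else 'MISMATCH'}")
        return ok

    def checkout(self, name: str) -> str:
        self.log.append(f"checkout {name}")
        return self.accounts[name].password

    def checkin(self, name: str) -> str:
        """Return the action taken: verified, drift, rotated or reset."""
        acct = self.accounts[name]
        in_sync = self.verify(name)
        if not acct.rotate:
            # AD/TACACS accounts: never changed by the vault, drift is only reported.
            return "verified" if in_sync else "drift"
        new_pw = _generate()
        if acct.master is not None:
            # Master account resets the slave regardless of a manual change.
            m = self.accounts[acct.master]
            self.device.set_password(m.name, m.password, name, new_pw)
            action = "rotated" if in_sync else "reset"
        elif in_sync:
            self.device.change_own_password(name, acct.password, new_pw)
            action = "rotated"
        else:
            return "drift"  # no master account: cannot recover the credential
        acct.password = new_pw
        self.log.append(f"{action} {name}")
        return action


def run_demo() -> dict[str, str]:
    # Constructed sample device with one master, one local admin and one AD user.
    device = Device({"admin": "Master-1", "netops": "Local-1", "jdoe": "AD-pw"})
    vault = Vault(device)
    vault.add(ManagedAccount("admin", "Master-1", rotate=True))
    vault.add(ManagedAccount("netops", "Local-1", rotate=True, master="admin"))
    vault.add(ManagedAccount("jdoe", "AD-pw", rotate=False))
    results: dict[str, str] = {}
    # Point 1: AD user session ends with the AD credential unchanged.
    vault.checkout("jdoe")
    results["ad_user"] = vault.checkin("jdoe")
    # Point 4: local admin changes the password manually during the session.
    pw = vault.checkout("netops")
    device.change_own_password("netops", pw, "changed-by-hand")
    results["manual_change"] = vault.checkin("netops")
    results["after"] = "ok" if vault.verify("netops") else "MISMATCH"
    return results


if __name__ == "__main__":
    print(run_demo())
```

    The `checkin` result is what an audit process would look for: an AD account can only ever report `verified` or `drift`, while a local account with a master configured ends every session with a credential the vault knows, whether or not the user touched it.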



  • 5.  Re: CA PAM support for Password Management of Network Devices

    Broadcom Employee
    Posted Aug 30, 2016 04:33 AM

    Thanks Asif, but I am facing issues on Cisco ASA Firewalls, where I am not able to update the passwords for any accounts. It would be a great help if you can share the script or some snapshots related to the configuration.

    To summarize the other points:

    • Point No 4: As per the logic, I should have an account which will be like a master account that will manage the credentials for all the slave accounts.
    • Point No 5: We don't support password changes via HTTP

    Regards

    Sachin Sawant

    +91 9008622533



  • 6.  Re: CA PAM support for Password Management of Network Devices
    Best Answer

    Posted Aug 30, 2016 06:14 AM

    Hi Sachin,

    For Cisco ASA Firewall, I have an Active Directory account which is integrated with TACACS. I am able to update the password by using Cisco as the application type and selecting the TACACS option under Accounts.

    For the local account of Cisco ASA, I am yet to schedule a password change. Maybe I can update you on this later once I have tested. (Have you checked with support on this?)

    But if you are facing an issue then there might be a problem with the connector.

    I agree with you on the point no 4 and 5 understanding.