Hi Sachin,
You mention password vaulting for network devices. "Network device" seems to be a very generic term; not sure if all network devices will be supported by PAM. For your pointers, let me say what is possible to my knowledge.
For Cisco devices (routers/switches/ASA firewalls), local or TACACS, there will be no issue; I have all this working in my environment. I don't see any issue here with password change, etc.
For devices like Palo Alto, Citrix and other vendors, PAM doesn't have the connector. But using the Unix or Cisco connector, their accounts can be managed to some extent.
1) All the AD Users who have access to Network Devices should login to appliances in Normal Mode, but no password change should happen on the AD User Credentials
Yes, you can configure PAM to do this.
2) ENABLE Level Mode / Expert Level Mode Password should be managed by PAM, and should be passed to the user on demand by the user.
Not sure
3) Integration with Active Directory / TACACS
Integration with Active Directory is possible and works very well. You can even manage accounts which are mapped with TACACS.
4)If the logged in user on the Network Device with Admin Permission changes the password manually, then PAM should override it once the user checks out
This is a functionality of master and slave accounts, which does the password change of an admin account with the help of another admin account, but not sure if it does so immediately after the checkout. This is something which I have not tested.
5)Password Can be changed on the Network Devices using Web Based Access of the Devices, for example the user should login --> select from the Web Page Change Password Option --> Type the current password and then Updated Password...
No, currently the password change option is not available for users; only an admin can do the password change.