Customer would like to use CA PAM to manage the below network management devices:
They want to use PAM for both session as well as password management on these devices. So far, we managed to secure the below details from the customer:
Uses ACS/TACACS for authentication.
Configured to use local authentication when ACS is not available.
Uses AD for authentication.
Has local admin accounts
We believe there is no OOTB connector available to manage these devices. We wanted to reach out to the greater team for your inputs on:
We are operating under tight timelines to deliver a response back to the customer. We appreciate your inputs!
This is what I can suggest.
Access Management:
Device management depends on the way the device is configured for access, i.e. SSH/RDP/web. In your case it would most likely be web and SSH. I don't see any issue in integrating these devices for access management; it should be smooth. I have configured many devices with web-based access methods, and almost all of them have worked except vCenter 6.0. So you should be good to go.
Password Management:
I understand you are going to use TACACS authentication (ACS), Active Directory (LDAP) and local accounts.
Again, you need not worry, because there is a connector called "Cisco" in the Target Application. Using that you can use TACACS-based authentication; I have this working in my setup without any issue.
For RSA you mention using AD authentication. For that there is a connector called Windows Domain Services. This should suffice for your requirement.
To learn more on this you may refer to the document "CA-PAM-2.6_ImplementationGuide_v1_GA.pdf", page 10 onwards, if you haven't seen it.
Hope this will give you a jump start. Let me know if you need anything else.
The ask is for local accounts on RSA and the Cisco infrastructure servers, not the accounts or credentials that these servers are managing.
It's a subtle, but important, distinction.
It all depends on what OSs those servers are running, and whether they have CLI-based interfaces that accommodate password changes.
If the server is Windows, we can use the Windows Proxy to manage local accounts. The Windows Proxy doesn't have to be installed on the appliance itself.
If the server is running on Linux/UNIX, we can use the UNIX connector for local accounts.