Symantec Privileged Access Management

  • Private Community
 View Only

  • 1.  Manage Cisco Prime Infrastructure and RSA Authentication Appliance using CA PAM

    Posted Jun 01, 2016 05:04 PM


    Team,

     

    Customer would like to use CA PAM to manage the below network management devices:

    • Cisco Prime Infrastructure Server
    • RSA Authentication Appliance

     

    They want to use PAM for both session as well as password management on these devices. So far, we managed to secure the below details from the customer:

     

    Device NameAuthentication
    Cisco Prime Infrastructure Server

    Uses ACS/TACACS for authentication.

    Configured to use local authentication when ACS is not availlable

    RSA Authentication Appliance

    Uses AD for authentication.

    Has local admin accounts

     

    We believe there is no OOTB connector available to manage these devices. Wanted to reach out to the greater team for your inputs on:

    • whether anyone has implemented PAM with the above mentioned device types?
    • If so, what was the level of effort to make them work with PAM? And are there any 'how to' (or) 'as configured' documents outlining the instructions?

     

    We are operating under tight timelines to deliver a response back to the customer. Appreciate your inputs!!

     

    Regards,

    Aravind G



  • 2.  Re: Manage Cisco Prime Infrastructure and RSA Authentication Appliance using CA PAM

    Posted Jun 02, 2016 03:06 AM

    HI Aravind,

     

    This is what I can suggest.

     

    Access Management :

    Device management depends on the way device is configured to access ie (ssh/rdp/web), In your case it would most likely be web and ssh. I don't see any issue in integrating these device for access management,It should be smooth.I have configured many device with web based and access method, almost all of them have worked except VCenter 6.0. So you should be good to go.

     

    Password Management :

     

    I understand you are going to use Tacas authentication(ACS) and Active directory(LDAP) and local account.

     

    Again you need not worry, Because there is a connector available called "Cisco" in the Targert application, Using that you can use tacas based authentication, I have this working in my setup without any issue.

     

    For RSA you mention using AD authentication, For that there is a Connector called Windows Domain services. This should suffice your requirement.

     

    To Learn more on this you may refer to the document "CA-PAM-2.6_ImplementationGuide_v1_GA.pdf" Page 10 onwards if you haven't seen.

     

    Hope this will give you jump start, Let me know if you need any thing else.



  • 3.  Re: Manage Cisco Prime Infrastructure and RSA Authentication Appliance using CA PAM
    Best Answer

    Broadcom Employee
    Posted Jun 02, 2016 01:52 PM

    The ask is for local accounts on RSA, and the Cisco Infrastructure servers, not the accounts or credentials that these servers are managing. 


    It's an subtle, but important distinction. 


    It all depends on what OS's those servers are running, and if they have CLI-based interfaces that accommodate password changes. 


    If the server is Windows, we can use the Windows Proxy to mange local accounts. The Windows Proxy doesn't have to be installed on the appliance itself.  


    If the server is running on Linux/UNIX, we can use the UNIX connector for local accounts.