We are using CA PAM 2.8.3 now and we have Cisco devices added to PAM. The Cisco OS version is 15.4.
We could successfully configure the Cisco for accessing by SSH. And we followed the document How to configure CA PAM to manage local accounts in Cisco devices to setup the Cisco application and its account.
When we click generate credential for normal account (privilege 0), the credential could be updated without error on PAM side. While there is no credential updated on Cisco side.
Thus, I'd like to know whether PAM supports password management (changing password) on Cisco OS 15.4 or not. If yes, it would be grateful if you could share the setting. If no at this moment, will CA team carry out an investigation on this issue? As I thought that Cisco should be the common device which should be fully supported by CA PAM.
I am looking forward to your reply. Thanks.
Our Support Compatibility Matrix doesn't mention any specific versions for Cisco devices, so I believe any should work. For Cisco specifically it is important to make sure you selected the correct radio button for version when you created the Target Application. Please check your Target Application to confirm that you have selected "IOS 12.4 or higher". Assuming that is correct, you may be able to slightly modify the defaults under the "Script Processor" to get this working in your version.
There are also a few options when creating Cisco Target Accounts that may be relevant. Please check the Target Account definition for additional settings like privileged user execution options, which may be important in your environment.
If you want to troubleshoot this yourself a bit, you can increase the CA PAM Tomcat Log level to Config, reproduce this issue, then use View Recent Entries button to see the results in the Tomcat log. This should give you more info on why the password change failed. You could also get more info from the Cisco device side by setting it's SSH into debug mode and monitoring the outputs there.
If you find that there is a security problem connecting to the Cisco device, you may need to change the Target Application's SSH-2 or Telnet settings to comply with your devices expectations.
If you are still unable to rotate passwords after checking theses, you should open a support ticket to have this better looked at.
CA Technologies - North America
Sorry for late reply due to on leave. Your suggestion is very helpful. I followed your instruction to change Tomcat log level to Config and then I found below clue:
INFO: received data 'username user secret 0 xxxxxxxxxxERROR: Can not have both a user password and a user secret.Please choose one or the other.
In our Cisco device, we change account password by using command "username user privilege 0 password xxxx". That should be the reason why Cisco side could not update the new password. I will discuss with the CA support and see if they can provide some updates about it.
recently one of our colleagues had to deal with a partner configuring password rotation for Cisco 15.x devices and he was successful, so I assume those versions are also supported.
(Very useful technical note: How to configure CA PAM to manage local accounts i - CA Knowledge ) from Ed V. on support site.