Idea Details

Ability to assign multiple target account under policy(transparent login)

Last activity 06-03-2019 08:43 PM
AsifShaikh's profile image
08-18-2016 03:25 AM

I have configured a policy between user group and a Cisco device and mapped 2 accounts for ssh connection.

But I am unable to assign both account under transparent login option inside the same policy, Software allows only one account. This is creating a problem for me.


I have notified this bug to CA support but CA support is has asked me to create an idea.


There should be a way where bug can be treated separately instead of posting on community as idea.


Hoping for a quick reply from CA Product team.


01-08-2019 07:57 AM

Hi community


Any idea of when CA developed this idea? it is very crtitical and necesary functionality

06-21-2018 02:54 AM

When is this Planned? This is a 2-year-old idea with 22 votes, But still, there is no progress. CA should increase their development speed to keep it up with the demand.

05-20-2018 02:55 AM

Absolutely right. Missed it was about SSH accounts.

05-20-2018 02:48 AM

Not sure how come Rdp application came into the picture, we are discussing a simple SSH connection with multiple target account and same target account under secondary transparent login.

05-17-2018 11:36 PM

A workaround can be to use multiple RDP applications. The user will see multiple applications with the same client, but named slightly different.


ClientApp as acc1

ClientApp as acc2

ClientApp as acc3



In the RDP application path, the command line used must be unique. You can create the uniqueness by adding a dummy parameter to the execution command.


"c:\program files\ClientApp.exe" -useAcc1

"c:\program files\ClientApp.exe" -useAcc2

"c:\program files\ClientApp.exe" -useAcc3


The extra parameter does not need to be recognized by the ClientApp.exe, just add it to create a unique execution command. If you try to create a policy using different RDP applications, but having the same execution path, this will not be accepted when you try to create a policy using multiple RDP applications. Thus by using the dummy parameter your execution path is unique and you can create a policy using different RDP applications all calling the same ClientApp.exe, but using different second login accounts. The different RDP applications should use different accounts for second login. 


When you specify the execution command, use double quotes (" ") around the command path and program, but not the dummy parameter. If you include the dummy parameter within the quotes, the TL script will not start.

05-17-2018 06:04 AM

I want Transparent login to give me the option to specify the same number of accounts which i have to specify in the auto login. 


Meaning, If I have specified 2 accounts in the auto login then i should be able to specify same two accounts in the transparent login. but currently, we cannot specify more than one account under transparent login which is an issue. Refer screenshot below.


05-15-2018 12:37 PM

Right, that's what sudo transparent login does. It uses the password of the target account that was used for auto-login. And you want the same to happen for the enable command. So I think you want two options : (1) use auto-login account (2) Use other account -> here you would specify some other account that would always be used independent of who logged on. Right now we only offer (2) for a custom TL command.

05-15-2018 12:28 PM

Hi Ralf,


Idea is very simple and logical, I will try to explain it as clear as possible.


Let say you have a device where you have enabled command string with key word "enable", Now the expected behavior is that when ever an admin logs in to the device through pam by selecting the target account mapped in the policy(root or admin etc), he will automatically get the credential feed by pam if he initiates "enable" command which we have defined.

This is possible because in the Policy we have a new option called Transparent login right at the end wherein we have supplied the same account which we have configured under access method.

So far all good !!.


Now The second scenario (which is a problems statement or an idea)


Let say we have configured two accounts under the policy--access( ie : root and admin1 )

Now logically we should have option to select both account under the transparent login option of the same policy but there you can only select 1 account at a time. This is an issue.


So here is my IDEA.


1. The transparent login option should allow multiple account search hand selection just the access option under the policy.

2. The logic of the access management/password management should change so that it understands which account is selected by the admin(incase of multiple account) so that the same account password is supplied when command string is invoke by the admin.


Hope i was able to explain better this time around.

05-08-2018 11:35 AM

Hi Asif, I am not aware of a change. My impression is that you don't really want to configure multiple target accounts. What you want is that the "enable” command can be configured the same way that you can configure sudo or pbrun transparent logon for UNIX systems: When the user runs the enable command, PAM transparently inserts the password of the target account that was used for auto-logon. Is that right? If true, you would want to rephrase the idea.

05-08-2018 11:11 AM

Would you elaborate this? Is there something thing new which was released and I am unaware? 

05-07-2018 01:33 AM

You can use device group or user group to manage more than one transparent account.

02-27-2018 12:13 PM

Product Team, Would you specify in which version can we expect this feature to be delivered


This is a two year old idea and it is in wish list aswell. 

03-23-2017 06:24 AM

yes i think this mandatory needed now, cause our competitor also can do it in they feature,

from User admin perspective must be common can access to GUI app on using more than one account and it's not helping us as admin if we must delete and create policy for cover this activity

03-13-2017 01:27 PM

Hi AsifShaikh - This has been added to our wishlist for future consideration.  Thanks again for your submission.



08-21-2016 12:49 AM

In user Access policy user will see cisco ASA firewall,

Upon clicking on SSH connection method he will see two Accounts,

Based on account selection ssh applet with transparent login will take him to normal user mode.

Here user needs to move into privilege or exec mode ,he will  type "enable" command , doing so PAM will feed the "enable" password transparently.(enable password is the same password of the account he selected , doesn't require any separate provisioning in pam)


Problem arises when user selects 2nd account in access policy page while launching ssh connection, The first stage is done successfully meaning pam is taking him in normal user mode ,Now users enters "enable" command , here pam will feed the credential of first account because there is no option of mapping two account under the policy->Transparent login.


Hope this is clear.

08-18-2016 03:33 PM

HI AsifShaikh - Thank you for your submission.  Could you elaborate on the expected behavior?