How to configure CA PAM to manage local accounts in Cisco devices

Document ID : KB000009713
Last Modified Date : 17/09/2018



The purpose of this document is to show you how to configure CA PAM to manage passwords for local accounts on a Cisco IOS or Cisco ASA device.




Your best chance of success is to begin by understanding how an administrator would change a password when logged in to the device directly.  In this figure you can see the login of a standard user, privilege 0.  Notice the ">" at the end of the prompt, and that it changes to "#" when the enable command is used to elevate the user's privileges.  You must be in enable mode in order to make configuration changes, which includes changing a local account's password (the change itself is entered from global configuration mode, which is reached from enable mode).  Going into enable mode is comparable to elevating privileges on a Unix system with the su command.  Please note that CA PAM appears to need to see the standard-mode prompt in order for this to work properly.


Figure 1 - Cisco login.png

A privilege 15 user, which lands directly in enable mode, currently cannot be used by CA PAM to manage Cisco local passwords (but see the Additional Information at the end of this document).  The next picture shows the configuration of local user accounts on a Cisco switch.

Figure 11 - Cisco local users.png


The next step is to add the device to CA PAM.  The next figure shows the device details.  In order for you to manage passwords for this device you must check the Password Management box.  This makes the device visible when you configure the Target Application.

Figure 2 - Cisco device detail.png



On the Application page, you need to fill out the Host Name, Device Name, Application Name and Application Type fields.  The first two you can fill out together by clicking on the magnifying lens (highlighted) and selecting the desired device from the list.  A device is only listed here if the Password Management box was checked on the Device page.  Set the Application Name to whatever you like and select Cisco in the Application Type pull-down menu.  Select the Cisco Variant using the radio buttons and change the Timeout and Prompts, if necessary, to match what is seen on the device.  The default prompts vary depending on the Cisco Variant, and the Cisco administrator may have changed the prompts on the device.  Make sure that the regular expressions you enter in the prompt fields (or the defaults, if you enter nothing) match the prompts actually used on the Cisco device.  You can confirm this by logging in to the device directly and going through the password change process manually, as was demonstrated in the first picture in this document.

Figure 3 - Target Application.png
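The following is an added example, not part of the original document and not CA PAM code.  It models the prompt matching that an expect-style password manager performs while walking a privilege 0 login through enable mode, configuration mode and the username command, so that you can check candidate prompt regular expressions against the prompts your device really prints before typing them into the Prompts fields.  The FakeIosDevice class, the PROMPTS patterns and the change_local_password function are constructed for this example and are assumptions about typical IOS behaviour, not the product's own defaults; the only real IOS syntax used is "enable", "configure terminal", "username NAME secret PASSWORD" and "end".  The second run shows the privilege 15 failure mode described above: the session starts at a "#" prompt, so the standard-mode prompt the manager waits for never appears.

```python
import re

# Prompt patterns of the kind that would go into the Target Application
# "Prompts" fields. Illustrative assumptions, not CA PAM's defaults:
# verify each one against a manual login to your own device.
PROMPTS = {
    "user":     re.compile(r"^[\w.\-]+>\s*$"),             # Switch>
    "enable":   re.compile(r"^[\w.\-]+#\s*$"),             # Switch#
    "config":   re.compile(r"^[\w.\-]+\(config\)#\s*$"),   # Switch(config)#
    "password": re.compile(r"^Password:\s*$"),             # enable password prompt
}


class FakeIosDevice:
    """Minimal stand-in for a Cisco IOS CLI, constructed for this example.
    It tracks the mode of one session and the local username database."""

    def __init__(self, hostname, users, enable_secret, login_privilege=0):
        self.hostname = hostname
        self.users = dict(users)           # username -> password
        self.enable_secret = enable_secret
        # A privilege 15 login lands directly in enable mode (prompt ends in '#').
        self.mode = "enable" if login_privilege == 15 else "user"

    def prompt(self):
        if self.mode == "user":
            return f"{self.hostname}>"
        if self.mode == "config":
            return f"{self.hostname}(config)#"
        if self.mode == "password":
            return "Password:"
        return f"{self.hostname}#"

    def send(self, line):
        """Apply one command line and return the prompt printed afterwards."""
        if self.mode == "password":
            # Wrong enable secret drops the session back to user mode.
            self.mode = "enable" if line == self.enable_secret else "user"
        elif self.mode == "user" and line == "enable":
            self.mode = "password"
        elif self.mode == "enable" and line == "configure terminal":
            self.mode = "config"
        elif self.mode == "config":
            m = re.match(r"^username (\S+) (?:secret|password) (\S+)$", line)
            if m:
                self.users[m.group(1)] = m.group(2)
            elif line == "end":
                self.mode = "enable"
        return self.prompt()


def change_local_password(device, username, new_password, enable_secret):
    """Drive the change the way an expect-style manager does: wait for the
    expected prompt, send the next command, repeat. Returns (ok, reason)."""
    steps = [
        ("user",     "enable"),
        ("password", enable_secret),
        ("enable",   "configure terminal"),
        ("config",   f"username {username} secret {new_password}"),
        ("config",   "end"),
    ]
    seen = device.prompt()
    for expected, command in steps:
        if not PROMPTS[expected].match(seen):
            return False, f"expected {expected!r} prompt, got {seen!r}"
        seen = device.send(command)
    if not PROMPTS["enable"].match(seen):
        return False, f"did not return to enable mode, got {seen!r}"
    if device.users.get(username) != new_password:
        return False, "password not applied"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data: hostname, local users and enable secret.
    p0 = FakeIosDevice("Switch", {"pamuser": "old"}, "en4ble", login_privilege=0)
    print(change_local_password(p0, "pamuser", "N3w-Pass", "en4ble"))
    p15 = FakeIosDevice("Switch", {"admin": "old"}, "en4ble", login_privilege=15)
    print(change_local_password(p15, "admin", "N3w-Pass", "en4ble"))
```

When you adapt the patterns, anchor them to the end of the line and make sure the "enable" pattern cannot also match the configuration-mode prompt, otherwise the manager may send "configure terminal" from the wrong mode and then wait forever for a prompt that never matches.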



Configuring the account to be managed is a three-step process.  First, on the Account page, fill in the first three fields: click the second magnifying lens and select the Cisco application you configured in the previous step, enter the name of the account on the target device that is to be managed, and enter that account's current password exactly as it is set on the device.  The connection type defaults to ssh-2; select telnet only for devices that do not support SSH, and be aware that telnet is inherently insecure because it carries the credentials, including every new password CA PAM sets, in clear text across the network.  The page suggests that the account can be marked as Priv Mode (Privilege 15), but this is unlikely to work.  Specify a standard (privilege 0) user, set its password, select Update only the Password Authority and click Save.

Figure 4 - Target Account.png

Second, create a dummy account to hold the enable password.  Add a new account, select either your Cisco application or a Generic Application, and enter the enable password as its password.  Select Connect As This Account, select Update only the Password Authority, and click Save.  Notice that Access Privilege Mode As another user is selected; the dummy account must exist before it can be chosen there, which is why it is created first.

Figure 5 - Target Account for enable password.png

Third, click the account name in the Account List to reopen the managed account.  Select Update Both, which keeps the password in sync between the device and the Password Authority, and click Save.  With the enable-password account created first, you can now enter the accounts you want to manage, as in the upper panel.  You can also use one account to change the passwords of others by specifying Connect As the following account.

Figure 6 - Target Account with enable.png


When you click Save with "Update both" selected, CA PAM uses the password you gave it to log in to the target device.  If it matches and the login succeeds, the account is verified.  You are taken back to the account list, where a green ball with a check mark appears on the right side of the line on which your account is listed.  Once an account has been verified, its password may be updated manually, by a scheduled job, or by password aging.  What to do when the account does not verify is a subject for another document.

Figure 7 - Account list.png

There may be other ways to perform this task, but this one is proven. 


Additional Information:
Cisco privilege 15 accounts can be managed by a privilege 0 account with the fix in DE385053, delivered in Patch 3.0.4, Patch 3.1.3 and Patch 3.2.3.