HOW-TO: Set up a device for RDP or SSH with automatic login in CA PAM 2.x.

Document ID : KB000009634
Last Modified Date : 14/02/2018
Introduction:

How do I set up a device to allow automatic login through RDP or SSH?

Background:

The first thing you will need to know is the 2 sides of CA PAM that you will be using. The first side is commonly referred to as the Access side. This is the part of the application that you are brought to when you first log in. Here you can manage the Global Settings, Services, CA PAM Users (Not Target users), Devices, and Policy. On the Access side you can also find session logs and basic information about the CA PAM appliance. The other side is referred to as the Password Management side. On this side you can manage Account Credentials, Target Applications, Password Rules & Rotation, Reports, and A2A settings. To get to the Password Management side from the Access side choose Policy > Manage Passwords.


Note: This guide describes the minimal settings to get automatic login to a device set up. For further customization and options refer to the CA PAM documentation.

Environment:
Any Supported Linux/UNIX SSH device
Any Supported Windows RDP device
CA PAM 2.x
If you are looking for information on 3.x please see this updated version of this guide: https://support.ca.com/us/knowledge-base-articles.TEC1927705.html
Instructions:

In order to set up a Device for automatic login you will need to set up the minimum 4 pieces (in order): Device, Target Application, Target Account & Access Policy.

Note: Windows specific items will be tagged "WINDOWS" and Linux/UNIX specific items will be tagged "UNIX".

1) Create a Device

I- On the Access Side go to Devices > Manage Devices > Create Device
II- Fill in the following:
Device Name: Name of the device (Can be whatever you want)
Address: IP Address or Hostname/FQDN to access the device.
Operating System: You should select the closest to the actual OS. (This field currently has no effect on settings or functionality, it is only used for informational purposes & filters.)

Device Type: Ensure Access & Password Management are both checked.
WINDOWS: Access Methods: Click the RDP link. If your server uses a non-standard port for RDP, change it under port.
UNIX: Access Methods: Click the SSH link. If your server uses a non-standard port for SSH, change it under port.
--For the purposes of this guide leave all other fields at their default setting.
III- Save

2) Create a Target Application

I- Enter the Password Management side. (Policy > Manage Passwords) 
II- Targets > Applications > Add
III- Click the magnifying glass next to the Host Name box & select your device. This will populate Host Name and Device Name based on the Device settings.
IV- Fill in the following:
WINDOWS: Application Name: We suggest something descriptive like "RDP - hostname", however you can name it whatever you want. It will be specific to this device only.
WINDOWS: Application type: Generic
UNIX: Application Name: We suggest something descriptive like "SSH - hostname", however you can name it whatever you want. It will be specific to this device only.
UNIX: Application type: UNIX
UNIX: Click on script processor & select the radio button for your OS. If your OS is not listed or you are unsure use "Generic".
--For the purposes of this guide leave all other fields at their default setting.
V- Save

3) Create a Target Account

I- On the Password Management side: Targets > Accounts > Add
II- Click the magnifying glass next to the Application Name box & select the target application you made.
--This will fill in Host Name & Device name for you.
III- Fill in the following:
Account Name: The username of the account you wish to use to login.
Password: Fill in the current password for the user.
--For the purposes of this guide leave all other fields at their default setting.
IV- Save

4) Create an Access Policy

I- On the Access Side select: Policy > Manage Policies
II- Click the user box and start typing the username of the CA PAM user who should be able to use the device/account you set up. This will bring up a list of users, click the user to select it. (if you don't click the user it won't be selected properly)
III- Click the device box and start typing the name of the device set up. This will bring up a list of devices, click the device to select it. (if you don't click the device it won't be selected properly)
IV- With both filled in click Create Policy.
V- Add the access method & account
WINDOWS: In the new policy box: Access > Add > Check RDP. A text box will appear; click in it and select the account you added in step 3.
UNIX: In the new policy box: Access > Add > Check SSH. A text box will appear; click in it and select the account you added in step 3.
--For the purposes of this guide leave all other fields at their default setting.
--Tip: To make the password viewable by the user you can add it under Passwords like you did for Access.
VI- Save

5) Test it out!

I- Log in with the account you set for the policy (if you aren't already) and go to the access page. You should see the device with Access Method of RDP or SSH (depending on OS).
II- Start the session: Click RDP or SSH (depending on OS) and it will open the session and log the user in automatically.
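
The four pieces above depend on each other in order (Device, Target Application, Target Account, Access Policy), so a planned onboarding can be checked for consistency before it is entered in the UI. The following Python check is an added example, not CA PAM code or part of the original guide; the dictionary keys and the sample host, account and user names are hypothetical, and the standard ports 3389 (RDP) and 22 (SSH) are assumed when no port is given.

```python
# Added example (hypothetical field names). Platform -> (method, app type, port).
RULES = {"WINDOWS": ("RDP", "Generic", 3389), "UNIX": ("SSH", "UNIX", 22)}

def validate_plan(plan):
    """Return a list of problems; an empty list means the four pieces line up."""
    problems = []
    devices = {d["name"]: d for d in plan.get("devices", [])}
    apps = {a["name"]: a for a in plan.get("applications", [])}
    accounts = {(a["application"], a["account"]): a for a in plan.get("accounts", [])}
    for name, d in devices.items():  # step 1: Device
        if d.get("platform") not in RULES:
            problems.append(f"device {name}: platform must be WINDOWS or UNIX")
            continue
        method, _, std_port = RULES[d["platform"]]
        if not {"Access", "Password Management"} <= set(d.get("device_type", [])):
            problems.append(f"device {name}: check Access and Password Management")
        if d.get("access_method") != method:
            problems.append(f"device {name}: access method should be {method}")
        port = d.get("port", std_port)  # omitted port means the standard one
        if not (isinstance(port, int) and 1 <= port <= 65535):
            problems.append(f"device {name}: invalid port {port!r}")
    for name, a in apps.items():  # step 2: Target Application
        dev = devices.get(a.get("device"))
        if dev is None:
            problems.append(f"application {name}: unknown device {a.get('device')}")
        elif dev.get("platform") in RULES and a.get("type") != RULES[dev["platform"]][1]:
            problems.append(f"application {name}: type should be {RULES[dev['platform']][1]}")
    for (app, acct), a in accounts.items():  # step 3: Target Account
        if app not in apps:
            problems.append(f"account {acct}: unknown application {app}")
        if not a.get("password_set"):
            problems.append(f"account {acct}: current password not supplied")
    for p in plan.get("policies", []):  # step 4: Access Policy
        key = (p.get("application"), p.get("account"))
        if key not in accounts:
            problems.append(f"policy for {p.get('user')}: account {key[1]} not defined")
        elif apps.get(key[0], {}).get("device") != p.get("device"):
            problems.append(f"policy for {p.get('user')}: account is not on {p.get('device')}")
    return problems

# Constructed sample plan: one UNIX host on a non-standard SSH port.
SAMPLE_PLAN = {
    "devices": [{"name": "web01", "platform": "UNIX", "access_method": "SSH",
                 "port": 2222, "device_type": ["Access", "Password Management"]}],
    "applications": [{"name": "SSH - web01", "device": "web01", "type": "UNIX"}],
    "accounts": [{"application": "SSH - web01", "account": "svc_admin", "password_set": True}],
    "policies": [{"user": "jdoe", "device": "web01",
                  "application": "SSH - web01", "account": "svc_admin"}],
}
```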


Additional Information:

If you have any questions about this please refer first to the CA PAM Documentation.

This doc link has additional information on what Devices, Target Applications & Target Accounts are and how they interact:

https://docops.ca.com/ca-privileged-access-manager/2-8-3/EN/implementing/configure-credential-manager-targets/register-target-accounts

 

If you are looking for information on 3.x please see the updated version of this guide:

https://support.ca.com/us/knowledge-base-articles.TEC1927705.html