HOW-TO: Set up a device for RDP or SSH with automatic login in CA PAM 3.x.

Document ID : KB000010775
Last Modified Date : 14/02/2018
Introduction:

How do I set up a device to allow automatic login through RDP or SSH?

Background:

This guide describes the minimal settings needed to set up automatic login to a device. For further customization and options, refer to the CA PAM documentation.

Environment:
Any Supported Linux/UNIX SSH device
Any Supported Windows RDP device
CA PAM 3.x
If you are looking for information on 2.x please see the older version of this guide:
https://support.ca.com/us/knowledge-base-articles.TEC1069574.html

Instructions:

To set up a Device for automatic login you need to set up at minimum 4 pieces, in this order: Device, Target Application, Target Account & Access Policy.
Note: Windows specific items will be tagged "WINDOWS" and Linux/UNIX specific items will be tagged "UNIX".

1) Create a Device

I- Navigate to: Devices > Manage Devices > Create Device
II- Fill in the following:

Basic Info Tab:
Device Name: Name of the device (Can be whatever you want)
Address: IP Address or Hostname/FQDN to access the device.
Operating System: You should select the closest to the actual OS. (This field currently has no effect on settings or functionality, it is only used for informational purposes & filters.)
Device Type: Ensure Access & Password Management are both checked.

Access Methods Tab:
WINDOWS: Click the + (plus) button, then under Name select RDP
UNIX: Click the + (plus) button, then under Name select SSH
--For the purposes of this guide leave all other fields at their default setting.
III- Click OK to Save

2) Create a Target Application 

I- Navigate to: Credentials > Manage Targets > Applications > Add
II- Click the magnifying glass icon next to the Host Name box & select your device. This will populate Host Name and Device Name based on the Device settings.
III- Fill in the following:
WINDOWS: Application Name: We suggest something descriptive like "RDP - hostname", however you can name it whatever you want. It will be specific to this device only.
WINDOWS: Application type: Generic
UNIX: Application Name: We suggest something descriptive like "SSH - hostname", however you can name it whatever you want. It will be specific to this device only.
UNIX: Application type: UNIX
UNIX: Click on script processor & select the radio button for your OS. If your OS is not listed or you are unsure use "Generic".
--For the purposes of this guide leave all other fields at their default setting.
IV- Click OK to Save

3) Create a Target Account

I- Navigate to: Credentials > Manage Targets > Accounts > Add
II- Click the magnifying glass icon next to the Application Name box & select the target application you made.
--This will fill in Host Name & Device name for you.
III- Fill in the following:
Account Name: The username of the account you wish to use to login.
Password: Fill in the current password for the user.
--For the purposes of this guide leave all other fields at their default setting.
IV- Click OK to Save

4) Create an Access Policy

I- Navigate to: Policies > Manage Policies > Add
II- Click the user box and start typing the username of the CA PAM user who should be able to use the device/account you set up. This will bring up a list of users; click the user to select it. (If you don't click the user, it won't be selected properly.)
III- Click the device box and start typing the name of the device you set up. This will bring up a list of devices; click the device to select it. (If you don't click the device, it won't be selected properly.)
IV- To add the access method & account move to the Access tab and you will see a list of available access methods in the Available Access box.
WINDOWS: Select RDP and then click the right arrow to move it to the Selected Access box.
UNIX: Select SSH and then click the right arrow to move it to the Selected Access box.
V- Next to the access method in the Selected Access box there will be a magnifying glass and #. Click on the Magnifying Glass and select the desired Target Account. The # shows how many accounts are already set to be available to this policy.

--For the purposes of this guide leave all other fields at their default setting.
--Tip: To make the password viewable by the user you can add it under the Password tab like you did for Access.

VI- Click OK to Save

5) Test it out!

I- Log in with the account you set for the policy (if you aren't already) and go to the access page. You should see the device with Access Method of RDP or SSH (depending on OS).
II- Start the session: Click RDP or SSH (depending on OS) and it will open the session and log the user in automatically.
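
The four pieces above only produce an automatic login when they reference each other consistently. As an added example (not CA's code and not the CA PAM API), the Python below checks a planned onboarding record against the steps in this guide; the dictionary keys, the check_chain and sample_chain names, and all sample values are assumptions made for illustration.

```python
# Added example: keys mirror the GUI labels in this guide. This is a
# planning-time model, not the CA PAM API or an export format.

# Pairings from steps 1 and 2: access method -> Target Application type.
APP_TYPE_FOR_METHOD = {"RDP": "Generic", "SSH": "UNIX"}
REQUIRED_DEVICE_TYPES = {"Access", "Password Management"}


def check_chain(device, application, account, policy):
    """Return the problems that would stop automatic login from working."""
    problems = []
    missing = REQUIRED_DEVICE_TYPES - set(device["device_type"])
    if missing:
        problems.append("device type missing: " + ", ".join(sorted(missing)))
    method = policy["access_method"]
    if method not in device["access_methods"]:
        problems.append(f"{method} not on the device's Access Methods tab")
    expected = APP_TYPE_FOR_METHOD.get(method)
    if application["application_type"] != expected:
        problems.append(f"application type should be {expected} for {method}")
    if application["device_name"] != device["device_name"]:
        problems.append("target application belongs to another device")
    if account["application_name"] != application["application_name"]:
        problems.append("target account belongs to another application")
    if policy["device_name"] != device["device_name"]:
        problems.append("policy points at another device")
    if policy["target_account"] != account["account_name"]:
        problems.append("policy does not select this target account")
    return problems


def sample_chain():
    """Constructed sample values for a UNIX device (not from a real system)."""
    device = {"device_name": "lab-unix-01", "address": "lab-unix-01.example.test",
              "device_type": ["Access", "Password Management"],
              "access_methods": ["SSH"]}
    application = {"application_name": "SSH - lab-unix-01",
                   "device_name": "lab-unix-01", "application_type": "UNIX"}
    account = {"account_name": "svc-admin",
               "application_name": "SSH - lab-unix-01"}
    policy = {"user": "pam-operator", "device_name": "lab-unix-01",
              "access_method": "SSH", "target_account": "svc-admin"}
    return device, application, account, policy


if __name__ == "__main__":
    for problem in check_chain(*sample_chain()) or ["chain is complete"]:
        print(problem)
```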

Additional Information:

If you have any questions about this please refer first to the CA PAM Documentation.

This doc link has additional information on what Devices, Target Applications & Target Accounts are and how they interact:

https://docops.ca.com/ca-privileged-access-manager/3-0-2/EN/implementing/configure-credential-manager-targets/register-target-accounts

 

If you are looking for information on 2.x please see the older version of this guide:

https://support.ca.com/us/knowledge-base-articles.TEC1069574.html