Safeguard for Privileged Passwords supports both Cisco Private Internet eXchange (PIX) firewall security appliances and PIX Internetwork Operating System (IOS) routers and switches. Cisco PIX and Cisco IOS use the SSH protocol to connect to the Safeguard for Privileged Passwords Appliance. Safeguard for Privileged Passwords supports both SSH version 1 and version 2.
The following applies:
-
Safeguard for Privileged Passwords uses SSH to manage accounts on the Cisco platform. The SSH server must be enabled and configured to allow the service account to log in remotely.
-
Safeguard for Privileged Passwords manages accounts found in the startup configuration file, not in the running configuration file.
-
The selected service accounts must have sufficient privileges to update configuration. If the user does not have sufficient privileges on login, then the Privilege Level Password (that is, the system enable password) must be configured for the asset in Safeguard for Privileged Passwords.
Local configuration
The following information is for preparing a Cisco device using a local service account.
To prepare a Cisco device for Safeguard for Privileged Passwords using a local service account
- Create a service account on the asset and assign it a password.
- Enable and configure the SSH server to allow the service account to log in remotely.
-
If required, configure the Privilege Level Password (that is, the system enable password).
- Add the Cisco device to Safeguard for Privileged Passwords using password authentication.
Directory Configuration using Cisco ISE Directory
IMPORTANT: For full details on how to configure your Cisco ISE server and ISE policy, refer to your system documentation.
If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Cisco ISE directory asset to manage the Cisco device.
Alternatively, if the Cisco ISE server is integrated with an Active Directory domain that will be managed by Safeguard for Privileged Passwords, then you can use a service account from the integrated AD directory to manage the asset. In this scenario, you only need to create the AD asset; you do not need to create a Cisco ISE server asset in Safeguard for Privileged Passwords.
To prepare the Cisco ISE server to manage the Cisco IOS/ASA asset using a directory account
-
Create a service account in the Cisco ISE server:
-
To authenticate to the Cisco ISE server:
-
Create a local Network Access user.
-
Set PasswordType to Internal Users. This authenticates the user locally.
-
Assign a password for the user.
-
To authenticate to Active Directory:
-
Create an External Identity Source for the domain that will be managed by Safeguard for Privileged Passwords.
-
Join the Cisco ISE server to the domain, and import any AD groups that you wish to use in the ISE policy.
-
Create a Network Access user with the username matching the AD username.
-
Set PasswordType to <domainname>. Do NOT assign the user a password (the password is authenticated to AD).
-
Configure a Network Device to permit TACACS+ access from the Cisco device to the Cisco ISE server. Configure the TACACS+ shared secret to match the shared secret you have configured using AAA on the Cisco device.
-
Configure a Device Admin Policy to grant shell login for the selected Network Access user to the selected Network Device. The policy can be configured in ISE based on many different session, user, or group settings.
NOTE: For example:
-
Create an Identity Group to represent all the Network Access users to be managed by Safeguard for Privileged Passwords.
-
Import an AD group that represents all the AD users that will be used by Safeguard for Privileged Passwords to access the network device.
-
Create a policy to grant shell login to all members of these groups.
A CheckPassword request or SPS session from Safeguard for Privileged Passwords will then fail for any Network Access user not in either group.
To prepare the Cisco IOS/ASA asset to be managed by an ISE account
-
Enable and configure the SSH server to allow the service account to log in remotely.
-
Configure AAA to use TACACS+ to authorize login requests to the Cisco ISE server for directory users, using the shared secret configured for this network device in the Cisco ISE server.
NOTE: Refer to your system documentation for details of how to configure AAA.
-
Test that the selected Cisco ISE Network Access user can login to the Cisco device. This can be tested by logging in from the command line using SSH.
-
As appropriate, add the selected service account to the Cisco ISE or AD directory asset in Safeguard for Privileged Passwords.
-
If required, configure the Privilege Level Password for the Cisco IOS asset.
-
Add the Cisco device to Safeguard for Privileged Passwords using directory authentication.
-
If you need to configure the asset for SPS session access, check that the server-side SSH algorithms configured in Safeguard for Privileged Sessions include algorithms supported by the Cisco device.