There are 4 Cisco platforms supported in Safeguard for Privileged Passwords:
-
Cisco ISE CLI platform: Safeguard for Privileged Passwords uses a local service account to manage accounts on the ISE CLI platform using SSH.
-
Cisco IOS/ASA platform: Cisco IOS/ASA platforms can be configured in the following ways to manage local accounts using SSH:
- Safeguard for Privileged Passwords uses a local service account to manage accounts on the Cisco device.
-
If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Cisco ISE directory asset to manage the Cisco device.
-
If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that is integrated with an Active Directory domain that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Active Directory asset to manage accounts on the Cisco device.
-
If the service account is not configured with privilege level 15, then the enable password for privilege level 15 will be required when creating the asset.
-
Cisco ISE platform: Cisco ISE is managed as a directory asset in Safeguard for Privileged Passwords. It uses REST and TACACS+ to manage local accounts. It supports account discovery and password management. It does not support directory synchronization, asset discovery, or service discovery.
-
Cisco NX-OS platform: In order to perform all required operations on users, the service account used requires at least network-admin privileges.
Safeguard for Privileged Passwords manages local accounts on the ISE CLI platform using SSH.
To manage local accounts on the Cisco ISE CLI platform
-
Enable and configure the SSH server to allow the service account to log in remotely.
-
Create a service account (with the admin role) on the asset and assign it a password.
Safeguard for Privileged Passwords supports both Cisco Private Internet eXchange (PIX) firewall security appliances and PIX Internetwork Operating System (IOS) routers and switches. Cisco PIX and Cisco IOS use the SSH protocol to connect to the Safeguard for Privileged Passwords Appliance. Safeguard for Privileged Passwords supports both SSH version 1 and version 2.
The following applies:
-
Safeguard for Privileged Passwords uses SSH to manage accounts on the Cisco platform. The SSH server must be enabled and configured to allow the service account to log in remotely.
-
Safeguard for Privileged Passwords manages accounts found in the startup configuration file, not in the running configuration file.
-
The selected service accounts must have sufficient privileges to update configuration. If the user does not have sufficient privileges on login, then the Privilege Level Password (that is, the system enable password) must be configured for the asset in Safeguard for Privileged Passwords.
Local configuration
The following information is for preparing a Cisco device using a local service account.
To prepare a Cisco device for Safeguard for Privileged Passwords using a local service account
- Create a service account on the asset and assign it a password.
- Enable and configure the SSH server to allow the service account to log in remotely.
-
If required, configure the Privilege Level Password (that is, the system enable password).
- Add the Cisco device to Safeguard for Privileged Passwords using password authentication.
Directory Configuration using Cisco ISE Directory
If the Cisco device is configured (using AAA) to authenticate and authorize login requests to a Cisco ISE server that will be managed by Safeguard for Privileged Passwords, then you can use a directory account in the Cisco ISE directory asset to manage the Cisco device.
Alternatively, if the Cisco ISE server is integrated with an Active Directory domain that will be managed by Safeguard for Privileged Passwords, then you can use a service account from the integrated AD directory to manage the asset. In this scenario, you only need to create the AD asset; you do not need to create a Cisco ISE server asset in Safeguard for Privileged Passwords.
To prepare the Cisco ISE server to manage the Cisco IOS/ASA asset using a directory account
-
Create a service account in the Cisco ISE server:
-
To authenticate to the Cisco ISE server:
-
Create a local Network Access user.
-
Set PasswordType to Internal Users. This authenticates the user locally.
-
Assign a password for the user.
-
-
To authenticate to Active Directory:
-
Create an External Identity Source for the domain that will be managed by Safeguard for Privileged Passwords.
-
Join the Cisco ISE server to the domain, and import any AD groups that you wish to use in the ISE policy.
-
Create a Network Access user with the username matching the AD username.
-
Set PasswordType to <domainname>. Do NOT assign the user a password (the password is authenticated to AD).
-
-
-
Configure a Network Device to permit TACACS+ access from the Cisco device to the Cisco ISE server. Configure the TACACS+ shared secret to match the shared secret you have configured using AAA on the Cisco device.
-
Configure a Device Admin Policy to grant shell login for the selected Network Access user to the selected Network Device. The policy can be configured in ISE based on many different session, user, or group settings.
NOTE: For example:
-
Create an Identity Group to represent all the Network Access users to be managed by Safeguard for Privileged Passwords.
-
Import an AD group that represents all the AD users that will be used by Safeguard for Privileged Passwords to access the network device.
-
Create a policy to grant shell login to all members of these groups.
A CheckPassword request or SPS session from Safeguard for Privileged Passwords will then fail for any Network Access user not in either group.
-
To prepare the Cisco IOS/ASA asset to be managed by an ISE account
-
Enable and configure the SSH server to allow the service account to log in remotely.
-
Configure AAA to use TACACS+ to authorize login requests to the Cisco ISE server for directory users, using the shared secret configured for this network device in the Cisco ISE server.
NOTE: Refer to your system documentation for details of how to configure AAA.
-
Test that the selected Cisco ISE Network Access user can login to the Cisco device. This can be tested by logging in from the command line using SSH.
-
As appropriate, add the selected service account to the Cisco ISE or AD directory asset in Safeguard for Privileged Passwords.
-
If required, configure the Privilege Level Password for the Cisco IOS asset.
-
Add the Cisco device to Safeguard for Privileged Passwords using directory authentication.
-
If you need to configure the asset for SPS session access, check that the server-side SSH algorithms configured in SPS include algorithms supported by the Cisco device.
Cisco ISE is managed as a directory asset in Safeguard for Privileged Passwords. It supports account discovery and password management. It does not support directory synchronization, asset discovery, or service discovery.
A Cisco ISE directory user can be used:
-
as a service account to manage a Cisco IOS/ASA asset that is configured to authenticate login requests to the Cisco ISE server.
-
to run an SPS managed SSH session on a Cisco IOS/ASA asset that is configured to authenticate login requests to the Cisco ISE server.
Safeguard for Privileged Passwords manages Network Access (internal) users in the Cisco ISE server (it does NOT manage local Admin Users). The Network Access users are directory accounts that can be used to login to other network devices (e.g. Cisco IOS assets). The managed network devices must be configured to use AAA to authenticate and authorize requests to the Cisco ISE server (For more information, see your system documentation).
The service account on the ISE platform must be a Network Access user with administrative privileges.
Preparing Cisco ISE
-
Safeguard for Privileged Passwords uses the ISE REST API (ERS) to manage passwords in Cisco ISE. This is disabled by default, so must be enabled for read/write access in the System Settings before Cisco ISE can be configured.
-
Safeguard uses the TACACS+ protocol to verify passwords in Cisco ISE. This is disabled by default, so must be configured by enabling the Device Admin Service in the Cisco ISE server's Global Settings.
-
Create a Network Access user (set PasswordType to Internal Users) and assign it a password. Do NOT configure an Enable Password.
-
Assign Administrative access to the new user by creating an Admin User, and select the new user from the list of existing Network Access users instead of creating a new user.
-
Add the selected Admin User to either of the following Admin groups:
-
Super Admin
-
ERS Admin and Elevated System Admin
-
-
Configure a Network Device for your SPP cluster.
-
Add the IP addresses of appliances in your SPP cluster.
-
Configure the TACACS+ secret for the cluster to use.
NOTE: This must match the TACACS+ shared secret configured on the Cisco IOS/ASA network devices that you wish to manage using directory users in this asset.
-
-
Configure a Device Admin Policy Set that includes the following:
-
Grant TACACS+ access to the Network Device configured for your SPP cluster.
-
Allow all TACACS+ protocols.
-
Grant shell access to the Network Access users that you wish to manage using SPP. The policy can be configured in ISE based on many different session, user or group settings.
NOTE: For example:
-
Create an Identity Group to represent all the Network Access users to be managed by Safeguard for Privileged Passwords.
-
Create a policy to grant shell login to all members of this group.
A CheckPassword request or SPS session from Safeguard for Privileged Passwords will then fail for any Network Access user not in either group.
-
-
-
Configure port 49 for TACACS+.
Safeguard for Privileged Passwords manages local accounts on the Cisco NX-OS platform using NX-API.
To manage local accounts on the Cisco NX-OS platform
-
Enable the NX-API feature to allow the service account to log in remotely and execute commands over NX-API.
-
Create a service account (with the network-admin role) on the asset and assign it a password.