Cisco SSH Target Account Configuration

If you configure a target account for a Cisco target application, the Cisco SSH tab is added to the Target Account page.
PAM supports only Cisco IOS and ASA IOS devices.
To enable the appliance to manage passwords, follow the procedure Manage Local Accounts on Cisco IOS or ASA IOS Devices.
On the Cisco SSH tab, complete the following fields:
  • Protocol: Select whether the connection to the target uses SSH-2 or Telnet.
  • Account Type: Select one of the following two options. The selected option indicates which account PAM uses to change the password.
    • Login (User EXEC): To restrict the target account to only User EXEC permissions, select this option. Configure any other active settings on the page.
    • TACACS+: If the user account resides on a TACACS+ server, select this option.
    Do not select the Enable (Privileged EXEC) option. The appliance cannot manage passwords using this option.
  • Change Password for Lines: Select the type of line on the Cisco router for which this user account can change passwords. The choices are:
    • VTY (virtual terminal) lines
    • AUX (auxiliary) port
    • Console (CTY) line for a console terminal
  • Connect As (available for accounts of type Login (User EXEC) only): Specify whether to use the target account or a different account. Accept the default, This account, to use the target account. To specify another account, select The following account radio button and then enter the account name.
  • Verify Through Other Account (available for accounts of type Login (User EXEC) only): If you specify an account other than the target account for password management, verify the user access configuration. Select one of the following options:
    • Verify using own credentials
    • Verify using other account's credentials
  • Access Privileged EXEC As (available for accounts of type Login (User EXEC) only): To elevate permissions to the Privileged EXEC level, select this option and specify a fake target account that holds the Enable mode password.
Manage Local Account Passwords on Cisco Devices
To manage passwords on a Cisco IOS or ASA IOS device, the account that connects to the Cisco device must be elevated to Privileged EXEC mode. The Enable command promotes an account to Privileged EXEC mode so a user can execute privileged tasks, such as changing passwords.
PAM must initially log in to the Cisco device using an account with only User EXEC permissions. That account must then be elevated to Privileged EXEC mode.
To elevate the connection to Privileged EXEC mode, configure two accounts:
  • Enable password account. This account stores the password for the Enable command which is used to execute Privileged EXEC level tasks. You must know the Enable password to create this account.
  • Standard User EXEC account. This account initially logs in to the Cisco device.
The following procedures explain how to configure these two accounts.
Configure the Enable Password Account
Set up an account that holds the Enable command password. This account is a fake account that does not exist at the Cisco device. After you create this account, you can use it for any standard user account that you want to promote to Privileged EXEC level.
Follow these steps:
  1. Create a target account that is associated with the Cisco target application.
  2. On the Account tab:
    • For the Account Name field, assign a name that indicates the purpose of this account, such as enableacct.
    • In the Password field, enter the Enable password.
  3. On the Password tab, ensure that the Synchronized setting is using the Update only the Credential Manager Server option.
  4. On the Cisco SSH tab, use the following settings:
    • Account type: Login (User EXEC)
    • Connect As: This account
    • Access Privileged EXEC As: This account
  5. Select OK.
Configure Standard User Account
After creating the Enable password account, create an account with User EXEC permissions. This account uses the Enable account to elevate its permissions. This user can then update passwords.
Follow these steps:
  1. In the UI, create a Cisco target account that is associated with the Cisco target application. For this example, the account name is ciscouser.
  2. On the Account tab, enter the current password for the account at the Cisco device.
  3. On the Password tab, change the Synchronized setting to Update both the Credential Manager Server and the target system.
  4. On the Cisco SSH tab, use the following settings:
    • Account type: Login (User EXEC)
    • Connect As: This account
    • Access Privileged EXEC As: The following account. Select the Enable account. In this example, that account is enableacct.
  5. Select OK to save the account.
    [Screenshot of the completed Cisco SSH tab: CiscoSSH_StdUser.png]
PAM can now use this standard user account (ciscouser) to manage passwords for other Cisco accounts, both standard and privileged.
If you configure more accounts, you can use this standard user account to manage passwords. For those other accounts:
  • For the Connect As option, select The following account and specify the standard user account.
  • Leave the Access Privileged EXEC As option set to This account.
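The Cisco SSH tab fields and the two procedures above amount to a small set of rules that tie three kinds of records together: a fake Enable password account, a standard User EXEC account that elevates through it, and any further managed accounts that connect through the standard account. The following Python script is an added example, not product code: it models those records, checks a set of them against the rules stated on this page, and resolves which account logs in and which supplies the Enable password for a given managed account. The role labels ("enable", "standard", "managed"), the account names other than enableacct and ciscouser, and the assumption that a managed account inherits elevation from the standard account's own Access Privileged EXEC As setting are all constructed for the example.

```python
"""Validate a two-account Cisco elevation setup (added example, not product code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Option labels as they appear on the Cisco SSH and Password tabs.
LOGIN_USER_EXEC = "Login (User EXEC)"
TACACS_PLUS = "TACACS+"
ENABLE_PRIV_EXEC = "Enable (Privileged EXEC)"  # listed on the tab, but not manageable
THIS_ACCOUNT = "This account"
FOLLOWING_ACCOUNT = "The following account"
SYNC_CM_ONLY = "Update only the Credential Manager Server"
SYNC_BOTH = "Update both the Credential Manager Server and the target system"


@dataclass
class CiscoAccount:
    name: str
    role: str                      # hypothetical label: "enable", "standard" or "managed"
    account_type: str
    synchronized: str
    connect_as: str = THIS_ACCOUNT
    connect_as_account: Optional[str] = None
    access_priv_exec_as: str = THIS_ACCOUNT
    access_priv_exec_account: Optional[str] = None


def _ref(a: CiscoAccount, selector: str, target: Optional[str],
         by_name: Dict[str, CiscoAccount], label: str, errors: List[str]) -> Optional[CiscoAccount]:
    """Resolve a 'This account' / 'The following account' selector to an account record."""
    if selector == THIS_ACCOUNT:
        return a
    if selector != FOLLOWING_ACCOUNT:
        errors.append(f"{a.name}: {label} has unknown option {selector!r}")
        return None
    if not target or target not in by_name:
        errors.append(f"{a.name}: {label} references missing account {target!r}")
        return None
    return by_name[target]


def validate(accounts: List[CiscoAccount]) -> List[str]:
    """Return a list of rule violations (empty when the setup matches the page's procedure)."""
    by_name = {a.name: a for a in accounts}
    errors: List[str] = []
    for a in accounts:
        if a.account_type == ENABLE_PRIV_EXEC:
            errors.append(f"{a.name}: account type {ENABLE_PRIV_EXEC!r} cannot be managed; "
                          "use Login (User EXEC) plus an Enable password account")
            continue
        conn = _ref(a, a.connect_as, a.connect_as_account, by_name, "Connect As", errors)
        priv = _ref(a, a.access_priv_exec_as, a.access_priv_exec_account, by_name,
                    "Access Privileged EXEC As", errors)
        if a.role == "enable":
            # Fake account that only stores the Enable password: it must never be pushed to the device.
            if a.synchronized != SYNC_CM_ONLY:
                errors.append(f"{a.name}: Enable password account must use {SYNC_CM_ONLY!r}")
            if conn is not a or priv is not a:
                errors.append(f"{a.name}: Enable password account must use {THIS_ACCOUNT!r} "
                              "for Connect As and Access Privileged EXEC As")
        elif a.role == "standard":
            # Real User EXEC account that logs in and elevates through the Enable account.
            if a.account_type != LOGIN_USER_EXEC:
                errors.append(f"{a.name}: standard user account must be {LOGIN_USER_EXEC!r}")
            if a.synchronized != SYNC_BOTH:
                errors.append(f"{a.name}: standard user account must use {SYNC_BOTH!r}")
            if conn is not a:
                errors.append(f"{a.name}: standard user account must connect as itself")
            if priv is None or priv is a or priv.role != "enable":
                errors.append(f"{a.name}: Access Privileged EXEC As must name an Enable password account")
        elif a.role == "managed":
            # Further accounts are managed through the standard user account.
            if conn is None or conn is a or conn.role != "standard":
                errors.append(f"{a.name}: Connect As must name the standard user account")
            if priv is not a:
                errors.append(f"{a.name}: Access Privileged EXEC As must stay {THIS_ACCOUNT!r}")
    return errors


def elevation_chain(name: str, accounts: List[CiscoAccount]) -> Tuple[str, str]:
    """Return (account that logs in, account that supplies the Enable password).

    Assumption for this example: when a managed account connects through the standard
    account, elevation follows the standard account's Access Privileged EXEC As setting.
    """
    by_name = {a.name: a for a in accounts}
    a = by_name[name]
    login = by_name[a.connect_as_account] if a.connect_as == FOLLOWING_ACCOUNT else a
    priv = (by_name[login.access_priv_exec_account]
            if login.access_priv_exec_as == FOLLOWING_ACCOUNT else login)
    return login.name, priv.name


def example_accounts() -> List[CiscoAccount]:
    """Constructed sample mirroring the page's enableacct / ciscouser walk-through."""
    return [
        CiscoAccount("enableacct", "enable", LOGIN_USER_EXEC, SYNC_CM_ONLY),
        CiscoAccount("ciscouser", "standard", LOGIN_USER_EXEC, SYNC_BOTH,
                     access_priv_exec_as=FOLLOWING_ACCOUNT, access_priv_exec_account="enableacct"),
        CiscoAccount("netops", "managed", LOGIN_USER_EXEC, SYNC_BOTH,  # hypothetical extra account
                     connect_as=FOLLOWING_ACCOUNT, connect_as_account="ciscouser"),
    ]


def misconfigured_accounts() -> List[CiscoAccount]:
    """Constructed sample with two mistakes the page warns against."""
    return [
        CiscoAccount("enableacct", "enable", LOGIN_USER_EXEC, SYNC_BOTH),        # would push to the device
        CiscoAccount("ciscouser", "standard", ENABLE_PRIV_EXEC, SYNC_BOTH,       # unmanageable type
                     access_priv_exec_as=FOLLOWING_ACCOUNT, access_priv_exec_account="enableacct"),
    ]


if __name__ == "__main__":
    print("valid:", validate(example_accounts()))
    print("chain for netops:", elevation_chain("netops", example_accounts()))
    for err in validate(misconfigured_accounts()):
        print("error:", err)
```

Running the script reports no errors for the sample that follows the procedure and two errors for the misconfigured one: the Enable account set to push its fake password to the device, and a standard account of the Enable (Privileged EXEC) type that the appliance cannot manage.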