topic Re: TACACS and CyberArk Intergrate? in Network Access Control

TACACS and CyberArk Intergrate?

ashvaras — Tue, 19 Sep 2017 07:56:24 GMT

This question is around TACACS, we use CyberArk to manage our passwords is there a way to use CyberArk to manage the router/switch (TACACS) accounts with CyberArk?

Re: TACACS and CyberArk Intergrate?

Craig Hyps — Tue, 19 Sep 2017 17:35:08 GMT

ISE provides similar services (and more) than ACS. There is ACS integration documentation here: Cisco Secure ACS 5.4 Integration Guide (RADIUS) - SecureAuth IdP 8.0.x Documentation - SecureAuth Documentation Portal

/Craig

Re: TACACS and CyberArk Intergrate?

ashvaras — Tue, 19 Sep 2017 23:50:23 GMT

So based on that it should be able to integrate with CyberArk

Re: TACACS and CyberArk Intergrate?

hslai — Wed, 20 Sep 2017 16:05:18 GMT

It seems CyberArk has either RADIUS or LDAP or both interfaces, that can be used to integrate with ISE as the ID sources.

Please confirm it with CyberArk directly.

Re: TACACS and CyberArk Intergrate?

oeortiz01 — Thu, 31 Oct 2019 17:38:43 GMT

Hi there

We were able to integrate Cisco with TACACS and Cyberark. The solution was for users to log in to a protected AD account in Cyberark and in turn Cyberark was the one to log in via SSH through a TACACS user.

I hope that it helps to you!

Re: TACACS and CyberArk Intergrate?

Jason Kunst — Thu, 31 Oct 2019 22:44:05 GMT

It would be great if you can provide a basic write-up document to share with everyone on how you did it

Re: TACACS and CyberArk Intergrate?

oeortiz01 — Thu, 07 Nov 2019 23:36:30 GMT

Hello again!

Im afraid that I dont have the Cyberark configuration, but I know that we make the connection with a string with this format for Putty:

cyberark_IP@Domain_Username@Cyberar_Username#Domain.net@Device_IP

Example:

192.168.1.1@MyUser@CyberarkUsr#Mydomain.net@192.168.2.1

here is a link:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-PMSP.htm

We integrate ACS with AD and we add the CyberarkUsr as a local account with domain password in ACS (https://www.youtube.com/watch?v=qQdBEBK3TPk&t=301s), and give permissions as device administrator.

So when a user log in to ssh it goes to CA (not to ACS), CA validate the user and password and 2FA, and then CA makes the login to the device via ACS with it own user.

I hope I have explained myself and this work works for you!

Regards!

Re: TACACS and CyberArk Intergrate?

RavitejaRudrapaka3201 — Wed, 04 Aug 2021 14:42:53 GMT

Hello,

We are using Cisco ISE for authentication to all Network devices, We would like to use CyberARk to manage the Cisco ISE local accounts for password rotation. Has anyone implemented this successfully. Please share the configuration steps for both CyberArk and Cisco ISE.

Re: TACACS and CyberArk Intergrate?

Greg Gibbs — Wed, 04 Aug 2021 22:43:47 GMT

I worked with a large finance customer that uses CyberArk to manage and rotate the CLI admin account. To do so, they created a second CLI admin account for 'cyberark' with a very strong password. Admins login to the CLI using the default 'admin' account from the CyberArk console (which handles MFA and password storage for this admin account). Upon logout, CyberArk uses the 'cyberark' account to change the password for the 'admin' account to a new randomly generated password using the CLI commands:

config terminal
username admin password plain <password> role admin

Re: TACACS and CyberArk Intergrate?

RavitejaRudrapaka3201 — Thu, 05 Aug 2021 12:57:14 GMT

Hello Greg,

Thanks for the reply, We tried to use CyberArk Directly to manage the passwords on devices, but we are currently using Cisco ISE for authentication. If we configure the Tacacs server on cisco devices it will not look for local users for authentication. so I don't want to remove ISE in middle and want to manage the ISE Tacacs accounts with CyberArk. (Rotating passwords for ISE Identities using CyberArk ).

Re: TACACS and CyberArk Intergrate?

Greg Gibbs — Thu, 05 Aug 2021 22:34:57 GMT

So, if I understand correctly, you are using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. You want to use CyberArk to rotate the passwords of these Network Access Users. Is that correct?

There is no way to manage Network Access Users from the CLI, so CyberArk would need to be able to navigate the GUI, screenscrape the password location, modify the strings, and save the configuration. I'm not experienced with CyberArk, but I doubt that is possible.

You can use the ERS API to create and update Network Access User accounts.

The other (and more common) option would be to use an external identity store (like Active Directory) that has built-in controls for password lifecycle.

Re: TACACS and CyberArk Intergrate?

RavitejaRudrapaka3201 — Fri, 06 Aug 2021 13:18:21 GMT

Hello Greg,

Yes, I am using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. I want to use CyberArk to rotate the passwords of these Network Access Users.
I was wondering if anyone can share the CyberArk side Config 🙂

Thank you for the below link , I will check this one :
https://developer.cisco.com/docs/identity-services-engine/3.0/#!internal-user/update

Re: TACACS and CyberArk Intergrate?

RavitejaRudrapaka3201 — Wed, 11 Aug 2021 17:01:57 GMT

Hello Greg,

We are currently running the below version for ISE, Can you please share the API documentation for this Version:

Version : 2.4.0.357

Installed Patches: 7,13

Product Identifier (PID): SNS-3515-K9

Version Identifier (VID): A0

ADE-OS Version:3.0.4.070

Thanks!

Re: TACACS and CyberArk Intergrate?

Greg Gibbs — Wed, 11 Aug 2021 23:16:32 GMT

There is no separate online SDK for ISE 2.4, but the API reference guide includes the Internal User api call.

You can confirm it's supported by accessing the SDK built into your ISE platform via the URL "https://<ISE-ADMIN-NODE>:9060/ers/sdk."