09-19-2017 12:56 AM
This question is around TACACS, we use CyberArk to manage our passwords is there a way to use CyberArk to manage the router/switch (TACACS) accounts with CyberArk?
09-20-2017 09:05 AM
It seems CyberArk has RADIUS or LDAP interfaces, or both, that can be used to integrate with ISE as the ID source.
Please confirm it with CyberArk directly.
09-19-2017 10:35 AM
ISE provides similar services (and more) than ACS. There is ACS integration documentation here: Cisco Secure ACS 5.4 Integration Guide (RADIUS) - SecureAuth IdP 8.0.x Documentation - SecureAuth Documentation Portal
/Craig
09-19-2017 04:50 PM
So based on that it should be able to integrate with CyberArk
10-31-2019 10:38 AM
Hi there
We were able to integrate Cisco with TACACS and CyberArk. The solution was for users to log in to a protected AD account in CyberArk, and in turn CyberArk was the one to log in via SSH through a TACACS user.
I hope that it helps you!
10-31-2019 03:44 PM
11-07-2019 03:36 PM
Hello again!
I'm afraid that I don't have the CyberArk configuration, but I know that we make the connection with a string in this format for PuTTY:
cyberark_IP@Domain_Username@Cyberar_Username#Domain.net@Device_IP
Example:
192.168.1.1@MyUser@CyberarkUsr#Mydomain.net@192.168.2.1
here is a link:
https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-PMSP.htm
We integrate ACS with AD and we add the CyberarkUsr as a local account with domain password in ACS (https://www.youtube.com/watch?v=qQdBEBK3TPk&t=301s), and give permissions as device administrator.
So when a user logs in to SSH it goes to CA (not to ACS), CA validates the user and password and 2FA, and then CA makes the login to the device via ACS with its own user.
I hope I have explained myself and this works for you!
Regards!
08-04-2021 07:42 AM
Hello,
We are using Cisco ISE for authentication to all network devices. We would like to use CyberArk to manage the Cisco ISE local accounts for password rotation. Has anyone implemented this successfully? Please share the configuration steps for both CyberArk and Cisco ISE.
08-04-2021 03:43 PM
I worked with a large finance customer that uses CyberArk to manage and rotate the CLI admin account. To do so, they created a second CLI admin account for 'cyberark' with a very strong password. Admins login to the CLI using the default 'admin' account from the CyberArk console (which handles MFA and password storage for this admin account). Upon logout, CyberArk uses the 'cyberark' account to change the password for the 'admin' account to a new randomly generated password using the CLI commands:
config terminal
username admin password plain <password> role admin
08-05-2021 05:57 AM
Hello Greg,
Thanks for the reply. We tried to use CyberArk directly to manage the passwords on devices, but we are currently using Cisco ISE for authentication. If we configure the TACACS server on Cisco devices they will not look at local users for authentication, so I don't want to remove ISE from the middle; I want to manage the ISE TACACS accounts with CyberArk (rotating passwords for ISE identities using CyberArk).
08-05-2021 03:34 PM
So, if I understand correctly, you are using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. You want to use CyberArk to rotate the passwords of these Network Access Users. Is that correct?
There is no way to manage Network Access Users from the CLI, so CyberArk would need to be able to navigate the GUI, screen-scrape the password location, modify the strings, and save the configuration. I'm not experienced with CyberArk, but I doubt that is possible.
You can use the ERS API to create and update Network Access User accounts.
The other (and more common) option would be to use an external identity store (like Active Directory) that has built-in controls for password lifecycle.
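The ERS route mentioned in the answer above, worked through as an added example (this is not Cisco's, CyberArk's, or any poster's code): look an internal Network Access User up by name, then PUT a freshly generated password on that resource. It assumes ERS is enabled on the ISE admin node on port 9060, an ERS-admin credential configured on a requests-style session (for example a `requests.Session` with `session.auth` set and `verify` pointed at the node's CA), and the JSON shape of the `internaluser` resource; the hostname, user name and resource id are constructed placeholders, and a small stand-in session is included so the module runs offline.

```python
"""Rotate a Cisco ISE internal (Network Access) user's password over the
ERS API. Added example; assumptions: ERS on port 9060, JSON, and a session
object offering requests-style get()/put() with credentials already set."""
import json
import secrets
import string

ERS_PORT = 9060  # ERS listens on 9060 on the admin node (assumption: default port)
ERS_HEADERS = {"Accept": "application/json", "Content-Type": "application/json"}


def generate_password(length=20):
    """Random password with at least one lower, upper, digit and symbol.
    The character classes are an assumption; match your ISE password policy."""
    if length < 4:
        raise ValueError("length must be at least 4")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*"]
    chars = [secrets.choice(c) for c in classes]          # one from each class
    pool = "".join(classes)
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                 # don't leak class order
    return "".join(chars)


def ers_base(host):
    return f"https://{host}:{ERS_PORT}/ers/config"


def find_internal_user_id(session, host, username):
    """GET /internaluser?filter=name.EQ.<name>; return the resource id or None."""
    resp = session.get(f"{ers_base(host)}/internaluser",
                       params={"filter": f"name.EQ.{username}"}, headers=ERS_HEADERS)
    resp.raise_for_status()
    for resource in resp.json()["SearchResult"]["resources"]:
        if resource["name"] == username:
            return resource["id"]
    return None


def rotate_internal_user_password(session, host, username, new_password=None):
    """PUT a new password on /internaluser/{id}; return it for vault storage."""
    user_id = find_internal_user_id(session, host, username)
    if user_id is None:
        raise LookupError(f"internal user {username!r} not found")
    new_password = new_password or generate_password()
    body = {"InternalUser": {"id": user_id, "name": username, "password": new_password}}
    resp = session.put(f"{ers_base(host)}/internaluser/{user_id}",
                       data=json.dumps(body), headers=ERS_HEADERS)
    resp.raise_for_status()
    return new_password


# ---- constructed offline stand-in for requests.Session (not real ISE) ----
class _FakeResponse:
    def __init__(self, status, payload):
        self.status_code, self._payload = status, payload

    def raise_for_status(self):
        if self.status_code >= 400:
            raise RuntimeError(f"HTTP {self.status_code}")

    def json(self):
        return self._payload


class FakeErsSession:
    """Holds one constructed user, 'netadmin', and records every PUT."""
    def __init__(self):
        self.users = {"netadmin": "abcd-1234-id"}   # constructed id, not a real one
        self.put_calls = []

    def get(self, url, params=None, headers=None):
        name = params["filter"].split("name.EQ.", 1)[1]
        hits = [{"id": i, "name": n} for n, i in self.users.items() if n == name]
        return _FakeResponse(200, {"SearchResult": {"total": len(hits), "resources": hits}})

    def put(self, url, data=None, headers=None):
        self.put_calls.append((url, json.loads(data)))
        return _FakeResponse(200, {})


if __name__ == "__main__":
    fake = FakeErsSession()
    new_pw = rotate_internal_user_password(fake, "ise-admin.example.net", "netadmin")
    print("rotated netadmin via", fake.put_calls[0][0], "(password length", len(new_pw), ")")
```

Against a real node, replace `FakeErsSession` with a `requests.Session` carrying the ERS-admin credentials; the lookup-then-update split matters because ERS updates address the user's id, not its name, and the returned password should go straight into the vault before the old one is forgotten.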
08-06-2021 06:18 AM
Hello Greg,
Yes, I am using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. I want to use CyberArk to rotate the passwords of these Network Access Users.
I was wondering if anyone can share the CyberArk-side config.
Thank you for the below link, I will check this one:
https://developer.cisco.com/docs/identity-services-engine/3.0/#!internal-user/update
08-11-2021 10:01 AM
Hello Greg,
We are currently running the below version of ISE. Can you please share the API documentation for this version:
08-11-2021 04:16 PM
There is no separate online SDK for ISE 2.4, but the API reference guide includes the Internal User API call.
You can confirm it's supported by accessing the SDK built into your ISE platform via the URL "https://<ISE-ADMIN-NODE>:9060/ers/sdk".