TACACS and CyberArk Intergrate?

ashvaras
Cisco Employee

This question is around TACACS, we use CyberArk to manage our passwords is there a way to use CyberArk to manage the router/switch (TACACS) accounts with CyberArk?

Accepted Solution

hslai
Cisco Employee

It seems CyberArk has either RADIUS or LDAP or both interfaces, that can be used to integrate with ISE as the ID sources.

Please confirm it with CyberArk directly.


13 Replies

Craig Hyps
Level 10

ISE provides services similar to (and beyond) those of ACS. There is ACS integration documentation here: Cisco Secure ACS 5.4 Integration Guide (RADIUS) - SecureAuth IdP 8.0.x Documentation - SecureAuth Documentation Portal

/Craig

So based on that it should be able to integrate with CyberArk.

oeortiz01
Level 1

Hi there,

We were able to integrate Cisco with TACACS and CyberArk. The solution was for users to log in to a protected AD account in CyberArk, and in turn CyberArk was the one to log in via SSH through a TACACS user.

I hope that it helps you!

It would be great if you can provide a basic write-up document to share with everyone on how you did it

Hello again!

I'm afraid that I don't have the CyberArk configuration, but I know that we make the connection with a string in this format for PuTTY:

cyberark_IP@Domain_Username@Cyberar_Username#Domain.net@Device_IP

Example:

192.168.1.1@MyUser@CyberarkUsr#Mydomain.net@192.168.2.1

Here is a link:

https://docs.cyberark.com/Product-Doc/OnlineHelp/PAS/Latest/en/Content/PASIMP/PSSO-PMSP.htm

We integrate ACS with AD, add the CyberarkUsr as a local account with a domain password in ACS (https://www.youtube.com/watch?v=qQdBEBK3TPk&t=301s), and give it permissions as a device administrator.

So when a user logs in to SSH, it goes to CA (not to ACS); CA validates the user, the password and 2FA, and then CA logs in to the device via ACS with its own user.

I hope I have explained myself and this works for you!

Regards!

Hello,

We are using Cisco ISE for authentication to all network devices. We would like to use CyberArk to manage the Cisco ISE local accounts for password rotation. Has anyone implemented this successfully? Please share the configuration steps for both CyberArk and Cisco ISE.

I worked with a large finance customer that uses CyberArk to manage and rotate the CLI admin account. To do so, they created a second CLI admin account for 'cyberark' with a very strong password. Admins log in to the CLI using the default 'admin' account from the CyberArk console (which handles MFA and password storage for this admin account). Upon logout, CyberArk uses the 'cyberark' account to change the password for the 'admin' account to a new randomly generated password using the CLI commands:

config terminal
username admin password plain <password> role admin

Hello Greg,

Thanks for the reply. We tried to use CyberArk directly to manage the passwords on devices, but we are currently using Cisco ISE for authentication. If we configure the TACACS server on Cisco devices, they will not look to local users for authentication, so I don't want to remove ISE from the middle; I want to manage the ISE TACACS accounts with CyberArk (rotating passwords for ISE identities using CyberArk).

So, if I understand correctly, you are using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. You want to use CyberArk to rotate the passwords of these Network Access Users. Is that correct?

There is no way to manage Network Access Users from the CLI, so CyberArk would need to be able to navigate the GUI, screen-scrape the password location, modify the strings, and save the configuration. I'm not experienced with CyberArk, but I doubt that is possible.

You can use the ERS API to create and update Network Access User accounts.

The other (and more common) option would be to use an external identity store (like Active Directory) that has built-in controls for password lifecycle.
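To illustrate the ERS route Greg mentions, here is an added Python example (not code from this thread, Cisco or CyberArk) that looks up an ISE internal user by name and then PUTs a freshly generated password to that user's resource. The ISE hostname, the ERS admin credential and the `send` callable are assumptions; the `/ers/config/internaluser` paths and the `InternalUser` JSON wrapper follow the ERS Internal User resource linked later in the thread, and the transport is injectable so a vault (or a test) can supply the credential and the HTTP layer.

```python
import base64
import json
import secrets
import string
import urllib.request

ERS_PORT = 9060  # ERS listens on 9060, the same port as the built-in SDK URL in this thread
SYMBOLS = "!@#$%^&*"


def generate_password(length: int = 24) -> str:
    """Random password containing all four character classes (ISE's default
    internal-user password policy requires a mix; adjust to the local policy)."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def ers_request(host, ers_user, ers_password, method, path, body=None):
    """Real transport: HTTPS + basic auth to the ISE admin node (assumed hostname/credential).
    The ISE admin certificate must be trusted by this client; do not disable verification."""
    url = f"https://{host}:{ERS_PORT}{path}"
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    token = base64.b64encode(f"{ers_user}:{ers_password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:  # raises on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def rotate_internal_user(username, send, new_password=None):
    """Rotate one Network Access User. `send(method, path, body)` returns (status, json);
    wire it as functools.partial(ers_request, host, ers_user, ers_password) for a live PAN.
    Returns (user_id, new_password) so the caller can store the secret in the vault."""
    status, found = send("GET", f"/ers/config/internaluser/name/{username}", None)
    if status != 200 or not found or "InternalUser" not in found:
        raise RuntimeError(f"lookup failed for {username}: HTTP {status}")
    user_id = found["InternalUser"]["id"]
    new_password = new_password or generate_password()
    body = {"InternalUser": {"id": user_id, "name": username, "password": new_password}}
    status, _ = send("PUT", f"/ers/config/internaluser/{user_id}", body)
    if status != 200:
        raise RuntimeError(f"update failed for {username}: HTTP {status}")
    return user_id, new_password
```

The ERS admin credential used here is itself a privileged secret, so it belongs in the vault as well, and the update should be logged and alerted on like any other admin-credential change.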

Hello Greg,

Yes, I am using TACACS+ with internal Network Access Users in ISE to authenticate network admins logging into the devices. I want to use CyberArk to rotate the passwords of these Network Access Users.
I was wondering if anyone can share the CyberArk-side config.

Thank you for the link below; I will check this one:
https://developer.cisco.com/docs/identity-services-engine/3.0/#!internal-user/update

Hello Greg,

We are currently running the ISE version below. Can you please share the API documentation for this version?

Version : 2.4.0.357
Installed Patches: 7,13
Product Identifier (PID): SNS-3515-K9
Version Identifier (VID): A0
ADE-OS Version:3.0.4.070

Thanks!

There is no separate online SDK for ISE 2.4, but the API reference guide includes the Internal User api call.

You can confirm it's supported by accessing the SDK built into your ISE platform via the URL "https://<ISE-ADMIN-NODE>:9060/ers/sdk".