Device Password Vault for NSO

hkubota
Level 1

Hi,

 

In NSO I can configure hard-coded accounts and passwords to connect to devices (authgroups).

If I do not want that (our security team does not like that) and instead I have to keep device passwords in a system like HashiCorp Vault, how can this be integrated into NSO?

 

Typically I'd give NSO at startup time a one-time password which it would use to get a token out of Vault which it can use to get the passwords out of Vault. But I see no way to integrate this in NSO.

Am I missing something or is this simply not implemented and not (easily) implementable?

Is there maybe a hook to get a password out from an external system or Python/Java program instead of having it hard-coded in an authgroup configuration?

 

1 Accepted Solution


Actually, I was behind the curve, it is included in nso-4.7.2, from the CHANGES file:

ncs: Authentication groups are extended to support action callbacks to
retrieve southbound user and credentials for a local user, device and
the authgroup that device belongs to.

(ENG-17868)

 

It is the 'callback-node' and 'action-name' settings in the umap or default-map configuration.
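
The credential lookup that such an action callback could perform against HashiCorp Vault, as an added example that is not part of the original thread or of NSO's own code. The Vault address, KV version 2 mount, secret path layout and result key names are assumptions; registering the action in NSO and obtaining the Vault token are outside the example.

```python
import json
import logging
import re
import urllib.request

# Assumed values for illustration; none of them come from the thread.
VAULT_ADDR = "https://vault.example.internal:8200"
KV_MOUNT = "secret"          # a KV version 2 mount
PATH_PREFIX = "nso/devices"  # hypothetical layout: nso/devices/<authgroup>/<device>
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,62}")
log = logging.getLogger("authgroup-vault")


def vault_read(path, token, addr=VAULT_ADDR):
    """Read one KV v2 secret over Vault's HTTP API; return its key/value data."""
    req = urllib.request.Request(f"{addr}/v1/{KV_MOUNT}/data/{path}",
                                 headers={"X-Vault-Token": token})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["data"]["data"]


def lookup_credentials(local_user, device, authgroup, read_secret):
    """Resolve southbound credentials for the callback's three inputs.

    read_secret takes a Vault path and returns the secret's dict; in production
    it would be functools.partial(vault_read, token=...). Any problem raises, so
    the caller fails closed.
    """
    for label, value in (("device", device), ("authgroup", authgroup)):
        # These names become URL path segments: reject '/', '..' and the like.
        if not SAFE_NAME.fullmatch(value) or ".." in value:
            raise ValueError(f"unsafe {label} name: {value!r}")
    # Audit who asked for which device; the secret itself is never logged.
    log.info("credential lookup user=%r device=%s authgroup=%s",
             local_user, device, authgroup)
    secret = read_secret(f"{PATH_PREFIX}/{authgroup}/{device}")
    missing = {"username", "password"} - set(secret)
    if missing:
        raise KeyError(f"secret for {device} lacks {sorted(missing)}")
    # Result key names are this example's own, to be mapped onto the action output.
    return {"remote_name": secret["username"], "remote_password": secret["password"]}


# Constructed stand-in for Vault so the example runs offline.
FAKE_VAULT = {"nso/devices/core/ce0": {"username": "nso-svc", "password": "constructed-pw"}}

if __name__ == "__main__":
    creds = lookup_credentials("admin", "ce0", "core", FAKE_VAULT.__getitem__)
    print(creds["remote_name"])
```
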


3 Replies

joepak
Cisco Employee
 

vleijon
Cisco Employee

It is not currently possible to do what you want, but it is a feature that will come in a future release. We have had this request from other customers as well.

 

I am not entirely sure which release it will be in or when that will be released. If someone from the product management team is watching, they might know.

