
Command Control Access on Network Devices


Abstract:

The main objective of this article is to give a step-by-step procedure for configuring command control access to network devices such as routers and switches using NPUM.


Table of Contents

1. Introduction
2. Creation of Privileged Account
3. Creation of the Command group
4. Creation of Command Control Rule
5. How to Execute Rules
6. Glossary of Terms

1. Introduction



NetIQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.

SSH relay is a new feature added to PUM that enables delegation of privileged credentials to hosts where PUM agents are not installed. This feature uses the underlying SSH functionality of Unix/Linux systems to provide privileged access, and to monitor the activities performed after the delegation. PUM has been designed to work with its own framework user management. With the new release of PUM 2.3, LDAP group support has been added, which simplifies integration with an LDAP domain.

This article describes the configurations that a customer needs to perform in NPUM to enable command control access for network devices.

2. Creation of Privileged Account


Before PUM can be integrated with an authentication domain, the account domain details need to be added to the PUM manager. The PUM manager supports creation of the account domain under the Command Control console, which is installed as part of the default manager installation. To add the account domain to PUM, follow the steps below:

2.1 Go to Home/Command Control console -> Privileged Accounts.
2.2 Choose the Add Account Domain option to add a new account domain to the PUM manager framework.
2.3 Provide the details as shown in the picture below. Both the Name and the SSH host should be the network device IP address.

[Figure cca-1]

This creates an authentication domain for admin users. More accounts can be added to this domain; follow the step below to add a non-admin authentication account.

2.4 Go to Home/Command Control console -> Privileged Accounts. Select the privileged account domain created earlier and click Add Credential.

[Figure cca-2]

This adds another credential, for non-admin users, to the same domain.

3. Creation of the Command group



3.1 Go to Home/Command Control/Command Group and add two command groups (for example, Admin command group and Non Admin command group).
3.2 Modify the command group: select Admin command group, click Modify Command, and under Commands add admin commands such as "<ssh>*no shutdown". Multiple commands can be added in this way.

[Figure cca-3]

3.3 Modify the command group: select Non Admin command group, click Modify Command, and under Commands add non-admin commands such as "<ssh>*show version". Multiple commands can be added in this way.

[Figure cca-4]

4. Creation of Command Control Rule



After adding the privileged account details and the command groups, the next step is to create rules in Command Control so that authorization to access the SSH relay host is granted based on the rule. This can be achieved by following the steps below:

4.1 Go to Home/Command Control -> Rules.
4.2 Choose the Add Rule option from the left panel and add two rules, "Admin Rule for Router" and "Non Admin Rule for Router".
4.3 Modify the "Admin Rule for Router" rule: set Session Capture to On, set Authorize to Yes and Stop, select the credential cisco@192.178.1.254, and set the run user to cisco.

4.4 Modify the "Non Admin Rule for Router" rule: set Session Capture to On, set Authorize to Yes and Stop, select the credential nonadmin@192.178.1.254, and set the run user to nonadmin.


5. How to Execute Rules


After adding the privileged account details, the command groups, and the rules, the next step is to execute the commands.

5.1 Connect to the router using an SSH client and log in as the admin user, i.e. "cisco".

FOR ADMIN COMMANDS
5.2 On the shell prompt, execute "ssh -t -p 2222 admin@<PUM_Manager_IP_address> cisco@<Router_IP_address> <any command which is part of the admin command group>" and press Enter. You will be asked to provide the PUM Manager console password, after which the command is executed.
5.3 On the shell prompt, execute "ssh -t -p 2222 admin@<PUM_Manager_IP_address> cisco@<Router_IP_address> <any command which is not part of the admin command group>" and press Enter. You will be asked to provide the PUM Manager console password. You will see that the command is not executed: the user receives a permission denied message.

FOR NON ADMIN COMMANDS
5.4 On the shell prompt, execute "ssh -t -p 2222 admin@<PUM_Manager_IP_address> nonadmin@<Router_IP_address> <any command which is part of the non-admin command group>" and press Enter. You will be asked to provide the PUM Manager console password. You will see that the command is executed.

5.5 On the shell prompt, execute "ssh -t -p 2222 admin@<PUM_Manager_IP_address> nonadmin@<Router_IP_address> <any command which is not part of the non-admin command group>" and press Enter. You will be asked to provide the PUM Manager console password. You will see that the command is not executed: the user receives a permission denied message.

In this way, command control access to network devices can be achieved using NPUM.
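To make the relationship between the command groups of section 3, the rules of section 4 and the relay requests of section 5 concrete, the following Python script models the authorization decision for a relay request. It is an added example, not NPUM's own code or matching engine, and it rests on simplifying assumptions that the article does not state: a command-group entry such as "<ssh>*no shutdown" is treated as a shell-style wildcard matched against the full command passed through the relay, a rule with Authorize set to Yes and Stop ends evaluation at the first match, and a request that matches no rule is denied. The second admin entry "<ssh>*reload" and the relay() and parse_relay_request() helpers are constructed for this example.

```python
"""
Simplified model of NPUM command control on an SSH relay host.

Added example, not NPUM's code. Assumptions (not taken from the article):
  * a command-group entry such as "<ssh>*no shutdown" is treated as a
    shell-style wildcard matched against the full command requested;
  * a rule with Authorize = Yes and Stop ends rule evaluation on first match;
  * a request that matches no rule is denied ("permission denied").
"""
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

SSH_MARKER = "<ssh>"  # prefix used in the article's command-group entries


@dataclass
class CommandGroup:
    name: str
    patterns: List[str]

    def matches(self, command: str) -> bool:
        """True if the command matches any entry of the group."""
        for pattern in self.patterns:
            # strip the "<ssh>" marker; the rest is treated as a glob
            glob = pattern[len(SSH_MARKER):] if pattern.startswith(SSH_MARKER) else pattern
            if fnmatch.fnmatchcase(command.strip(), glob):
                return True
        return False


@dataclass
class Rule:
    name: str
    credential: str             # credential as typed on the relay line, e.g. cisco@192.178.1.254
    run_user: str               # account the command runs as on the device
    command_group: CommandGroup
    authorize: bool = True      # Authorize = Yes
    session_capture: bool = True
    stop: bool = True           # Stop: no further rules are consulted after a match


@dataclass
class Decision:
    authorized: bool
    rule: Optional[str]
    run_user: Optional[str]
    session_capture: bool
    reason: str


def parse_relay_request(argv: Sequence[str]) -> Tuple[str, str]:
    """Split the arguments that follow 'ssh -t -p 2222 admin@<PUM_Manager>' into
    (credential, command), e.g. ["cisco@192.178.1.254", "show", "version"]."""
    if len(argv) < 2 or "@" not in argv[0]:
        raise ValueError("expected <user>@<host> followed by a command")
    return argv[0], " ".join(argv[1:])


def evaluate(rules: Sequence[Rule], credential: str, command: str) -> Decision:
    """Walk the rules in order and return the decision for one relay request."""
    decision = Decision(False, None, None, False, "no rule matched: permission denied")
    for rule in rules:
        if rule.credential != credential:
            continue
        if not rule.command_group.matches(command):
            continue
        decision = Decision(rule.authorize, rule.name, rule.run_user, rule.session_capture,
                            f"matched {rule.name} via {rule.command_group.name}")
        if rule.stop:
            break
    return decision


# Constructed configuration mirroring sections 3 and 4 of the article.
# "<ssh>*reload" is an extra admin entry invented for this example.
ADMIN_GROUP = CommandGroup("Admin command group", ["<ssh>*no shutdown", "<ssh>*reload"])
NONADMIN_GROUP = CommandGroup("Non Admin command group", ["<ssh>*show version"])

RULES = [
    Rule("Admin Rule for Router", "cisco@192.178.1.254", "cisco", ADMIN_GROUP),
    Rule("Non Admin Rule for Router", "nonadmin@192.178.1.254", "nonadmin", NONADMIN_GROUP),
]


def relay(argv: Sequence[str], rules: Sequence[Rule] = RULES) -> Decision:
    """Decision for one relay invocation's argument list."""
    credential, command = parse_relay_request(argv)
    return evaluate(rules, credential, command)


if __name__ == "__main__":
    # the four cases of steps 5.2 to 5.5
    for request in (["cisco@192.178.1.254", "no", "shutdown"],
                    ["cisco@192.178.1.254", "show", "version"],
                    ["nonadmin@192.178.1.254", "show", "version"],
                    ["nonadmin@192.178.1.254", "no", "shutdown"]):
        d = relay(request)
        print(" ".join(request), "->", "executed" if d.authorized else "permission denied", "|", d.reason)
```

Running the script prints the four outcomes of steps 5.2 to 5.5: the admin credential may run "no shutdown" but not "show version", and the non-admin credential the reverse. The default-deny at the end of evaluate() is what produces the permission denied message in steps 5.3 and 5.5; a command only gets through when some rule for that credential lists it in its command group.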

6. Glossary of Terms



    • PUM - Privileged User Manager
    • SSH - Secure Shell


