Command Control Access on Network Devices

By: ashishmrt

January 14, 2014 8:37 am

Abstract:

This article gives a step-by-step procedure for configuring command control access to network devices such as routers and switches using NetIQ Privileged User Manager (NPUM).

Table of Contents

  1. Introduction
  2. Creation of Privileged Account
  3. Creation of the Command group
  4. Creation of Command Control Rule
  5. How to Execute Rules
  6. Glossary of Terms

1. Introduction

NetIQ Privileged User Management (PUM) helps IT administrators manage the identity and access for superuser, root accounts, and application users by providing controlled superuser/privileged access to administrators, allowing them to perform jobs without needlessly exposing root account credentials. It also provides a centralized activity log across multiple platforms.

SSH relay is a new feature added to PUM that enables delegation of privileged credentials to hosts where no PUM agent is installed. It uses the underlying SSH functionality of Unix/Linux systems to provide privileged access and to monitor activity after the delegation. PUM was designed to work with its own framework user management; with the release of PUM 2.3, LDAP group support was added, which eases integration with an LDAP domain.

This article walks through the configuration a customer needs to perform to enable command control access for network devices.

2. Creation of Privileged Account

To create the privileged accounts, follow the steps below.

Before PUM can be integrated with an authentication domain, the account domain details need to be added to the PUM manager. The PUM manager supports creating the account domain under the Command Control console, which is installed as part of the default manager installation. The steps to add an authentication account domain to PUM are as follows:

2.1 Go to Home / Command Control console -> Privileged Accounts.
2.2 Choose Add Account Domain to add a new account domain to the PUM manager framework.
2.3 Provide the details as shown in the picture below. The Name and SSH host should be the network device IP address.

[Image: cca-1]

This creates an authentication domain for admin users. More accounts can be added to this authentication domain; follow the steps below to add non-admin authentication accounts.

2.4 Go to Home / Command Control console -> Privileged Accounts, select the privileged account created in the previous step, and click Add Credential on the left.

[Image: cca-2]

This creates another credential domain, for non-admin users.

3. Creation of the Command group

3.1 Go to Home / Command Control / Command Groups and add two command groups (for example, Admin command group and Non Admin command group).
3.2 Under Command Groups, select Admin command group, click Modify Command, and under Commands add the admin commands, for example “<ssh>*no shutdown”. Multiple commands can be added in this way.

[Image: cca-3]

3.3 Under Command Groups, select Non Admin command group, click Modify Command, and under Commands add the non-admin commands, for example “<ssh>*show version”. Multiple commands can be added in this way.

[Image: cca-4]

4. Creation of Command Control Rule

After adding the privileged account details and the command groups, the next step is to create rules in Command Control so that authorization to access the SSH relay host is granted based on a rule. This is done with the following steps:

4.1 Go to Home / Command Control -> Rules.
4.2 Choose Add Rule from the left panel and add two rules, “Admin Rule for Router” and “Non Admin Rule for Router”.
4.3 Modify the Admin Rule for Router rule: set Session capture to On, set Authorize to Yes and Stop, select the credential cisco@192.178.1.254 and set the run user to cisco.

4.4 Modify the Non Admin Rule for Router rule: set Session capture to On, set Authorize to Yes and Stop, select the credential nonadmin@192.178.1.254 and set the run user to nonadmin.

5. How to Execute Rules

After adding the privileged account details, command groups and rules, the next step is to execute commands. Follow the steps below.

5.1 Connect to the router (or other device) with an SSH client and log in as the admin user, i.e. “cisco”.

FOR ADMIN COMMANDS
5.2 At the shell prompt, run

    ssh -t -p 2222 admin@<PUM_Manager_IP_address> <cisco@Router_IP_address> <any command which is part of the admin command group>

and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. The command is executed.

5.3 At the shell prompt, run

    ssh -t -p 2222 admin@<PUM_Manager_IP_address> <cisco@Router_IP_address> <any command which is not part of the admin command group>

and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. The command is not executed, and the user receives a permission denied message.

FOR NON ADMIN COMMANDS
5.4 At the shell prompt, run

    ssh -t -p 2222 admin@<PUM_Manager_IP_address> <nonadmin@Router_IP_address> <any command which is part of the non admin command group>

and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. The command is executed.

5.5 At the shell prompt, run

    ssh -t -p 2222 admin@<PUM_Manager_IP_address> <nonadmin@Router_IP_address> <any command which is not part of the non admin command group>

and press Enter. You will be asked for the PUM Manager console password; provide it and press Enter. The command is not executed, and the user receives a permission denied message.

In this way, command control access can be achieved using NPUM.
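To make the authorization behaviour of sections 3 to 5 concrete, the following added example models the command-control decision in Python. It is not PUM's own code and does not reproduce its matching engine; it assumes that a command sent through the SSH relay is presented to command control as "<ssh>" followed by the command text, that command group entries are shell-style wildcard patterns, that "Authorize: Yes and Stop" means the first rule matching both the credential and the command decides and evaluation stops, and that each rule is tied to the command group of the same name. The credentials, command groups and rule names are the ones from the article; the PUM manager address and the extra commands in the usage section are constructed.

```python
"""Added example: a simplified model of PUM command-control rule evaluation.

Not PUM's own code. Assumptions: a command submitted through the SSH relay is
presented to command control as "<ssh>" followed by the command text, command
group entries are shell-style wildcard patterns, and "Authorize: Yes and Stop"
means the first matching rule decides and no later rule is evaluated.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

# Command groups from section 3 (admin vs non-admin commands).
COMMAND_GROUPS: Dict[str, List[str]] = {
    "Admin command group": ["<ssh>*no shutdown"],
    "Non Admin command group": ["<ssh>*show version"],
}


@dataclass(frozen=True)
class Rule:
    name: str
    credential: str          # "<run user>@<device>" as selected in section 4
    command_group: str
    authorize: bool = True   # "Authorize: Yes"
    stop: bool = True        # "... and Stop": evaluation ends at the first match
    session_capture: bool = True


# Rules from section 4; which group each rule uses is an assumption of this model.
RULES: List[Rule] = [
    Rule("Admin Rule for Router", "cisco@192.178.1.254", "Admin command group"),
    Rule("Non Admin Rule for Router", "nonadmin@192.178.1.254", "Non Admin command group"),
]


@dataclass(frozen=True)
class Decision:
    authorized: bool
    matched_rule: Optional[str]
    captured: bool           # True when the session would be recorded
    message: str


def command_in_group(group: str, relay_command: str) -> bool:
    """Match the relayed command against every wildcard pattern in the group."""
    return any(fnmatchcase(relay_command, pat) for pat in COMMAND_GROUPS.get(group, []))


def evaluate(credential: str, command: str, rules: List[Rule] = RULES) -> Decision:
    """Decide whether `command` may run on the device as `credential`.

    Default deny: when no rule matches both the credential and the command,
    the result is the "permission denied" outcome described in steps 5.3 and 5.5.
    """
    relay_command = "<ssh>" + command
    decision: Optional[Decision] = None
    for rule in rules:
        if rule.credential != credential:
            continue
        if not command_in_group(rule.command_group, relay_command):
            continue
        decision = Decision(
            authorized=rule.authorize,
            matched_rule=rule.name,
            captured=rule.authorize and rule.session_capture,
            message=f"authorized by rule '{rule.name}'" if rule.authorize else "permission denied",
        )
        if rule.stop:          # "Yes and Stop": no later rule is considered
            break
    return decision or Decision(False, None, False, "permission denied")


def relay_argv(manager_ip: str, credential: str, command: str) -> List[str]:
    """argv for the ssh invocation shown in section 5 (port 2222 on the PUM manager)."""
    return ["ssh", "-t", "-p", "2222", f"admin@{manager_ip}", credential, command]


def audit_line(credential: str, command: str, decision: Decision) -> str:
    """One line for the centralized activity log the introduction mentions."""
    verdict = "ALLOW" if decision.authorized else "DENY"
    rule = decision.matched_rule or "no matching rule"
    capture = "captured" if decision.captured else "not captured"
    return f"{verdict} credential={credential} command={command!r} rule={rule} session={capture}"


if __name__ == "__main__":
    # The four checks from steps 5.2 to 5.5, plus a credential with no rule at all.
    for cred, cmd in [
        ("cisco@192.178.1.254", "no shutdown"),       # 5.2: in admin group -> runs
        ("cisco@192.178.1.254", "show version"),      # 5.3: not in admin group -> denied
        ("nonadmin@192.178.1.254", "show version"),   # 5.4: in non-admin group -> runs
        ("nonadmin@192.178.1.254", "no shutdown"),    # 5.5: not in non-admin group -> denied
        ("guest@192.178.1.254", "show version"),      # constructed: no rule -> denied
    ]:
        print(" ".join(relay_argv("<PUM_Manager_IP_address>", cred, cmd)))
        print("  ->", audit_line(cred, cmd, evaluate(cred, cmd)))
```

Two points the model makes visible: the same command ("show version") is denied for the cisco credential and allowed for the nonadmin credential, because the decision is made per rule and each rule is bound to one credential and one command group; and the leading "*" in a pattern such as "<ssh>*no shutdown" also matches longer command lines that end in "no shutdown", so patterns should be written as narrowly as the intended use allows.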

6. Glossary of Terms

  • PUM – Privileged User Manager
  • SSH – Secure Shell
Categories: Privileged User Manager, Technical Solutions

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.
