Idea ID 2813229
Nowadays, and in most scenarios, network/security devices have both a GUI and a CLI. Especially for firewalls and ADC products, the GUI (WebUI or Client App) is the primary way to operate these devices. In order to onboard GUI access to NETIQ PAM for recording, we need App SSO. But in the NETIQ PAM implementation, there are 2 different credentials for:
- CLI (Linux/Unix/AD/LDAP)
- GUI (SSO)
It's good practice to have 2 separate privilege IDs for CLI and GUI, but in most cases, customers only maintain 1 to be used for both CLI and GUI. In either case, I'm seeing the shortcomings of App SSO:
- 2 separate IDs - We can utilize the script to change the CLI/SSH password, but there is no way to perform password management for the App SSO credential. You have to manually update both PAM and the Application password. That defeats the purpose of onboarding those accounts to PAM.
- Single ID - You don't have the option to select a non-App SSO (like CLI/SSH) credential when defining the rules. If that were supported, then we could utilize the AD/Linux/Unix password, and also reduce the overhead of maintaining another set of credentials for SSO.
By the way, can we have a clone feature for the scripts? I wish I could clone and edit the default script to suit my needs. I'm not a programmer!