Symantec Privileged Access Management

  • 1.  CA Privileged access manager

    Posted Jun 14, 2017 04:41 AM

    Dear Team,


    We would like to configure central user administration without an agent on the target endpoint.

    Is it possible with PAM?


    Can AD users log in to a Linux machine without having an agent on the endpoint?

    Or

    Can local PAM users log in to Linux without any agent on the endpoint?


    Thanks

    ITSAT

    VOLVOCARS 



  • 2.  Re: CA Privileged access manager

    Posted Jun 14, 2017 05:32 AM

    Basically, we don't want any user accounts local to the endpoint.


    Thanks

    ITSAT

    VOLVOCARS



  • 3.  Re: CA Privileged access manager
    Best Answer

    Broadcom Employee
    Posted Jun 14, 2017 09:46 AM

    Hello Team Volvo,


    PAM can act as a password vault and it can act as an access method to reach devices. Passwords from the password vault can be used to log in to the devices. This does not change the authentication behavior of the device itself.


    Q: We would like to configure central user administration without an agent on the target endpoint. Is it possible with PAM?

    A: Yes. PAM does not require any agents on the devices that it connects to (although some agents are available to add functionality). PAM can be used to manage the passwords through various methods. PAM is NOT a replacement for your current user administration system (like AD); it can, however, interact with these systems to manage passwords and allow authentication.


    Q: Can AD users log in to a Linux machine without having an agent on the endpoint?

    A: In general, Linux is not able to use AD for authentication without some kind of agent installed to broker the connection. PAM does not change this.


    Q: Can local PAM users log in to Linux without any agent on the endpoint?

    A: Local PAM users in general are only used to log in to PAM. It is possible to set PAM up as a SAML IdP, which may allow you to use PAM local accounts for access to other systems. I have not personally tested this situation, but I suspect that this would also require some sort of agent on the Linux end to enable this type of authentication.


    Doc link on using PAM as IdP:

    Act as an Identity Provider (IdP) - CA Privileged Access Manager - 2.8.2 - CA Technologies Documentation


    -Christian




  • 4.  Re: CA Privileged access manager

    Broadcom Employee
    Posted Jun 14, 2017 10:10 AM

    To add to what Christian said: we do have Kerberos authentication for Windows targets, where the credentials of the user logged on to CA PAM are used to log on to the target device, see https://docops.ca.com/ca-privileged-access-manager/2-8-2/EN/implementing/log-in-to-the-ca-pam-server/log-in-to-a-windows-target-with-a-smart-card-kerberos, but this is only available for Windows devices imported through an LDAP integration. For Linux target devices you will need to have target accounts configured in PAM.



  • 5.  Re: CA Privileged access manager

    Posted Jun 15, 2017 03:21 AM

    Thank you.
    We have a couple of challenges which I would ask about again sometime.



  • 6.  Re: CA Privileged access manager

    Posted Jun 15, 2017 03:19 AM

    Thanks for your valuable feedback, I will keep all the points in mind while setting up the environment.