Discovering Privileged Accounts from Cisco IOS Devices
You can connect with network devices and discover the accounts present in them. To discover accounts from Cisco IOS devices, navigate to Accounts >> Add >> Discover Accounts >> Cisco IOS Devices.
Discovering accounts from network devices is a two-step process:
- Step 1: Connecting to the network devices
- Step 2: Enter credentials and discover
Step 1: Connecting to the Network Devices
For Securden to establish connectivity, you need to specify the IP addresses of the target network devices. You can discover accounts from a single device or from a set of devices in an IP range.
If you choose Single Device, you need to specify the Hostname/IP address of the target network device.
If you choose Devices in IP Range, you need to specify the IP range of the target devices, that is, the Start IP and End IP of the range of devices to be scanned.
Once the IP addresses of the devices have been specified, you need to provide the following details.
Connectivity Timeout
The maximum time in seconds Securden can attempt to establish connectivity with the devices before terminating the process.
Time delay for subsequent attempts
If connectivity to one or more devices cannot be established at present, Securden can attempt to connect with the devices at a later time. You need to specify the time (in hours) after which the attempt to connect should be made.
Discovering through Remote Gateway
If the devices reside in a different network than the Securden server, you can route the connection through a remote gateway. You can select the appropriate remote gateway from the drop-down and the discovery will happen through the selected gateway.
If no suitable gateway is available, navigate to Admin >> Remote Sessions and Recordings >> Remote Gateway and add the required gateway.
Step 2: Enter Credentials and Discover
Securden needs to authenticate the connection with devices to perform discovery. You can specify the root account credentials or sudo (Superuser Do) user credentials for this purpose. In addition to account discovery, Securden also uses these administrator credentials for remote actions such as password verification and reset.
Note
If each machine in the specified IP range has different administrator credentials, you need to repeat discovery separately for each device. In such scenarios, importing accounts from files would be a better option than account discovery.
You need to supply two sets of credentials: one for remote login and the other to fetch the accounts and onboard them to Securden.
Supply remote login credentials
You need to provide the credentials of an administrator user on the target device for Securden to log in securely.
- You need to specify the Account Name of the administrator account.
- You can choose between a Password or a Public Key Infrastructure (PKI file) as the authentication type.
If you choose to authenticate using a PKI file, you have two options. You can either:
- Choose an SSH key stored in Securden from the drop-down menu.
- Upload an SSH key file from your computer. Here, you need to provide the passphrase required to access the file.
Credentials for fetching privileged accounts
Once the credentials for remote login are supplied, you need to specify the administrator credentials which are required to fetch the accounts present in the devices.
If the account used for remote login has administrative privilege, then you can use the same credentials for fetching accounts. To use the same credentials, select the checkbox named Use remote login credentials as specified above.
If you are using separate administrator credentials for fetching accounts, you need to specify the account name and password for the same.
Important
When choosing to use the same remote login credentials for fetching accounts,
- For Password based authentication, you need not specify the account name or the password.
- For PKI authentication, you need to specify the password of the account alone.
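For orientation on what the fetched accounts are: local accounts on an IOS device are defined by `username` lines in its running configuration, and privilege level 15 is full administrative access. The following is an added example, not Securden's code and not a description of how Securden performs discovery; the configuration excerpt is constructed and the function names are assumptions.

```python
import re

# Constructed `show running-config` excerpt (sample data, not from a real device).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username admin privilege 15 secret 9 $9$constructedSalt$constructedHash
username netops privilege 15 password 7 0000000000000000
username helpdesk secret 5 $1$cnst$constructedMd5Hash
username monitor privilege 1 password 0 constructed-cleartext
username auditor privilege 7
username auditor secret 9 $9$constructedSalt2$constructedHash2
line vty 0 4
 login local
"""

# Credential type numbers as they appear in IOS configuration.
CRED_TYPES = {"0": "cleartext", "5": "MD5", "7": "type 7 (reversible)",
              "8": "PBKDF2-SHA256", "9": "scrypt"}
WEAK_TYPES = {"0", "7"}  # recoverable from the configuration text itself

USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)"
    r"(?:\s+privilege\s+(?P<priv>\d+))?"
    r"(?:\s+(?:secret|password)\s+(?P<ctype>\d)\s+\S+)?")

def parse_local_accounts(config_text):
    """Return {name: {"privilege", "cred_type", "weak"}} from `username` lines."""
    accounts = {}
    for line in config_text.splitlines():
        m = USERNAME_RE.match(line)
        if not m:
            continue
        # Merge by name in case an account's attributes appear on more than one line.
        acct = accounts.setdefault(
            m["name"], {"privilege": 1, "cred_type": None, "weak": False})
        if m["priv"] is not None:
            acct["privilege"] = int(m["priv"])  # level is 1 when not specified
        if m["ctype"] is not None:
            acct["cred_type"] = CRED_TYPES.get(m["ctype"], "unknown")
            acct["weak"] = m["ctype"] in WEAK_TYPES
    return accounts

def privileged_accounts(accounts):
    """Names of accounts at privilege level 15 (full administrative access)."""
    return sorted(n for n, a in accounts.items() if a["privilege"] == 15)

if __name__ == "__main__":
    found = parse_local_accounts(SAMPLE_CONFIG)
    print(found, privileged_accounts(found))
```

Accounts flagged `weak` store their credential as type 0 or type 7, so they are natural first candidates for the password randomization option under Advanced Options.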
Advanced Options
Once you've discovered privileged accounts from network devices, you have the option to add all the discovered accounts into a specific folder and assign them a specific account type. This reduces the effort required to classify the accounts at a later time.
- If you want to assign a specific account type to all the imported accounts, you can select the required account type from the drop-down.
- If you want to add all the imported accounts to a folder, you can select the required folder from the drop-down. If you want to create a new folder for this purpose, you need to click on [Add Folder].
- You have the option to assign strong and unique passwords to the accounts at the time of discovery. If you choose this option, Securden generates passwords based on the password policy specified and assigns them to the accounts on target devices.
Note
The credentials used for authentication will not be randomized if this option is chosen.
Once all the required parameters have been specified, click Discover.
The discovery process takes a few minutes to complete. Once it is completed, the complete results, with a list of accounts and their status, are displayed. You can view how many accounts were successfully imported.