Example: Cisco IOS XE

Example post-rotation script for Cisco devices

Overview

This document provides step-by-step instructions for creating a post-rotation script that rotates the password of a local user on a Cisco IOS XE device such as a Catalyst 9000. With the "Run PAM scripts only" rotation profile, the Gateway generates the new password and hands it to your script; the script, not a built-in connector, is responsible for applying it on the device.

1. Create the Cisco authentication record

Create a new PAM User record to store the Cisco Catalyst administrative credentials. This account must be able to enter configuration mode and change another local user's secret (on IOS XE, privilege level 15 or an equivalent view). The post-rotation script references this record when performing the password update on the device.

Add a Custom Field of type "Text" with the label host_endpoint and set the value to the IP address or hostname of the Cisco IOS XE device. The script reads this field to know which device to connect to, so the Gateway must be able to reach that address over SSH (TCP 22).

2. Create the target user record

Create a second PAM User record for the local user account whose password will be rotated. Enter the account's current username and password; the script uses the stored password to roll the device back if the new one cannot be verified.

3. Configure rotation settings

Under the Rotation Settings section, select Set Up to configure password rotation.

  • For Rotation Profile, choose Run PAM scripts only.

  • For PAM Resource, select the appropriate PAM configuration for your Gateway.

  • Click Update to save the rotation configuration.

4. Upload the post-rotation script

Still in the PAM User record, under the PAM Scripts section, click Add PAM Script. Upload the Python script by browsing for it on your device or by dragging and dropping the file into the upload field.

Attach the Python file below as the PAM script. It connects to the Cisco IOS XE endpoint over SSH and performs the password rotation.

5. Associate the Cisco authentication record

In the "Additional Credentials" dropdown, select the Cisco authentication record created in Step 1. This record will be used by the script to authenticate to the device.

  • Enable Run with Command Prefix and specify the full path to the Python executable on the Gateway host.

  • For Gateways deployed via Docker, the path is typically /usr/local/bin/python3. Confirm it with docker exec <gateway-container> which python3 before saving, since a wrong prefix causes every rotation to fail.

6. Save the configuration

Click Save on the PAM User record to complete the configuration.
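For reference, here is a complete post-rotation script of the kind step 4 attaches. It is an added example written for this page, not Keeper's own script file, and it assumes two things that are labelled in the code: that the Gateway passes the record data to the script as a JSON object on stdin (the key names host_endpoint, admin_username, admin_password, target_username, old_password and new_password are this example's own flattening of the two records and must be mapped to the actual payload layout), and that netmiko is installed on the Gateway host. The device-side sequence is the part worth copying: change only the user's secret with algorithm-type scrypt, confirm the running-config now holds a type 9 secret, prove the new credential by opening a second SSH session as the target user, and only then write memory. A password that is accepted in running-config but never saved is lost on the next reload, leaving the vault and the device out of sync.

```python
"""
Post-rotation script for Cisco IOS XE: change a local user's secret over SSH.

Added example, not Keeper's script. Assumptions (see lead-in):
  * the Gateway supplies a JSON object on stdin; the flat keys below are this
    example's own layout and must be adapted to the real payload;
  * netmiko is installed on the Gateway host (imported lazily so the helper
    functions can be exercised without a device).
"""
import json
import re
import sys

SCRYPT_TYPE = "9"  # IOS XE stores algorithm-type scrypt secrets as "secret 9 ..."

# Constructed sample of "show running-config | include ^username", for testing.
SAMPLE_SHOW_RUN = (
    "username netops privilege 15 secret 9 $9$constructedhash\n"
    "username legacy secret 5 $1$constructedhash\n"
)


def validate_password(password: str) -> None:
    """Reject characters the IOS CLI would misinterpret.

    '?' invokes context help in the IOS CLI unless escaped with Ctrl-V, and
    leading/trailing whitespace is stripped by the command parser, so such a
    password would be stored differently from what the vault holds. Exclude
    these characters in the rotation password policy rather than escaping them.
    """
    if not password:
        raise ValueError("empty password")
    if "?" in password:
        raise ValueError("password contains '?', which the IOS CLI treats as help")
    if password != password.strip():
        raise ValueError("password has leading/trailing whitespace, which IOS strips")
    if "\r" in password or "\n" in password:
        raise ValueError("password contains a line break")


def build_rotation_commands(username: str, new_password: str) -> list:
    """Config-mode lines that replace only the user's secret.

    Other username attributes (privilege level, view) are left untouched:
    IOS merges per-keyword username lines, and 'no username' is never issued.
    """
    validate_password(new_password)
    if not re.fullmatch(r"[A-Za-z0-9_.@-]+", username):
        raise ValueError("unexpected characters in username")
    return [f"username {username} algorithm-type scrypt secret {new_password}"]


def secret_is_scrypt(show_run_output: str, username: str) -> bool:
    """True if the user's running-config line carries a type-9 (scrypt) secret."""
    for line in show_run_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "username" and parts[1] == username:
            if "secret" in parts:
                idx = parts.index("secret")
                return len(parts) > idx + 1 and parts[idx + 1] == SCRYPT_TYPE
            return False
    return False


def parse_gateway_input(raw: str) -> dict:
    """Parse the stdin payload (assumed flat JSON layout; adapt to the real one)."""
    params = json.loads(raw)
    required = ("host_endpoint", "admin_username", "admin_password",
                "target_username", "old_password", "new_password")
    missing = [key for key in required if not params.get(key)]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    return {key: params[key] for key in required}


def rotate_on_device(p: dict) -> None:
    """Apply the new secret, verify it with a fresh login, then persist it."""
    from netmiko import ConnectHandler  # lazy import: only needed on the Gateway

    admin = dict(device_type="cisco_xe", host=p["host_endpoint"],
                 username=p["admin_username"], password=p["admin_password"])
    user = p["target_username"]
    with ConnectHandler(**admin) as conn:
        conn.send_config_set(build_rotation_commands(user, p["new_password"]))
        shown = conn.send_command(f"show running-config | include ^username {user}")
        if not secret_is_scrypt(shown, user):
            raise RuntimeError("secret was not stored as type 9; not persisting")
        try:
            # Prove the new credential works before committing it to startup-config.
            probe = dict(admin, username=user, password=p["new_password"])
            with ConnectHandler(**probe) as check:
                check.send_command("show clock")
        except Exception:
            # Restore the old secret so the vault and the device stay in sync.
            conn.send_config_set(build_rotation_commands(user, p["old_password"]))
            raise
        conn.save_config()  # "write memory"; without it the change is lost on reload


if __name__ == "__main__":
    rotate_on_device(parse_gateway_input(sys.stdin.read()))
    print("rotation verified and saved")
```

Any failure is left as an uncaught exception so the traceback reaches stderr and the run exits non-zero, which is how the Gateway's logs make a failed rotation visible. Note that the rollback path only works if the old password is still what the device has, which is why step 2 asks for the account's current password.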
