Element Type
In the Element Type function, it is possible to define a new element and configure its properties. Frequently used elements are already defined in Kron PAM and can be edited if necessary. Elements can be personalized by adding or editing properties on the Element Type screen. To set the properties of an element type, follow the steps below:
- Navigate to Devices > Element Type.
- Click the Element Type Option button and go to Next.
- Select Show Properties according to the preferred Association Tags.
- Save.
Property Name | Description | Sample Values |
---|---|---|
aaa.auth.username.case.sensitive | If the device type is expected to recognize a case-sensitive username, the property must be set as true. | false |
cli.clean.line.bytes | This property defines the method used to clean the prompt line when the command is not permitted on the target device. The property can have the values ENQ_NAK_CR, ETX, and ENQ_CAN_CR. ENQ_NAK_CR: Some switches/routers (MikroTik, etc.) require this method to clean the prompt line when the command is detected as a black key command. ETX: When a command is detected as a black key command, the “ctrl+c” sequence is sent so that the command is not run. ENQ_CAN_CR: Some switches/routers (HP, etc.) require this method to clean the prompt line when the command is detected as a black key command. The proper method should be chosen according to the specifications of the device. | ETX |
cli.login.password.prompt.pattern | Telnet connections behave differently during the authentication process based on the device, such as only the password or only the username being asked for authentication. Set this parameter if only the password is required for authentication. | (?i).*password[:|>].* |
cli.login.username.and.password.prompt.pattern | Telnet connections behave differently during the authentication process based on the device, such as only the password or only the username being asked for authentication. Set this parameter, if only the username is required for authentication. | (?i).*username.*password.* |
cli.login.username.prompt.pattern | Telnet connections behave differently during the authentication process based on the device, such as only the password or only the username being asked for authentication. Set this parameter, if only the username is required for authentication. | (?i).*(username|user|login)[:|>].* |
discovery.commands.hostname | Command to get the hostname during device discovery. | hostname |
discovery.commands.hostname.pattern | Regex pattern to get the hostname from the output of the hostname command during device discovery. | Hoctamectl |
discovery.commands.version.command | Command to get the version of the operating system during discovery. | cat /etc/os-release |
discovery.model.match.regex | Match the word or regex for output of version command during device discovery. | Linux |
discovery.name.server.lookup.hostname | If this value is set as true, devices will be discovered with their name by executing the nslookup command during auto-device discovery. | true |
enforcer.terminal.behaviour.context | This property can keep the actual context in the device and the context in XML policies synchronized. ALCATEL and CISCO can locate deeper contexts when a user enters them sequentially in one command line whereas HUAWEI cannot. When a command does not exist in the current context, HUAWEI and ALCATEL look for it in the root context whereas CISCO does not. | ALCATEL |
enforcer.terminal.behaviour.ctrl_c | This property can keep the actual context in the device and context in the XML policies synchronized. Devices have different behaviors when the user presses CTRL+C. DO_NOTHING: Does not change the context. ABORT: Ignores what the user wrote, does not change the context. ABORT_AND_GO_TO_ROOT: Changes the context to root. ABORT_AND_GO_TO_ROOT_WHEN_NO_COMMAND: Changes the context to root only when the user did not write anything. | ABORT |
enforcer.terminal.behaviour.ctrl_z | This property can keep the actual context in the device and context in the XML policies synchronized. Devices have different behaviors when the user presses CTRL+Z. DO_NOTHING: Does not change the context. ABORT_AND_GO_TO_ROOT: Does not execute the command if the user wrote something, then changes the context to root. EXECUTE_AND_GO_TO_ROOT: Executes the command if the user wrote something, then changes the context to root. | ABORT_AND_GO_TO_ROOT |
enforcer.terminal.behaviour.error_message_pattern | This property is used to see whether the command has executed successfully or not in the command log entries. The expected failure message returned by the command needs to be defined in this property. | (command not found)|(Error:) |
enforcer.terminal.behaviour.exc_last_line_patterns | Skips command detection, policy enforcement and command logging when the last line matches one of these patterns. | .*(?i)password[:|>].* ^\s*-+\s*(?i)more\s*-+.* |
enforcer.terminal.behaviour.has_prompt | If the device type has no prompt, such as #,$, set the value as false. | true |
enforcer.terminal.behaviour.prompt_pattern | When the user presses ENTER, the system tries to find this pattern in the last line. If found, the system considers the rest of the characters as a command. | .*?(>|#|]|$) |
enforcer.terminal.behaviour.second_attempt_for_prompt | This property applies to when the user presses ENTER but the command could not be detected because no prompt was found in the last line. The command may not be detected because sometimes, while the user is typing a command, the device may suddenly send messages to the user, causing the characters of the command to mix with the characters of the message when the user presses ENTER. DONT_TRY_AND_CLEAN_LINE: Sends a specific byte series to the device in order to clean the line (guaranteed to cancel possible command). DONT_TRY_AND_SEND_ENTER: Sends ENTER to the device (may cause it to execute a possible command without policy enforcement and logging). TRY_AND_CLEAN_LINE: Sends TAB to the device and waits for a short while. If still no prompt is found in the last line, sends a specific byte series to the device to clean the line (guaranteed to cancel possible command). TRY_AND_SEND_ENTER: Sends TAB to the device and waits for a short while. If still no prompt is found in the last line, sends ENTER to the device (may cause it to execute the possible command without policy enforcement and logging). | TRY_AND_CLEAN_LINE |
http.auto.login.send.email.in.header | When set as true, the email address of the user is forwarded to the http(s) device during auto-login. The info is sent in an Additional-Info parameter as email=abc@def.com. The default value is false. | true / false |
http.auto.login.send.utc.time.in.header | When set as true, the timestamp of the auto-login is forwarded to the http(s) device during auto-login in UTC format. The info is sent in an Additional-Info parameter as time=1563288010000. The default value is false. | true / false |
http.auto.login.user.information.hash.algorithm | The algorithm to hash the email and UTC time information sent in the header, if the related properties are set as true. No hashing is applied if this property is not defined. | SHA256 |
http.auto.login.user.information.hash.preshared.key | The pre-shared key string used to hash the email and UTC time information sent in the header, when the related properties are set as true. | String |
nsso.cli.delay.before.enter | Adjusts the delay (in milliseconds) applied before the ENTER command, to allow for the device not echoing the typed characters. | 100 |
nsso.cli.delay.between.enters | Bulk commands that are copy/pasted are sometimes not executed completely, or some commands are missed, when the device response time is longer than expected. By default, Kron PAM waits 500 milliseconds after each ENTER echoed from the device. Change the value if the default is not sufficient. | 500 |
shell.terminal.config.fixed_pty_columns | Some devices send ENTER bytes when the command being typed is longer than the window width. This causes problems with command detection. To avoid this, set this property to “0” (or “-1”, according to the device) to force the device to assume an unlimited window width. It can also be used to work with a fixed window width, such as 80 columns, even if the user changes the window width of the client application. | 80 |
shell.terminal.config.fixed_pty_lines | Forces the device to assume an unlimited window height when this property is set as “0” (or “-1”, according to the device). It can also be used to work with a fixed height, such as 24 lines, even if the user changes the window height of the client application. | 24 |
shell.terminal.config.local.echo | This parameter must be set as true if the device-side keys are not echoed. | false |
shell.terminal.config.ssh.echo.process | This property can be set as WITH_QUEUE when a performance increase is desired. | WITHOUT_QUEUE |
shell.terminal.config.ssh.enable.bouncycastle | Some devices do not support up-to-date encryption techniques. For those devices, setting the value as false prevents performance loss. | |
shell.terminal.config.telnet.auth.failure.pattern | When the defined values in this property are captured after entering the username/password in Telnet connections, the authentication is considered unsuccessful. | (?i).*(error|username[:|>]|user[:|>]|login[:|>]|password[:|>]).* |
shell.terminal.config.telnet.logon.template | In Telnet connections, some devices ask for the username and password at the same time when logging in, in which case this property must be defined. | lgi:op="${username}",pwd="${password}"; |
shell.terminal.config.ssh.server.alive.interval | The interval, in seconds, at which keep-alive messages are sent so that the session stays open. | 30000 |
tacacs.log.authorization.as.accounting | Allows TACACS authorization requests to be saved as accounting logs. | true / false |
device.import.azure.port.number | Optional. Devices are imported with the defined port number value. If this value is not set, the default port number is 22 for SSH. | |
device.import.aws.port.number | Optional. Devices are imported with the defined port number value. If this value is not set, the default port number is 22 for SSH. | |
device.import.aws.save.windows.admin.password | While importing Windows devices from Azure, the username and password are retrieved from Azure by using a private key for zero-touch onboarding. If the parameter is set as true, the credentials are stored in the SAPM AdminCredentials-<$publicIPofdevice>. Defaults to false if this value is not set. | |
device.import.azure.reset.windows.admin.password | While importing Windows devices from Azure, username and password will be retrieved from Azure by using a private key for zero-touch onboarding. If the parameter is set as true, the credentials are stored in the SAPM AdminCredentials-<$publicIPofdevice> | |
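The enforcer.terminal.behaviour.* rows above describe how command detection works: when the user presses ENTER, the last line is checked against the exclusion patterns, then against the prompt pattern, and whatever follows the prompt is treated as the command; the error message pattern later decides whether the command log entry is marked as failed. The following Python script is an added example that simulates that flow with the sample values from the table; it is not Kron PAM's own code. Two adjustments are made for Python's regex engine: the `(?i)` flag is moved to the start of each pattern (Python rejects it mid-pattern), and the `$` in the prompt pattern is escaped so that it matches a literal `$` prompt rather than acting as an end-of-line anchor.

```python
import re

# Sample values taken from the Element Type table above (flags moved to the
# start of the pattern and the prompt "$" escaped for Python's re module).
PROMPT_PATTERN = re.compile(r".*?(>|#|]|\$)")
EXC_LAST_LINE_PATTERNS = [
    re.compile(r"(?i).*password[:|>].*"),       # password prompt: never log as a command
    re.compile(r"(?i)^\s*-+\s*more\s*-+.*"),    # pager "--More--" line
]
ERROR_MESSAGE_PATTERN = re.compile(r"(command not found)|(Error:)")


def detect_command(last_line: str):
    """Return (command, reason) for the last terminal line when ENTER is pressed.

    reason is 'skipped'   when an exc_last_line_pattern matches (no detection,
                          enforcement or logging, as the table states),
              'no_prompt' when the prompt pattern is not found, or
              'detected'  when the text after the prompt is taken as the command.
    """
    for pattern in EXC_LAST_LINE_PATTERNS:
        if pattern.match(last_line):
            return None, "skipped"
    match = PROMPT_PATTERN.match(last_line)
    if match is None:
        return None, "no_prompt"
    return last_line[match.end():].strip(), "detected"


def command_failed(output: str) -> bool:
    """True when the device output matches the configured error message pattern."""
    return ERROR_MESSAGE_PATTERN.search(output) is not None


if __name__ == "__main__":
    # Constructed terminal lines, not captured from a real device.
    for line in ("Router# show running-config", "Password:", "  --More--",
                 "Building configuration..."):
        print(repr(line), "->", detect_command(line))
    for output in ("-sh: foo: command not found", "Interface e0 is up"):
        print(repr(output), "-> failed:", command_failed(output))
```

The lazy `.*?` in the prompt pattern stops at the first prompt character, which is why a line such as `Router# show running-config` yields the command text after `#`; a device whose prompt contains one of those characters earlier in the line (for example a `]` inside a bracketed hostname) would need a more specific prompt_pattern, which is exactly the per-element tuning this screen exists for.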
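The http.auto.login.* rows describe the Additional-Info header (email=... and time=... values) that Kron PAM forwards to an http(s) device during auto-login, hashed with the configured algorithm and pre-shared key. The page does not state how the hash is constructed or transported, so the following Python script is an added example with assumed details, not Kron PAM's implementation: it assumes an HMAC over the header value keyed with the pre-shared key, carried in a hypothetical `Additional-Info-Hash` header, and shows what the receiving web application should check before trusting the forwarded identity: that the hash verifies under the shared key and that the UTC timestamp is recent enough to reject replayed headers.

```python
import hmac

# Assumed header name for transporting the hash; not specified on the page.
HASH_HEADER = "Additional-Info-Hash"


def build_additional_info(email: str, utc_millis: int) -> str:
    """Header value in the form shown in the table: email=...,time=... (assumed separator)."""
    return f"email={email},time={utc_millis}"


def compute_hash(value: str, preshared_key: str, algorithm: str = "SHA256") -> str:
    """Keyed hash of the header value (assumed HMAC construction)."""
    return hmac.new(preshared_key.encode(), value.encode(), algorithm.lower()).hexdigest()


def verify_auto_login_headers(headers: dict, preshared_key: str, now_millis: int,
                              max_skew_millis: int = 5 * 60 * 1000):
    """Device-side check. Returns (email, reason); email is None when rejected."""
    info = headers.get("Additional-Info")
    received = headers.get(HASH_HEADER)
    if not info or not received:
        return None, "missing_header"
    expected = compute_hash(info, preshared_key)
    # Constant-time comparison avoids leaking how many hex digits matched.
    if not hmac.compare_digest(expected, received):
        return None, "bad_hash"
    fields = dict(part.split("=", 1) for part in info.split(",") if "=" in part)
    if "email" not in fields or "time" not in fields:
        return None, "malformed"
    try:
        sent_at = int(fields["time"])
    except ValueError:
        return None, "malformed"
    if abs(now_millis - sent_at) > max_skew_millis:
        return None, "stale_timestamp"
    return fields["email"], "ok"


if __name__ == "__main__":
    # Constructed values: the sample email and timestamp from the table.
    key = "example-preshared-key"
    info = build_additional_info("abc@def.com", 1563288010000)
    headers = {"Additional-Info": info, HASH_HEADER: compute_hash(info, key)}
    print(verify_auto_login_headers(headers, key, now_millis=1563288011000))
```

Because the hash covers both fields together, changing the email while keeping the original hash fails verification, and an old header captured from the network fails the timestamp check even though its hash is valid; enabling only the email header without the time header gives integrity but no replay protection.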