<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: TACACS enable password authentication behavior - Cisco Identity Services Engine 2.4 in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/tacacs-enable-password-authentication-behavior-cisco-identity/m-p/3818328#M484319</link>
    <description>&lt;P&gt;Honestly the concept of enabled mode is antiquated.&amp;nbsp; If you enable command authorization for lvl 15 commands on your network devices you control what the user can do when they get on the device.&amp;nbsp; Put everyone at priv-15 (the # prompt) as soon as they log in and create a Read-Only command set that can only do show commands and a Full-Access command set that can do everything.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I haven't used enabled passwords in 5-10 years on any of my installs.&lt;/P&gt;</description>
    <pubDate>Tue, 12 Mar 2019 18:32:40 GMT</pubDate>
    <dc:creator>paul</dc:creator>
    <dc:date>2019-03-12T18:32:40Z</dc:date>
    <item>
      <title>TACACS enable password authentication behavior - Cisco Identity Services Engine 2.4</title>
      <link>https://community.cisco.com/t5/network-access-control/tacacs-enable-password-authentication-behavior-cisco-identity/m-p/3818304#M484316</link>
      <description>&lt;P&gt;I am running an eval of ISE 2.4 (patch 6). I used the migration tool to pull in all information from ACS 5.8. ISE is new to me, so I'm just trying to figure it out.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The issue I am having right now is with the enable password. It was a simple process in ACS; under user authentication setting, you just made sure the "TACACS Enable Password" option was not checked.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I don't see anything similar in ISE. The only way I got this to work was to go into each user account and configure the enable password. I am hoping there is a better way of doing this, as I have many users that require enable mode. They all belong to the same "User Identity Group".&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;My goal would be for the Login Password to also work as the Enable Password (as it did in ACS). Another option might be for our TACACS network devices to not even prompt for a password when a user enters enable mode (not sure if this is possible).&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 17:44:21 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/tacacs-enable-password-authentication-behavior-cisco-identity/m-p/3818304#M484316</guid>
      <dc:creator>realeric</dc:creator>
      <dc:date>2019-03-12T17:44:21Z</dc:date>
    </item>
    <item>
      <title>Re: TACACS enable password authentication behavior - Cisco Identity Services Engine 2.4</title>
      <link>https://community.cisco.com/t5/network-access-control/tacacs-enable-password-authentication-behavior-cisco-identity/m-p/3818328#M484319</link>
      <description>&lt;P&gt;Honestly the concept of enabled mode is antiquated.&amp;nbsp; If you enable command authorization for lvl 15 commands on your network devices you control what the user can do when they get on the device.&amp;nbsp; Put everyone at priv-15 (the # prompt) as soon as they log in and create a Read-Only command set that can only do show commands and a Full-Access command set that can do everything.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I haven't used enabled passwords in 5-10 years on any of my installs.&lt;/P&gt;</description>
      <pubDate>Tue, 12 Mar 2019 18:32:40 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/tacacs-enable-password-authentication-behavior-cisco-identity/m-p/3818328#M484319</guid>
      <dc:creator>paul</dc:creator>
      <dc:date>2019-03-12T18:32:40Z</dc:date>
    </item>
  </channel>
</rss>

