topic Re: Unable to create a Read-Only policy in ISE 2.4; 'enable' password doesnt work in Network Access Control

Unable to create a Read-Only policy in ISE 2.4; 'enable' password doesnt work

abhijith891 — Wed, 13 Jun 2018 23:55:38 GMT

Hello everyone,

I am trying to create a read-only authorization policy for firewalls for a particular team in ISE 2.4, but I am unable to do it efficiently. I have configured the shell profile for the team to have a default privilege of 1 and max of 7. But for some reason, whenever they log into the ASA, they say their 'login' password works fine, but their 'enable' password isnt working; as a result of which they are unable to get a privilege level of 7. I have tried enabling/disabling the 'enable' password but still its of no avail. So can someone help me out on this?

Regards.

Abhijit

Re: Unable to create a Read-Only policy in ISE 2.4; 'enable' password doesnt work

hslai — Thu, 14 Jun 2018 00:53:16 GMT

ASA has no option for "enable" so its "enable" is actually "enable 15". Thus, please set the default privilege to 7.

Re: Unable to create a Read-Only policy in ISE 2.4; 'enable' password doesnt work

paul — Thu, 14 Jun 2018 11:51:27 GMT

IN my opinion the best way to do any sort of user levels on devices is to do command authorization. The ASA allows you to send users to priv 15 just like any other Cisco product. Send all users to priv 15 and do command authorization to create whatever class of users you want. If they are using ASDM you need to allow “write net” so the config can be sent into ASDM.