topic Re: Issue with enable command using ISE in Network Access Control

Issue with enable command using ISE

GabsC2 — Wed, 31 Aug 2022 15:20:37 GMT

Good day,

I'm having an issue when I use the enable command having and ISE as AAA. If I enable the external auth for the enable I receive the following log:

13029 Requested privilege level too high

I'm configuring the aaa authentication enable like this

aaa authentication enable default group ISE

If I leave it with none or enable (local) I can connect without any issues and see all the logs in the ISE as I should but I cant seem to find why I receive that issue when using the ISE for the enable authentication. The command set has full access, it has the Permit any command that is not listed below activated and no command added, the profile has default and maximum privilege 15 and still I receive the same log.

I'm using ISE 2.7 and a CISCO7613 for the testing.

Re: Issue with enable command using ISE

balaji.bandi — Wed, 31 Aug 2022 16:08:06 GMT

follow below thread :

https://community.cisco.com/t5/network-access-control/13029-requested-privilege-level-too-high/td-p/4101530

Re: Issue with enable command using ISE

GabsC2 — Wed, 31 Aug 2022 17:04:17 GMT

Good day Balaji,

I read that thread before writing this one and it doesn't apply to my scenario because I don't have different privileges, the user only has default and maximum privilege 15. I don't know why it doesn't accept the enable authentication.

Re: Issue with enable command using ISE

balaji.bandi — Thu, 01 Sep 2022 16:49:21 GMT

can you post full AAA config also VTY line config

Re: Issue with enable command using ISE

GabsC2 — Mon, 05 Sep 2022 15:49:28 GMT

Good day,

Dear Balandi, here's the information requested

aaa authentication login default local
aaa authentication login consola local enable
aaa authentication login acsmpls group ISE local enable
aaa authentication enable default none -> This is none at this point because I used the configuration stated in my first post, didn't worked and changed to none while I can solve the issue
aaa authorization exec default local
aaa authorization exec consola local
aaa authorization exec acsmpls group ISE local
aaa authorization commands 15 default local
aaa authorization commands 15 acsmpls group ISE local
aaa authorization network acsmpls group ISE local
aaa accounting exec acsmpls
action-type start-stop
group tacacs+
!
aaa accounting commands 15 acsmpls
action-type stop-only
group tacacs+
!
aaa accounting network acsmpls
action-type start-stop
group tacacs+

line vty 0 15

exec-timeout 5 0
password 7
authorization commands 15 acsmpls
authorization exec acsmpls
accounting commands 15 acsmpls
accounting exec acsmpls
transport input ssh