topic Re: 9300L switch to use configured ENABLE password within ISE per user in Network Access Control

9300L switch to use configured ENABLE password within ISE per user

Ced W — Thu, 16 Jan 2025 20:53:53 GMT

Hi,
I am migrating from ACS/TACACS+ deployment, to ISE/RADIUS deployment.
I am able to get the switches to roger up with ISE/RADIUS deployment but I am unable to move into Priv EXEC mode unless I am consoled in. When I try to SSH with IP address, I get "% Error in Authentication" or if I configure a secret password, all users would have to use that same secret password.

How do I setup ISE/Radius deployment to use individual user set enable password on the ISE server when logging into the switch ...?

I have looked at other threads but none help my situation and currently looking, Cisco TAC was unable to assist.
But I am about to poor over this guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A

AAA config below

TestBench#sh run aaa
!
aaa authentication login default group ISE local enable
aaa authorization exec default group ISE if-authenticated
aaa authorization console
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
username actual privilege 15 secret 9
!
radius server ISE01
address ipv4 auth-port 1812 acct-port 1813
key 7
!
radius server ISE02
address ipv4 auth-port 1812 acct-port 1813
key 7
!
aaa group server radius ISE
server name ISE01
server name ISE02
!
aaa new-model
aaa session-id common
!
ip radius source-interface Vlan6192847

Re: 9300L switch to use configured ENABLE password within ISE per user

ccieexpert — Thu, 16 Jan 2025 21:37:53 GMT

you need something like this:

aaa authentication enable default group ISE local

Re: 9300L switch to use configured ENABLE password within ISE per user

Flavio Miranda — Thu, 16 Jan 2025 21:44:48 GMT

@Ced W

You line vty is configured?

line vty 0 4 transport input ssh login local line vty 5 15 transport input ssh login local

You should have this lines

Re: 9300L switch to use configured ENABLE password within ISE per user

MHM Cisco World — Fri, 17 Jan 2025 00:30:43 GMT

I will send you PM tomorrow

MHM

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Tue, 21 Jan 2025 19:45:17 GMT

@Flavio Miranda
I have tried "login local" but that option is not available for this 9300L 48 PoE+ 4x10G switch
I did try the following variations, "login authentication ISE", in which i got this error, "AAA: Warning authentication list "ISE" is not defined for LOGIN." and doing research on this.

I also tried "login authentication default", to no avail.

Thank you.

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Tue, 21 Jan 2025 19:48:52 GMT

@ccieexpert,

That specific line of code is not available on this 9300L 48 PoE+ 4x10G switch, but I did try a variation, "aaa authentication login default group ISE local enable", but this did not help either. I am afraid to take remove the "enable secret password" line and try for fear of getting locked out and having to backdoor the switch again.
Thank you.

Re: 9300L switch to use configured ENABLE password within ISE per user

ccieexpert — Tue, 21 Jan 2025 20:24:18 GMT

that wont help with enable.

https://community.cisco.com/t5/security-knowledge-base/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

aaa authentication enable default group ISE enable  ... please paste your current config..

Re: 9300L switch to use configured ENABLE password within ISE per user

Flavio Miranda — Tue, 21 Jan 2025 20:31:19 GMT

@Ced W

You should have "login local" under line vty

do you have "aaa new-model" command?

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Thu, 23 Jan 2025 20:12:57 GMT

@ccieexpert

here are the configs, not sure which config you are asking for....
I am looking through the guide, thank you.

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Thu, 23 Jan 2025 20:16:22 GMT

@Flavio Miranda
I have "authorization exec default", I will try "login local"
Yes, I do have "aaa new-model" command.

***EDIT
"login local" is not an available command.

TestBench(config-line)#login ?
authentication Authentication parameters.

TestBench(config-line)#login auth
TestBench(config-line)#login authentication ?
WORD Use an authentication list with this name.
default Use the default authentication list.

TestBench(config-line)#login authentication d
TestBench(config-line)#login authentication default ?
<cr> <cr>

TestBench(config-line)#login authentication default

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Thu, 23 Jan 2025 20:22:10 GMT

@Flavio Miranda
I added the suggested line and now I get

aaa authentication enable default group ISE  enable

instead of "wrong/bad password"
Glad I didn't "wr" or else I would have to back door the switch to recover password

Re: 9300L switch to use configured ENABLE password within ISE per user

PSM — Fri, 24 Jan 2025 15:12:54 GMT

@Ced W just wondering why you want to use Radius instead of Tacacs for device authentications ? Tacacs is much better for this use instead of Radius.

Anyhow can you try config like this. Don't define anything under line VTY, and it should pick default method.

aaa authentication login default group ISE local
aaa authorization exec default group ISE local

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Tue, 28 Jan 2025 20:49:59 GMT

@PSM
I tried TACACS+ but could not figure it out, it was much easier for me to get up and running on RADIUS. But if you can help me setup TACACS+ properly, I would love to do that instead.

This is what I have on my vty line 0 1, should i remove the bold and underlined items ...? Thank you

TestBench#sh run all | b line vty 0 1
line vty 0 1
session-timeout 2
access-class MANAGEMENT_NET in
motd-banner
exec-banner
exec-timeout 10 0
timeout login response 30
privilege level 1
authorization exec default
accounting exec default
logging synchronous
login authentication default
data-character-bits 8
exec-character-bits 7
special-character-bits 7
domain-lookup
exec
length 24
width 80
history size 10
history
editing
monitor
transport input ssh
escape-character soft DEFAULT
escape-character DEFAULT
start-character 17
stop-character 19

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Tue, 28 Jan 2025 20:56:44 GMT

@PSM
I have tried the lines you recommended, it still only allows me to login with the configured enable password on the switch and not the pre-configured enable password in ISE, see photo...

Re: 9300L switch to use configured ENABLE password within ISE per user

PSM — Wed, 29 Jan 2025 12:57:57 GMT

@Ced W please remove "privilege level 1" from line vty and then test.

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Wed, 29 Jan 2025 15:17:59 GMT

@PSM
I removed "privilege level 1" from "line vty 0 1" - had the same result, when I try to enable to exec mode, it only allows me to use the pre-configured enable password on the switch, and not the pre-configured password within ISE set for each individual user.

However, I added the line "privilege level 15" and when i logged, i was automatically taken to exec mode. Which is a win, however because this is a DoD network, I need all priv lvl 15 users to be dropped in user exec mode, then have to elevate to priv exec when needed.

At any rate you put me on the right track-ish and I can start building out my network remotely once all the core infrastructure is racked and stacked.. Thank you.

Re: 9300L switch to use configured ENABLE password within ISE per user

Ced W — Fri, 31 Jan 2025 21:01:40 GMT

Solved*
Thank you ALL ...!

after having this config on the switch...

aaa new-model
aaa session-id common
!
aaa authentication login default group ISE local enable
!
aaa authorization exec default group ISE if-authenticated
aaa authorization exec ISE local
aaa authorization console
!
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!
radius server ISE01
address ipv4 address auth-port 1812 acct-port 1813
key cisco123
!
radius server ISE02
address ipv4 address auth-port 1812 acct-port 1813
key cisco123
!
aaa group server radius ISE
server name ISE01
server name ISE02
!
username cisco privilege 15 secret password

it wasn't until I looked at "line con 0" and "line vty 0 1", using "sh run all" which stated "priviledge level 1", however when i do a "show privilege" is says, "privilege level 15", so I typed "privilege level 15" under both "line con 0" and "line vty 0 1"

I think i am good to go for now but what is confusing is that, on current switch 3850 network setup it has "privilege level 1" on "line con 0" and "line vty 0 1" and I am able to login to exec priv without issue but trying this on switch 9300 I am unable to unless I specify lvl 15 in the vty and console. Maybe a bug ? or the way I have radius setup instead of tacacs+?

so now, I will port over all 3850 switches from ACS to ISE, then once I get a good switch config for the 9300's, deploy 2x firewall 3100's, deploy voice router, deploy CUCM, catalyst center/w2cores, 50 new ap's, 2 new wlc's, 2x cisco proxy servers... then i will start replacing the 3850's with the 9300's and eventually move from radius to tacacs+

thank you all for your help, tshooting was fun and looking forward to ccnp studies.