https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5262119#M595054 <P>If I understand your question correctly. . .<BR />&nbsp;<BR /><SPAN>you set ISE Profile as<BR /></SPAN><SPAN>Set Default Privilege to 1</SPAN><BR /><SPAN>Maximum Privilege set to 15.</SPAN><BR /><BR />you are landing at the user promt &gt; then you have to type enable and you will be placed in # mode ( this is expected behavior )&nbsp;<BR /><BR />Now if you want your switch to ask for enable password, you have two options either configure your NAD/SWITCH to use local enable secret (configured on the same switch) or you can also confiure your NAD to verify enable password from ISE.<BR /><BR />-Which enable secret switch will accept depends upon the configuration you did on the switch&nbsp;<BR />- bydefault the switch will accept the locally configured enable secret&nbsp;<BR />- but you can configure switch to use enable password from the ISE with the following cammand&nbsp;<BR /><BR /></P><PRE>aaa authentication enable default tacacs+ enable</PRE><P><BR /><BR /></P> Tue, 18 Feb 2025 19:02:27 GMT asaditian 2025-02-18T19:02:27Z https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260467#M594986 <P>We're currently testing tacacs</P> <P>from ise to tacacs profile<BR />Set Default Privilege to 1<BR />Maximum Privilege set to 15.</P> <P>My personal opinion is<BR />If you set it as above, the switch will successfully log in to the tacacs account and if enabled in the &gt; state, you will receive Maximum Privilege and enter #.</P> <P>However, if you enable it in &gt;, you can't enter # mode with the message %Error in authentication if you ask for password and enter password.</P> <P>Am I thinking wrong by any chance?</P> Fri, 14 Feb 2025 08:34:35 GMT https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260467#M594986 CCC3 2025-02-14T08:34:35Z https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260544#M594993 <P>Not sure what you are actually doing here, but why would you want users that auth as priv level 15 to log in to Disable-mode? If they are priv-users, just let them auth directly into Enable-mode?</P> Fri, 14 Feb 2025 11:14:08 GMT https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260544#M594993 trondaker 2025-02-14T11:14:08Z https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260786#M595008 <P>As I wrote in the post<BR />We are testing it in various scenarios.</P> <P>1) Set Default Privilege to 1<BR />Maximum Privilege set to 1.</P> <P>2) Set Default Privilege to 1<BR />Maximum Privilege set to 15.</P> <P>3) Set Default Privilege to 15<BR />Maximum Privilege set to 15.</P> <P>In case of number 1, it was impossible to enter the #mode with enable<BR />For 3 times, as soon as I logged in, I entered #mode.</P> <P>This scenario is the same as I thought</P> <P>In case 2, I wrote a post because it was different from what I thought.</P> Sat, 15 Feb 2025 05:51:16 GMT https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5260786#M595008 CCC3 2025-02-15T05:51:16Z https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5262119#M595054 <P>If I understand your question correctly. . .<BR />&nbsp;<BR /><SPAN>you set ISE Profile as<BR /></SPAN><SPAN>Set Default Privilege to 1</SPAN><BR /><SPAN>Maximum Privilege set to 15.</SPAN><BR /><BR />you are landing at the user promt &gt; then you have to type enable and you will be placed in # mode ( this is expected behavior )&nbsp;<BR /><BR />Now if you want your switch to ask for enable password, you have two options either configure your NAD/SWITCH to use local enable secret (configured on the same switch) or you can also confiure your NAD to verify enable password from ISE.<BR /><BR />-Which enable secret switch will accept depends upon the configuration you did on the switch&nbsp;<BR />- bydefault the switch will accept the locally configured enable secret&nbsp;<BR />- but you can configure switch to use enable password from the ISE with the following cammand&nbsp;<BR /><BR /></P><PRE>aaa authentication enable default tacacs+ enable</PRE><P><BR /><BR /></P> Tue, 18 Feb 2025 19:02:27 GMT https://community.cisco.com/t5/network-access-control/authentication-of-cisco-switch-tacacs-with-ise/m-p/5262119#M595054 asaditian 2025-02-18T19:02:27Z