ISE TACACS - ASA AAA console

Hello,

I am running ISE 2.4 and ASA v9.9 in my lab setup.

I have two users on ISE and have assigned different privilege levels to them:

  • on-admin: PRIV15
  • on-read: PRIV3

Both user accounts on ISE have a username/password as well as an enable password.

 

My ASA config: 

 

on-asa5506# sh run aaa
aaa authentication http console LOCAL
aaa authentication serial console ON-TACACS LOCAL
aaa authentication enable console ON-TACACS LOCAL
aaa authentication ssh console ON-TACACS LOCAL
aaa authorization command ON-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
on-asa5506#

 

When I authenticate on the console with on-read (PRIV3), I can log in successfully but cannot get into enable mode with my saved password in ISE.

Username: on-read
Password: **********
User on-read logged in to on-asa5506
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506> en
Password: **************
Password: **************
Password:

 

The ISE logs show the following error message:

 

When I SSH with the same user, I am directly in enable mode but with priv=3:

login as: on-read
on-read@192.168.2.1's password:
User on-read logged in to on-asa5506
Logins over the last 1 days: 3. Last login: 11:07:37 CEDT Aug 16 2019 from 192.168.2.60
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506# sh cur
Username : on-read
Current privilege level : 3
Current Mode/s : P_PRIV
on-asa5506#

 

Can someone help to understand this behaviour?

 

Thanks in advance.

 

Cengiz

1 REPLY

Re: ISE TACACS - ASA AAA console

I have just recognised that my screenshot is corrupted. Here is the ISE log message:
Message Text Failed-Attempt: Authentication failed
Failure Reason 13029 Requested privilege level too high
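
Added example, not code from the post or from Cisco: a Python model of the TACACS+ authentication START packet (field layout per RFC 8907) that a device sends for an `enable` request, plus a constructed server-side check that mirrors the shell-profile maximum-privilege comparison behind failure reason 13029 shown in the reply. The shell profile values for on-read and on-admin are assumed from the PRIV3/PRIV15 assignment in the post; `enable` with no level argument requests privilege level 15, which is why a user capped at 3 is rejected on the console, whereas the SSH session with `auto-enable` lands at the profile's level 3 without an enable exchange.

```python
import struct

# RFC 8907 constants (from the spec, not from the post)
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01      # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02 # service used for "enable"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body left readable for inspection (a real ASA obfuscates it)

def authen_start(user, port, rem_addr, priv_lvl, service, session_id=0x1234ABCD):
    """Build a TACACS+ v12.0 authentication START packet (header + body)."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(u), len(p), len(r), 0) + u + p + r
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHEN, 1,
                         TAC_PLUS_UNENCRYPTED_FLAG, session_id, len(body))
    return header + body

def parse_start(pkt):
    """Decode the header and START body back into its fields."""
    _ver, _typ, _seq, _flags, _sid, length = struct.unpack("!BBBBII", pkt[:12])
    body = pkt[12:12 + length]
    action, priv_lvl, authen_type, service, ul, pl, rl, _dl = struct.unpack("!8B", body[:8])
    off = 8
    user = body[off:off + ul].decode(); off += ul
    port = body[off:off + pl].decode(); off += pl
    rem_addr = body[off:off + rl].decode()
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr}

# Constructed model of the two ISE shell profiles (assumed values, mirroring PRIV3 / PRIV15)
SHELL_PROFILES = {
    "on-read": {"default_priv": 3, "max_priv": 3},
    "on-admin": {"default_priv": 15, "max_priv": 15},
}

def server_decision(pkt):
    """Model of the server-side check that yields 'Requested privilege level too high'."""
    req = parse_start(pkt)
    prof = SHELL_PROFILES.get(req["user"])
    if prof is None:
        return "FAIL: unknown user"
    if req["service"] == TAC_PLUS_AUTHEN_SVC_ENABLE and req["priv_lvl"] > prof["max_priv"]:
        return "FAIL: 13029 Requested privilege level too high"
    return "PASS"
```

Typing `enable` on the console models as an ENABLE-service START with priv_lvl 15; `enable 3` would request level 3 and pass the same check.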