01-16-2025 12:53 PM
Hi,
I am migrating from ACS/TACACS+ deployment, to ISE/RADIUS deployment.
I am able to get the switches to roger up with ISE/RADIUS deployment but I am unable to move into Priv EXEC mode unless I am consoled in. When I try to SSH with IP address, I get "% Error in Authentication" or if I configure a secret password, all users would have to use that same secret password.
How do I set up the ISE/RADIUS deployment to use the individual user's enable password set on the ISE server when logging into the switch ...?
I have looked at other threads but none help my situation and currently looking, Cisco TAC was unable to assist.
But I am about to pore over this guide: https://www.cisco.com/c/en/us/td/docs/security/ise/3-3/admin_guide/b_ise_admin_3_3/b_ISE_admin_33_device_admin.html#concept_9B1DD5A7AD9C445AAC764722E6E7D32A
AAA config below
TestBench#sh run aaa
!
aaa authentication login default group ISE local enable
aaa authorization exec default group ISE if-authenticated
aaa authorization console
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
username actual privilege 15 secret 9
!
radius server ISE01
address ipv4 auth-port 1812 acct-port 1813
key 7
!
radius server ISE02
address ipv4 auth-port 1812 acct-port 1813
key 7
!
aaa group server radius ISE
server name ISE01
server name ISE02
!
aaa new-model
aaa session-id common
!
ip radius source-interface Vlan6192847
01-29-2025 07:17 AM
@PSM
I removed "privilege level 1" from "line vty 0 1" - had the same result, when I try to enable to exec mode, it only allows me to use the pre-configured enable password on the switch, and not the pre-configured password within ISE set for each individual user.
However, I added the line "privilege level 15" and when I logged in, I was automatically taken to exec mode. Which is a win; however, because this is a DoD network, I need all priv lvl 15 users to be dropped in user exec mode, then have to elevate to priv exec when needed.
At any rate you put me on the right track-ish and I can start building out my network remotely once all the core infrastructure is racked and stacked. Thank you.
01-31-2025 01:01 PM
Solved*
Thank you ALL ...!
after having this config on the switch...
aaa new-model
aaa session-id common
!
aaa authentication login default group ISE local enable
!
aaa authorization exec default group ISE if-authenticated
aaa authorization exec ISE local
aaa authorization console
!
aaa accounting connection default start-stop group ISE
aaa accounting system default start-stop group ISE
!
radius server ISE01
address ipv4 address auth-port 1812 acct-port 1813
key cisco123
!
radius server ISE02
address ipv4 address auth-port 1812 acct-port 1813
key cisco123
!
aaa group server radius ISE
server name ISE01
server name ISE02
!
username cisco privilege 15 secret password
It wasn't until I looked at "line con 0" and "line vty 0 1", using "sh run all", which stated "privilege level 1"; however, when I do a "show privilege" it says "privilege level 15", so I typed "privilege level 15" under both "line con 0" and "line vty 0 1".
I think I am good to go for now, but what is confusing is that on the current switch 3850 network setup it has "privilege level 1" on "line con 0" and "line vty 0 1" and I am able to log in to priv exec without issue, but trying this on switch 9300 I am unable to unless I specify lvl 15 in the vty and console. Maybe a bug? Or the way I have RADIUS set up instead of TACACS+?
So now, I will port over all 3850 switches from ACS to ISE, then once I get a good switch config for the 9300s, deploy 2x Firewall 3100s, deploy voice router, deploy CUCM, Catalyst Center w/2 cores, 50 new APs, 2 new WLCs, 2x Cisco proxy servers... then I will start replacing the 3850s with the 9300s and eventually move from RADIUS to TACACS+.
thank you all for your help, tshooting was fun and looking forward to ccnp studies.
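For anyone landing on this thread with the same requirement (land in user EXEC, elevate with "enable" against ISE), the piece missing from both posted configs is an "aaa authentication enable" method list: without it, IOS only ever checks the local enable secret, which is exactly the "% Error in Authentication" / shared-secret behaviour described above. The fragment below is an added example, not the poster's config and not Cisco's own documentation; it assumes the RADIUS server group is named ISE as in the thread, and the vty range and the local fallback secret are placeholders. One caveat worth knowing before building the ISE policy: for RADIUS, IOS sends the fixed User-Name "$enab15$" in the enable Access-Request rather than the logged-in user's name, so a true per-user enable password (as ACS/TACACS+ provides) is not available over RADIUS; what ISE can do is accept or reject the enable attempt via a rule that matches that identity.

```text
! Added example (not from the thread): user EXEC on login, elevation via ISE.
! Assumes the server group is called ISE, as in the posted config.
aaa new-model
!
! Local fallback secret used only if every ISE server is unreachable.
enable secret <local-fallback-secret>
!
! Login: try ISE, then local usernames, then the enable secret.
aaa authentication login default group ISE local enable
!
! Enable: ask ISE first, fall back to the local enable secret.
! For RADIUS, IOS sends User-Name "$enab15$" (not the user's own name),
! so ISE needs an authentication/authorization rule that matches that identity.
aaa authentication enable default group ISE enable
!
! Exec authorization: the privilege level a user starts at comes from ISE.
! To drop users at user EXEC, the ISE authorization profile for login must NOT
! return cisco-av-pair "shell:priv-lvl=15" (or Service-Type=Administrative);
! an attribute from the server overrides the line's "privilege level".
aaa authorization exec default group ISE if-authenticated
aaa authorization console
!
! Lines stay at level 1 so "privilege level 15" is not handed out at login;
! users run "enable" and ISE decides via the $enab15$ rule above.
line con 0
 privilege level 1
line vty 0 4
 privilege level 1
```

To verify after applying: log in over SSH, run "show privilege" (expect 1), then "enable" and confirm on ISE under Operations > RADIUS > Live Logs that an Access-Request for "$enab15$" was accepted. If the poster's 9300s drop users straight into level 15, check the ISE authorization profile first: a "shell:priv-lvl=15" av-pair returned at login is the usual reason the line-level setting appears to be ignored.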