12-18-2020 10:39 AM
12-19-2020 12:27 AM
- What is the issue?
M.
12-19-2020 07:08 AM
Wow! It didn't take my questions.
Basically, in ISE the user successfully logs in for the 1st part, but when the switch asks for the enable password it fails. Authc failure.
FYI when pointing the switch to the ACS it works without issue.
Thanks
12-19-2020 09:20 AM
- What's in the ISE logs when this happens?
M.
12-19-2020 01:03 PM
The initial logon shows authz successful. The enable login attempt shows authc failure: bad credential.
12-20-2020 12:19 AM
- Verify your ISE policies and setup according to this document:
M.
12-20-2020 05:29 AM
Yes it is with some exceptions.
We check the box for maximum privilege 15. Is there a reason it isn't selected?
12-20-2020 05:39 AM
- You mean you can't check the box?
M.
12-20-2020 05:43 AM
No. It's checked. We are running ISE 2.7 patch 2. I thought that was required for enable mode.
12-20-2020 06:28 AM
- The original document I referred to also contains:
Note: For TACACS you need to have a separate license installed
Check this thread for further info on that:
https://community.cisco.com/t5/network-access-control/tacacs-licenses-in-ise/m-p/3504911
M.
12-20-2020 06:32 AM
Yes. Licenses are there and consumed.
12-20-2020 07:08 AM
Follow the referenced example to create a user or users with enabled privileges directly. If problems persist, open the log entry for the failed authentication and click on Detail. Check which policy rules were matched and/or check the correctness of the policy sets.
M.
12-21-2020 01:44 PM
I found the issue.
An ISE configuration that migrated over through 2 previous upgrades: first from the old ACS to the new ACS, then from the new ACS to ISE. The configuration had a shell:roles="network-admin" av-pair on the shell profile. The debug showed it failing with ACS, but ACS just ignored it and authenticated the user. ISE doesn't ignore it; it gives an authc failure.
After removing the av-pair from the shell profile, the user authenticates successfully.
Thanks for your help.
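As an added illustration (not from this thread, Cisco ISE or ACS), a small Python linter for the AV pairs carried by a TACACS+ shell profile: it parses the mandatory (`=`) and optional (`*`) pair syntax and flags the NX-OS-only `shell:roles` attribute that the migrated profile above carried. The attribute classification, the findings text and the two sample profiles are this example's own assumptions modelled on the thread.

```python
import re
from dataclasses import dataclass

# Platform-specific attributes (assumption based on the thread): shell:roles is
# the NX-OS role attribute, while IOS enable authorization relies on priv-lvl.
NXOS_ONLY = {"shell:roles"}
IOS_PRIV = "priv-lvl"

# TACACS+ AV pair: attr=value is mandatory, attr*value is optional.
AV_RE = re.compile(r'^([^=*]+)([=*])"?([^"]*)"?$')


@dataclass
class AvPair:
    attr: str
    value: str
    mandatory: bool


def parse_av_pair(raw: str) -> AvPair:
    """Parse one AV pair string such as priv-lvl=15 or shell:roles="network-admin"."""
    m = AV_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a TACACS+ AV pair: {raw!r}")
    attr, sep, value = m.groups()
    return AvPair(attr.strip(), value, sep == "=")


def lint_shell_profile(av_pairs, target="ios"):
    """Return findings for a shell profile that will be sent to an IOS device."""
    pairs = [parse_av_pair(p) for p in av_pairs]
    findings = []
    for p in pairs:
        if target == "ios" and p.attr in NXOS_ONLY:
            # The thread reports ACS silently ignored this pair but ISE fails authc.
            findings.append(f"remove {p.attr}: NX-OS-only attribute in an IOS profile")
    if target == "ios" and not any(p.attr == IOS_PRIV for p in pairs):
        findings.append(f"missing {IOS_PRIV}: enable mode needs a privilege level")
    return findings


# Constructed sample profiles modelled on the thread (before and after the fix).
MIGRATED_PROFILE = ['priv-lvl=15', 'shell:roles="network-admin"']
FIXED_PROFILE = ['priv-lvl=15']

if __name__ == "__main__":
    print(lint_shell_profile(MIGRATED_PROFILE))  # one finding on shell:roles
    print(lint_shell_profile(FIXED_PROFILE))     # []
```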