
Authentication of cisco switch tacacs with ISE

CCC3
Level 1

We're currently testing tacacs

from ise to tacacs profile
Set Default Privilege to 1
Maximum Privilege set to 15.

My personal opinion is
If you set it as above, the login to the switch with the TACACS account succeeds, and if you type enable in the > state, you receive the Maximum Privilege and enter #.

However, if you type enable in >, you can't enter # mode: it asks for a password, and when you enter the password you get the message %Error in authentication.

Am I thinking wrong by any chance?

3 Replies

trondaker
Level 3

Not sure what you are actually doing here, but why would you want users that auth as priv level 15 to log in to Disable-mode? If they are priv-users, just let them auth directly into Enable-mode?

As I wrote in the post
We are testing it in various scenarios.

1) Set Default Privilege to 1
Maximum Privilege set to 1.

2) Set Default Privilege to 1
Maximum Privilege set to 15.

3) Set Default Privilege to 15
Maximum Privilege set to 15.

In case 1, it was impossible to enter # mode with enable.
In case 3, as soon as I logged in, I entered # mode.

This scenario is the same as I thought

In case 2, I wrote a post because it was different from what I thought.

asaditian
Level 1

If I understand your question correctly...

you set ISE Profile as
Set Default Privilege to 1
Maximum Privilege set to 15.

you are landing at the user prompt >, then you have to type enable and you will be placed in # mode (this is expected behavior).

Now if you want your switch to ask for an enable password, you have two options: either configure your NAD/switch to use a local enable secret (configured on the same switch), or configure your NAD to verify the enable password against ISE.

- Which enable secret the switch will accept depends on the configuration you did on the switch
- By default the switch will accept the locally configured enable secret
- But you can configure the switch to use the enable password from ISE with the following command

aaa authentication enable default tacacs+ enable
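As an added example (not configuration posted by anyone in this thread, and not an ISE-supplied template), here is a complete Cisco IOS AAA block that matches the case discussed above: the ISE shell profile returns Default Privilege 1 and Maximum Privilege 15, so the user lands at > and must type enable, and the enable password is then checked against ISE rather than the local secret. The server name ISE-1, the group name ISE-TACACS, the address 192.0.2.10 and the key and secret values are placeholders chosen for this example; replace them with your own. The `local` and `enable` fallback methods are kept deliberately so that a reachability problem with ISE does not lock administrators out, and accounting is enabled so that every exec session and every privilege-15 command is logged on ISE for audit.

```cisco
! Enable the new-style AAA model and define the ISE TACACS+ server
aaa new-model
tacacs server ISE-1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET

! Group the server so the method lists can reference it by name
aaa group server tacacs+ ISE-TACACS
 server name ISE-1

! Login authentication: ask ISE first, fall back to local users if ISE is unreachable
aaa authentication login default group ISE-TACACS local

! Enable authentication: send the enable password to ISE; fall back to the local
! enable secret only if ISE does not answer. This is the line that makes the
! "Maximum Privilege 15" value in the ISE shell profile take effect when the
! user types enable from the > prompt.
aaa authentication enable default group ISE-TACACS enable

! Exec authorization: apply the priv-lvl ISE returns (Default Privilege 1 puts
! the user at >, Default Privilege 15 would put them straight at #)
aaa authorization exec default group ISE-TACACS local if-authenticated

! Command authorization and accounting for privileged commands
aaa authorization commands 15 default group ISE-TACACS local
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS

! Local fallback credentials, used only when ISE is unreachable
enable secret REPLACE-WITH-LOCAL-ENABLE-SECRET
username fallback-admin privilege 15 secret REPLACE-WITH-LOCAL-PASSWORD

! Apply the method lists to the remote-access lines
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh
```

To check the result, log in with the ISE account, confirm `show privilege` reports level 1 at the > prompt, type enable and supply the password, and confirm `show privilege` now reports level 15. If enable still fails with %Error in authentication while login works, the switch is most likely still using the locally configured enable secret (the default the reply above describes) rather than the ISE method list; the ISE TACACS live log will show whether an enable (authentication) request arrived at all.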