Can ISE 2.2 Sync Login Password with Enable Pwd if no Enable Pwd is provided?

ericstern58
Level 1

I am currently using ISE 2.0 with TACACS to manage Network Resources. 

On these Network Resources, upon login, users are taken automatically into enable mode once authenticated and authorized by ISE.

This eliminated having to create enable passwords for all of our users, and the problems that come with ISE enable passwords (enable passwords can't be remotely reset by the user on first use).

This creates a small problem for devices that don't support auto-enable (namely ASA 8.4 or below). Users log in to exec, but because they have no ISE Enable Password set, they cannot access enable when they request it on the network device.

Does ISE 2.2 support synchronizing the login password to be the same as the enable password if the enable password is not provided? I originally thought this was the behavior of ISE authentication, but it is not, at least in 2.0.

1 Reply

agapitca19
Level 1

Hi,

Joining ISE to the Active Directory domain and using Active Directory users for login will allow this to happen. Create an AD security group that contains the users who need network device access. Create a separate AD user/service account to be used for joining ISE to AD. Don't put this account in the same AD security group that your users belong to, so it won't be used to log in to network devices.

Integrate your ISE with Active Directory (AD): Administration > External Identity Sources > Active Directory > Add

After the AD integration: Administration > External Identity Sources > Groups, add the AD security group.

Use the AD domain that ISE is integrated with when you create the Authentication Policy in Device Admin Policy Sets. Also, create the appropriate Shell Profiles for the Authorization Policy that have different privilege level requirements if necessary.

You may want to create a local account in ISE to serve as a backup account to log in to your network devices, just in case something goes wrong with the AD server. With this, you have to create an Identity Store sequence for the AD domain and the local account, which you will use in your Authentication Policy.

HTH.

***Please rate and mark the comment correct if you found it helpful***
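The reply above covers the ISE side of the setup. As an added example that is not part of the original thread, the following is the matching device-side AAA configuration for an ASA running 8.4-era code (the platform the question names as lacking auto-enable), so that the "enable" prompt is actually sent to ISE as a TACACS+ enable authentication instead of being checked against the ASA's local enable password. The server group name ISE-TACACS, the address 10.0.0.10, the interface name, the TACACS+ key and the fallback username are placeholders, not values from the thread.

```text
! --- ISE as a TACACS+ server group (hypothetical address and key; replace them) ---
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (inside) host 10.0.0.10
 key CHANGE-ME-TACACS-KEY
 timeout 5
!
! --- Login authentication: SSH and serial console go to ISE, LOCAL as fallback ---
! LOCAL is only consulted when the whole server group is unreachable,
! not when ISE answers with a reject.
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication serial console ISE-TACACS LOCAL
!
! --- Enable authentication: this is the line an 8.4 ASA needs ---
! Without it the "enable" prompt is checked only against the local
! "enable password". With it the ASA sends a TACACS+ enable request
! (privilege 15) to ISE. For an AD user ISE validates the AD password,
! which is why the login password also works at the enable prompt;
! for an ISE internal user the per-user Enable Password must be set.
aaa authentication enable console ISE-TACACS LOCAL
!
! --- Optional: command authorization and accounting against ISE ---
! This is what makes the Shell Profile / command sets built in the
! Device Admin Policy Sets take effect on a per-command basis.
aaa authorization command ISE-TACACS LOCAL
aaa accounting command ISE-TACACS
!
! --- Local fallback, mirroring the backup-account idea in the reply ---
username fallback-admin password CHANGE-ME privilege 15
enable password CHANGE-ME
```

To check the server-side part before relying on it, run `test aaa-server authentication ISE-TACACS host 10.0.0.10 username <ad-user> password <ad-password>` on the ASA; a successful result confirms the shared key and that the Device Admin authentication policy is reaching the AD join point. Then open a second SSH session and walk through login and enable by hand before closing the one you configured from, so a mistake in the policy set or the key cannot lock you out. On later ASA releases that support the auto-enable keyword on `aaa authorization exec`, the enable step can be skipped the same way it is on the IOS devices the question describes.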