Cisco ISE and enable secret password on IOS and ASA devices

BVC
Level 1

I'm currently new to ISE and I've been trying to set up my ISE server as the RADIUS server for a few switches and ASAs. I can correctly configure AAA authentication on the devices using ISE, so that's fine, but I'm struggling with the enable password for the devices.

I understand you can set a privilege level on the accounts when they auth so they can skip the enable password prompt, but I'm hoping to authenticate off an enable password on the ISE for both the ASAs and IOS switches. I can get the enable password to work when I configure a username called '$enab15$', but is this the only way to auth the enable password prompt?

Under the normal admin account on ISE that I use to log in to the ASA and switches via AAA authentication, there is an 'Enable Password' text box. I thought this defined the enable password that can be used for the account that was just used to log in to user mode, but it seems not. What is the purpose of it?

2 Replies

That field is if you want the enable password to be different than the user login (this also depends on your device AAA configuration and exactly how you have your policy sets structured). Curious why you are using RADIUS for this though? TACACS+ is much better suited for Device Admin than RADIUS.

I'm using RADIUS just due to other equipment only supporting RADIUS. I've set the enable field to many different passwords (including the same as the username password) and I still can't log in with whatever I've defined in that field. I can only log in to enable mode using the password that is defined under the RADIUS account I've created on ISE called '$enab15$'.