Solved: Re: Device should show Privilege mode # after entering login password not user mode >

gurbinder.kabbay · ‎03-14-2020

Hi,

I have created the policy ( for Device Administration) in ISE for Network devices to login into devices. I linked Active Directory with ISE so it will use AD username and password for login.

I want after entering login username and password it will directly go to privilege mode (Router# mode) not in user mode (Router>). Actually i want to bypass enable password.

So please guide me, what changes i should do on ISE or at device level.

Regards,

Garry

Cristian Matei · ‎03-14-2020

Hi,

If you want to get directly privilege level 15, without the enable password, you would need to create a "shell profile" with "privilege-level 15" and use it in your TACACS Authorization policy. Follow this simple guide in here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

Regards,

Cristian Matei.

View solution in original post

Colby LeMaire · ‎03-14-2020

On the device, you need to have "aaa authorization exec" in addition to the "aaa authentication login" commands. Then in ISE, your shell profile should have privilege 15.

gurbinder.kabbay · ‎03-16-2020

Thanks Colby for your reply.

Cristian Matei · ‎03-14-2020

Hi,

If you want to get directly privilege level 15, without the enable password, you would need to create a "shell profile" with "privilege-level 15" and use it in your TACACS Authorization policy. Follow this simple guide in here:

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

Regards,

Cristian Matei.

gurbinder.kabbay · ‎03-16-2020

Thanks Cristian , its working now.

Device should show Privilege mode # after entering login password not user mode &gt;

Device should show Privilege mode # after entering login password not user mode >