
Enable password for local user/administrator

pnavratil
Level 1

Hi all,

we are using ISE 2.1 with device admin license (TACACS).

Now we found it is not possible to set up an enable password for users who are set up as local ISE administrators - as I cannot edit user attributes in the Identity Management -> Identities -> <User> page, and in System -> Admin Access -> Administrators -> Admin Users -> <User> it is not possible to set up an enable password.

It looks like it is not possible to use a local administrator as a TACACS user in this way.

Has anybody met the same problem?

Regards

Pavel

2 Replies

Rajat Gupta
Level 1

Hello Pavel,

You won't be able to use an ISE Admin user to log in to your Network Devices (using TACACS or RADIUS). These users are in a different database.

You will need to create separate users under the Device Administration to use them for NAD device logins. 
Please let me know if you have any other questions/concerns regarding this.

Regards,
Rj

Hello Rajat,

it is IMHO the same database if you create the ISE Admin user from an existing Network User (the way Administration -> Admin Access -> Administrators -> Admin Users -> <Add> -> Select from Network Access Users).

In this way I can still use this user or his local groups in TACACS or RADIUS rules and it works - I can use such a user to connect to network devices by, for instance, SSH authenticated by TACACS. The only thing I cannot use is the enable password (needed in case the privilege level is not set up by the TACACS profile) - I even tried to set up the enable password on a local user and then create a local admin from him - still the enable password is cleared.

If it is a feature by design to not allow the use of an enable password for such ISE admin users - I would expect the forms for setting the enable password to be greyed out or something like this, but they are not. You can set up the enable password - save it - ISE reports to you that the save was successful, but when you reopen the user you will find the enable password is not set.

Regards

P