Cisco Community
English
Register
Would you like to learn more about how to determine if you need an RMA? - REGISTER TODAY!
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

659
Views
0
Helpful
1
Replies
vaibhgupta157
Beginner
Beginner
‎02-13-2018 10:16 PM
‎02-13-2018 10:16 PM

Enable password remote authentication with ISE

Hi All,

I have one requirement to do two level of authentication in NAS device, one for simple login and second one for enable password.

   

      Device--------------------------------------ISE------------------------------------OpenOtp

                            TACACS+                                  RADIUS

In first level, user needs to enter username and password which needs to be authenticated against integrated LDAP/AD or internal user database of ISE. After first level of authentication, user should be put into privilege level 1 in device. User types “enable” command in CLI, which prompts for second level password. This second level enable password should be a token password authenticated with a token server (OpenOtp)


First Level of authentication is working fine. But enable password is not working. I have integrated OpenOtp as RADIUS Token server in ISE. I am referring thread: Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

Device and ISE configuration and ISE logs are attached. ISE logs shows success for enable authentication but device gives access denied. Device accepts the local enable password. Is there something I am missing in configuration??

Thanks in advance

Regards//

Vaibhav

Preview file
31 KB
Preview file
27 KB
Preview file
25 KB
device.txt.zip
0 Helpful
1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee
Cisco Employee
‎02-20-2018 07:01 PM
‎02-20-2018 07:01 PM

I think you would need debugging on the device side and seek support from the device support team. We validate it in the lab on a Cisco switch 3850 or 3650 or CSR 1000v only.

View solution in original post

0 Helpful
1 REPLY 1
hslai
Cisco Employee
Cisco Employee
‎02-20-2018 07:01 PM
‎02-20-2018 07:01 PM

I think you would need debugging on the device side and seek support from the device support team. We validate it in the lab on a Cisco switch 3850 or 3650 or CSR 1000v only.

View solution in original post

0 Helpful
Latest Contents
Azure AD SSO with multiple ISE Portals
Created by Greg Gibbs on 05-11-2021 04:11 PM
0
5
0
5
Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to leverage Microsoft Single Sign-On for multiple ISE Portals (for example Sponsor and Guest/BYOD Portals). At the time of this writing, ISE cann... view more
ISE BYOD Flow Using Azure AD
Created by Greg Gibbs on 05-10-2021 10:02 PM
0
10
0
10
IntroductionPrerequisitesConfiguration Introduction With the enhancements in ISE 3.0 for integrating with Azure AD via SAML IdP, it is now possible to create a BYOD Flow to provide Wireless network access using an employee’s Azure AD credentials. The use... view more
Cisco + Splunk Integrations Add-on List
Created by Sar on 05-07-2021 12:27 AM
0
5
0
5
The table below shows the whole Cisco Security solutions + Splunk integrations add-ons. Kindly let me know if I have missed some add-ons or if there are any new updates. Thank you!   Hope this will be helpful for everyone who is looking for Splunk in... view more
FMC API | ACP - Delete disabled rules and generate report.
Created by Anupam Pavithran on 05-06-2021 06:48 AM
0
5
0
5
A python based script to generate report if there are disabled rules under an Access Control Policy and an option to delete those rules in bulk.   Preparation Step 1 Download the script on PCStep 2 Make sure python3 is installed on PC and have reach... view more
FMC API | ACP Double logging detection and mitigation script
Created by Anupam Pavithran on 05-06-2021 06:09 AM
0
5
0
5
A python based script to generate report if there are double logging on FMC ACP (logging at beginning and end), having rule action "Allow" or "Trust". (Option1 ) Also, the logging at the begging will be disabled if logging is detected for both beginning ... view more
Content for Community-Ad