Cisco Community
English
Register
ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

566
Views
0
Helpful
1
Replies
Highlighted
vaibhgupta157
Beginner
Beginner
‎02-13-2018 10:16 PM
‎02-13-2018 10:16 PM

Enable password remote authentication with ISE

Hi All,

I have one requirement to do two level of authentication in NAS device, one for simple login and second one for enable password.

   

      Device--------------------------------------ISE------------------------------------OpenOtp

                            TACACS+                                  RADIUS

In first level, user needs to enter username and password which needs to be authenticated against integrated LDAP/AD or internal user database of ISE. After first level of authentication, user should be put into privilege level 1 in device. User types “enable” command in CLI, which prompts for second level password. This second level enable password should be a token password authenticated with a token server (OpenOtp)


First Level of authentication is working fine. But enable password is not working. I have integrated OpenOtp as RADIUS Token server in ISE. I am referring thread: Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

Device and ISE configuration and ISE logs are attached. ISE logs shows success for enable authentication but device gives access denied. Device accepts the local enable password. Is there something I am missing in configuration??

Thanks in advance

Regards//

Vaibhav

Everyone's tags (2)
device.txt.zip
0 Helpful
Reply
1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
hslai
Cisco Employee
Cisco Employee
‎02-20-2018 07:01 PM
‎02-20-2018 07:01 PM

Re: Enable password remote authentication with ISE

I think you would need debugging on the device side and seek support from the device support team. We validate it in the lab on a Cisco switch 3850 or 3650 or CSR 1000v only.

View solution in original post

0 Helpful
Reply
1 REPLY 1
Highlighted
hslai
Cisco Employee
Cisco Employee
‎02-20-2018 07:01 PM
‎02-20-2018 07:01 PM

Re: Enable password remote authentication with ISE

I think you would need debugging on the device side and seek support from the device support team. We validate it in the lab on a Cisco switch 3850 or 3650 or CSR 1000v only.

View solution in original post

0 Helpful
Reply
Latest Contents
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 08-13-2020 05:56 AM
1
25
1
25
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Manage the ASA from anyconnect
Created by kahina.akkouche on 08-12-2020 01:16 AM
6
0
6
0
Bonjour,Je cherche à acceder l'interface de management de l'ASA, depuis l'Anyconnect.Malegré que j'ai ajouté les ACLs necessaires, mais l'acces management ASA en SSH depuis le vpn nomade ne passse.Je me demande si on peut manager l'ASA en ssh ou autres pr... view more
Problems Authenticating and Authorizing Users on new wlan us...
Created by stevemegyery on 08-11-2020 11:26 AM
1
0
1
0
I am involved in rolling out about 40 wifi networks using cisco 3602/2802 aps and cisco 5508 ISE. Our network offers a 2 step authentication with user and machine certificates as well as users needing to be in correct AD groups. The problem we have i... view more
NGFW VPN PAGE
Created by Fnu Kanwaljeet Singh on 08-11-2020 07:44 AM
0
0
0
0
August 13, 2020Custom Conflict Detected Polling IntervalCustom FTD Templates July 30, 2020Object OverridesImproved Network Group WizardJuly 9, 2020Customize the RA VPN and Events ViewsJuly 2, 2020SecureXCisco Security Analytics and Logging Event Downloads... view more
Cisco ISE MS Intune remote WIPE/LOCK ISE Feature
Created by Rkle on 08-11-2020 04:28 AM
0
0
0
0
Dear Community,  So, according to the Cisco ISE Release 2.7 Administrator Guide, it should be possible to use a remote lock/wipe on MDM-devices that connect through ISE on the network( see the screenshot in the attachment).The problem is that th... view more
Content for Community-Ad

Cisco Community May 2020 Spotlight Award Winners

Follow our Social Media Channels