
Enable password remote authentication with ISE

vaibhgupta157
Level 1

Hi All,

I have a requirement to do two levels of authentication on a NAS device, one for simple login and a second one for the enable password.

   

      Device--------------------------------------ISE------------------------------------OpenOtp

                            TACACS+                                  RADIUS

In the first level, the user needs to enter a username and password, which need to be authenticated against the integrated LDAP/AD or the internal user database of ISE. After the first level of authentication, the user should be put into privilege level 1 on the device. The user types the “enable” command in the CLI, which prompts for the second-level password. This second-level enable password should be a token password authenticated with a token server (OpenOtp).


The first level of authentication is working fine, but the enable password is not working. I have integrated OpenOtp as a RADIUS Token server in ISE. I am referring to the thread: Cisco ISE Two Factor Authentication / Authorisation with different User Identity Store

The device and ISE configuration and ISE logs are attached. The ISE logs show success for enable authentication, but the device gives access denied. The device accepts the local enable password. Is there something I am missing in the configuration?

Thanks in advance

Regards//

Vaibhav

1 Accepted Solution


hslai
Cisco Employee

I think you would need debugging on the device side and seek support from the device support team. We validate it in the lab on a Cisco switch 3850 or 3650 or CSR 1000v only.
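
For the device-side debugging suggested above, an added example (not from the thread, the poster's attachments, or Cisco): a decoder for the TACACS+ authentication START packet as defined in RFC 8907, which shows whether a captured request is the login step (service LOGIN) or the enable step (service ENABLE) and which privilege level the device asked for. The shared key, user name, port, session IDs and the privilege level 15 in the enable sample are constructed values.

```python
import hashlib, struct

SVC = {0: "NONE", 1: "LOGIN", 2: "ENABLE"}   # authen_service values, RFC 8907
UNENCRYPTED = 0x01                            # header flag: body sent in clear

def _pad(session_id, key, version, seq_no, length):
    """MD5 pseudo-pad used for body obfuscation (RFC 8907 section 4.5)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()   # each block chains the previous
        pad += block
    return pad[:length]

def body_of(packet, key):
    """Return the clear body of one TACACS+ packet (12-byte header + body)."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if flags & UNENCRYPTED:
        return body
    pad = _pad(session_id, key, version, seq_no, length)
    return bytes(a ^ b for a, b in zip(body, pad))

def parse_authen_start(packet, key):
    """Decode an authentication START: is it a login or an enable request?"""
    body = body_of(packet, key)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    user = body[8:8 + ulen].decode()
    port = body[8 + ulen:8 + ulen + plen].decode()
    return {"priv_lvl": priv_lvl, "service": SVC.get(service, hex(service)),
            "user": user, "port": port}

def build_start(session_id, key, priv_lvl, service, user, port):
    """Construct a sample START packet (test data, not a capture)."""
    body = bytes([1, priv_lvl, 1, service, len(user), len(port), 0, 0]) + user + port
    version, seq_no = 0xC0, 1                 # major version 0xC, minor 0, first packet
    pad = _pad(session_id, key, version, seq_no, len(body))
    hdr = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return hdr + bytes(a ^ b for a, b in zip(body, pad))

KEY = b"constructed-key"                      # constructed shared secret
LOGIN = build_start(0x1111, KEY, 1, 1, b"alice", b"tty1")     # constructed login request
ENABLE = build_start(0x2222, KEY, 15, 2, b"alice", b"tty1")   # constructed enable request
```

Feeding the device's real START packets from a capture, together with the shared key configured on ISE, into `parse_authen_start` shows what the device requests at the enable step, which can then be compared with the request ISE logged as successful.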