ISE 2.0 TACACS: How to sync login and enable passwords?

Hello,

I'm working on setting up some users on the ISE server for authentication purposes.  I was successful in getting authentication/authorization to occur with AD on the back end.  With that in place I can use my AD account to log in to a router/switch/etc. and the enable password is the same as my login password.  I'm trying to get this to work when the user account is local to the ISE server user list.  I can get logged in initially, but when I click the button to prompt to change password at next login, it only asks to update the login password and not the enable password, and they get out of sync.  How do I get it so that when a user from the ISE user list is prompted to change their login password, it will either sync up the enable password as well or prompt for the enable password to change too?

Thanks,

Chris

3 Replies

Gagandeep Singh
Cisco Employee

Hi Chris,

ISE only has the capability to change the login password, as per the Device Administration settings.

So if you actually want to make the enable password the same as the login password, the recommendation is to manually change the enable password too at the same time the login password gets changed.

Now on the ISE 2.0 version the functionality changed. Using the same password for login/enable is not an option now. All the admin can do is provide separate passwords for login and enable, and in the change process only the login password can be changed.

In legacy ACS 4.x, the password was also changed for enable, as it is correlated.

Probably it will come in ISE 2.2.

Regards

Gagan

PS: rate if it helps!!!!

I have ISE 2.3 and I am facing the same; please let me know if there is any way out.

hslai
Cisco Employee

This is by design in ISE.

Since you want users to have the same passwords for login and enable, why not eliminate the use of "enable" as much as possible? For example, for Cisco IOS devices, we may define a default privilege of 15, then the user will log in directly to level 15 without needing to use "enable".
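The IOS side of that approach, as an added example that is not part of the reply above: the device must ask ISE for EXEC authorization on login, otherwise the privilege level returned by the shell profile is never applied and the user still lands at level 1. Server name, address, group name and the shared-secret placeholder are assumptions for illustration.

```ios
! --- Cisco IOS: TACACS+ to ISE with EXEC authorization (hypothetical names/addresses) ---
aaa new-model
!
tacacs server ISE-PSN
 address ipv4 192.0.2.10
 key <TACACS-SHARED-SECRET-PLACEHOLDER>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE-PSN
!
! Login authentication against ISE; local is the fallback if ISE is unreachable.
aaa authentication login default group ISE-TACACS local
!
! Without this line the shell profile's "Default Privilege 15" is ignored and
! the user still has to type "enable", which is the password that drifts.
aaa authorization exec default group ISE-TACACS local
!
! Apply the same EXEC authorization to console logins (off by default).
aaa authorization console
!
! Keep an audit trail of sessions and privileged commands on ISE.
aaa accounting exec default start-stop group ISE-TACACS
aaa accounting commands 15 default start-stop group ISE-TACACS
!
! ISE side (Work Centers > Device Administration > Policy Elements > Results >
! TACACS Profiles): create a shell profile with Default Privilege = 15 and
! Maximum Privilege = 15, and return it from the Device Admin authorization rule.
! The enable secret then only serves local fallback, so there is nothing to keep in sync.
enable secret <LOCAL-FALLBACK-SECRET-PLACEHOLDER>
```

Verify with `show privilege` after logging in; it should report level 15 without an `enable` prompt.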