My customer is doing a configuration migration from ACS 5.x to ISE 2.2. Most of the config is TACACS/RADIUS-based device administration.
We found different behavior between ACS 5.4 and ISE 2.2 when doing TACACS enable authentication. The test NAD is an ASA, and exec auto-enable is not enabled. Authorization grants privilege 15 to the internal user.
The following is the log of failure in ISE:
301029021/50,CPMSessionID=375737936010.124.112.22831277Authentication3757379360,user=00test002,Neither EnablePassword nor UserPassword returned by IDStore for 00test002,EnableAuthenticator.cpp:150
It seems ISE cannot use the login password as the default enable password; you have to configure an enable password when using enable authentication.
Is this expected behavior in ISE 2.x? If so, how can it be fixed on the ISE side during the migration from ACS? My customer has hundreds of internal users.
This works fine on ISE 2.2 with the TACACS configuration, and the passwords I show are the same for login and enable.
I can show you a simple TACACS configuration on the ISE side. Here you are.
Network team: the internal members are assigned to this group.
Next step, Policy Elements for TACACS: add a new TACACS command set and tick "Permit any command that is not listed below".
The next step is the TACACS profile: add a new profile and give it the privilege level.
As I said before, this is the simple method.
My Question is :
If I don't configure an enable password for the user, can ISE support enable authentication using the login password? This works in ACS 5.x but did not work in ISE 2.x in my testing.
Is this expected behavior on ISE?
1. Password policies (lifetime) can be different for the normal user group and the admin group, but it is the same policy for the login password and the enable password of a particular user, right?
2. My customer has hundreds of internal users migrated from ACS 5.x. These internal users don't have an enable password. They may have issues when accessing the old ASAs after the migration to ISE. What is the best approach for this issue other than adding the enable password manually on ISE?
2. Any reason for not using the auto-enable option for EXEC authorization, which was added in ASA 9.2(1)? Otherwise, an enhancement request would need to be opened for such a migration. It should also be possible to export the internal users to CSV, duplicate the data in the password column into the enable password column, and then import the updated CSV file back into ISE.
Yes, This is subsequent question to add enable password.
After exporting the existing users to a CSV file, we want to copy the login password to the enable password, but the login password is encrypted text, while the enable password has to be cleartext when importing the updated spreadsheet back into ISE.
Is it possible to decrypt the login password, or can the enable password be encrypted when importing?
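The CSV round-trip suggested in the reply above (copy the password column into the enable-password column and re-import), together with the obstacle raised in the last follow-up (the exported login password is not cleartext), as an added example. This is not code from the thread or from Cisco; it is a standalone script written here. The column headers "UserName", "Password" and "EnablePassword" are an assumption about the export template and should be checked against your own file, and the "looks like a hash" test is a heuristic of this script, not an ISE format specification. The sample export embedded below is constructed for the example.

```python
"""Fill the enable-password column of an exported ISE internal-user CSV.

Added example, not Cisco's or the thread's own tooling. Column names are an
assumption about the export template; adjust them to your own headers.
Rows whose login password is not cleartext (hash/ciphertext) are skipped and
reported instead of copied, because the import expects cleartext in the
enable-password column.
"""
from __future__ import annotations

import csv
import io
import re

# Assumed column headers of the export (verify against your own file).
USER_COL = "UserName"
PASS_COL = "Password"
ENABLE_COL = "EnablePassword"

# Heuristic patterns for values that are a stored hash/ciphertext rather than
# a cleartext password. Tunable; this is the script's own assumption.
_OPAQUE_PATTERNS = (
    re.compile(r"^\$[A-Za-z0-9_-]+\$"),         # "$alg$salt$digest" style
    re.compile(r"^[0-9a-fA-F]{32,}$"),          # bare hex digest (MD5/SHA-*)
    re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$"),  # long base64 blob
)


def looks_opaque(value: str) -> bool:
    """True if the value looks like a hash/ciphertext, not a cleartext password."""
    return any(p.match(value) for p in _OPAQUE_PATTERNS)


def read_rows(csv_text: str) -> list[dict]:
    """Parse CSV text into a list of header-keyed dicts (helper for inspection)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def fill_enable_passwords(csv_text: str) -> tuple[str, list[str]]:
    """Return (updated CSV text, usernames skipped).

    - A row that already has an enable password is left untouched.
    - A row whose login password is empty or looks hashed/encrypted is skipped
      and its username returned, so the operator can set it by hand.
    - Otherwise the login password is copied into the enable-password column.
    All other columns are written back unchanged.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    required = {USER_COL, PASS_COL, ENABLE_COL}
    if reader.fieldnames is None or not required <= set(reader.fieldnames):
        raise ValueError(f"expected columns {sorted(required)}, got {reader.fieldnames}")

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    skipped: list[str] = []
    for row in reader:
        login = row.get(PASS_COL) or ""
        if row.get(ENABLE_COL):
            pass  # enable password already present; do not overwrite
        elif not login or looks_opaque(login):
            skipped.append(row[USER_COL])  # nothing cleartext to copy
        else:
            row[ENABLE_COL] = login
        writer.writerow(row)
    return out.getvalue(), skipped


# Constructed sample export: one cleartext password, one user who already has an
# enable password, one crypt-style hash, one hex digest.
SAMPLE_EXPORT = (
    "UserName,Password,EnablePassword,UserGroup\n"
    "00test002,Cisco123!,,Network team\n"
    "alice,Secret99,Already1,Network team\n"
    "bob,$6$rounds=5000$abc$deadbeef,,Network team\n"
    "carol,5f4dcc3b5aa765d61d8327deb882cf99,,Network team\n"
)

if __name__ == "__main__":
    updated, skipped = fill_enable_passwords(SAMPLE_EXPORT)
    print(updated)
    print("needs manual enable password:", skipped)
```

Run it against the real export by reading the file into `fill_enable_passwords` and writing the returned text to a new file; the returned list is the set of users that still need an enable password set another way, which is exactly the case the last post describes when the exported login password is already encrypted.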