Cisco Employee

ISE 2.x enable password authentication behavior

My customer is doing a configuration migration from ACS 5.x to ISE 2.2. Most of the config is TACACS/RADIUS-based device admin.

We found different behavior between ACS 5.4 and ISE 2.2 when doing TACACS enable authentication. The testing NAD is an ASA and does not enable exec auto-enable. Authorization will grant privilege 15 for the internal user.

  1. In ACS 5.x, after the user passes login user/pass authentication, it can pass enable with the same password as login. We don't configure an enable password and leave it as default in the user identity database.
  2. In ISE 2.2, it cannot pass enable authentication with the same password as login. It can pass authentication only after we add an enable password in the user database.

The following is the failure log in ISE:

301029021/50,CPMSessionID=375737936010.124.112.22831277Authentication3757379360,user=00test002,Neither EnablePassword nor UserPassword returned by IDStore for 00test002,EnableAuthenticator.cpp:150

It seems ISE cannot use the login password as the default enable password; you have to configure an enable password when using enable authentication.

Is this expected behavior in ISE 2.x? If so, how to fix it on the ISE side during migration from ACS? There are hundreds of internal users for my customer.

Contributor

Re: ISE 2.x enable password authentication behavior

This works fine on ISE 2.2 with TACACS configuration. And the passwords that I show are the same for login and enable.

I can show you a simple TACACS configuration on the ISE side. Here you are.

Network team members are internal users assigned to this group.

Next step, Policy Elements for TACACS: add a new TACACS command set and tick "Permit any command that is not listed below".

Next step is the TACACS profile: add a new profile and give the privilege.

As I told before, this is the simple method.

Cisco Employee

Re: ISE 2.x enable password authentication behavior

My question is:

If I don't configure an enable password for the user, can ISE support enable authentication using the login password? This is working in ACS 5.x; it is not working in ISE 2.x in my testing.

Is it expected behavior on ISE?

Contributor

Re: ISE 2.x enable password authentication behavior

No, I think the answer is no. And what is the problem if the passwords are the same?

Cisco Employee

Re: ISE 2.x enable password authentication behavior

Yes, that is the expected in ISE. ISE explicitly separates enable passwords from the login ones.

(Accepted solution)

Cisco Employee

Re: ISE 2.x enable password authentication behavior

Thanks, hslai.

1. Password policies (lifetime) can be different for the normal user group and the admin group, but it is the same policy for the login password and the enable password of a particular user. Right?

2. My customer has hundreds of internal users migrated from ACS 5.x. These internal users don't have an enable password. They may have issues when accessing old ASAs after migration to ISE. What's the best approach for this issue, other than adding enable passwords manually on ISE?

Cisco Employee

Re: ISE 2.x enable password authentication behavior

1. Yes.

2. Any reason for not using the auto-enable option for EXEC authorization, which was added in ASA 9.2(1)? Otherwise, we need an enhancement opened for such a migration. It should also be possible to export the internal users to CSV, duplicate the data in the password column into the enable password column, and then import the updated CSV file back to ISE.
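As an added example (not from this thread, from Cisco, or from ISE itself), a script for the CSV approach described above: it copies each login password into an empty enable-password column, but flags users whose exported login password is an encrypted or hashed blob, since that cannot be re-imported as a cleartext enable password. The column names (`Name`, `Password`, `EnablePassword`) and the sample export are assumptions; check them against the header of the real ISE export.

```python
import csv
import io
import re

# Assumed column names for an ISE internal-user CSV export; check them
# against the header of the real exported file before using this.
NAME_COL, PASSWORD_COL, ENABLE_COL = "Name", "Password", "EnablePassword"

# Constructed sample export: one cleartext login password, one user who
# already has an enable password, one whose password exported as a hash.
SAMPLE_CSV = (
    "Name,Password,EnablePassword,Description\n"
    "00test002,Summer2017!,,migrated from ACS\n"
    "netadmin,Winter2017!,En@ble123,already has enable password\n"
    "svc_backup,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,,exported hashed\n"
)


def looks_hashed(value):
    """Heuristic: a long run of hex/base64 characters is an encrypted or
    hashed export, not a cleartext password, so it cannot be re-imported
    as an enable password."""
    return len(value) >= 40 and re.fullmatch(r"[A-Za-z0-9+/=]+", value) is not None


def fill_enable_passwords(csv_text):
    """Copy each login password into an empty enable-password column.
    Returns (updated_csv_text, flagged_users). Flagged users keep an empty
    enable password: their exported login password is not cleartext and
    has to be set another way (manually, or via a password reset)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows, flagged = list(reader), []
    for row in rows:
        if row.get(ENABLE_COL, "").strip():
            continue  # enable password already present, leave it alone
        login_pw = row.get(PASSWORD_COL, "")
        if looks_hashed(login_pw):
            flagged.append(row[NAME_COL])
            continue
        row[ENABLE_COL] = login_pw
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), flagged


def rows_by_name(csv_text):
    """Index a CSV text by user name, for checking the result."""
    return {r[NAME_COL]: r for r in csv.DictReader(io.StringIO(csv_text))}
```

Review the flagged list before importing: those users still have no enable password and will keep failing enable authentication until one is set.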

Cisco Employee

Re: ISE 2.x enable password authentication behavior

Thanks Hslai

Cisco Employee

Re: ISE 2.x enable password authentication behavior

Hi hslai,

Yes, this is a subsequent question about adding the enable password.

After exporting the existing users to a CSV file, we want to copy the login password to the enable password, but the login password is encrypted text, while the enable password has to be cleartext when importing the updated Excel file back to ISE.

Is it possible to decrypt the login password, or can the enable password be encrypted when importing?

Thanks

Qingguo

Cisco Employee

Re: ISE 2.x enable password authentication behavior

Please ignore the question. The testing result is OK.