ISE 2.x enable password authentication behavior

Qingguo Zhang
Cisco Employee

My customer is doing a configuration migration from ACS 5.x to ISE 2.2. Most of the configuration is TACACS/RADIUS-based device administration.

We found different behavior between ACS 5.4 and ISE 2.2 when doing TACACS enable authentication. The testing NAD is an ASA and does not enable EXEC auto-enable. Authorization grants privilege 15 to the internal user.

  1. In ACS 5.x, after the user passes login user/password authentication, it can pass enable with the same password as login. We don't configure an enable password and leave it at the default in the user identity database.
  2. In ISE 2.2, it cannot pass enable authentication with the same password as login. It can pass authentication only after we add an enable password in the user database.

The following is the log of the failure in ISE:

301029021/50,CPMSessionID=375737936010.124.112.22831277Authentication3757379360,user=00test002,Neither EnablePassword nor UserPassword returned by IDStore for 00test002,EnableAuthenticator.cpp:150

It seems ISE cannot use the login password as the default enable password; you have to configure an enable password when using enable authentication.

Is this expected behavior in ISE 2.x? If so, how do we fix it on the ISE side during the migration from ACS? There are hundreds of internal users for my customer.


9 Replies

ognyan.totev
Level 5

This works fine on ISE 2.2 with a TACACS configuration, and the passwords that I show are the same for login and enable.

I can show you a simple TACACS configuration on the ISE side. Here you are.

Network team: internal members are assigned to this group.

Next step: Policy Elements for TACACS. Add a new TACACS command set and tick "Permit any command that is not listed below".

Next step is the TACACS profile: add a new profile and give the privilege level.

As I said before, this is the simple method.

My question is:

If I don't configure an enable password for the user, can ISE support enable authentication using the login password? This is working in ACS 5.x, but not working in ISE 2.x in my testing.

Is it expected behavior on ISE?

No, I think the answer is no. And what is the problem if the passwords are the same?

Yes, that is expected in ISE. ISE explicitly separates enable passwords from the login ones.

Thanks, hslai.

1. Password policies (lifetime) can be different for the normal user group and the admin group, but it is the same policy for the login password and the enable password of a particular user, right?

2. My customer has hundreds of internal users migrated from ACS 5.x. These internal users don't have an enable password. They may have issues when accessing the old ASA after the migration to ISE. What's the best approach for this issue other than adding the enable password manually on ISE?

1. Yes.

2. Any reason for not using the auto-enable option for EXEC authorization, which was added in ASA 9.2(1)? Otherwise, we need an enhancement opened for such a migration. It should also be possible to export the internal users to CSV, duplicate the data in the password column into the enable password column, and then import the updated CSV file back into ISE.
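The export, edit and re-import step suggested above, as an added example that is not code from this thread or from Cisco: a Python script that reads an ISE internal-user CSV export, copies each user's Password value into EnablePassword where that column is empty, passes every other column through unchanged, and reports which users it updated, kept or skipped. The header names (UserName:String(64):Required, Password:String(256), EnablePassword:String(256)) follow the ISE 2.x user import template as I recall it and are an assumption; matching is done on the part before the first ':' so the type suffixes do not matter. The sample rows are constructed. The script copies whatever string the export holds in the Password column, so whether ISE accepts that value as an enable password on import is not something the script decides.

```python
import csv
import io

# Constructed sample modelled on the ISE 2.x internal-user CSV layout
# (assumption: header names; the password strings are placeholders).
SAMPLE_EXPORT = (
    "UserName:String(64):Required,Password:String(256),"
    "EnablePassword:String(256),FirstName:String(255),UserIdentityGroups:String(256)\n"
    "00test002,Login#Pass1,,Test,NetworkTeam\n"
    "alice,Alice#Pass1,Enable#Already,Alice,NetworkTeam\n"
    "bob,,,Bob,NetworkTeam\n"
)


def _base_name(header: str) -> str:
    """ISE headers carry a type suffix ('Password:String(256)'); keep the part before ':'."""
    return header.split(":", 1)[0]


def fill_enable_passwords(csv_text: str, overwrite: bool = False):
    """Copy Password into EnablePassword for every user whose EnablePassword is empty.

    Returns (new_csv_text, report). report lists user names by outcome:
      updated - EnablePassword was set from Password
      kept    - EnablePassword already present (untouched unless overwrite=True)
      skipped - Password column empty; nothing to copy, handle that user by hand
    All columns are written back under their original headers so the output
    can be imported with the same template it was exported with.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    headers = reader.fieldnames or []
    by_base = {_base_name(h): h for h in headers}
    for needed in ("UserName", "Password", "EnablePassword"):
        if needed not in by_base:
            raise ValueError(f"export is missing the {needed} column")
    user_col = by_base["UserName"]
    pw_col = by_base["Password"]
    en_col = by_base["EnablePassword"]

    report = {"updated": [], "kept": [], "skipped": []}
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=headers, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        login_pw = (row.get(pw_col) or "").strip()
        enable_pw = (row.get(en_col) or "").strip()
        if not login_pw:
            # Nothing to copy; leave the row as-is and flag it for review.
            report["skipped"].append(row[user_col])
        elif enable_pw and not overwrite:
            # User already has an enable password; do not clobber it.
            report["kept"].append(row[user_col])
        else:
            row[en_col] = login_pw
            report["updated"].append(row[user_col])
        writer.writerow(row)
    return out.getvalue(), report


if __name__ == "__main__":
    new_csv, report = fill_enable_passwords(SAMPLE_EXPORT)
    print(new_csv)
    print(report)
```

For a real migration, read the exported file into `csv_text`, write the returned CSV to a new file, and go through `report["skipped"]` and `report["kept"]` before importing; the skipped users have no login password in the export and would otherwise be imported with a blank enable password, which is exactly the state that produced the "Neither EnablePassword nor UserPassword" failure in the original post.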

Thanks, hslai.

Hi hslai,

Yes, this is a follow-up question about adding the enable password.

After exporting the existing users to a CSV file, we want to copy the login password to the enable password, but the login password is encrypted text, while the enable password has to be cleartext when importing the updated spreadsheet back into ISE.

Is it possible to decrypt the login password, or can the enable password be encrypted when importing?

Thanks,

Qingguo

Please ignore the question. The testing result is OK.