Solved: Re: ISE 2.x enable password authentication behavior

Qingguo Zhang · ‎12-08-2017

My customer is doing configuration migration from ACS 5.x to ISE 2.2 , Most config are TACACS/Radius based device admin .

We found different behavior between ACS 5.4 and ISE 2.2 doing Tacacs enable authentication , Testing NAD is ASA and don’t enable exec auto-enable. Authorization will grant privilege 15 for internal user.

In ACS 5.x, After user pass login user/pass authentication, it can pass enable with same password of login . we don’t configure enable password and leave it as default In user identity database, .
In ISE 2.2 , It cannot pass enable authentication with same password of login. It can pass authentication only after we add enable password in user database.

The following is the log of failure in ISE:

301029021/50,CPMSessionID=375737936010.124.112.22831277Authentication3757379360,user=00test002,Neither EnablePassword nor UserPassword returned by IDStore for 00test002,EnableAuthenticator.cpp:150

It seems ISE cannot use the login password as default enable password , you have to configure enable password when using enable authentication.

Is it expected behavior is ISE 2.x ? if so how to fix it on ISE side during migration from ACS , there are hundreds of internal user for my customer.

hslai · ‎12-08-2017

Yes, that is the expected in ISE. ISE explicitly separates enable passwords from the login ones.

View solution in original post

ognyan.totev · ‎12-08-2017

This work fine on ISE 2.2 with tacacs configuration.And the passwords that i show are same for login and enable.

I can show you simply tacacs configuration on ise side.Here you are.

Network team are internal members assined to this group.

Next step Policy Elements for tacacs ,Add new Tacacs command set and tick Permit any command that is not listed bellow.

Next step is tacacs profile ,add new profile and give priv

As i told before this is the simply method.

Qingguo Zhang · ‎12-08-2017

My Question is :

If I don't configure enable password for user, can ISE support enable authentication using login password ? this is working in ACS 5.X. not working in ISE 2.X in my testing.

is it expected behavior on ISE ?

ognyan.totev · ‎12-08-2017

No i think answer is No. And what is the problem if passwords are same?

hslai · ‎12-08-2017

Yes, that is the expected in ISE. ISE explicitly separates enable passwords from the login ones.

Qingguo Zhang · ‎12-11-2017

thanks, hslai.

1. Password policies (lifetime) can be different for normal user group and admin group, but it is same policy for login password and enable password for a particular user. right ?

2. My customer has hundreds of internal user migrated from ACS 5.X. these internal user don't have enable password . They may have issue when accessing old ASA after migration to ISE , What's best approach for this issue other than adding enable password manually on ISE ?

hslai · ‎12-11-2017

1. Yes.

2. Any reason not using the auto-enable option for EXEC authorization, which added in ASA 9.2(1)? Otherwise, we need an enhancement open for such migration. It should also be possible to export the internal users in CSV, duplicate the data in password column to those in the enable password column and then import the updated CSV file back to ISE.

Qingguo Zhang · ‎12-13-2017

Thanks Hslai

Qingguo Zhang · ‎12-19-2017

Hi hslai

Yes, This is subsequent question to add enable password.

After exporting existing users to CSV file. we want to copy the login password to enable password, but login password is encryped text . but enable password has to be a cleartext when importing updated excel back to ISE.

is it possible to decrypt login password or enable password can be encrypted when importing.

thanks

Qingguo

Qingguo Zhang · ‎12-20-2017

Please ignore the question. testing result is OK.