12-08-2017 12:00 AM
My customer is doing a configuration migration from ACS 5.x to ISE 2.2. Most of the config is TACACS/RADIUS-based device admin.
We found different behavior between ACS 5.4 and ISE 2.2 when doing TACACS enable authentication. The testing NAD is an ASA and exec auto-enable is not enabled. Authorization will grant privilege 15 for the internal user.
The following is the log of failure in ISE:
301029021/50,CPMSessionID=375737936010.124.112.22831277Authentication3757379360,user=00test002,Neither EnablePassword nor UserPassword returned by IDStore for 00test002,EnableAuthenticator.cpp:150
It seems ISE cannot use the login password as the default enable password; you have to configure an enable password when using enable authentication.
Is this expected behavior in ISE 2.x? If so, how do we fix it on the ISE side during the migration from ACS? There are hundreds of internal users for my customer.
12-08-2017 01:07 AM
This works fine on ISE 2.2 with a TACACS configuration. And the passwords that I show are the same for login and enable.
I can show you a simple TACACS configuration on the ISE side. Here you are.
Network team are internal members assigned to this group.
Next step: Policy Elements for TACACS. Add a new TACACS command set and tick "Permit any command that is not listed below".
Next step is the TACACS profile: add a new profile and give priv
As I told you before, this is the simple method.
12-08-2017 07:31 AM
My Question is :
If I don't configure an enable password for the user, can ISE support enable authentication using the login password? This is working in ACS 5.x but not working in ISE 2.x in my testing.
Is it expected behavior on ISE?
12-08-2017 07:50 AM
No, I think the answer is no. And what is the problem if the passwords are the same?
12-08-2017 09:20 AM
Yes, that is the expected behavior in ISE. ISE explicitly separates enable passwords from the login ones.
12-11-2017 02:55 AM
thanks, hslai.
1. Password policies (lifetime) can be different for the normal user group and the admin group, but it is the same policy for the login password and the enable password of a particular user, right?
2. My customer has hundreds of internal users migrated from ACS 5.x. These internal users don't have an enable password. They may have issues when accessing old ASAs after the migration to ISE. What's the best approach for this issue other than adding enable passwords manually on ISE?
12-11-2017 04:50 AM
1. Yes.
2. Any reason for not using the auto-enable option for EXEC authorization, which was added in ASA 9.2(1)? Otherwise, we need an enhancement opened for such a migration. It should also be possible to export the internal users to CSV, duplicate the data in the password column into the enable password column, and then import the updated CSV file back to ISE.
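The CSV round-trip suggested in the reply above, as an added example that is not part of the thread and not an ISE tool: it reads an internal-user export, copies each user's login password into the enable-password column, and writes the updated CSV for re-import. The header names `UserName`, `Password` and `EnablePassword` are assumptions; check the header row of your own export and adjust the constants. Rows that already have an enable password are left alone unless `overwrite=True`, and a login value that looks like a hex digest rather than cleartext is reported instead of copied, since an enable password has to be supplied in cleartext on import. The sample export at the bottom is constructed for illustration.

```python
"""Copy the login password column of an ISE internal-user CSV export into the
enable-password column, so migrated users can pass TACACS+ enable
authentication without editing hundreds of accounts by hand.

Added example, not part of the original thread or of ISE itself.
"""
import csv
import io
import re

# ASSUMED header names; verify against the header row of your own export.
USER_COL = "UserName"
LOGIN_COL = "Password"
ENABLE_COL = "EnablePassword"

# Heuristic: a long run of hex digits is a digest, not a cleartext password.
_HEX_DIGEST = re.compile(r"^[0-9a-fA-F]{32,}$")


def looks_hashed(value):
    """True if an exported password field looks like a hash rather than cleartext."""
    return bool(_HEX_DIGEST.match(value))


def copy_login_to_enable(csv_text, user_col=USER_COL, login_col=LOGIN_COL,
                         enable_col=ENABLE_COL, overwrite=False):
    """Return (updated_csv_text, report).

    report maps each username to one of:
      'copied'       login password copied into the enable column
      'already_set'  enable column non-empty and overwrite=False; left as is
      'hashed'       login value is not cleartext; left as is, needs a manual reset
      'no_password'  login column empty; nothing to copy
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    fieldnames = list(reader.fieldnames or [])
    for col in (user_col, login_col):
        if col not in fieldnames:
            raise ValueError("export is missing expected column %r" % col)
    if enable_col not in fieldnames:
        # Exports without the column get it appended; DictWriter fills it with restval.
        fieldnames.append(enable_col)

    rows, report = [], {}
    for row in reader:
        user = (row.get(user_col) or "").strip()
        login = (row.get(login_col) or "").strip()
        enable = (row.get(enable_col) or "").strip()
        if not login:
            report[user] = "no_password"
        elif enable and not overwrite:
            report[user] = "already_set"
        elif looks_hashed(login):
            report[user] = "hashed"
        else:
            row[enable_col] = login
            report[user] = "copied"
        rows.append(row)

    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=fieldnames, restval="", lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue(), report


def enable_passwords(csv_text, user_col=USER_COL, enable_col=ENABLE_COL):
    """Map username -> enable password in a CSV; used to inspect the result."""
    return {r[user_col]: r.get(enable_col, "")
            for r in csv.DictReader(io.StringIO(csv_text))}


# Constructed sample export (NOT real ISE data); header names are the assumed ones.
SAMPLE_EXPORT = """UserName,Password,EnablePassword,Description
00test001,Winter2017!,,plain user
00test002,Spring2017!,Already5et!,already has enable
00test003,5f4dcc3b5aa765d61d8327deb882cf99,,exported as a digest
00test004,,,no password exported
"""


if __name__ == "__main__":
    updated, report = copy_login_to_enable(SAMPLE_EXPORT)
    print(updated)
    for user, status in sorted(report.items()):
        print("%-10s %s" % (user, status))
```

Run it against the real export once with the constants adjusted, review the report for any `hashed` or `no_password` users before importing, and delete the CSV afterwards, since it holds cleartext passwords.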
12-13-2017 06:51 AM
Thanks Hslai
12-19-2017 09:49 PM
Hi hslai
Yes, this is a subsequent question about adding the enable password.
After exporting the existing users to a CSV file, we want to copy the login password to the enable password, but the login password is encrypted text, while the enable password has to be cleartext when importing the updated spreadsheet back to ISE.
Is it possible to decrypt the login password, or can the enable password be encrypted when importing?
thanks
Qingguo
12-20-2017 01:19 AM
Please ignore the question. testing result is OK.