ISE 2.x Enable password

johnlloyd_13 · ‎11-24-2019

hi,

i setup a simple lab between ISE and CSRv for AAA/RADIUS.

i added the device and user in ISE and it works, but not for the enable password on the router.

it still uses the 'local' configured enable password.

i also couldn't SSH to ASA using the ISE user login. i tried to change PW, created john-ise2, re-created ASA AAA and RADIUS config but no luck.

could someone please advise what i've missed or anything to tweak in ISE?

User Access Verification

Username: john-ise
Password:

CSRv>enable
Password:
% Access denied

CSRv>en
Password: <<< LOCAL ENABLE PW

CSRv#

CSRv#sh run | s radius
aaa authentication login ACCESS-1 group radius local
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
snmp-server enable traps sbc radius-conn-status
radius server RADIUS-1
address ipv4 192.168.1.120 auth-port 1645 acct-port 1646
key cisco
CSRv#
CSRv#ping 192.168.1.120
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.120, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms

---

login as: john-ise2
End of banner message from server
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:

LAB-ASA5515x# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console RADIUS-1 LOCAL
aaa accounting ssh console RADIUS-1
aaa authorization exec authentication-server
aaa authentication login-history
LAB-ASA5515x#
LAB-ASA5515x# sh run aaa-server
aaa-server RADIUS-1 protocol radius
aaa-server RADIUS-1 (inside) host 192.168.1.120
key cisco

LAB-ASA5515x# test aaa authentication RADIUS-1 username john-ise2 password Cisco123

IP Address or name: 192.168.1.120
INFO: Attempting Authentication test to IP address (192.168.1.120) (timeout: 12 seconds)
INFO: Authentication Successful

Anurag Sharma · ‎11-24-2019

Hi @johnlloyd_13 ,

Hope you are well!

I see from the screenshot that you are not pushing any privilege. You are just sending sending Access-Accept.

Can you please create an Authorization profile for CSR with privilege 15 and push that?

To add the privilege attribute, just select the 'Web Authentication (Local Web Auth)' attribute?

Also, I am assuming you are using ACCESS-1 method list in the vty lines. Are you?

line vty 0 15

login authentication ACCESS-1

authorization exec ACCESS-1

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Mohammad Alhyari · ‎11-24-2019

On the IOS you are missing the "aaa authentication enable " command. you need it. otherwise it will use the default local.

on the ASA what is this command and why it is pointing to a different aaa group?

aaa authorization exec authentication-server

johnlloyd_13 · ‎11-24-2019

hi,

i added the privilege 15 profile and AAA authentication for enable but still the same.

i tried to debug and got a 'password incorrect' even though i used to same PW for login and enable on ISE user 'john-ise'

CSRv#sh run | i aaa
aaa new-model
aaa authentication login ACCESS-1 group radius local
aaa authentication enable default group ACCESS-1 enable
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
aaa session-id common
snmp-server enable traps aaa_server
CSRv#
CSRv#sh run | s line vty
line vty 0 4
password cisco
authorization exec ACCESS-1
accounting exec ACCESS-1
login authentication ACCESS-1
transport input all

CSRv#debug aaa authentication
AAA Authentication debugging is on
CSRv#
CSRv#ter mon

.Nov 24 12:09:55.489: AAA/BIND(00000FC3): Bind i/f
.Nov 24 12:09:55.489: AAA/AUTHEN/LOGIN (00000FC3): Pick method list 'ACCESS-1'
.Nov 24 12:10:03.028: AAA: parse name=tty3 idb type=-1 tty=-1
.Nov 24 12:10:03.028: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
.Nov 24 12:10:03.028: AAA/MEMORY: create_user (0x7FD2F9B9DDE0) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): using "default" list
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Unknown type for server group "ACCESS-1". Skip it
.Nov 24 12:10:03.029: AAA/AUTHEN (1022751880): status = UNKNOWN
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Method=ENABLE
.Nov 24 12:10:03.030: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.889: AAA/AUTHEN/CONT (1022751880): continue_login (user='(undef)')
.Nov 24 12:10:05.889: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.890: AAA/AUTHEN/CONT (1022751880): Method=ENABLE
.Nov 24 12:10:05.890: AAA/AUTHEN(1022751880): password incorrect
.Nov 24 12:10:05.890: AAA/AUTHEN (1022751880): status = FAIL
.Nov 24 12:10:05.890: AAA/MEMORY: free_user (0x7FD2F9B9DDE0) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE

i can now login to ASA using ISE user account. i just re-created the AAA/RADIUS config. i saw the RADIUS live log there's a wrong password or shared key earlier.

login as: john-ise
Pre-authentication banner message from server:
| ### ASA SENSS LAB ###
End of banner message from server
john-ise@192.168.1.1's password:
User john-ise logged in to LAB-ASA5515x
Logins over the last 35 days: 1.
Failed logins since the last login: 38. Last failed login: 12:21:45 UTC Nov 24 2019 from 192.168.1.100
Type help or '?' for a list of available commands.
LAB-ASA5515x>

Anurag Sharma · ‎11-24-2019

Remove this line from vty:

password cisco

And, if your privilege is 15 and successfully authorized, you wouldn't need this aaa authentication enable default group ACCESS-1 enable

So remove it and test.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.