ISE 2.x Enable password

hi,

I set up a simple lab between ISE and CSRv for AAA/RADIUS.

I added the device and user in ISE and it works, but not for the enable password on the router.

It still uses the 'local' configured enable password.

I also couldn't SSH to the ASA using the ISE user login. I tried to change the PW, created john-ise2, and re-created the ASA AAA and RADIUS config, but no luck.

Could someone please advise what I've missed or anything to tweak in ISE?

User Access Verification

Username: john-ise
Password:

CSRv>enable
Password:
% Access denied

CSRv>en
Password:    <<< LOCAL ENABLE PW

CSRv#

CSRv#sh run | s radius
aaa authentication login ACCESS-1 group radius local
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
snmp-server enable traps sbc radius-conn-status
radius server RADIUS-1
address ipv4 192.168.1.120 auth-port 1645 acct-port 1646
key cisco
CSRv#
CSRv#ping 192.168.1.120
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.120, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms

---

login as: john-ise2
End of banner message from server
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:

LAB-ASA5515x# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console RADIUS-1 LOCAL
aaa accounting ssh console RADIUS-1
aaa authorization exec authentication-server
aaa authentication login-history
LAB-ASA5515x#
LAB-ASA5515x# sh run aaa-server
aaa-server RADIUS-1 protocol radius
aaa-server RADIUS-1 (inside) host 192.168.1.120
key cisco

LAB-ASA5515x# test aaa authentication RADIUS-1 username john-ise2 password Cisco123

IP Address or name: 192.168.1.120
INFO: Attempting Authentication test to IP address (192.168.1.120) (timeout: 12 seconds)
INFO: Authentication Successful

4 Replies

Cisco Employee

Hi @johnlloyd_13,

Hope you are well!

I see from the screenshot that you are not pushing any privilege. You are just sending Access-Accept.

Can you please create an Authorization profile for CSR with privilege 15 and push that?

To add the privilege attribute, just select the 'Web Authentication (Local Web Auth)' attribute?

[Screenshot: AuthZ profile.png]

Also, I am assuming you are using the ACCESS-1 method list in the vty lines. Are you?

line vty 0 15
 login authentication ACCESS-1
 authorization exec ACCESS-1

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.

Cisco Employee

On the IOS you are missing the "aaa authentication enable" command. You need it; otherwise it will use the default local.

On the ASA, what is this command, and why is it pointing to a different AAA group?

aaa authorization exec authentication-server

hi,

I added the privilege 15 profile and AAA authentication for enable, but still the same.

I tried to debug and got a 'password incorrect' even though I used the same PW for login and enable on ISE user 'john-ise'.

CSRv#sh run | i aaa
aaa new-model
aaa authentication login ACCESS-1 group radius local
aaa authentication enable default group ACCESS-1 enable
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
aaa session-id common
snmp-server enable traps aaa_server
CSRv#
CSRv#sh run | s line vty
line vty 0 4
password cisco
authorization exec ACCESS-1
accounting exec ACCESS-1
login authentication ACCESS-1
transport input all


CSRv#debug aaa authentication
AAA Authentication debugging is on
CSRv#
CSRv#ter mon

.Nov 24 12:09:55.489: AAA/BIND(00000FC3): Bind i/f
.Nov 24 12:09:55.489: AAA/AUTHEN/LOGIN (00000FC3): Pick method list 'ACCESS-1'
.Nov 24 12:10:03.028: AAA: parse name=tty3 idb type=-1 tty=-1
.Nov 24 12:10:03.028: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
.Nov 24 12:10:03.028: AAA/MEMORY: create_user (0x7FD2F9B9DDE0) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): using "default" list
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Unknown type for server group "ACCESS-1". Skip it
.Nov 24 12:10:03.029: AAA/AUTHEN (1022751880): status = UNKNOWN
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Method=ENABLE
.Nov 24 12:10:03.030: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.889: AAA/AUTHEN/CONT (1022751880): continue_login (user='(undef)')
.Nov 24 12:10:05.889: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.890: AAA/AUTHEN/CONT (1022751880): Method=ENABLE
.Nov 24 12:10:05.890: AAA/AUTHEN(1022751880): password incorrect
.Nov 24 12:10:05.890: AAA/AUTHEN (1022751880): status = FAIL
.Nov 24 12:10:05.890: AAA/MEMORY: free_user (0x7FD2F9B9DDE0) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE

I can now log in to the ASA using the ISE user account. I just re-created the AAA/RADIUS config. I saw in the RADIUS live log that there was a wrong password or shared key earlier.


login as: john-ise
Pre-authentication banner message from server:
| ### ASA SENSS LAB ###
End of banner message from server
john-ise@192.168.1.1's password:
User john-ise logged in to LAB-ASA5515x
Logins over the last 35 days: 1.
Failed logins since the last login: 38. Last failed login: 12:21:45 UTC Nov 24 2019 from 192.168.1.100
Type help or '?' for a list of available commands.
LAB-ASA5515x>

Remove this line from vty:

password cisco

And, if your privilege is 15 and successfully authorized, you wouldn't need this: aaa authentication enable default group ACCESS-1 enable

So remove it and test.

Hope that helps!
Please 'RATE' and 'MARK ACCEPTED', if applicable.
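As an added example, not quoted from any post in this thread: the CSRv AAA section rebuilt from the configuration the original poster pasted, with the two changes the replies ask for and a comment on why the `group ACCESS-1` form failed in the debug output. The server group name `radius`, the ISE address and the shared key are taken from the thread; the `transport input ssh` tightening is an assumption of this example, not something the thread requested.

```cisco
! Added example (not from any post in this thread): the CSRv AAA section
! rebuilt from the config quoted above, with the changes the replies request.
aaa new-model
!
! Login and exec authorization exactly as in the original. The privilege
! level comes from the ISE authorization profile (priv 15), so once exec
! authorization succeeds the user lands at CSRv# without an enable prompt.
aaa authentication login ACCESS-1 group radius local
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
!
! Removed:  aaa authentication enable default group ACCESS-1 enable
! ACCESS-1 is a method-list name, not a server group. That is why the debug
! above logged 'Unknown type for server group "ACCESS-1". Skip it' and fell
! through to the local enable password. If enable authentication against
! ISE is still wanted, the server group must be named instead:
!   aaa authentication enable default group radius enable
! For that request IOS sends the RADIUS username $enab15$, so ISE would need
! an account by that name; relying on the exec privilege level is simpler.
!
radius server RADIUS-1
 address ipv4 192.168.1.120 auth-port 1645 acct-port 1646
 key cisco
!
line vty 0 4
 ! 'password cisco' removed as the last reply suggests: with aaa new-model
 ! and a login method list it is never consulted, so it is only a stale
 ! clear-text credential left in the running config.
 login authentication ACCESS-1
 authorization exec ACCESS-1
 accounting exec ACCESS-1
 ! Assumption of this example, not from the thread: SSH only instead of 'all'.
 transport input ssh
```

After applying it, re-run `debug aaa authentication` and log in again: the 'Unknown type for server group' line should no longer appear, and the session should open at the privilege level ISE returns.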