Hi,

We are migrating from ACS to ISE for our device authentication via SSH. I have noticed when we use the ACS server after the user enters their username we get a "Tacacs+" prompt next to the password promtp, so we know we need to enter Tacacs rather than local, however using ISE we just get "password" with no message before to let us know if its Tacacs or local auth.

Via SSH:

ACS:

login as: JoeBlogs
Using keyboard-interactive authentication.
TACACS+ password:

ISE:

login as: JoeBlogs
Using keyboard-interactive authentication.
password:

Any ideas please,

aaa authentication username-prompt "Local Username: "
aaa authentication login default group tacacs+ local
aaa authentication login group group tacacs+ local
aaa authentication login no-login none
aaa authentication login privilege-mode group tacacs+
aaa authentication enable default group tacacs+ enable
aaa authentication dot1x default group ISE
aaa authorization config-commands
aaa authorization exec default group tacacs+ local if-authenticated
aaa authorization exec CONSOLE if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization network default group ISE
aaa accounting update newinfo
aaa accounting dot1x default start-stop group ISE
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+