Hello,
I am running ISE 2.4 and ASA v9.9 in my lab setup.
I have two users on ISE and assigned different priv-levels to these users:
- on-admin: PRIV15
- on-read: PRIV3
Both user accounts on ISE have a username/password as well as an enable password.
My ASA config:
on-asa5506# sh run aaa
aaa authentication http console LOCAL
aaa authentication serial console ON-TACACS LOCAL
aaa authentication enable console ON-TACACS LOCAL
aaa authentication ssh console ON-TACACS LOCAL
aaa authorization command ON-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
on-asa5506#
When I authenticate on the console with on-read (PRIV3), I can log in successfully but cannot get into enable mode with my saved password in ISE.
Username: on-read
Password: **********
User on-read logged in to on-asa5506
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506> en
Password: **************
Password: **************
Password:
ISE logs show the following error message:
When I SSH with the same user, I am directly in enable mode but with priv=3:
login as: on-read
on-read@192.168.2.1's password:
User on-read logged in to on-asa5506
Logins over the last 1 days: 3. Last login: 11:07:37 CEDT Aug 16 2019 from 192.168.2.60
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506# sh cur
Username : on-read
Current privilege level : 3
Current Mode/s : P_PRIV
on-asa5506#
Can someone help me understand this behaviour?
Thanks in advance.
Cengiz