ISE TACACS - ASA AAA console

Cengiz Savas
Level 1

Hello,

I am running ISE 2.4 and ASA v9.9 in my lab setup.

I have two users on ISE and have assigned different privilege levels to these users:

  • on-admin: PRIV15
  • on-read: PRIV3

Both user accounts on ISE have a username/password as well as an enable password.

My ASA config:

on-asa5506# sh run aaa
aaa authentication http console LOCAL
aaa authentication serial console ON-TACACS LOCAL
aaa authentication enable console ON-TACACS LOCAL
aaa authentication ssh console ON-TACACS LOCAL
aaa authorization command ON-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
on-asa5506#

When I authenticate on the console with on-read (PRIV3), I can log in successfully but cannot get into enable mode with my saved password in ISE.

Username: on-read
Password: **********
User on-read logged in to on-asa5506
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506> en
Password: **************
Password: **************
Password:

The ISE logs show the following error message:

When I SSH with the same user, I am directly in enable mode, but with priv=3:

login as: on-read
on-read@192.168.2.1's password:
User on-read logged in to on-asa5506
Logins over the last 1 days: 3. Last login: 11:07:37 CEDT Aug 16 2019 from 192.168.2.60
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506# sh cur
Username : on-read
Current privilege level : 3
Current Mode/s : P_PRIV
on-asa5506#

Can someone help me understand this behaviour?

Thanks in advance.

Cengiz

1 Reply

Cengiz Savas
Level 1
I have just recognised that my screenshot is corrupted. Here is the ISE log message:
Message Text Failed-Attempt: Authentication failed
Failure Reason 13029 Requested privilege level too high
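As an added example (not code from this thread, from Cisco, or from ISE), the following Python turns the `show run aaa` output and the two ISE log fields quoted above into structured data for review. The sample inputs are constructed from the post; the `summarize` helper reports only what the post shows: which console types list ON-TACACS in their method list, that exec authorization uses auto-enable (the SSH session landed in privileged EXEC at the server-assigned level 3), and the 13029 failure observed when `enable` was attempted on the serial console.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input: the `show run aaa` output from the post above.
ASA_AAA_CONFIG = """\
aaa authentication http console LOCAL
aaa authentication serial console ON-TACACS LOCAL
aaa authentication enable console ON-TACACS LOCAL
aaa authentication ssh console ON-TACACS LOCAL
aaa authorization command ON-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
"""

# Constructed sample input: the two ISE log fields quoted in the reply.
ISE_LOG_LINES = [
    "Message Text Failed-Attempt: Authentication failed",
    "Failure Reason 13029 Requested privilege level too high",
]


@dataclass
class AaaConfig:
    # console type (http, serial, enable, ssh, ...) -> ordered list of methods
    authentication: Dict[str, List[str]] = field(default_factory=dict)
    command_authorization: List[str] = field(default_factory=list)
    exec_authorization: Optional[str] = None  # e.g. "authentication-server"
    auto_enable: bool = False
    login_history: bool = False


def parse_aaa_config(text: str) -> AaaConfig:
    """Turn `aaa ...` lines into an AaaConfig; lines it does not know are ignored."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "aaa":
            continue
        kind, rest = words[1], words[2:]
        if kind == "authentication":
            if rest == ["login-history"]:
                cfg.login_history = True
            elif len(rest) >= 3 and rest[1] == "console":
                # "<type> console <method> [<method> ...]": methods are tried in order
                cfg.authentication[rest[0]] = rest[2:]
        elif kind == "authorization":
            if rest[0] == "command":
                cfg.command_authorization = rest[1:]
            elif rest[0] == "exec" and len(rest) >= 2:
                cfg.exec_authorization = rest[1]
                cfg.auto_enable = "auto-enable" in rest[2:]
    return cfg


def consoles_using_group(cfg: AaaConfig, group: str) -> List[str]:
    """Console types whose authentication method list includes `group`."""
    return sorted(t for t, methods in cfg.authentication.items() if group in methods)


_FAILURE_RE = re.compile(r"^Failure Reason\s+(\d+)\s+(.*\S)\s*$")
_MESSAGE_RE = re.compile(r"^Message Text\s+(.*\S)\s*$")


def parse_ise_failure(lines: List[str]) -> Dict[str, object]:
    """Extract the message text and numeric failure code from ISE log fields."""
    result: Dict[str, object] = {}
    for line in lines:
        m = _FAILURE_RE.match(line)
        if m:
            result["code"] = int(m.group(1))
            result["reason"] = m.group(2)
            continue
        m = _MESSAGE_RE.match(line)
        if m:
            result["message"] = m.group(1)
    return result


def summarize(cfg: AaaConfig, failure: Dict[str, object]) -> List[str]:
    """Review lines tying the AAA config to the ISE failure quoted in the thread."""
    out: List[str] = []
    for console in consoles_using_group(cfg, "ON-TACACS"):
        out.append(f"{console} console: methods {' -> '.join(cfg.authentication[console])}")
    if cfg.auto_enable:
        out.append(f"exec authorization from {cfg.exec_authorization} with auto-enable: "
                   "sessions enter privileged EXEC at the server-assigned level")
    if failure.get("code") == 13029:
        out.append(f"ISE failure {failure['code']}: {failure['reason']} "
                   "(seen when 'enable' was attempted on the serial console)")
    return out


if __name__ == "__main__":
    config = parse_aaa_config(ASA_AAA_CONFIG)
    for line in summarize(config, parse_ise_failure(ISE_LOG_LINES)):
        print(line)
```

Running the block prints one line per console type that uses ON-TACACS, one for the auto-enable setting, and one for the 13029 failure; pointing `parse_aaa_config` at a full `show run aaa` from another ASA gives the same structured view for comparison.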