Dear Francesco,

Thanks for the reply, U r a VIP Green I don't have much deeper knowledge in ISE but I have noticed the below.

First of all you can push privileges for a user but these privileges and commands attached to them have to be defined in each switch. If privileges  aren't defined then it takes the previous level and it does that until it find a valid privilege.

For example, you didn't configure any privilege command in your switch and you're pushing out privilege 7. Then the user will get the default configured privilege defined with a lower value than 7; it will be privilege 1.

In privilege 1, you can't run show running-config. To be as precise as possible, show run command will show part of config that user had right on. 

Please find the attached screenshot I have specified in switch and in ISE the privilege 7 commands still it is not working. The command set work only with shell priv 15 , though the command set are restricted to interface level it is showing me full running-configuration of the switch not the relevant configuration for the commands

if I have to specify in each switch the privilege commands then what is the use of centralized system ISE ??? so this mean ISE will only work in shell profile 15 with command set ??? Please confirm

SW(config)#do sh run | in privilege
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface level 7 no
privilege configure level 7 interface
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 reload

If you push privilege15, with combination of aaa authorization exec command, the user will be pushed into privileged mode directly.

To avoid that, you can push default privilege x and maximum privilege 15 from ISE. This will force the user to arrive into user mode and issue enable command to get into privileged mode.

please find the attached screenshot it doesn't accepts without a value I have to specify some value.so I have specified default privilege 1 and the max privi 15 so it prompts me the enabled password, it is fine but it is using the locally mentioned  enable secret for level 15 by this command  (aaa authentication enable default enable) if I changed to (aaa authentication enable default group xyz enable ) then it will check on the ISE first and incase of ise failure it check locally but I don't see any option to specifiy in ISE enable secret ??? 

Regards

Adam

Yes privilege has to defined locally and not from ISE. Usually, what we see the most today is giving privilege 15 with command set filtering commands. There's no way to push privilege from ISE I'm aware of.

When you login with privilege 7 are you already in enable mode or user mode?
If user mode, you need to go to enable mode using enable 7.
If you are pushed in privileged mode after ISE authentication, you can have access to commands you configured, you can also verify it by doing show privilege and see in which privilege you are.

For enable, I gave you a link in my previous answer, you have a user like $enab15$ (on the user creation) on ise with the password you want.

Thanks for clarifying but only the below is not clarified

 By using this command  (aaa authentication enable default enable) it will use locally mentioned  enable secret if I changed to (aaa authentication enable default group xyz enable ) then it will check on the ISE for enable secret and incase of ise failure it will check locally but on which page I can configure enable secret in ISE ???  I don't have any user locally on the ISE to use their enable secret,, Please find the attached screenshot.

The link provided below which mentioned as use enable password of the device and not from the ISE.

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/fsecur_r/srfathen.html#wp1055538

Ok then if you don't have any local user, your enable password would be your user password. Have you tried it?

Can you share your ISE tacacs live log?

You should get something like that to see that your enable password has been entered and accepted:

Dear Francesco,

the image in your last post didn't show properly,

there is some confusion in my writing I think so, lets keep the local user privileges aside, and lets speak of only enable secret password for user level 15

MY user is in AD and not in the ISE

aaa authentication enable default enable  -----what does this mean ?? if I m not wrong use local enable secret

aaa authentication enable default xyz enable---what does this mean??? if I m not wrong use ISE enable secret and if ISE is not accessible then use locally configured enable secret

Thanks 

Yes you're correct.

First one is local enable password and the 2nd line is enable password through ISE and if not available then fallback locally.

that's great,

if the user is created in the ISE u can specify the enable password for that user no issues with this solution,

If the user is not in the ISE instead he is in the AD then from where he will use the enable password ??

The fallback as you mentioned will be used only when the ISE host itself is down ?? please correct me

thanks

When using AD, the enable password would be the same as the user password.

Yes the fallback would be when ISE isn't reachable from the device: could be ISE is down or an acl blocking access to ISE for example.

Thanks Francesco,

 I got authorization command failure message when I am switching to config mode on the ASA now I m stuck to exit except a hard reload and I was using the same settings of ISE which I was using for switches priv 1 and max 15.

why it happened so ??

aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server

Tacacs works a bit different on ASA.

Take a look on this documentation guide:

https://communities.cisco.com/servlet/JiveServlet/previewBody/68193-102-2-125120/How-To_TACACS_for_ASA.pdf

Dear Francesco,

Can u highlight what is different may be my eyes are not able to figure it out ,

as it seem to me the same as switches, I have kept shell profile 1 and maximum 15 so that user can use the enable password,  in this case the user will use his own login password as a enable password,