This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.
i am following the below link
I have 2 small problem but I m not able to figure them out becz I'm new to ISE 2.1
I have a privilege level of 2 with a command set of all show commands in which the user is not able to execute the show running-configuration command it gets authorization failed error on the terminal but nothing comes on the tacacs logs of ISE
User which are assigned priv level (15 and 2 etc etc) after login they are directly dropping to privilege mode (#) without using the enable secret configured on the device I want each user forcibly to use enable secret password, on which page of ISE I can find the enable secret used of ise instead of local device enabled secret, ISE is integrated with AD and network operators users authentication ( which will issue only show command) will be authenticated on AD, i have some local users configured on ISE server in their settings i can see the enable secret option but for those who are authentication on the AD for them how we can force to use them enable secret after their password.
is it possible or it is a default behavior that enable secret will be bypass when it is authenticated on the AD. ??
I tried some set of command set to shell privilege level 7 but it doesn't work, it works only with privilege shell level 15, is this the correct behavior of the ISE 2.1
aaa authentication login default group xyz local
aaa authentication login no-auth local
aaa authentication enable default enable
aaa authorization config-commands
aaa authorization exec default group xyz local
aaa authorization commands 2 default group xyz local
aaa authorization commands 15 default group xyz local
aaa authorization network default group xyz local
aaa accounting exec default start-stop group xyz
aaa accounting commands 2 default start-stop group xyz
aaa accounting commands 15 default start-stop group xyz
Solved! Go to Solution.
Ok let's take all your questions.
First of all you can push privileges for a user but these privileges and commands attached to them have to be defined in each switch. If privileges aren't defined then it takes the previous level and it does that until it find a valid privilege.
For example, you didn't configure any privilege command in your switch and you're pushing out privilege 7. Then the user will get the default configured privilege defined with a lower value than 7; it will be privilege 1.
In privilege 1, you can't run show running-config. To be as precise as possible, show run command will show part of config that user had right on.
Here an explanation:
Then, this means you can assign privilege 15 for simplicity and filter commands based on command set.
If you push privilege15, with combination of aaa authorization exec command, the user will be pushed into privileged mode directly.
To avoid that, you can push default privilege x and maximum privilege 15 from ISE. This will force the user to arrive into user mode and issue enable command to get into privileged mode.
Your default authentication is based on tacacs and this means that your enable password will be authenticated through tacacs. Take a look here :
Last question was why commands are running with privilege 15 and not with privilege 7. This is the same explanation as before. If privilege 7 isn't defined or isn't didn't defined with right commands then it's not gonna work. You need to define privilege 7 locally on the switch. This isn't an ISE issue or whatever, this is a switch misconfiguration.
Here documentation on how to configure privilege levels :
Hope I've answered all your questions
Thanks for the reply, U r a VIP Green I don't have much deeper knowledge in ISE but I have noticed the below.
First of all you can push privileges for a user but these privileges and commands attached to them have to be defined in each switch. If privileges aren't defined then it takes the previous level and it does that until it find a valid privilege. For example, you didn't configure any privilege command in your switch and you're pushing out privilege 7. Then the user will get the default configured privilege defined with a lower value than 7; it will be privilege 1. In privilege 1, you can't run show running-config. To be as precise as possible, show run command will show part of config that user had right on.
Please find the attached screenshot I have specified in switch and in ISE the privilege 7 commands still it is not working. The command set work only with shell priv 15 , though the command set are restricted to interface level it is showing me full running-configuration of the switch not the relevant configuration for the commands
if I have to specify in each switch the privilege commands then what is the use of centralized system ISE ??? so this mean ISE will only work in shell profile 15 with command set ??? Please confirm
SW(config)#do sh run | in privilege
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
privilege interface level 7 no
privilege configure level 7 interface
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 7 reload
If you push privilege15, with combination of aaa authorization exec command, the user will be pushed into privileged mode directly. To avoid that, you can push default privilege x and maximum privilege 15 from ISE. This will force the user to arrive into user mode and issue enable command to get into privileged mode.
please find the attached screenshot it doesn't accepts without a value I have to specify some value.so I have specified default privilege 1 and the max privi 15 so it prompts me the enabled password, it is fine but it is using the locally mentioned enable secret for level 15 by this command (aaa authentication enable default enable) if I changed to (aaa authentication enable default group xyz enable ) then it will check on the ISE first and incase of ise failure it check locally but I don't see any option to specifiy in ISE enable secret ???
Yes privilege has to defined locally and not from ISE. Usually, what we see the most today is giving privilege 15 with command set filtering commands. There's no way to push privilege from ISE I'm aware of.
When you login with privilege 7 are you already in enable mode or user mode?
If user mode, you need to go to enable mode using enable 7.
If you are pushed in privileged mode after ISE authentication, you can have access to commands you configured, you can also verify it by doing show privilege and see in which privilege you are.
For enable, I gave you a link in my previous answer, you have a user like $enab15$ (on the user creation) on ise with the password you want.
Thanks for clarifying but only the below is not clarified
By using this command (aaa authentication enable default enable) it will use locally mentioned enable secret if I changed to (aaa authentication enable default group xyz enable ) then it will check on the ISE for enable secret and incase of ise failure it will check locally but on which page I can configure enable secret in ISE ??? I don't have any user locally on the ISE to use their enable secret,, Please find the attached screenshot.
The link provided below which mentioned as use enable password of the device and not from the ISE.
Ok then if you don't have any local user, your enable password would be your user password. Have you tried it?
Can you share your ISE tacacs live log?
You should get something like that to see that your enable password has been entered and accepted:
the image in your last post didn't show properly,
there is some confusion in my writing I think so, lets keep the local user privileges aside, and lets speak of only enable secret password for user level 15
MY user is in AD and not in the ISE
aaa authentication enable default enable -----what does this mean ?? if I m not wrong use local enable secret
aaa authentication enable default xyz enable---what does this mean??? if I m not wrong use ISE enable secret and if ISE is not accessible then use locally configured enable secret
Yes you're correct.
First one is local enable password and the 2nd line is enable password through ISE and if not available then fallback locally.
if the user is created in the ISE u can specify the enable password for that user no issues with this solution,
If the user is not in the ISE instead he is in the AD then from where he will use the enable password ??
The fallback as you mentioned will be used only when the ISE host itself is down ?? please correct me
When using AD, the enable password would be the same as the user password.
Yes the fallback would be when ISE isn't reachable from the device: could be ISE is down or an acl blocking access to ISE for example.
I got authorization command failure message when I am switching to config mode on the ASA now I m stuck to exit except a hard reload and I was using the same settings of ISE which I was using for switches priv 1 and max 15.
why it happened so ??
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server
Tacacs works a bit different on ASA.
Take a look on this documentation guide:
Can u highlight what is different may be my eyes are not able to figure it out ,
as it seem to me the same as switches, I have kept shell profile 1 and maximum 15 so that user can use the enable password, in this case the user will use his own login password as a enable password,