06-02-2017 06:59 PM
Hello there,
When I was creating an internal user on ISE, I noticed that there is a new field labeled "enable password", as in the attached screenshot.
I usually just use the "login" field. I'm wondering what the "enable password" field would do to an internal user? What's its purpose?
Thanks
06-02-2017 07:04 PM
It's to use ISE internal users as the identity source for device administration using TACACS+ on Cisco IOS-like devices, which differentiate between the login passwords and the enable passwords.
06-02-2017 08:42 PM
Makes sense... I have 2 follow-up questions though:
1. In the TACACS Device Admin case, what if I only set the login password, no enable password, and I use this internal user as AuthZ conditions and give it Privilege 15 and Permit All commands as the AuthZ result, would it work? Or for this case, do I have to have the enable password?
2. If this enable password is mandatory in my above Device Admin TACACS case, I guess they can't be the same password as the login password?
I searched the Admin guide, and I can't find any explanation of this enable password field. Perhaps the documentation could help add it?
Thanks again
06-02-2017 08:52 PM
Sorry, forgot to ask: I assume this field is only for IOS devices?
06-03-2017 07:06 AM
(1) Yes, we use only login passwords if going directly to privilege 15.
(2) We may give the same values for both login and enable passwords.
Sure, we will investigate and update the doc.
Besides Cisco IOS, ASA also uses enable.
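
The device-side AAA configuration that determines which of the two ISE passwords is used, as an added example that is not part of the original thread. The server name `ISE-TACACS`, group name `ISE-GROUP`, address `192.0.2.10` and the key are placeholders chosen for illustration.

```ios
! Constructed example: server name, group name, address and key are placeholders.
aaa new-model
!
tacacs server ISE-TACACS
 address ipv4 192.0.2.10
 key <shared-secret-placeholder>
!
aaa group server tacacs+ ISE-GROUP
 server name ISE-TACACS
!
! Login prompt: checked against the ISE internal user's login password.
aaa authentication login default group ISE-GROUP local
!
! "enable" command: sent to ISE as a separate authentication, which is
! where the internal user's enable password is checked. Falls back to the
! local enable secret if no TACACS+ server answers.
aaa authentication enable default group ISE-GROUP enable
!
! Exec authorization: lets ISE return privilege level 15 at login, so the
! user never types "enable" and only the login password is used.
aaa authorization exec default group ISE-GROUP local
aaa authorization commands 15 default group ISE-GROUP local
```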