Solved: Re: "Enable Password" field for ISE internal users

Ping Zhou · ‎06-02-2017

Hello there,

When I was creating an internal users on ISE, I noticed that there is a new field labeled as "enabled password", as attached screenshot.

I usually just use the "login" field. I'm wondering what the "enable password" field would do to an internal user? What's its purpose?

Thanks

hslai · ‎06-02-2017

It's to use ISE internal users as the identity source for device administration using TACACS+ on Cisco IOS like devices, where differentiating between the login passwords and the enable passwords.

View solution in original post

hslai · ‎06-02-2017

It's to use ISE internal users as the identity source for device administration using TACACS+ on Cisco IOS like devices, where differentiating between the login passwords and the enable passwords.

Ping Zhou · ‎06-02-2017

Make sense...I have 2 follow up questions though:

1. In the tacacs Device Admin case, What if I only set the login password, no enable password, and I use this internal user as AuthZ conditions and give it Privilege 15 and Permit All commands as the AuthZ result, would it work? or for this case, I have to have the enable password?

2. if this enable password is mandatory in my above device Admin TACACS case, i guess they can't be the same password as the login password?

I searched Admin guide, I can't find any explanations about this enable password field. Perhaps the documentation could help add it?

thanks again

Ping Zhou · ‎06-02-2017

Sorry, forgot to ask: I assume this field is only for IOS device?

hslai · ‎06-03-2017

(1) Yes, we use only login passwords if going directly to privilege 15.

(2) We may give the same values for both login and enable passwords.

Sure, we will investigate and update the doc.

Besides Cisco IOS, ASA also uses enable.