cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4463
Views
5
Helpful
4
Replies

"Enable Password" field for ISE internal users

Ping Zhou
Level 8
Level 8

Hello there,

When I was creating an internal users on ISE, I noticed that there is a new field labeled as "enabled password", as attached screenshot.

I usually just use the "login" field. I'm wondering what the "enable password" field would do to an internal user? What's its purpose?

enable_password.PNGThanks

1 Accepted Solution

Accepted Solutions

hslai
Cisco Employee
Cisco Employee

It's to use ISE internal users as the identity source for device administration using TACACS+ on Cisco IOS like devices, where differentiating between the login passwords and the enable passwords.

View solution in original post

4 Replies 4

hslai
Cisco Employee
Cisco Employee

It's to use ISE internal users as the identity source for device administration using TACACS+ on Cisco IOS like devices, where differentiating between the login passwords and the enable passwords.

Make sense...I have 2 follow up questions though: 

1. In the tacacs Device Admin case, What if I only set the login password, no enable password, and I use this internal user as AuthZ conditions and give it Privilege 15 and Permit All commands as the AuthZ result, would it work? or for this case, I have to have the enable password?

2. if this enable password is mandatory in my above device Admin TACACS case, i guess they can't be the same password as the login password?

I searched Admin guide, I can't find any explanations  about this enable password field. Perhaps the documentation could help add it?

thanks again

Sorry, forgot to ask: I assume this field is only for IOS device?

hslai
Cisco Employee
Cisco Employee

(1) Yes, we use only login passwords if going directly to privilege 15.

(2) We may give the same values for both login and enable passwords.

Sure, we will investigate and update the doc.

Besides Cisco IOS, ASA also uses enable.