
TACACS enable password authentication behavior - Cisco Identity Services Engine 2.4

realeric
Level 1

I am running an eval of ISE 2.4 (patch 6). I used the migration tool to pull in all information from ACS 5.8. ISE is new to me, so I'm just trying to figure it out.

 

The issue I am having right now is with the enable password. It was a simple process in ACS; under user authentication setting, you just made sure the "TACACS Enable Password" option was not checked.

 

I don't see anything similar in ISE. The only way I got this to work was to go into each user account and configure the enable password. I am hoping there is a better way of doing this, as I have many users that require enable mode. They all belong to the same "User Identity Group".

 

My goal would be for the Login Password to also work as the Enable Password (as it did in ACS). Another option might be for our TACACS network devices to not even prompt for a password when a user enters enable mode (not sure if this is possible).

 

 

1 Reply

paul
Level 10

Honestly the concept of enabled mode is antiquated. If you enable command authorization for lvl 15 commands on your network devices you control what the user can do when they get on the device. Put everyone at priv-15 (the # prompt) as soon as they log in and create a Read-Only command set that can only do show commands and a Full-Access command set that can do everything.

 

I haven't used enabled passwords in 5-10 years on any of my installs.
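
An added example, not part of the original thread or either poster's configuration: a device-side IOS AAA sketch of the approach described in the reply above, where exec authorization lets the TACACS+ server assign privilege 15 at login and commands are sent to the server for authorization. The server name `ISE1`, group name `ISE-TACACS`, address `192.0.2.10` and key are placeholders, and the Read-Only and Full-Access command sets plus a shell profile granting privilege 15 are assumed to exist on the ISE side.

```cisco
! Constructed example; server name, group name, address and key are placeholders.
aaa new-model
!
tacacs server ISE1
 address ipv4 192.0.2.10
 key <shared-secret>
!
aaa group server tacacs+ ISE-TACACS
 server name ISE1
!
! Login is authenticated by TACACS+; the local user database is used
! only when no TACACS+ server responds.
aaa authentication login default group ISE-TACACS local
!
! Exec authorization: the privilege level comes from the server, so users
! land at the # prompt and are never asked for an enable password.
aaa authorization exec default group ISE-TACACS local
!
! Command authorization for level-15 commands: each command is checked
! against the command set the server assigns to the user.
aaa authorization commands 15 default group ISE-TACACS local
!
! Not mentioned in the reply: IOS authorizes by the level of the command,
! so level-1 commands need their own method list to be checked as well.
aaa authorization commands 1 default group ISE-TACACS local
!
! Send commands entered in configuration mode for authorization too.
aaa authorization config-commands
!
! Keep an accounting record of every level-15 command.
aaa accounting commands 15 default start-stop group ISE-TACACS
```

Keep a working console session open and confirm a local account exists before applying the authorization lines, since a missing or mismatched command set on the server denies commands immediately.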
