TACACS server to authorize an IOS device's enable password with auto expiration in days per user account

Ming Tar David Tai
Cisco Employee

Hi expert,

 

Is it doable with an ISE (or ACS) TACACS server to authorize an IOS device's enable password with auto expiration in days per user account?

The use case: my customer will create an enable password for their contractor's user account in order to access, configure and test a specific IOS device in a maintenance window. They want the TACACS server to authorize the enable password to be valid only for the maintenance window.

My customer currently uses ACS 5.7 TACACS for device admin. If ACS cannot support the use case, does ISE support it?

 

Thanks,

David

Accepted Solution

paul
Level 10

Here is how I would approach this with your customer. 

 

First off I would educate them that the concept of the "enable" password is really a legacy concept. I don't think I have used an enable password in 5-10 years at any of my customers. Once you have correctly set up TACACS command authorization there is no need for the enable password in my opinion. All users should get sent to the # prompt and you authorize what users can do when they get there.

 

Next I would use the time ranges in ISE to accomplish what you want. I haven't tested these with TACACS rules but I don't see why they wouldn't work:

 

  1. If contractor and in allowed time range then Priv-15 access plus full commands.
  2. If contractor and outside of allowed time range then No access or Priv-15 access plus read-only commands.

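To make the two rules concrete, here is an added Python model of that policy (my own simulation for this thread, not ISE or ACS code): exec authorization decides the shell privilege level and command set from the identity group and the current time, and command authorization then permits or denies each command. The maintenance window, the "contractor" group name and the read-only command patterns are constructed assumptions.

```python
"""Constructed simulation of time-window TACACS+ device-admin authorization."""
import re
from dataclasses import dataclass
from datetime import datetime

# Assumed maintenance window (start inclusive, end exclusive).
MAINT_WINDOW = (datetime(2024, 3, 9, 22, 0), datetime(2024, 3, 10, 2, 0))

# Assumed read-only command set: only inspection commands are permitted.
READ_ONLY_COMMANDS = [re.compile(r"^show\b"), re.compile(r"^ping\b")]


@dataclass
class ExecAuthz:
    priv_level: int   # shell privilege level granted at login, 0 = login denied
    command_set: str  # "full", "read-only" or "none"


def exec_authorization(group, when, window=MAINT_WINDOW, strict=False):
    """Rule 1: contractor inside the window -> priv-15 plus full commands.
    Rule 2: contractor outside the window -> no access (strict=True) or
    priv-15 plus read-only commands (strict=False). Other groups are
    treated as regular admins and are unaffected by the window."""
    if group != "contractor":
        return ExecAuthz(priv_level=15, command_set="full")
    start, end = window
    if start <= when < end:
        return ExecAuthz(priv_level=15, command_set="full")
    if strict:
        return ExecAuthz(priv_level=0, command_set="none")
    return ExecAuthz(priv_level=15, command_set="read-only")


def command_authorization(authz, command):
    """Per-command decision the device asks for at the # prompt."""
    if authz.command_set == "full":
        return True
    if authz.command_set == "read-only":
        return any(p.match(command) for p in READ_ONLY_COMMANDS)
    return False  # "none": nothing is permitted


if __name__ == "__main__":
    outside = exec_authorization("contractor", datetime(2024, 3, 10, 9, 0))
    print(outside, command_authorization(outside, "configure terminal"))
```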
 
