cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
543
Views
0
Helpful
1
Replies

TACAS server to authorize a I0S device's enable password with auto expiration in days per user account

Ming Tar David Tai
Cisco Employee
Cisco Employee

Hi expert,

 

Is it doable with ISE (or ACS) TACAS server to authorize a I0S device's enable password with auto expiration in days per user account?
 
The use case: My customer will create an enable password for their contractor's user account in order to access, config & test a specific IOS device in a maintenance window. They want TACAS server to authorize the enable password to be only valid for the maintenance window.
 
My customer currently uses ACS 5.7 TACAS for device admin. If ACS cannot support the use case, does ISE support the case?

 

Thanks,

David

1 Accepted Solution

Accepted Solutions

paul
Level 10
Level 10

Here is how I would approach this with your customer. 

 

First off I would educate them that the concept of the "enable" password is really a legacy concept.  I don't think I have used an enabled password in 5-10 years at any of my customers.  Once you have correctly setup TACACS command authorization there is no need for the enabled password in my opinion.  All users should get sent to the # prompt and you authorize what users can do when they get there.

 

Next I would use the time ranges in ISE to accomplish what you want.   I haven't tested these with TACACS rules but I don't see why thy would work:

 

  1. If contractor and in allowed time range then Priv-15 access plus full commands.
  2. If contractor and outside of allowed time range then No access or Priv-15 access plus read-only commands.

 

View solution in original post

1 Reply 1

paul
Level 10
Level 10

Here is how I would approach this with your customer. 

 

First off I would educate them that the concept of the "enable" password is really a legacy concept.  I don't think I have used an enabled password in 5-10 years at any of my customers.  Once you have correctly setup TACACS command authorization there is no need for the enabled password in my opinion.  All users should get sent to the # prompt and you authorize what users can do when they get there.

 

Next I would use the time ranges in ISE to accomplish what you want.   I haven't tested these with TACACS rules but I don't see why thy would work:

 

  1. If contractor and in allowed time range then Priv-15 access plus full commands.
  2. If contractor and outside of allowed time range then No access or Priv-15 access plus read-only commands.

 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: