abhijith891
Beginner

Unable to create a Read-Only policy in ISE 2.4; 'enable' password doesn't work

Hello everyone,

I am trying to create a read-only authorization policy for firewalls for a particular team in ISE 2.4, but I am unable to do it efficiently. I have configured the shell profile for the team to have a default privilege of 1 and max of 7. But for some reason, whenever they log into the ASA, they say their 'login' password works fine, but their 'enable' password isn't working; as a result of which they are unable to get a privilege level of 7. I have tried enabling/disabling the 'enable' password but still it's of no avail. So can someone help me out on this?

Regards.

Abhijit

1 ACCEPTED SOLUTION

Accepted Solutions
hslai
Cisco Employee

ASA has no option for "enable" so its "enable" is actually "enable 15". Thus, please set the default privilege to 7.


paul
Advocate

In my opinion the best way to do any sort of user levels on devices is to do command authorization. The ASA allows you to send users to priv 15 just like any other Cisco product. Send all users to priv 15 and do command authorization to create whatever class of users you want. If they are using ASDM you need to allow “write net” so the config can be sent into ASDM.
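
The ASA side of the command-authorization approach described in the reply above, as an added example that is not part of the original thread. The server group name `ISE-TACACS`, the interface name `mgmt`, the address `192.0.2.10`, the `localadmin` account and the bracketed secrets are assumed placeholders.

```cisco
! Constructed example: names, address and secrets are placeholders.
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (mgmt) host 192.0.2.10
 key <shared-secret>
!
! Local fallback account so the firewall stays manageable if ISE is unreachable.
username localadmin password <local-password> privilege 15
!
! Authenticate SSH, ASDM (http) and 'enable' against ISE, falling back to LOCAL.
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication http console ISE-TACACS LOCAL
aaa authentication enable console ISE-TACACS LOCAL
!
! Apply the privilege level returned by the ISE shell profile
! (15 for every user in this model).
aaa authorization exec authentication-server
!
! Send each command to ISE for a permit/deny decision. This, not the
! privilege level, is what separates read-only users from administrators.
aaa authorization command ISE-TACACS LOCAL
!
! Record every command for audit.
aaa accounting command ISE-TACACS
```

On the ISE side this pairs with a shell profile that returns privilege 15 and a TACACS command set for the read-only team that permits only what they need, plus `write net` for ASDM users as noted above. Confirm the local fallback account works before enabling `aaa authorization command`, since a wrong command set otherwise blocks configuration changes for everyone.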
