
06-13-2018 04:55 PM
Hello everyone,
I am trying to create a read-only authorization policy for firewalls for a particular team in ISE 2.4, but I am unable to do it efficiently. I have configured the shell profile for the team to have a default privilege of 1 and max of 7. But for some reason, whenever they log into the ASA, they say their 'login' password works fine, but their 'enable' password isn't working; as a result of which they are unable to get a privilege level of 7. I have tried enabling/disabling the 'enable' password but still it's of no avail. So can someone help me out on this?
Regards.
Abhijit
Labels: Identity Services Engine (ISE)
Accepted Solutions
06-13-2018 05:53 PM
ASA has no option for "enable" so its "enable" is actually "enable 15". Thus, please set the default privilege to 7.

06-14-2018 04:51 AM
In my opinion the best way to do any sort of user levels on devices is to do command authorization. The ASA allows you to send users to priv 15 just like any other Cisco product. Send all users to priv 15 and do command authorization to create whatever class of users you want. If they are using ASDM you need to allow “write net” so the config can be sent into ASDM.
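
The command-authorization approach from the reply above, sketched as ASA configuration. This is an added example, not part of the original thread; the server-group name `ISE-TACACS`, the interface name `management`, the address `192.0.2.10` and the key are placeholders, and the matching ISE shell profile and command set are assumed to exist.

```cisco
! Added example: placeholder names and addresses, adjust to your environment.
! Define the ISE node as a TACACS+ server group on the ASA.
aaa-server ISE-TACACS protocol tacacs+
aaa-server ISE-TACACS (management) host 192.0.2.10
 key <shared-secret>

! Authenticate SSH logins and the enable prompt against ISE.
! LOCAL is consulted only when the TACACS+ group is unreachable.
aaa authentication ssh console ISE-TACACS LOCAL
aaa authentication enable console ISE-TACACS LOCAL

! Place users directly at the privilege level returned by the ISE shell
! profile (15 in this design), so no separate enable password is needed.
aaa authorization exec authentication-server auto-enable

! Send every command to ISE for a permit/deny decision. The read-only
! class is then defined in an ISE TACACS command set (assumed here:
! permit "show" with any arguments, deny everything else; permit
! "write net" as well if the team uses ASDM, as noted in the reply).
aaa authorization command ISE-TACACS LOCAL

! Record each command issued for audit purposes.
aaa accounting command ISE-TACACS
```

Keep an existing privileged session open while enabling `aaa authorization command`, and confirm a local fallback account works, since a missing or wrong command set on ISE denies commands for every TACACS+ user.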
