Using AD for device administration with a different enable password

barweiss45
Level 1

Hello, we are in the process of setting up ISE 2.4 for a demo in our lab. I am trying to replicate our rules for network device access (device administration) that we use on ACS on our ISE demo. The organization I work for requires that we use a different enable password than our login password. We are required to use AD for our device login. On ACS we achieve this by creating our AD user and updating ACS with our enable login and then telling it to check all identity stores. However, I am having difficulty configuring this on ISE. It seems when I create a user on ISE and set it to use an external source for authentication, it grays out the enable password box. On ACS we are able to enter an enable password. On the network devices we purposefully removed any if-authenticated commands so you must use a separate enable password. Everything works great with an internal user, but this doesn't fit our security requirements. I have spent some time reviewing the guides and I came across this line in the Administrator guide:

The device sends a special enable authentication type when the device administrator attempts to enter the privileged mode. Cisco ISE supports a separate enable password to validate this special enable authentication type. The separate enable password is used when the device administrator is authenticated with internal identity stores. For authentication with external identity stores, the same password is used as for regular login.

https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/b_ise_admin_guide_24/b_ise_admin_guide_24_new_chapter_01000.html#reference_8CEA7B84A7654F66B1591ED7459AAB6E

By reading that paragraph it sounds as though using a separate enable password and an external identity for authentication is possible. It sounds like it only supports internal users. I'm sure I'm missing something. Any help is truly appreciated. Thanks!


6 Replies

Francesco Molino
VIP Alumni
Hi

Do you want to have an enable password common for all users and stored in ISE, or a specific enable password for each AD user?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Yes, we would like a different enable password for each user. The workflow right now requires us to go into ACS and update our enable password. Each engineer updates their own enable password, so each engineer has a unique device login (via AD) and a unique enable login via ACS. I hope that clears it up a little bit. Thanks!

With ISE when authenticating against external identities, you won't have the possibility to do so.

Honestly, I never got such a request from my customers because for most of them I often install an MFA system in addition to ISE, and they end up using TACACS to filter precise command profiles and push privilege 15.

I can do some tests and come back to you, but I'm quite sure it's not going to work that way.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thank you Francesco. I appreciate the input. I had a meeting today with our Cisco Sales team and their architect pretty much said the same thing. I may still try opening a TAC case just to absolutely verify, but from the sounds of it I may have to go with MFA. Thank you!

Yeah, and you can find some free ones out there (Google Authenticator on a Linux machine), or Duo Security, which isn't too expensive and is an amazing product.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

A contractor on our team figured it out, this is how it is done:

To get ISE to authenticate username/password against AD but use the local ISE user for the Enable password, I had to create two Authentication rules. The rule that authenticates the user against AD has the condition of "TACACS Service Type EQUALS login". The other rule which utilizes the local user identity store for the Enable password has the condition of "TACACS Service Type EQUALS enable". The only catch is, and I think it's the same when using ACS, is that the username in ISE has to match the username in AD.
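To make the two-rule policy above concrete, here is an added Python model of how it routes TACACS+ authentication requests (it is an illustration written for this page, not ISE code; the identity stores, usernames and passwords are constructed sample data). It shows that the AD login password is rejected for the enable request, and why an internal account must exist under the same username as in AD.

```python
"""Model of the two ISE authentication rules described in the thread:
  Rule 1: TACACS Service Type EQUALS login  -> identity store AD
  Rule 2: TACACS Service Type EQUALS enable -> identity store Internal Users
Constructed sample data; real stores would be AD and the ISE internal user DB."""
from dataclasses import dataclass
import hmac

# Constructed identity stores (clear-text only for this illustration).
AD_USERS = {"jdoe": "Ad-Login-Pa55"}                  # external store: login password
ISE_INTERNAL_USERS = {                                # internal store: enable password
    "jdoe": "Sep4rate-Enable!",                       # same username as in AD (the "catch")
    "asmith": "Other-Enable",                         # internal-only account: can enable but not log in
}


@dataclass(frozen=True)
class TacacsAuthRequest:
    username: str
    password: str
    service_type: str   # TACACS+ service attribute: "login" or "enable"


def select_store(req: TacacsAuthRequest):
    """Evaluate the two authentication rules top-down; None means no rule matched."""
    if req.service_type == "login":
        return "AD", AD_USERS
    if req.service_type == "enable":
        return "Internal Users", ISE_INTERNAL_USERS
    return None, None


def authenticate(req: TacacsAuthRequest):
    """Return (passed, detail): detail is the store used or the reason for rejection."""
    store_name, store = select_store(req)
    if store is None:
        return False, "no policy rule matched"
    expected = store.get(req.username)
    if expected is None:
        # Enable lookups happen in the internal store, so the AD username must exist there too.
        return False, f"user not found in {store_name}"
    if not hmac.compare_digest(expected.encode(), req.password.encode()):
        return False, f"wrong password for {store_name}"
    return True, store_name
```

Feeding the same username through a `login` and then an `enable` request shows the login password failing against the internal store, which is exactly the separate-enable-password behaviour the original poster needed.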