TACACS enable password is not working after completing ACS & MS AD integration

Enable password for (Router, Switches) is working fine if the identity source is "Internal Users"; unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:

1. able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.

2. Enable password is not working (using the same user password configured in MS AD).

3. When I revert and change the ACS identity source from "AD1" back to "Internal Users", the enable password is working fine.

Switch Tacacs Configuration

aaa new-model
!
aaa authentication login default none
aaa authentication login ACS group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec ACS group tacacs+ local 
aaa authorization commands 15 ACS group tacacs+ local 
aaa accounting exec ACS start-stop group tacacs+
aaa accounting commands 15 ACS start-stop group tacacs+
aaa authorization console
!
aaa session-id common
!
tacacs-server host 10.X.Y.11
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key gacakey

!

line vty 0 4
 session-timeout 5 
 access-class 5 in
 exec-timeout 5 0
 login authentication ACS
 authorization commands 15 ACS
 authorization exec ACS
 accounting commands 15 ACS
 accounting exec ACS
 logging synchronous

This is my first ACS - AD integration experience; I am hoping to fix this issue with your support. Thanks in advance.

Regards,
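Added example, not part of the original post or of any Cisco product. With the configuration above, the switch sends two separate TACACS+ authentication requests: the login (`aaa authentication login ACS group tacacs+ local`) and the enable check (`aaa authentication enable default group tacacs+ enable`). On the wire the two differ only in the authentication START body: the login request carries `authen_service = LOGIN (1)` and the user's privilege level, while the enable request carries `authen_service = ENABLE (2)` and `priv_lvl = 15`. The server applies its own policy to each, so when login works and enable does not, the first thing to confirm from a capture is which request the server is rejecting. The script below builds and parses RFC 8907 authentication START packets, including the MD5 pseudo-pad body obfuscation, so the fields can be read from a captured packet given the shared key. The session id, key, username, port and remote address in the usage are constructed sample values, and the helper names are mine, not any library's.

```python
import hashlib
import struct

# TACACS+ constants (RFC 8907)
TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01           # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01       # service used for "aaa authentication login"
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02      # service used for "aaa authentication enable"
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
MAJOR_VERSION = 0xC
HEADER_FMT = "!BBBBII"                 # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)
SERVICE_NAMES = {TAC_PLUS_AUTHEN_SVC_LOGIN: "login", TAC_PLUS_AUTHEN_SVC_ENABLE: "enable"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. The operation is its own inverse, so the
    same call de-obfuscates a captured body. This is keyed obfuscation, not encryption."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, service, priv_lvl, minor=0):
    """Build the first packet (seq_no 1) of an ASCII authentication, as a NAS would."""
    version = (MAJOR_VERSION << 4) | minor
    seq_no = 1
    user_b, port_b, rem_b, data = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user_b), len(port_b), len(rem_b), len(data))
    body += user_b + port_b + rem_b + data
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Decode a captured authentication START and report the fields a policy matches on."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if version >> 4 != MAJOR_VERSION:
        raise ValueError("not a TACACS+ packet: major version %#x" % (version >> 4))
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START (type %d, seq %d)" % (ptype, seq_no))
    raw = packet[HEADER_LEN:HEADER_LEN + length]
    if len(raw) != length:
        raise ValueError("truncated body")
    body = raw if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(raw, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    off = 8
    fields = []
    for n in (ul, pl, rl):
        fields.append(body[off:off + n].decode("utf-8", "replace"))
        off += n
    user, port, rem_addr = fields
    return {
        "session_id": session_id,
        "priv_lvl": priv_lvl,
        "service": SERVICE_NAMES.get(service, service),
        "user": user,
        "port": port,
        "rem_addr": rem_addr,
    }


if __name__ == "__main__":
    # Constructed sample values; the key is a placeholder, not the one from any real device.
    key = b"example-shared-key"
    login = build_authen_start(0x1A2B3C4D, key, "jdoe", "tty2", "10.0.0.5", TAC_PLUS_AUTHEN_SVC_LOGIN, 1)
    enable = build_authen_start(0x1A2B3C4E, key, "jdoe", "tty2", "10.0.0.5", TAC_PLUS_AUTHEN_SVC_ENABLE, 15)
    for pkt in (login, enable):
        print(parse_authen_start(pkt, key))
```

Decoding a packet captured between the switch and the server with the shared key shows immediately whether the failing request is the `service=enable, priv_lvl=15` one; a wrong key will not raise an error but will produce garbage field lengths, which is itself a useful hint when the `tacacs-server key` on the switch and the device entry on the server do not match.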