ASA 5540 Enable Password Issue
The password you need to use to login / enable entirely depends on the configuration of your ASA... For instance this configuration requires that you enable with the local login password of the user who logged in...
aaa authentication ssh console LOCAL
! enable console LOCAL requires the user's password for enable
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
username mpenning password <some_hashed_password> encrypted privilege 15
If your enable password is not working, I assume someone has configured the system to use the local / Cisco ACS user's password to enable.
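To make the answer above concrete, here is an added example (not from the original post, and not Cisco's code) that reads an ASA running-config and reports which secret the enable prompt will check for a given user. The config text and its password hashes are constructed placeholders modelled on the snippet above, and the regexes assume the 8.x line formats shown there.

```python
import re

# Constructed ASA running-config excerpt (placeholder hashes, not real values),
# modelled on the configuration quoted in the answer above.
SAMPLE_CONFIG = """\
enable password xxxx1HNMUkxxxx encrypted
passwd xxxxaUTcbVSxxxxx encrypted
aaa-server ACS protocol tacacs+
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
username mpenning password <some_hashed_password> encrypted privilege 15
username helpdesk password <some_hashed_password> encrypted privilege 3
"""

AAA_AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?\s*$", re.M)
USERNAME_RE = re.compile(r"^username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?\s*$", re.M)


def aaa_sources(config):
    """Map each 'aaa authentication <method> console' line to (server group, LOCAL fallback).
    A method absent from this map is not tied to a user account: the device falls back
    to the shared 'enable password' / 'passwd' secrets for it."""
    return {m.group(1): (m.group(2), m.group(3)) for m in AAA_AUTH_RE.finditer(config)}


def local_users(config):
    """Map each locally defined username to its privilege level (ASA default is 2)."""
    return {m.group(1): int(m.group(2)) if m.group(2) else 2
            for m in USERNAME_RE.finditer(config)}


def enable_credential(config, user):
    """Describe which secret 'enable' will check for `user` under this config."""
    source = aaa_sources(config).get("enable")
    if source is None:
        return "the shared 'enable password' secret"
    group, fallback = source
    if group == "LOCAL":
        if user in local_users(config):
            return f"the LOCAL password of username {user}"
        return f"no credential: {user} is not in the LOCAL user database"
    text = f"the password of {user} on AAA server group {group}"
    if fallback:
        text += " (LOCAL fallback if the group is unreachable)"
    return text


if __name__ == "__main__":
    print(enable_credential(SAMPLE_CONFIG, "mpenning"))
```

Run across exported configs, the same check tells you which firewalls still rely on the shared enable secret rather than a per-user password for privileged access.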
Comments
Mike Pennington over 1 year
I have a Cisco ASA 5540 running the following Software/Manager version:
- Cisco Adaptive Security Appliance Software Version 8.2(2)17
- Device Manager Version 6.3(2)
I use ASDM to make changes to the firewall on a constant basis with no issues. Recently, I needed to SSH into the firewall to make some more technical changes and after login with my ACS credentials I go ahead and try to enable (priv mode) and get an Access Denied.
I know the password I am using is correct... but I figure I'll just change it rq. So I decide to login to the ASDM and change the password through the [Configuration > Device Setup > Device Name/Password] section.
I put in the old password followed by the new password and the confirmed NEW password. Apply the configuration and save it to the flash memory (no errors that the old password was wrong). Everything saves fine and the new password has been changed. I can even use ASDM's CLI to issue a
show running-config enable
and see my newly encrypted password. Mind you I have the following in my running-config:
enable password xxxx1HNMUkxxxx encrypted
passwd xxxxaUTcbVSxxxxx encrypted
So I changed the enable password, not the normal passwd. I again SSH into the firewall with my ACS credentials and proceed to issue the enable command followed by the newly set password. Access Denied! Any insight, suggestions, even jokes... I'm really looking at any feedback at this point.
Bad Dos almost 12 years
If there are usernames entered in the config or an external auth server, the pix will use their password for the enable secret. They did change something a while back where ssh was concerned requiring a user account. In older ASA/PIX code you could ssh to the device without a user account and use the password and enable secret combo but this is no longer possible with current versions.