ASA 5540 Enable Password Issue


The password you need to use to login / enable entirely depends on the configuration of your ASA... For instance this configuration requires that you enable with the local login password of the user who logged in...

aaa authentication ssh console LOCAL
! enable console LOCAL requires the user's password for enable
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
username mpenning password <some_hashed_password> encrypted privilege 15

If your enable password is not working, I assume someone has configured the system to use the local / Cisco ACS user's password to enable.
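An added example, not part of the answer above: a small Python checker that reads an ASA running-config and reports which credential the box will expect at "enable" (the global "enable password" when no "aaa authentication enable console" line is present, the user's own local password when it is LOCAL, or the AAA server-group password otherwise). The sample config is constructed from the lines quoted in this thread; the server-group name "ACS" is assumed.

```python
import re

# Constructed sample based on the configuration quoted in the answer above.
SAMPLE_CONFIG = """\
aaa-server ACS protocol tacacs+
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authorization command LOCAL
username mpenning password <some_hashed_password> encrypted privilege 15
enable password xxxx1HNMUkxxxx encrypted
passwd xxxxaUTcbVSxxxxx encrypted
"""

# "aaa authentication <ssh|http|enable|...> console <LOCAL|server-group> [LOCAL]"
AAA_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: LOCAL)?\s*$")
# "username <name> password <hash> [encrypted] [privilege <n>]"
USER_RE = re.compile(r"^username (\S+) password \S+.*?(?:privilege (\d+))?\s*$")


def parse_console_auth(config: str) -> dict:
    """Collect the per-service authentication source and the local user database.

    Returns {"auth": {service: source}, "users": {name: privilege}}.
    A service missing from "auth" falls back to the global passwd / enable password.
    """
    auth, users = {}, {}
    for line in config.splitlines():
        line = line.strip()
        m = AAA_RE.match(line)
        if m:
            auth[m.group(1)] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            # ASA assigns privilege 2 when the username line has no privilege keyword.
            users[m.group(1)] = int(m.group(2) or 2)
    return {"auth": auth, "users": users}


def expected_enable_credential(config: str) -> str:
    """State which password 'enable' will ask for after an SSH login."""
    source = parse_console_auth(config)["auth"].get("enable")
    if source is None:
        return "global 'enable password'"
    if source == "LOCAL":
        return "the logged-in user's own local password"
    return f"the user's password on AAA server group '{source}'"
```

Run it over a saved "show running-config" to see why a freshly changed "enable password" is never consulted when the enable console is pointed at LOCAL or an AAA server group.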


Author: Mike Pennington

Updated on September 18, 2022

Comments

  • Mike Pennington over 1 year

    I have a Cisco ASA 5540 running the following Software/Manager version:

    • Cisco Adaptive Security Appliance Software Version 8.2(2)17
    • Device Manager Version 6.3(2)

    I use ASDM to make changes to the firewall on a constant basis with no issues. Recently, I needed to SSH into the firewall to make some more technical changes, and after logging in with my ACS credentials I go ahead and try to enable (priv mode) and get an Access Denied.

    I know the password I am using is correct... but I figure I'll just change it rq. So I decide to login to the ASDM and change the password through the [Configuration > Device Setup > Device Name/Password] section.

    I put in the old password followed by the new password and the confirmed NEW password. Apply the configuration and save it to the flash memory (No errors that the old password was wrong). Everything saves fine and the new password has been changed. I can even use ASDM's CLI to issue a show running-config enable and see my newly encrypted password. Mind you I have the following in my running-config:

    enable password xxxx1HNMUkxxxx encrypted
    passwd xxxxaUTcbVSxxxxx encrypted

    So I changed the enable password, not the normal passwd. I again SSH into the firewall with my ACS credentials and proceed to issue the enable command followed by the newly set password. Access Denied!

    Any insight, suggestions, even jokes... I'm really looking at any feedback at this point.

  • Bad Dos almost 12 years
    If there are usernames entered in the config or an external auth server, the PIX will use their password for the enable secret. They did change something a while back where SSH was concerned, requiring a user account. In older ASA/PIX code you could SSH to the device without a user account and use the password and enable secret combo, but this is no longer possible with current versions.