username and password

Posted on 2008-10-02
Last Modified: 2012-05-05
Hi Experts,

By default, a Cisco ASA 5505 has a blank username and password when you connect to it either by console or through IE over https.

Is it a good idea to place a username and password at global mode level, enable level and on e0/0 (outside interface)? What is the best practice for where to put the username and password, and how would you go about putting one in (e.g. CLI command)?

Appreciate any help
Question by: mcse2007
LVL 24

Assisted Solution

DMTechGrooup earned 50 total points
ID: 22631119
enable password myEnableSecret encrypted

Set the enable password (displays encrypted). It displays in encrypted form, with the word "encrypted" at the end. Note that when entering the command, leave off the "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.

passwd myLoginSecret encrypted

Set the user mode password, the first password challenge when using Telnet. Note that when executing the command, leave off the "encrypted" keyword or the PIX will assume that the string you are putting in is the encryption of the actual password.
LVL 12

Accepted Solution

Pugglewuggle earned 250 total points
ID: 22631340
Hi mcse2007 - good to see you again!
The standard for securing Cisco devices with username and password info is to use AAA - Authentication, Authorization, and Accounting.
While it is still advisable to leave the password and enable password commands in the config in case something comes up, the proper way to do it is to use AAA. Cisco will tell you the same thing.
Here are the commands you need to activate AAA as well as the password and enable password:
! This sets up AAA to use the local AAA database to authenticate all connection methods
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
! This sets up the non-AAA management passwords. You MUST remember the enable
! password to use the enable command with
enable password <Your Enable Here>
passwd <Your Regular Password Here>
! This sets up a username to manage the device
username <Your Username Here> password <Your Password Here> privilege 15
! This sets up a username to connect via VPN or something else
username <Your Username Here> password <Your Password Here> privilege 0
Replace everything in brackets with your values.
Please note that you MUST remember the enable password to make changes to your device. If you already have one you don't need to run this command.
Also, you don't need to make the privilege 0 user - I was just using that as an example - however, you MUST have at least one privilege 15 user to manage the device.
From now on, when connecting to the console or command line, use the username and password combo to login and then use the enable password to enable.
When connecting via ASDM, just use the username/password combo.
Do note that you create VPN users with the database command as well - just with privilege 0.
Cheers! I hope that helps!
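As an added example that is not part of this thread and not a Cisco tool: a small Python script that audits an ASA running-config for exactly the settings the accepted answer configures (an "aaa authentication ... console" line for each access method, an enable password and passwd present, and at least one privilege 15 local user). Both sample configs are constructed for the example, with password hashes replaced by placeholder strings; the function names and finding texts are the script's own.

```python
"""Audit an ASA running-config for the management-authentication settings
from the accepted answer.  Added example, not part of the original thread;
the two sample configs below are constructed, with password hashes replaced
by placeholder strings, and the function names and finding texts are this
script's own.
"""
import re

# Access methods the accepted answer points at the LOCAL database.
ACCESS_METHODS = ("enable", "http", "serial", "telnet", "ssh")

# Constructed "before" config: no AAA, no local users, no passwords set.
BEFORE_CONFIG = """\
: Saved
!
hostname asa5505
interface Vlan2
 nameif outside
 security-level 0
!
"""

# Constructed "after" config, following the accepted answer (placeholder hashes).
AFTER_CONFIG = """\
: Saved
!
hostname asa5505
enable password XXXXXXXXXXXXXXXX encrypted
passwd YYYYYYYYYYYYYYYY encrypted
aaa authentication enable console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec authentication-server
username admin password ZZZZZZZZZZZZZZZZ encrypted privilege 15
username vpnuser password WWWWWWWWWWWWWWWW encrypted privilege 0
!
"""


def parse_config(text):
    """Return config lines with comment (!), banner (:) and blank lines removed."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("!", ":")):
            continue
        lines.append(line)
    return lines


def aaa_servers(lines):
    """Map each access method to the server group its 'aaa authentication' line names."""
    servers = {}
    for line in lines:
        m = re.match(r"aaa authentication (\S+) console (\S+)$", line)
        if m:
            servers[m.group(1)] = m.group(2)
    return servers


def privileged_users(lines):
    """Return the names of local users configured with privilege 15."""
    admins = []
    for line in lines:
        m = re.match(r"username (\S+) password \S+(?: encrypted)? privilege (\d+)$", line)
        if m and int(m.group(2)) == 15:
            admins.append(m.group(1))
    return admins


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    lines = parse_config(text)
    findings = []

    servers = aaa_servers(lines)
    for method in ACCESS_METHODS:
        # Any server group (LOCAL, RADIUS, TACACS+) is accepted; only a missing
        # line is flagged, since that method then falls back to the bare passwords.
        if method not in servers:
            findings.append(f"missing 'aaa authentication {method} console': "
                            f"{method} access falls back to passwd/enable password")

    if not any(re.match(r"enable password \S+", l) for l in lines):
        findings.append("no 'enable password' line: enable mode password not set")
    if not any(re.match(r"passwd \S+", l) for l in lines):
        findings.append("no 'passwd' line: Telnet login password not set")

    if not privileged_users(lines):
        findings.append("no local user with privilege 15: nobody could manage the device via AAA LOCAL")

    return findings


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        results = audit(cfg)
        print(f"{name}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

Run it against the output of "show running-config" saved to a file by replacing the constructed strings; a missing line for any one access method is reported separately, since the accepted answer sets each method explicitly and leaving one out silently keeps it on the old passwd/enable password path.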
LVL 12

Expert Comment

ID: 22631347
Forgot to mention - one other feature is that in a big company that has centralized password management - AAA is used to connect to an AAA server - that way every device in the organization can be managed with a username and password that is only set once on the AAA server! Very cool.
AAA servers include RADIUS servers and TACACS+ servers. However, for a small setup, using one of these servers is unnecessary and a pain to manage. It's best to use the LOCAL database as the commands I sent you do.
Cheers again!

Author Closing Comment

ID: 31502658
Again, I appreciate your input. BTW, Pugglewuggle, how many Cisco ASAs do you manage at work?
LVL 12

Expert Comment

ID: 22639930
Hi mcse2007 - I actually manage 3 ASA 5505s, 1 ASA 5520 and 1 ASA 5510 at work. On the side I run my own networking design and consulting company. At client sites I've installed over 20 ASAs. Pretty shoddy, I only make $10 an hour at my real job though... I guess it's because I'm only 20. It does seem like I can roll with the pros on here with no problem though... I just don't know how to get paid more! :-P

Author Comment

ID: 22642781
Good for you Pugglewuggle.

Here in Sydney, Australia, Cisco engineers are in hot demand; perhaps you should consider moving for better pay :-)

BTW, does Cisco offer certification in PIX firewall?
LVL 12

Expert Comment

ID: 22642923
Cisco does offer a professional level security cert called a CCSP and of course there's the Security CCIE.
I actually have always wanted to visit AU... what is the salary there? I'm in Texas in the United States and TX currently has the hottest economy in the country.
Just curious!

Author Comment

ID: 22643171
It varies, depending particularly on the company (e.g. private, publicly listed etc.), but usually the following are a close indication of what the market offers, in AUD:
CCNA <= 65K
CCNP >= 75K
CCIE >= 110K
LVL 12

Expert Comment

ID: 22643218
That's about what they are here (except CCIE is more like $100,000+ USD). I just need to figure out how to get in on it.
Thanks and cheers!
