Solved

how to delete enable_15 on cisco ASA

Posted on 2010-11-17
10
8,109 Views
Last Modified: 2012-05-10
I have been audited for PCI and the auditor wants me to delete the enable_15 user on our ASAs. I have added other privilege level 15 accounts and when I login as the new user to the asdm,  I do not have the option of removing that username. How can I delete it?
0
Comment
Question by:jbla9028
  • 5
  • 4
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157665
Have you tried it through the CLI?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157720
what commands do I have to run to delete the username?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157811
-log in to the asa
-type: enable
-give password
-type: conf t
-type: wr t

It will now show your configuration, fine the line with the user enable_15
Copy this line and paste it back putting: no in front of it.

Like no user enable_15 blahblah

-commit to memory: wr mem

That should do it
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157835
doesn't seem to "know" there's a username in the CLI. I type

config t
no user enable_15

I get this output

ERROR: username <enable_15> does not exist

it does not show up in the running config as a user?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157888
So do you have a user which looks like that (for example ena_15)? or do you just see the users you created?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Author Comment

by:jbla9028
ID: 34157915
I just see the users I've created but in the ASDM I see this enable_15 user and the auditor wants me to remove it.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34158200
username enable_15 defaulty showing ASDM, but not real username!
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34158207
so is it a bug?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 34158291
Ah got it.
This is a (implicit) default account which cannot be removed. It's used to give you complete access to the firewall when you issue hte 'enable' command. i.e. user gone: access gone: can't configure the firewall anymore.

There are ways to make sure users don't need to use this enable password, have a look at this:
http://cisconews.co.uk/2008/01/11/asa-7x-local-users/

Quote:

'The recommended method is to configure authentication for the enable command as follows:

Firewall(config)# aaa authentication enable console LOCAL

This forces users into their assigned privileged level by requiring their own password instead of the enable one. For example, typing the enable command from user EXEC mode now requires the user’s password, not the enable password. There is no indication of this to the user as the prompt is the same. Used in conjunction with local command authorization, this provides a basic level of security to the administration of your ASA.'
0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 34159676
thanks
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Cisco 2960 port led all amber 5 72
Clearing router cache 12 41
access vs trunk with voice vlan 2 20
Cisco 1811W VLAN configuration problem 3 11
How to configure Site to Site VPN on a Cisco ASA.     (version: 1.1 - updated August 6, 2009) Index          [Preface]   1.    [Introduction]   2.    [The situation]   3.    [Getting started]   4.    [Interesting traffic]   5.    [NAT0]   6.…
I recently updated from an old PIX platform to the new ASA platform.  While upgrading, I was tremendously confused about how the VPN and AnyConnect licensing works.  It turns out that the ASA has 3 different VPN licensing schemes. "site-to-site" …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now