Solved

how to delete enable_15 on cisco ASA

Posted on 2010-11-17
10
8,239 Views
Last Modified: 2012-05-10
I have been audited for PCI and the auditor wants me to delete the enable_15 user on our ASAs. I have added other privilege level 15 accounts and when I login as the new user to the asdm,  I do not have the option of removing that username. How can I delete it?
0
Comment
Question by:jbla9028
  • 5
  • 4
10 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157665
Have you tried it through the CLI?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157720
what commands do I have to run to delete the username?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157811
-log in to the asa
-type: enable
-give password
-type: conf t
-type: wr t

It will now show your configuration, fine the line with the user enable_15
Copy this line and paste it back putting: no in front of it.

Like no user enable_15 blahblah

-commit to memory: wr mem

That should do it
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 1

Author Comment

by:jbla9028
ID: 34157835
doesn't seem to "know" there's a username in the CLI. I type

config t
no user enable_15

I get this output

ERROR: username <enable_15> does not exist

it does not show up in the running config as a user?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 34157888
So do you have a user which looks like that (for example ena_15)? or do you just see the users you created?
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34157915
I just see the users I've created but in the ASDM I see this enable_15 user and the auditor wants me to remove it.
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
ID: 34158200
username enable_15 defaulty showing ASDM, but not real username!
0
 
LVL 1

Author Comment

by:jbla9028
ID: 34158207
so is it a bug?
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 34158291
Ah got it.
This is a (implicit) default account which cannot be removed. It's used to give you complete access to the firewall when you issue hte 'enable' command. i.e. user gone: access gone: can't configure the firewall anymore.

There are ways to make sure users don't need to use this enable password, have a look at this:
http://cisconews.co.uk/2008/01/11/asa-7x-local-users/

Quote:

'The recommended method is to configure authentication for the enable command as follows:

Firewall(config)# aaa authentication enable console LOCAL

This forces users into their assigned privileged level by requiring their own password instead of the enable one. For example, typing the enable command from user EXEC mode now requires the user’s password, not the enable password. There is no indication of this to the user as the prompt is the same. Used in conjunction with local command authorization, this provides a basic level of security to the administration of your ASA.'
0
 
LVL 1

Author Closing Comment

by:jbla9028
ID: 34159676
thanks
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Setup NAT/PAT question 3 48
Cisco IP NAT Translation not working 9 33
How to list which IP address is the managed switch in my company ? 13 132
cisco 2800 cannot ping lan 4 20
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question