Solved

asa password

Posted on 2013-12-18
Last Modified: 2014-01-06
I want to change the enable password on an ASA, but I realized there is no option for "enable secret"

ASA-Floor4(config)# enable secret ?
ERROR: % Unrecognized command


I see in the config that the enable password has:

enable password PasSwordHere encrypted
passwd PasSwordHere encrypted


I want only to change the enable password and keep it secret\encrypted like it is now but there is no enable secret command. There is a local username 15 and
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL

Can someone explain and help me change the password? Thanks.
0
Question by:tolinrome
16 Comments
 
LVL 24

Expert Comment

by:smckeown777
ID: 39727877
The command you need is

enable password <your password> encrypted
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39727962
When I tried that, it says it is too short (paraphrasing), but when I look at another firewall set up exactly as this one, it uses the same password and didn't give that error.
Both firewalls have the same setup and the hashing characters in the passwords are exactly the same, but the two passwords are actually different.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39728004
Half asleep here...sorry

Leave out the 'encrypted' bit I mentioned above...all enable passwords on the ASA are encrypted by default

Try it again and see...

enable password <your password>
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729110
It won't take the new password, it still retains the old one. It looks like it takes it, but when I log out and back in, it's still the old password. Could this have anything to do with the local aaa authentication?

cisco(config)#enable password <my password>
cisco(config)#
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729114
When you say 'log out and back in' what do you mean? From console or telnet? How are you logging in exactly?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729305
ssh
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729322
Right, well ssh and enable are 2 different passwords...so want to be sure there is no confusion here

To set password for ssh you use

passwd <your password>

That sets the ssh password...is that what you are getting confused on?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729389
No, I can log in fine using ssh, that's no problem. The only problem is that when I change the enable password, it doesn't take it, I still have to use the old enable password. But what's confusing is that when I type the new enable password it acts like it's taking it. For example:

1. I login using ssh
2. I change the enable password
    cisco(config)#enable password <my password>
    cisco(config)#
3. I exit the device without saving (wr mem)
4. I log back in using ssh
5. I go into enable mode and it's the old password again, not the new one I just created.

Thanks for helping.
0
 
LVL 24

Expert Comment

by:smckeown777
ID: 39729511
Ok, well either it's a bug (what version IOS are you on?) or this line is possibly causing your issue

aaa authentication enable console LOCAL

Remove that and test again...

no aaa authentication enable console LOCAL

I think that means 'each user has a separate enable password different from the global one'...

To confirm - does your new enable password work? Even though the older one does as well?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39729573
I know it's not a bug since others on the same version are fine. So it probably has something to do with the local authentication but I want to fully understand first before cancelling out that line.
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39732912
Anyone?
0
 
LVL 7

Author Comment

by:tolinrome
ID: 39740258
anyone?
0
 
LVL 24

Accepted Solution

by:
smckeown777 earned 500 total points
ID: 39743548
From my understanding this is by design...

Do this as a test please...connect a console cable to the ASA and connect to the console...I would guess that the NEW enable password will work now

2nd test - when SSH'd in and you enter enable mode - enter the current ssh password and does it take?

The line

aaa authentication enable console LOCAL

means 'you switch to enable mode using the USERS password'...which is why I said remove that line to confirm/test this...
0
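Added example (not part of the original thread, and not Cisco's code): a small config audit that applies the accepted answer's reading of `aaa authentication enable console` to a saved configuration and reports which credential the enable prompt checks. The sample configs are constructed from the lines quoted in the question; the hash placeholders and the username `admin` are assumptions.

```python
# Added example: report which credential the ASA "enable" prompt checks,
# following the accepted answer's reading of "aaa authentication enable console".

# Constructed sample built from the lines quoted in the question; the hash
# strings and the username "admin" are placeholders, not values from the thread.
WITH_AAA = """\
enable password PLACEHOLDERHASH encrypted
passwd PLACEHOLDERHASH encrypted
username admin password PLACEHOLDERHASH encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
"""
# Same config with the line the accepted answer suggests removing as a test.
WITHOUT_AAA = WITH_AAA.replace("aaa authentication enable console LOCAL\n", "")


def audit_enable_auth(config_text):
    """Return a summary of how enable mode is authenticated in this config."""
    aaa = {}      # service -> method list, e.g. {"enable": ["LOCAL"]}
    users = {}    # local username -> privilege level (None if not stated)
    has_enable_pw = False
    for line in config_text.splitlines():
        tok = line.split()
        if tok[:2] == ["aaa", "authentication"] and len(tok) >= 5 and tok[3] == "console":
            aaa[tok[2]] = tok[4:]
        elif tok[:1] == ["username"] and len(tok) >= 2:
            level = None
            if "privilege" in tok[2:-1]:
                level = int(tok[tok.index("privilege", 2) + 1])
            users[tok[1]] = level
        elif tok[:2] == ["enable", "password"]:
            has_enable_pw = True

    methods = aaa.get("enable", [])
    per_user = bool(methods)
    return {
        "enable_credential": "user password" if per_user else "enable password",
        "enable_methods": methods,
        # True when "enable password" is set but is not what the prompt checks,
        # i.e. changing it appears to do nothing (the symptom in this thread).
        "enable_password_shadowed": per_user and has_enable_pw,
        "local_users": users,
        "aaa_services": sorted(aaa),
    }


if __name__ == "__main__":
    for name, cfg in (("with aaa", WITH_AAA), ("without aaa", WITHOUT_AAA)):
        print(name, audit_enable_auth(cfg))
```

When `enable_password_shadowed` is true, the credential to rotate is the local user's password rather than the global enable password.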
 
LVL 7

Author Comment

by:tolinrome
ID: 39749947
Problem is the ASA is in a remote site and can't console in.
0
 
LVL 29

Expert Comment

by:serialband
ID: 39751748
Get yourself a remote console, such as a Lantronix Spider, Duo, or SLC, depending on how many console connections you need.  You can set up your firewall to only allow connections from your location and you can have remote console access to all your systems.
0
