asa password

I want to change the enable password on an ASA, but I realized there is no option for "enable secret"

ASA-Floor4(config)# enable secret ?
ERROR: % Unrecognized command


I see in the config that the enable password has:

enable password PasSwordHere encrypted
passwd PasSwordHere encrypted


I want only to change the enable password and keep it secret/encrypted like it is now, but there is no enable secret command. There is a local username 15 and
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL

Can someone explain and help me change the password. Thanks.
tolinrome Asked:

smckeown777 Commented:
From my understanding this is by design...

Do this as a test please...connect a console cable to the ASA and connect to the console...I would guess that the NEW enable password will work now

2nd test - when SSH'd in and you enter enable mode - enter the current ssh password and does it take?

The line

aaa authentication enable console LOCAL

means 'you switch to enable mode using the USERS password'...which is why I said remove that line to confirm/test this...
0
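To make the point in this answer concrete, here is a small added checker (not from the thread or from Cisco) that reads the `aaa authentication ... console` lines the poster quoted and reports which secret the ASA consults for the enable prompt and for SSH/Telnet logins. The config text is a constructed sample built from the lines in the question; `PasSwordHere` is the poster's own placeholder.

```python
import re

# Constructed sample: the lines the poster quoted from the running config.
# "PasSwordHere" is the poster's placeholder, not a real hash.
SAMPLE_CONFIG = """\
enable password PasSwordHere encrypted
passwd PasSwordHere encrypted
username admin password PasSwordHere encrypted privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console LOCAL
"""

AAA_RE = re.compile(r"^aaa authentication (\S+) console (\S+)$")


def parse_aaa(config_text):
    """Map each 'aaa authentication <service> console <tag>' line to its tag."""
    aaa = {}
    for raw in config_text.splitlines():
        m = AAA_RE.match(raw.strip())
        if m:
            aaa[m.group(1).lower()] = m.group(2)
    return aaa


def credential_source(config_text, service):
    """Report which secret the ASA checks for a given service.

    service is 'enable' (the enable prompt) or a login service such as
    'ssh' or 'telnet'. If that service has an 'aaa authentication ... console'
    line, the named database is consulted: LOCAL means the local username's
    own password; anything else is a AAA server group. Without such a line,
    'enable' falls back to the global 'enable password' and SSH/Telnet logins
    fall back to the 'passwd' line.
    """
    tag = parse_aaa(config_text).get(service.lower())
    if tag is None:
        return "enable password" if service.lower() == "enable" else "passwd"
    if tag.upper() == "LOCAL":
        return "local username password"
    return "AAA server group " + tag


def explain_symptom(config_text):
    """One-line diagnosis for the thread's symptom: a changed 'enable password'
    that is still not what the SSH user types at the enable prompt."""
    src = credential_source(config_text, "enable")
    if src == "enable password":
        return "enable prompt checks the global enable password"
    return "enable prompt checks the " + src + ", not the global enable password"
```

Run against the sample, it reports that the enable prompt checks the local username's password, which is exactly why a new `enable password` appears to be ignored over SSH while `aaa authentication enable console LOCAL` is present.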
 
smckeown777 Commented:
The command you need is

enable password <your password> encrypted
0
 
tolinrome Author Commented:
When I tried that it says it is too short (paraphrasing), but when I look at another firewall set up exactly as this one, it uses the same password and didn't give that error.
Both firewalls have the same setup and the hashing characters in the passwords are exactly the same, but the two passwords are actually different.
0
 
smckeown777 Commented:
Half asleep here...sorry

Leave out the 'encrypted' bit I mentioned above...by default all enable passwords on the ASA are encrypted

Try it again and see...

enable password <your password>
0
 
tolinrome Author Commented:
It won't take the new password, it still retains the old one. It looks like it takes it, but when I log out and back in, it's still the old password. Could this have anything to do with the local aaa authentication?

cisco(config)#enable password <my password>
cisco(config)#
0
 
smckeown777 Commented:
When you say 'log out and back in' what do you mean? From console or telnet? How are you logging in exactly?
0
 
tolinrome Author Commented:
SSH
0
 
smckeown777 Commented:
Right, well SSH and enable are 2 different passwords...so I want to be sure there is no confusion here

To set password for ssh you use

passwd <your password>

That sets the SSH password...is that what you are getting confused on?
0
 
tolinrome Author Commented:
No, I can log in fine using SSH, that's no problem. The only problem is that when I change the enable password, it doesn't take it, I still have to use the old enable password. But what's confusing is that when I type the new enable password it acts like it's taking it. For example:

1. I log in using SSH
2. I change the enable password
    cisco(config)#enable password <my password>
    cisco(config)#
3. I exit the device without saving (wr mem)
4. I log back in using SSH
5. I go into enable mode and it's the old password again, not the new one I just created.

Thanks for helping.
0
 
smckeown777 Commented:
Ok, well either it's a bug (what version IOS are you on?) or this line is possibly causing your issue

aaa authentication enable console LOCAL

Remove that and test again...

no aaa authentication enable console LOCAL

I think that means 'each user has a separate enable password different from the global one'...

To confirm - does your new enable password work? Even though the older one does as well?
0
 
tolinrome Author Commented:
I know it's not a bug since others on the same version are fine. So it probably has something to do with the local authentication, but I want to fully understand first before cancelling out that line.
0
 
tolinrome Author Commented:
Anyone?
0
 
tolinrome Author Commented:
Anyone?
0
 
tolinrome Author Commented:
Problem is the ASA is in a remote site and I can't console in.
0
 
serialband Commented:
Get yourself a remote console, such as a Lantronix Spider, Duo, or SLC, depending on how many console connections you need. You can set up your firewall to only allow connections from your location, and you can have remote console access to all your systems.
0