topic Username on an ASA question in Network Security

Username on an ASA question

WStoffel1 — Tue, 12 Mar 2019 01:46:22 GMT

Just ran into this. Customers ASA 5510 and they are using the default "pix" login. I can log into the command line with pix just fine. I created a user account, call it:

username jsmith password Passw0rd priv 15

I'm unable to log into the command line with jsmith. I can get into ASDM with it.

Sorry about being unable to post this config but I was hoping this might jog some memories and people could point me at things to look for.

Thank you very much.

Re: Username on an ASA question

Jouni Forss — Mon, 20 May 2013 18:00:36 GMT

Hi,

You probably need to change some "aaa" related configuration on the ASA

Here are some examples to change the different management connections to use AAA information either locally on the ASA or on an external AAA server

aaa authentication http console LOCAL

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

So juding by what you say, Telnet and/or SSH does not have any of the above configuerations but HTTP is set to use LOCAL authentication.

You can use "show run aaa" command to view the output/settings

- Jouni

Username on an ASA question

WStoffel1 — Mon, 20 May 2013 18:31:06 GMT

That's what I thought. So..

# sh run http

http server enable

http 7.x.x.0 255.255.252.0 outside

http 7.x.x.21 255.255.255.255 outside

# sh run aaa

aaa local authentication attempts max-fail 5

I would expect to see something along the lines of aaa authentication http console LOCAL
since ASDM works with a local username...?

But I just did a quick test and setup aaa authentication, and it broke the pix user account...does that make sense? Like using local authentication disables the default pix account?

Which I can't do, so it may all be a waste of time anyway...

Username on an ASA question

Jouni Forss — Mon, 20 May 2013 18:36:55 GMT

Hi,

Tried it on my ASA also and it does seem that the ASA accepts the LOCAL username/password even without the related "aaa authentication" configuration for "http"

I wonder if it would be possible to create the "pix" username and password to the LOCAL database and this way seemingly avoid the situation where the default "pix" username wouldnt work?

- Jouni

Re: Username on an ASA question

Jouni Forss — Mon, 20 May 2013 18:38:07 GMT

Doesnt seem that the ASA has nothing against using "pix" as a username on the LOCAL database.

This would essentially enable you to configure the "pix" username on the LOCAL database of the ASA with the password that the customer is using, effectively making it so that the customer doesnt see any change while logging to the device.

- Jouni

Username on an ASA question

Jouni Forss — Mon, 20 May 2013 18:42:03 GMT

Hi,

Found the answer to the username/password behaviour with ASDM

By default, you can log into ASDM with a blank username and the enable password (see Device Name/Password, page 10-12).

However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/aaasetup.html#wp1284438

- Jouni

Re: Username on an ASA question

WStoffel1 — Mon, 20 May 2013 19:13:21 GMT

OK so i'm not too crazy, ASDM just sort of works

I'm going out on a limb here but I think this one was upgraded from a Pix firewall long ago...

Thanks for the insights though, much appreciated.

Just an update for reference, added in this morning:

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

and my LOCAL logins work as expected for any of the methods, but the Pix username is no longer valid.

Not much out there on the default username of Pix but as far as i can tell it's a default login that's NOT stored in LOCAL and is somehow disabled when AAA is setup. http://www.techexams.net/forums/ccnp/70330-disable-ssh-pix-username-cisco-password.html

Anyway, shouldn't be an issue anyplace with a reasonable security policy