ASA 1100: enable password change not executing.

Hello.

Unlike on my company's ASA5525 (and other Cisco hardware), the simple resetting of the "enable password" is not taking effect, despite no symptoms from the CLI execution. I have tried this many times. Example:

#enable password PIZZA

#

-- When I log out and back in, the old enable password remains. IOS version details are below.

Assistance please? Thank you!

_____

Cisco Adaptive Security Appliance Software Version 9.17(1)
SSP Operating System Version 2.11(1.154)
Device Manager Version 7.17(1)

Hardware: FPR-1120, 14336 MB RAM, CPU Atom C3000 series 2000 MHz, 1 CPU (12 cores)


@jmaxwellUSAF you are in "conf t" when you set the password right? Does the output confirm an error when the password was set?

correct.

There is no error symptom when setting the password. It simply doesn't register when logging in again. The old password still persists.

If this helps-- recently I cleared out many users. One of the users was "all". (Or maybe I saw something say password "all". It did look strange. I should have paid more attention.) Maybe that "all" account or word had significance? (Maybe not.)

@jmaxwellUSAF is this a new (fresh) appliance? Is aaa already configured?

How are you connecting, via console?

this is an old appliance.

AAA is...

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authentication login-history

I am connecting via PuTTY and also the Cisco CLI tool. SSH port 22.

I have tried resetting the "enable" password about 10 times. Always the same symptom. It only accepts the old password.

I ran the "Cisco CLI analyzer" system diagnostic. The only possible relevant hit was below. I think this is irrelevant.

"This device is susceptible to CSCwb88651: Cisco ASA and FTD Software RSA Private Key Leak Vulnerability"

I have one idea, but I need to check it first. I don't like to recommend anything about administering the ASA if I am not 100% sure whether it works or not.

@jmaxwellUSAF this command "aaa authentication enable console LOCAL" and "aaa authentication ssh console LOCAL" would use the local user account database and prompt for a username/password, not the enable password.

Providing a screenshot might be useful.

 

screenshot


- (user password)

>(new enable password)

>(old enable password)

#conf t

#enable password (new enable password)

#

---I log off then in-- The symptom persists.

Maybe the symptom is caused by privilege level? My privilege level has been explicitly set at 15.

aaa authentication enable default console LOCAL <<- this is what I want to try.
Please remember all enable passwords before making any change to the administration of the ASA.
Write them in your notebook.

(config)# aaa authentication enable default console LOCAL
                                                       ^
ERROR: % Invalid input detected at '^' marker.

screenshot 

 


NOTE: Please check and double-check before applying any change; we are talking here about administration of the ASA.



Case 1
The config without enable password and aaa authen enable console LOCAL.
You can see that both users, even with different privileges, can access ASA enable mode with any password; just press Enter.

[screenshot]

Case 2
The config with enable password and aaa authen enable console LOCAL.
You can see that the user with privilege 15 can access ASA enable mode by entering the password we configured before.

[screenshot]

You can see that the user with privilege 1 cannot access ASA enable mode even when entering the enable password.

[screenshot]
