11-26-2013 03:11 PM - edited 03-11-2019 08:09 PM
Hi,
I have an ASA 5505 that was previously using an AAA server for authentication/authorization. This AAA Server is gone. Now, I'd like to log in locally. However, I do not know any local passwords. I used the Cisco guide to reset the password (confreg 0x40) and I am able to boot into privileged mode as directed. However, when I try to copy the start config to the running config I get:
Fallback authorization. username 'enable_15' not in LOCAL database
Command authorization failed
It seems the enable_15 local user is missing.
Any idea how I can reset the password now?
Thanks.
11-26-2013 08:57 PM
You need to create a local user with privilege 15 first and then copy the configuration over.
Value our effort and rate the assistance!
11-27-2013 10:51 AM
Hello,
You can just create the user:
username admin password password privilege 15
If you are no longer using the AAA server, I would suggest removing those commands.
Regards,
Felipe.
Remember to rate useful posts.
11-27-2013 12:04 PM
Create a local user on the ASA with priv 15, log in with that user, remove the AAA configs and try to save the config.
Try this command also: aaa authentication ssh console LOCAL
11-27-2013 02:01 PM
Thank you all for the replies. My problem is that the ACS server that the ASA was using is no longer available to me (I cut ties with the company that was providing the ACS service).
Therefore, I cannot log in to the ASA with any account that has enough privileges to create a local user as you are all mentioning as a solution.
11-27-2013 02:29 PM
You can try to remove the aaa authorization commands, but if it does let you, another way will be to back up the configuration, remove the commands from the backup and add the user, then copy it back to the ASA.
Regards,
Felipe.
Remember to rate useful posts.
11-28-2013 11:16 AM
If you are unable to access the ASA, it is very likely that either the enable 15 user is missing or that the AAA config is not configured to use the local user account as a fallback. Have a look at this link to perform a password recovery on the ASA 5505.
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wp1049302
--
Please rate all helpful posts and select a correct answer
03-04-2016 09:44 AM
So almost everybody here gave a stupid answer: remove aaa or add enable privilege level 15.
None of those will work, since you can't log in because authorization failed. Some suggested doing it before you copy the config. Beautiful, but when you do that you modify the running-config, which is empty/clean anyway. Once you copy startup to running, all those changes will be overwritten and you end up in the same place you were.
Does anyone have a good idea?
Seems like copying the config to a tftp server and modifying it there is an option, or copy the config to tftp, do a write mem on the ASA with a clean config (to clear the config) and then paste whatever you need from the tftp copy.
It seems stupid that Cisco didn't compensate for the case where someone forgets to add authorization console LOCAL.
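An added example, not part of the thread and not Cisco tooling: a Python check to run over the config copy saved off the ASA before it is pasted back, flagging AAA lines that have no LOCAL fallback or that rely on LOCAL when no privilege-15 local user exists. The sample config, the server-group name ACS and the function name are constructed for illustration.

```python
import re

# Constructed sample of a saved ASA configuration (not taken from the thread).
SAMPLE_CONFIG = """\
hostname asa5505
aaa-server ACS protocol tacacs+
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS
aaa authorization command ACS LOCAL
username operator password 0123456789abcdef encrypted privilege 5
"""

def audit_asa_aaa(config_text):
    """Return (finding, config line) pairs for AAA lines that risk a lockout."""
    lines = [l.strip() for l in config_text.splitlines()]
    # Local users that could still administer the box if the AAA server is gone.
    priv15 = [m.group(1) for l in lines
              if (m := re.match(r"username (\S+) .*\bprivilege 15\b", l))]
    findings = []
    for l in lines:
        w = l.split()
        if w[:2] == ["aaa", "authentication"] and w[3:4] == ["console"]:
            methods = w[4:]      # aaa authentication <type> console <methods>
        elif w[:3] == ["aaa", "authorization", "command"]:
            methods = w[3:]      # aaa authorization command <methods>
        else:
            continue
        if "LOCAL" not in methods:
            # Server group only: nothing to fall back to when it is unreachable.
            findings.append(("no-local-fallback", l))
        elif not priv15:
            # Fallback exists, but no local account has enough privilege.
            findings.append(("local-without-priv15-user", l))
    return findings

if __name__ == "__main__":
    for finding, line in audit_asa_aaa(SAMPLE_CONFIG):
        print(f"{finding}: {line}")
```
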
03-06-2016 02:18 AM
Hi,
When you copy a configuration from startup to running, it doesn't throw you out of the console. You would still have access, so after startup to running, you can make changes.
Regards,
Akshay Rastogi
03-07-2016 05:53 AM
Nobody said here it will throw you out from the console. All I was saying is you can't modify it, since authorization doesn't allow you to get to the startup config! Modifying run as people suggested and then copying startup will overwrite run, so it won't work.