10-16-2018 06:07 AM - edited 02-21-2020 08:21 AM
So I configured Active-Active failover on my 5545 ASAs, and everything looks great other than 1 small thing: users cannot save passwords on their clients anymore. I "ticked" that in ASDM before, which is the equivalent of setting "password-storage enable" in the group policy attributes, but now the command is gone via SSH, and in ASDM it is greyed out wherever I can find it.
Any ideas how I can "resurrect" the feature?
Thank you in advance!
10-16-2018 09:44 PM
10-17-2018 02:34 AM - edited 10-17-2018 02:36 AM
This setting is usually in group policy, but I still created a new profile, which generated a new group policy, and the store password option is not there.
I also did some investigating in the CLI, and the command is not available and is not present in the DfltGrpPolicy:

FW/admin# sh run all group-policy DfltGrpPolicy
group-policy DfltGrpPolicy internal
group-policy DfltGrpPolicy attributes
 banner none
 wins-server none
 dns-server none
 dhcp-network-scope none
 vpn-access-hours none
 vpn-simultaneous-logins 3
 vpn-idle-timeout 30
 vpn-idle-timeout alert-interval 1
 vpn-session-timeout none
 vpn-session-timeout alert-interval 1
 vpn-filter none
 vpn-tunnel-protocol ikev1 ikev2
 ip-comp disable
 group-lock none
 pfs disable
 split-tunnel-policy tunnelall
 ipv6-split-tunnel-policy tunnelall
 split-tunnel-network-list none
 default-domain none
 split-dns none
 split-tunnel-all-dns disable
 client-bypass-protocol disable
 gateway-fqdn none
 msie-proxy server none
 msie-proxy method no-modify
 msie-proxy except-list none
 msie-proxy local-bypass disable
 msie-proxy pac-url none
 msie-proxy lockdown enable
 vlan none
 address-pools none
 ipv6-address-pools none
 smartcard-removal-disconnect enable
 security-group-tag none
 periodic-authentication certificate none
 webvpn
  homepage none
  anyconnect ssl dtls enable
  anyconnect mtu 1406
  anyconnect firewall-rule client-interface private none
  anyconnect firewall-rule client-interface public none
  anyconnect keep-installer installed
  anyconnect ssl keepalive 20
  anyconnect ssl rekey time none
  anyconnect ssl rekey method none
  anyconnect dpd-interval client 30
  anyconnect dpd-interval gateway 30
  anyconnect ssl compression none
  anyconnect dtls compression none
  anyconnect modules none
  anyconnect profiles none
  anyconnect ssl df-bit-ignore disable
  anyconnect routing-filtering-ignore disable

FW/admin(config-group-policy)# password-storage enable
                               ^
ERROR: % Invalid input detected at '^' marker.
FW/admin(config-group-policy)#
FW/admin(config-group-policy)# password-storage ?
ERROR: % Unrecognized command
So it seems like this command is not available at all?
Here is the version info, which I guess would be helpful:

FW/admin# sh version

Cisco Adaptive Security Appliance Software Version 9.9(2) <context>
Firepower Extensible Operating System Version 2.3(1.84)
Device Manager Version 7.9(2)

Compiled on Sun 25-Mar-18 17:39 PDT by builders

FW up 12 hours 10 mins
failover cluster up 4 days 17 hours

Hardware:   ASA5545, 12288 MB RAM, CPU Lynnfield 2659 MHz, 1 CPU (8 cores)
ASA: 6455 MB RAM, 1 CPU (1 core)
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
10-18-2018 06:18 AM
After switching back to single context the "password-storage enable" command is back in the group-policy and works as expected. Maybe I am missing something, but this setup is ok for me, so I will stick to single context and Active/Standby HA setup.