
ASA 9.19 Forced Password Changes

dhau
Level 1

We have upgraded some firewalls to ASA 9.19.1. I noticed that if I change the hash of some other user's password on the firewall, that when that other user logs in, they are forced to change their password. The idea is that the admin who put in the hash won't ultimately know what the user's password will be when they change it.

Is there a way to remove this flag or feature? The "show aaa local user" command provides columns on Lock-time, Failed-attempts, Locked, Expired, New-User for listed users on the firewall. Is there a way to make it so the New-User column doesn't trigger password changes?
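An admin who pushes a new hash onto a user account usually wants to know, before that user logs in, which accounts now carry the New-User flag (and which are Expired or Locked for other reasons). The script below is an added example, not from this thread or from Cisco: it takes the text of `show aaa local user`, derives the column boundaries from the header line, and reports which users have each flag set. The column names are the ones quoted in the question; the sample rows and their alignment are constructed for the example, so the real 9.19 layout may differ, which is why the parser reads column positions from whatever header it is given instead of hard-coding them.

```python
import re
from typing import Dict, List, Optional, Tuple

# Column names come from the question; the rows below are constructed for
# this example and are NOT captured from an ASA. Each value is left-justified
# to a fixed width so the sample lines up the way CLI tables do.
_WIDTHS = (18, 17, 8, 9, 10)  # widths of every column except the last


def _row(*values: str) -> str:
    """Build one aligned sample line; the final column runs to end of line."""
    head = "".join(v.ljust(w) for v, w in zip(values, _WIDTHS))
    return head + values[-1]


SAMPLE_OUTPUT = "\n".join([
    _row("Lock-time", "Failed-attempts", "Locked", "Expired", "New-User", "User"),
    _row("-", "0", "N", "N", "N", "admin"),
    _row("-", "0", "N", "N", "Y", "jsmith"),        # hash replaced by an admin
    _row("-", "3", "N", "Y", "N", "svc-backup"),    # password lifetime expired
    _row("12:45:10 UTC Mon", "5", "Y", "N", "N", "contractor"),  # locked out
])


def column_spans(header: str) -> List[Tuple[str, int, Optional[int]]]:
    """Derive (name, start, end) for each column from the header line.

    A column ends where the next header word begins; the last one is
    open-ended so a trailing value of any length is captured.
    """
    words = [(m.group(), m.start()) for m in re.finditer(r"\S+", header)]
    spans = []
    for i, (name, start) in enumerate(words):
        end = words[i + 1][1] if i + 1 < len(words) else None
        spans.append((name, start, end))
    return spans


def parse_local_users(text: str) -> List[Dict[str, str]]:
    """Turn the table into one dict per user, keyed by header column name."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    spans = column_spans(lines[0])
    users = []
    for line in lines[1:]:
        row = {name: line[start:end].strip() for name, start, end in spans}
        if row.get("User"):  # skip separator lines or rows without a name
            users.append(row)
    return users


FLAG_COLUMNS = ("New-User", "Expired", "Locked")


def flagged_users(text: str) -> Dict[str, List[str]]:
    """Map each flag column to the users that have it set to Y."""
    result: Dict[str, List[str]] = {col: [] for col in FLAG_COLUMNS}
    for user in parse_local_users(text):
        for col in FLAG_COLUMNS:
            if user.get(col, "").upper() == "Y":
                result[col].append(user["User"])
    return result


if __name__ == "__main__":
    # Run against the constructed sample; feed real output via stdin or a
    # file in practice.
    for col, names in flagged_users(SAMPLE_OUTPUT).items():
        print(f"{col:9} {', '.join(names) or '-'}")
```

Run after changing a hash and the New-User list tells you exactly who will be prompted at next login, so the change can be announced rather than discovered; the Locked and Expired lists come for free from the same table.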

Accepted Solution

mmohammed
Level 1

Good wishes Dhau,

The behavior you are observing is a feature of the Cisco ASA firewall's password management system. When an administrator changes a user's password hash, the user is forced to change their password upon their next login. This is a security measure designed to ensure that users have control over their own passwords and that passwords are not shared or compromised.

Unfortunately, there is no way to disable this feature within the Cisco ASA firewall's password management system. The "New-User" flag is used to indicate that a user's password needs to be changed and cannot be disabled or removed.

If you do not want users to be prompted to change their passwords when you change their password hash, you could consider implementing a different password management system that does not have this behavior.

Please rate all helpful comments accordingly.

2 Replies

dhau
Level 1

I see. Thanks for the quick reply. We are moving towards ISE to do device administration so this won't cause issues in the long-term.

Thanks again.
