04-24-2024 03:09 PM
After searching through other posts, my config seems OK but still strange behaviour
asa 9.20 running on FPWR chassis
I cannot get in enabled mode when connecting to ASA via console.
It used to work but stopped after I played (disable and restore) with aaa authentication LOCAL vs remote setting.
Tests done: tried console and telnet for comparison; telnet - no problem, console: get stuck with the >
1. local password test
with these settings
/admin# sh run aaa
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 3
no aaa authentication login-history
and locally configured user
telnet: OK, enable - OK
console: NOK
%Login failed
and the low privilege prompt from the firewall (ASA)
ciscoasa>
I tried one after another
>en
> login
> exit and again login
all failures. For the login I manage to log in as far as the initial prompt
2. Remote authentication does not work either
I tested with aaa authentication and authorisation debug on and the radius debug
Only radius debug output but not when trying to en on the console:
with these settings
admin# sh run aaa
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa local authentication attempts max-fail 3
no aaa authentication login-history
prompt on console
hostname>
---no radius debug
exit (logoff) and prompt to login
Username (radius user)
<<<<<<<there is a radius debug output; user priv15
>en
radius password - Invalid password
enable local - Invalid password
<<<<<<<there is NO radius debug output
telnet:
prompt: OK
en: OK
in both cases radius debug output
There is no authorisation setting
the closest issue was described here
https://community.cisco.com/t5/network-security/unable-to-go-to-enable-mode-of-asa-via-console/td-p/2469186
but did not help
I tried the
aaa authorization exec authentication-server auto-enable described here
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-cli-reference/A-H/asa-command-ref-A-H/aa-ac-commands.html#wp6184732320:~:text=the%20AAA%20configuration.-,aaa%20authentication%20console,-To%20authenticate%20users
But it did not bring any effect - even for the ssh, which I had always authed by RADIUS
I have not configured any other authorization as I did not want to log myself out, and a reload would not be handy either, as it is a cluster so it would need to be done simultaneously
Looking at the snippets here:
https://community.cisco.com/t5/network-security/aaa-for-serial-login-in-asa/td-p/4057264
I guess I miss the
aaa authori command RADIUS LOCAL,
However I do not really think I need any authorization for my setup to work.
The reason I touched it was to make the login go directly to privileged mode. Which did not happen
Any hint will be appreciated
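The two "sh run aaa" snippets above show the point the poster is circling: on the ASA, the serial-console login and the enable step are guarded by separate method lists, and an access path with no "aaa authentication ... console" line is not handled by AAA at all. The checker below is an added example written for this thread (it is not from the poster or from Cisco); it parses those lines and reports, per access path, which server list applies and where a login list and the enable list diverge, plus whether the "aaa authorization exec ... auto-enable" command mentioned later in the thread is present. The sample configs are the two posted above; the assumed rule that a missing enable line falls back to the enable password is standard ASA behaviour.

```python
"""Audit an ASA 'show run aaa' snippet: which method list guards each access path.

Added example for the thread, not the poster's or Cisco's code.
"""
import re

# Constructed samples: the two configurations the poster listed.
SAMPLE_LOCAL = """\
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa local authentication attempts max-fail 3
no aaa authentication login-history
"""

SAMPLE_RADIUS = """\
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication serial console RADIUS LOCAL
aaa local authentication attempts max-fail 3
no aaa authentication login-history
"""

ACCESS_TYPES = ("serial", "ssh", "telnet", "http", "enable")
AUTH_RE = re.compile(r"^aaa authentication (\w+) console (.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization exec (authentication-server|LOCAL)( auto-enable)?$")


def parse_aaa(config):
    """Return ({access_type: [method, ...]}, authz) from 'show run aaa' text."""
    methods = {}
    authz = None
    for line in config.splitlines():
        line = line.strip()
        m = AUTH_RE.match(line)
        if m and m.group(1) in ACCESS_TYPES:
            methods[m.group(1)] = m.group(2).split()
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz = {"source": m.group(1), "auto_enable": bool(m.group(2))}
    return methods, authz


def audit(config):
    """Return (methods, findings): findings are the gaps a reviewer would point at."""
    methods, authz = parse_aaa(config)
    findings = []
    for access in ("serial", "ssh", "telnet", "http"):
        if access not in methods:
            findings.append(f"{access}: no 'aaa authentication {access} console' line; "
                            "login on this path is not handled by the AAA server lists")
    if "enable" not in methods:
        # Assumed ASA behaviour: without this line the 'enable password' applies.
        findings.append("enable: not under AAA; the enable password applies on every path")
    else:
        for access in ("serial", "ssh", "telnet"):
            if access in methods and methods[access] != methods["enable"]:
                findings.append(f"{access} login uses {methods[access]} but enable uses "
                                f"{methods['enable']}; 'en' is checked against a different list")
    if authz is None or not authz["auto_enable"]:
        findings.append("no 'aaa authorization exec ... auto-enable': users land at '>' and must 'en'")
    return methods, findings


if __name__ == "__main__":
    for name, cfg in (("local", SAMPLE_LOCAL), ("radius", SAMPLE_RADIUS)):
        methods, findings = audit(cfg)
        print(f"== {name} ==")
        for access, lst in methods.items():
            print(f"  {access:7s} -> {' '.join(lst)}")
        for f in findings:
            print(f"  ! {f}")
```

Run against the first snippet it reports that ssh logs in via RADIUS while enable is checked against LOCAL only; against the second it reports that telnet has no AAA line at all, which is worth knowing before treating a successful telnet "en" as proof that the server path works.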
04-26-2024 06:02 AM - edited 04-26-2024 06:03 AM
I cannot share that information however, as mentioned in the initial description - I did the aaa debugs:
for the console connection:
- there is output when I login
- there is no output when I am logging in to the privileged mode
for the ssh connection:
- there is output when I login
- there is output when I am logging in to the privileged mode
My comment was just proving that the console enable mode does not use remote authentication
In any case: the issue is solved
04-26-2024 08:30 AM
Good. Please mark the issue as solved then.
Also, I still recommend enabling authorization with "aaa authorization exec authentication-server auto-enable" provided that you configured RADIUS correctly to send Service-Type attribute.
04-26-2024 08:41 AM
I don't need to share anything sensitive here,
I already do that; at night I will share where you can locate the important value to solve this issue
until that time
MHM
04-26-2024 06:08 AM
Glad you came to the bottom of this and that the issue is now solved which is matching what was pointed out by @tvotna.