Cisco ASA 5506X Enable password not working

antonyxvr88
Level 1

Hi There,

I am changing the enable password for an ASA 5506X so that if AAA TACACS+ (ACS 5.8) is unreachable I should be able to log in through my local ID database. I am able to log in via SSH successfully to USER MODE of the ASA via the local ID database; however, I am unable to pass through enable mode.

Please note: I am able to pass through enable mode using the USER MODE password, not with the ENABLE password 12345.

Local ID Database:

Username XXXXX Password YYYYY

Enable password 12345

After passing through USER MODE, I am unable to authenticate using the enable password 12345, but I am able to pass through enable mode using the user mode password YYYYY.

ASA configuration:
===============

AAA:
=====

AAA-server Group name protocol TACACS+
AAA-server Group name (inside) host 1.1.1.1
AAA-server Group name protocol radius
AAA-server Group name (inside) host 2.2.2.2
AAA-server Group name (inside) host 3.3.3.3
AAA authentication enable console Group name LOCAL
AAA authentication SSH console Group name LOCAL
AAA authentication http console Group name LOCAL
AAA authorization command Group name LOCAL
AAA authorization http console Group name
AAA authentication login-history

Username and password:
===================

Username XXXXX Password YYYYY== pbkdf2 privilege 15

enable password 12345== pbkdf2

Thanks & Regards,

8 Replies

Francesco Molino
VIP Alumni

Hi

I'm not sure I understand your issue.

You log in to your ASA using your TACACS account and then you try to go into enable but that doesn't work?

What's not working? Typing enable and not getting the enable prompt, or the enable password not working?

Have you checked your TACACS logs to see what's coming in and if anything is in error?

Thanks
Francesco

Hi Francesco,

Thanks for your reply.

The problem here is the fallback option: when my TACACS+ server is unreachable, it should fall back to local database credentials. After entering USER MODE credentials (from the local database), the ENABLE password prompt appears, but after entering the correct ENABLE password it does not pass through. It does not show any error message but again prompts for the ENABLE password.

In short, I have configured an enable password on the Cisco ASA 5506x devices but it is not taking effect while logging in with local database credentials.

But if I enter the USER MODE password at the ENABLE password prompt it works.

Logs:
======

Cisco ASA 5506x login with local database.

USER MODE Credential:
###################

login as: XXXXXX

Password : YYYYYY

Prompt for Enable password:
========================

CiscoASA5506x > Enable

Password: 12345 (Not working, again it will prompt for enable password)

Password: 

But if I enter the USER mode password at the Enable password prompt it works:

CiscoASA5506x > Enable

Password: YYYYYY (It works fine)

CiscoASA5506x # 

CiscoASA5506x #

Please let me know if you need any further clarification on this.

Regards,

Antony


balaji.bandi
Hall of Fame

It only falls back to LOCAL if TACACS is not available; if TACACS is available it always uses the authentication mechanism against TACACS.

BB


Hi Balaji,

Thank you for your response.

The problem here is the fallback to local database credentials: when the TACACS+ server is unavailable, it should fall back to the local database. I am able to pass through with USER mode credentials but not with the ENABLE password. Please find the logs below for your reference and let me know if you need any further details.

Logs:
======

Device configurations:
=================

Username XXXXX Password YYYYY== pbkdf2 privilege 15

enable password 12345== pbkdf2

Cisco ASA 5506x login with local database credentials when the TACACS+ server is unavailable.

USER MODE Credential:
###################

login as: XXXXXX

Password : YYYYYY

Prompt for Enable password:
========================

CiscoASA5506x > Enable

Password: 12345 (Not working, again it will prompt for enable password)

Password: 

But if I enter the USER mode password at the Enable password prompt it works:

CiscoASA5506x > Enable

Password: YYYYYY (It works fine)

CiscoASA5506x # 

CiscoASA5506x #

Please let me know if you need any further clarification on this.

Regards,

Antony

Hi @antonyxvr88,

Your AAA configuration looks OK, and it should prompt you for the local enable password once the TACACS+ servers are unavailable.

What is your reactivation mode for aaa-servers? It could happen that as soon as your aaa-server gets declared as FAIL, due to reactivation mode, it automatically goes back to ACTIVE, thus you never get to the local DB.

Try with 'show run all aaa-server' to see what is configured. You could also try to play around with it a bit, to see what option suits you best.

BR,

Milos

Hi,

Do you log in via SSH or from the console?

If via console, try adding:

aaa authentication serial console <GROUP NAME> LOCAL

WillDudeGuy
Level 1

Hey Mate,

I believe the reason this is happening is because of your AAA statement.

With respect to your command "AAA authentication enable console Group name LOCAL":

this means when you type enable it will look at your AAA server; if that's unreachable it will look at the local DB.

The enable password command is only used when AAA is not going to be used for authentication into Privileged EXEC mode.

Hope this helps.

Will


shiran.wang
Level 1

Hi All,

I think this command affects your enable password:

AAA authentication enable console Group name LOCAL

Let me explain why. When your enable password is "12345" and your login user name is "admin" with password "Cisco123", you can log in to your device as admin/Cisco123, and the enable password is "Cisco123".

If you delete "AAA authentication enable console Group name LOCAL", your enable password becomes "12345".
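Drawing on Will's and Shiran's explanation of the enable authentication statement together with Milos's reactivation-mode check, here is an added configuration illustration; it is not the poster's running config or text from any reply. TAG, the host address, the key and the passwords are placeholders standing in for the thread's "Group name" and XXXXX / YYYYY / 12345.

```cisco
! Added illustration, not the poster's running config or any reply's own text.
! TAG, 1.1.1.1, the key and the passwords are placeholders standing in for the
! thread's "Group name" and XXXXX / YYYYY / 12345.

! --- As posted: privileged mode is authenticated by TACACS+, falling back to LOCAL.
! On the LOCAL fallback path the "enable" prompt checks the local *username's*
! password (YYYYY), so "enable password 12345" is never consulted on this path.
aaa-server TAG protocol tacacs+
aaa-server TAG (inside) host 1.1.1.1
 key PLACEHOLDER-KEY
aaa authentication ssh console TAG LOCAL
aaa authentication enable console TAG LOCAL
username XXXXX password YYYYY privilege 15
enable password 12345

! --- If the separate enable password must gate privileged mode, drop the enable
! authentication statement: "enable" then uses "enable password" on every path,
! including when TACACS+ is reachable (SSH login still goes TACACS+ then LOCAL).
no aaa authentication enable console TAG LOCAL

! --- Milos's check: make sure a failed server stays FAIL long enough to reach LOCAL.
! With depletion mode, failed servers are retried only once every server in the
! group has failed and the deadtime (minutes) has elapsed; timed mode retries a
! failed server after 30 seconds.
aaa-server TAG protocol tacacs+
 reactivation-mode depletion deadtime 10
 max-failed-attempts 3

! Verify what is actually configured and the current server state.
show run all aaa-server
show aaa-server TAG
```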

 

 
