Cisco ASA 5506X Enable password not working
12-12-2020 12:56 PM
Hi There,
I am changing the enable password for an ASA 5506X so that if AAA TACACS+ (ACS 5.8) is unreachable I can log in through my local ID database. I am able to log in via SSH successfully to USER MODE of the ASA via the local ID database; however, I am unable to pass through to Enable mode.
Please note: I am able to pass through enable mode using the USER MODE password, not with the ENABLE password 12345.
Local ID Database:
Username XXXXX Password YYYYY
Enable password 12345
After passing through USER MODE, I am unable to authenticate using the enable password 12345, but I am able to pass through enable mode using the user mode password YYYYY.
ASA configuration:
===============
AAA:
=====
AAA-server Group name protocol TACACS+
AAA-server Group name (inside) host 1.1.1.1
AAA-server Group name protocol radius
AAA-server Group name (inside) host 2.2.2.2
AAA-server Group name (inside) host 3.3.3.3
AAA authentication enable console Group name LOCAL
AAA authentication SSH console Group name LOCAL
AAA authentication http console Group name LOCAL
AAA authorization command Group name LOCAL
AAA authorization http console Group name
AAA authentication login-history
Username and password:
===================
Username XXXXX Password YYYYY== pbkdf2 privilege 15
enable password 12345== pbkdf2
Thanks & Regards,
12-12-2020 08:39 PM
Hi
I'm not sure I understand your issue.
You log in to your ASA using your TACACS account and then you try to go into enable, but that doesn't work?
What's not working? Typing enable and not getting the enable prompt, or the enable password not working?
Have you checked your TACACS logs to see what's coming in and whether anything is in error?
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
12-13-2020 07:02 PM
Hi Francesco,
Thanks for your reply,
The problem here is the fallback option: when my TACACS+ server is unreachable, it should fall back to local database credentials. After entering USER MODE credentials (from the local database), the ENABLE password prompt appears; after entering the correct ENABLE password it does not pass through. It does not show any error message but again prompts for the ENABLE password.
In short, I have configured an enable password on the Cisco ASA 5506X devices, but it is not taking effect when logging in with local database credentials.
But if I enter the USER MODE password at the ENABLE password prompt, it works.
Logs:
======
Cisco ASA 5506x Login with local database.
USER MODE Credential:
###################
login as: XXXXXX
Password : YYYYYY
Prompt for Enable password:
========================
CiscoASA5506x > Enable
Password: 12345 (Not working, again it will prompt for enable password)
Password:
But If I enter USER mode password in the Enable password it works:
CiscoASA5506x > Enable
Password: YYYYYY (It works fine)
CiscoASA5506x #
CiscoASA5506x #
Please let me know if you need any further clarification on this.
Regards,
Antony
12-13-2020 12:35 AM
It only falls back to LOCAL if TACACS is not available; if TACACS is available, it always uses the authentication mechanism against TACACS.
12-13-2020 07:08 PM
Hi Balaji,
Thank you for your response.
The problem here is the fallback to local database credentials: when the TACACS+ server is unavailable, it should fall back to the local database. I am able to pass through with the USER mode credentials but not with the ENABLE password. Please find the logs below for your reference and let me know if you need any further details.
Logs:
======
Device configurations:
=================
Username XXXXX Password YYYYY== pbkdf2 privilege 15
enable password 12345== pbkdf2
Cisco ASA 5506x Login with local database credentials when TACACS+ server is unavailable.
USER MODE Credential:
###################
login as: XXXXXX
Password : YYYYYY
Prompt for Enable password:
========================
CiscoASA5506x > Enable
Password: 12345 (Not working, again it will prompt for enable password)
Password:
But If I enter USER mode password in the Enable password it works:
CiscoASA5506x > Enable
Password: YYYYYY (It works fine)
CiscoASA5506x #
CiscoASA5506x #
Please let me know if you need any further clarification on this.
Regards,
Antony
08-15-2021 11:50 PM
Hi @antonyxvr88,
Your aaa configuration looks ok, and it should prompt you for the local enable password once the TACACS+ servers are unavailable.
What is your reactivation mode for the aaa-servers? It could happen that as soon as your aaa-server gets declared FAILED, due to the reactivation mode it automatically goes back to ACTIVE, so you never get to the local DB.
Try 'show run all aaa-server' to see what is configured. You could also try to play around with it a bit, to see what option suits you best.
BR,
Milos
08-16-2021 12:45 AM
Hi,
Do you log in via SSH or from the console?
If via console, try adding:
aaa authentication serial console <GROUP NAME> LOCAL
08-15-2021 06:47 PM
Hey Mate,
I believe the reason this is happening is your aaa statement.
With respect to your command "AAA authentication enable console Group name LOCAL":
this means when you type enable it will look at your aaa server; if that's unreachable it will look at the local DB.
The enable password command is only used when aaa is not going to be used for authentication into Privileged Exec mode.
Hope this helps.
Will

09-23-2021 12:55 AM
Hi All,
I think this command affects your enable password:
AAA authentication enable console Group name LOCAL
Let me explain why. When your enable password is "12345"
and your login username is "admin" with password "Cisco123",
you can log in to your device as admin/cisco123
and the enable password is "Cisco123".
If you delete "AAA authentication enable console Group name LOCAL",
your enable password becomes "12345".
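The behaviour Will and the last poster describe, together with Milos's reactivation-mode check, as an added annotated ASA configuration (not the thread's own config; the group name ACS, the host address, the deadtime value and the placeholder secrets are assumptions for the example):

```cisco
! Added illustration, not the poster's configuration. Group name, host
! address, deadtime and secrets are placeholders chosen for this example.
!
! 1. Server group: decide how a FAILED server returns to ACTIVE.
!    With "reactivation-mode timed" a failed server is retried after a fixed
!    interval, so the group can be ACTIVE again before the LOCAL fallback is
!    ever reached (Milos's point). "depletion" keeps the group down for
!    <deadtime> minutes once every server has failed, giving the fallback
!    a window in which it actually applies.
aaa-server ACS protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server ACS (inside) host 1.1.1.1
 key <placeholder-shared-secret>
!
! 2. Enable authentication against the group, LOCAL as fallback.
!    Because this line exists, the "enable password" further down is never
!    consulted: when the group is unreachable, "enable" asks for the password
!    of the username that is already logged in (Will's point). The username
!    carries privilege 15, as in the thread's configuration.
aaa authentication ssh console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL
username admin password <placeholder-user-secret> privilege 15
!
! 3. Only used if "aaa authentication enable console" is removed; then
!    "enable" checks this shared secret instead of the user's password.
enable password <placeholder-enable-secret>
!
! Verify the effective reactivation mode; defaults are hidden by plain
! "show run", so use the "all" form, then watch the server state flip:
!   show run all aaa-server
!   show aaa-server ACS
```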
