08-04-2014 06:05 AM - edited 03-11-2019 09:34 PM
How do I locate the preshared key on an ASA firewall? Specifically, how do I find out what ***** is in the below configuration within my config file on my ASA firewall running 8.4(4)1?
aaa-server xxxxxxx (MGMT) host xxx.xxx.xxx.xxx
timeout 30
key *****
08-06-2014 05:29 AM
You most likely have the following command enabled:
key config-key password-encryption
You can remove it by using the no version of the command, but you will need the "master passphrase" password that was used to create the encryption to be able to decrypt it.
ciscoasa(config)# more system:running-config | in key
key CISCO
ciscoasa(config)# key config-key password-encryption
New key: ********
Confirm key: ********
ciscoasa(config)#
ciscoasa(config)# more system:running-config | in key
key 8 J3z3YkeRt3Ciw/ZIpRu93MGHEMM2
There is no easy way to remove it if you do not have the master key... If you MUST have the aaa key you will need to back up your configuration, issue a write erase, and reload. Then load your configuration again.
--
Please remember to select a correct answer and rate helpful post
08-04-2014 06:23 AM
Hi Michael,
You could use the 'more system:running-config' command.
Please find useful link:
http://ccnpsecuritywannabe.blogspot.com/2014/03/backup-asa-configuration.html?m=0
08-04-2014 12:31 PM
The "more system: running-config command" only gives me the "Failover Key". The key that I referenced above has something to do with the AAA server group. How do I find this other pre shared key associated with the AAA server group?
08-04-2014 12:39 PM
I just checked and on mine it gave me the key.
more system:run
no spaces
Mike
08-05-2014 02:03 AM
Hi Michael,
For me, more system:running-config gives the key in clear text associated with aaa server group.
ciscoasa# more system:running-config | in key
key unique
ciscoasa# sh runn | in key
key *****
ciscoasa#
You can try one more option... this will give you the desired result.
write net <tftp server>
You need to set the tftp server to do this, which will give you all passwords in clear text.
Regards
Karthik
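An added example, not part of any post in this thread: a small Python audit that reads a saved ASA configuration (for instance the file produced by `more system:running-config` or `write net`) and reports which aaa-server key lines are stored in clear text, which are in the encrypted `key 8 ...` form, and which are masked as `*****`. The sample config, server names and addresses are constructed, and the parser assumes the usual export layout in which sub-mode commands are indented under their `aaa-server` line.

```python
import re

# Constructed sample covering the three forms of the key line seen in this thread.
SAMPLE_CONFIG = """\
aaa-server EXAMPLE (MGMT) host 192.0.2.10
 timeout 30
 key CISCO
aaa-server EXAMPLE2 (MGMT) host 192.0.2.11
 key 8 J3z3YkeRt3Ciw/ZIpRu93MGHEMM2
aaa-server EXAMPLE3 (MGMT) host 192.0.2.12
 key *****
key config-key password-encryption
"""

# An indented "key <value>" line inside an aaa-server block.
KEY_LINE = re.compile(r"^\s+key\s+(?P<rest>\S.*)$")


def classify_key(rest):
    """Classify the text after 'key' without ever returning the secret itself."""
    if re.fullmatch(r"\*+", rest):
        return "masked"      # show running-config output, no secret present
    if re.fullmatch(r"8\s+\S+", rest):
        return "encrypted"   # password encryption with a master passphrase is on
    return "cleartext"       # assumption: anything else is the literal shared secret


def audit_aaa_keys(config_text):
    """Return (line_no, aaa_server_name, state) for each aaa-server key line."""
    findings, server = [], None
    for no, line in enumerate(config_text.splitlines(), 1):
        if line.startswith("aaa-server "):
            server = line.split()[1]
        elif not line[:1].isspace():
            server = None    # an unindented line ends the aaa-server block
        elif server and (m := KEY_LINE.match(line)):
            findings.append((no, server, classify_key(m["rest"].strip())))
    return findings


def cleartext_servers(config_text):
    """Names of aaa-server groups whose shared secret sits in the file in clear."""
    return [name for _, name, state in audit_aaa_keys(config_text) if state == "cleartext"]


if __name__ == "__main__":
    for line_no, name, state in audit_aaa_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: aaa-server {name}: key is {state}")
```

Any backup that reports `cleartext` holds a usable shared secret and should be stored and transferred accordingly.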