Privilege 15 User on ASA

estelamathew
Level 2

Hello,

I have created a user on the ASA with privilege 15. After entering the username and password he is still asked to enter the enable secret. Why?

Thanks

8 Replies

Kureli Sankar
Cisco Employee

That is by nature. You cannot skip the enable in the PIX/ASA/FWSM platform like you can with the IOS.

You can configure aaa so that you can use the same user ID and password for enable as well.

aaa authen ssh console LOCAL

aaa authen enable console LOCAL

userid cisco password cisco123 priv 15

This way you can use cisco and password cisco123 for both the first login and the enable.

-KS

Hello Sankar,

I have created a username cisco with password cisco. When I SSH to the ASA, after supplying the username and password it asks me for the enable password, and when I enter the enable password it doesn't accept it. Why?

Thanks

aaa authen enable console LOCAL

That is because of the above line. You can type cisco for the enable password also.

If you want to use the enable password then remove the above line.

-KS

Hello Sankar,

I didn't understand what you are trying to explain. Can you please be more specific?

Thanks.

Estela,

userid cisco password cisco123 priv 15 ---> this line, as you see, is to create a user ID with priv 15 in the LOCAL database.

aaa authen ssh console LOCAL ---> this line is to use the LOCAL database (the cisco ID) to log in when connecting via ssh.

aaa authen enable console LOCAL ---> this line is to use the same LOCAL database (the cisco ID's password) even for enable mode, and not the enable password set on the box. This way, if you have 10 user IDs you don't have to share the enable password with anyone. They can use their own ID's password to get into enable mode as well.

I hope it is clear now.

-KS

Hello Sankar,

Very good explanation.

I just tried it on one of the firewalls, and my doubt is cleared.

Question1:

When we create a username cisco with password cisco, in which level is the user placed by default?

Thanks

Estela,

Why don't you try it?

Create a user ID with "userid test password test", then log in with that user ID and issue "sh curpriv" (current priv) and see what it says.

There is another command to learn.

Well, actually it drops the default priv to 2.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1627520

So you can't even issue "sh curpriv", which requires 15.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1402255

-KS
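The configuration discussed in the two answers above (login and enable both checked against the LOCAL database, and the default privilege level of a user created without the privilege keyword), written out in full-form commands as an added example. This is not configuration from the original thread; the usernames and passwords are placeholders, and the auto-enable line at the end refers to a keyword available only on ASA releases later than the 8.2 documentation linked above, so check your release's command reference before relying on it.

```cisco
! Added example, not from the original post. Placeholder credentials.
! "aaa authen" in the thread is the abbreviated form of "aaa authentication".

! Administrator with an explicit privilege level of 15
username admin1 password S3cureP@ss1 privilege 15

! No "privilege" keyword: this user lands at the default level, 2,
! so commands that require a higher level (sh curpriv, per the 8.2
! reference above) are not available to it
username test password T3stP@ss

! First login over SSH is authenticated against the LOCAL user database
aaa authentication ssh console LOCAL

! "enable" is also authenticated against the LOCAL database: each user
! types their own password, and the box-wide enable password is never shared
aaa authentication enable console LOCAL

! Optional but needed for the privilege level to mean anything: without
! command authorization, every user who reaches enable mode can run every
! command. Verify the per-command levels on your release before turning this
! on, because a level set too high locks administrators out of commands.
aaa authorization command LOCAL

! Later releases only (not 8.2): lets a privilege-15 user skip the enable
! prompt entirely after authenticating once. Confirm the keyword exists in
! your release's command reference before using it.
! aaa authorization exec LOCAL auto-enable
```

After applying this, log in over SSH as admin1, type the same password at the enable prompt, and run show curpriv; then repeat as test to see the default level of 2.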

Thanks,

I would have gone through all the material you provided in the previous mail, but I'm stuck with another problem very badly, so I apologize for the silly question.

Thanks
