01-16-2011 10:17 AM - edited 03-11-2019 12:35 PM
Hello,
I have created a user on the ASA with privilege 15. After entering the username and password, he is still asked to enter the enable secret. Why?
Thanks
01-16-2011 10:26 AM
That is by nature. You cannot skip the enable in the PIX/ASA/FWSM platform like you can with the IOS.
You can configure aaa so that you can use the same user ID password for enable as well.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username cisco password cisco123 privilege 15
This way you can use user cisco and password cisco123 for both the first login and the enable.
-KS
01-17-2011 05:24 AM
Hello Sankar,
I have created a username cisco password cisco. When I do ssh to the ASA, after entering the username and password it asks me for the enable password, and when I enter the enable password it doesn't accept it. Why?
Thanks
01-17-2011 06:02 AM
aaa authentication enable console LOCAL
That is because of the above line. You can type cisco for enable password also.
If you want to use the enable password then remove the above line.
-KS
01-17-2011 10:20 AM
Hello Sankar,
I didn't understand what you are trying to explain. Can you please be more specific?
Thanks.
01-17-2011 11:08 AM
Estela,
username cisco password cisco123 privilege 15 ---> this line, as you can see, is to create a user ID with privilege 15 in the LOCAL database.
aaa authentication ssh console LOCAL ---> this line is to use the LOCAL database (cisco id) to log in when connecting via ssh.
aaa authentication enable console LOCAL ---> this line is to use the same LOCAL database (the cisco id's password) even for enable mode, and not the enable password set on the box. This way, if you have 10 user IDs, you don't have to share the enable password with anyone. They can use their own ID's password even to get into enable mode.
I hope it is clear now.
-KS
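The effect of those three lines, as an added audit script that is not from the thread or from Cisco: it parses a constructed running-config excerpt and reports, per local user, which password answers the enable prompt and which privilege level results (2 when the username line carries no privilege keyword, as the thread notes).

```python
# Added example: audit an ASA running-config excerpt for how local users
# reach enable. The config text below is constructed for illustration.
DEFAULT_PRIVILEGE = 2   # ASA assigns privilege 2 when 'username' omits it

SAMPLE_CONFIG = """\
hostname asa-lab
enable password <constructed-placeholder> encrypted
username cisco password cisco123 privilege 15
username test password test
username audit password aud1t privilege 5
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"""

def parse_users(config):
    """Map each 'username' line to its privilege level (default 2)."""
    users = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "username":
            priv = DEFAULT_PRIVILEGE
            if "privilege" in parts:
                priv = int(parts[parts.index("privilege") + 1])
            users[parts[1]] = priv
    return users

def enable_uses_local(config):
    """True when 'enable' is authenticated against the LOCAL user database."""
    return any(line.strip() == "aaa authentication enable console LOCAL"
               for line in config.splitlines())

def audit_enable(config):
    """Per user: (privilege after enable, which secret answers the prompt)."""
    local = enable_uses_local(config)
    report = {}
    for name, priv in parse_users(config).items():
        if local:
            # The user's own login password answers the enable prompt and the
            # user lands at the level bound to the username (2 by default).
            report[name] = (priv, "own password")
        else:
            # Everyone shares the box's enable password; plain 'enable' is 15.
            report[name] = (15, "shared enable password")
    return report

if __name__ == "__main__":
    for name, (priv, gate) in audit_enable(SAMPLE_CONFIG).items():
        print(f"{name}: enable via {gate} -> privilege {priv}")
```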
01-18-2011 10:16 AM
Hello Sankar,
Very good explanation.
I just tried it on one of the firewalls, and my doubt is clear.
Question 1:
When we create a username cisco password cisco, by default in which level is the user placed?
Thanks
01-18-2011 10:22 AM
Etela,
Why don't you try it?
Create a user id with "username test password test", then log in with that user ID, issue "sh curpriv" (current privilege) and see what it says.
There is another command to learn.
Well, actually it drops the default privilege to 2.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/uz.html#wp1627520
so you can't even issue "sh curpriv" which requires 15.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s2.html#wp1402255
-KS
01-18-2011 10:42 AM
Thanks,
I would have gone through all the material you provided me in the previous mail, but I am stuck with another problem very badly, so I apologize for the silly question.
Thanks