cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3684
Views
0
Helpful
5
Replies

unable to go to enable mode of ASA via console

mahesh18
Level 6
Level 6

Hi everyone,

I can login to ASA fine via ssh.

When i console in it straight away gives me prompt

asa>

now when i press en

it ask for username and password but does not take it what i type.

Need to confirm        

aaa authentication enable console DCNetwork LOCAL************************************is this enablle password config of ASA?

aaa authentication serial console LOCAL****************************console connection authen of asa?

i try to change the enable password via command

enable password but still no luck

Regards

MAhesh

2 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Mahesh

Can you tell us what is the reference to DCNetwork in the aaa authentication command? It looks like it might be a reference to some authentication server (Radius or something). In that case it will attempt to authenticate enable access using that authentication server - which would be consistent with getting a prompt for username and password when you enter the enable command.

My guess is that when you use the command to change the enable password that you are indeed changing the configured password on the ASA but that it is using the authentication server to authenticate enable access.

HTH

Rick

HTH

Rick

View solution in original post

Mahesh,

Rick seems to have hit the nail on the head. The aaa authentication that you're using is trying to authenticate against the backend radius server for you to be able to use the enable prompt.

Personally, if you want to just use the local enable password, you can remove the aaa authentication enable line altogether and use the local enable password on the appliance. Make sure that you have one "enable password " before removing your aaa authentication. If you don't have any reference to "aaa authentication enable", all logins - telnet, ssh, serial - will use the local enable password.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

View solution in original post

5 Replies 5

Richard Burts
Hall of Fame
Hall of Fame

Mahesh

Can you tell us what is the reference to DCNetwork in the aaa authentication command? It looks like it might be a reference to some authentication server (Radius or something). In that case it will attempt to authenticate enable access using that authentication server - which would be consistent with getting a prompt for username and password when you enter the enable command.

My guess is that when you use the command to change the enable password that you are indeed changing the configured password on the ASA but that it is using the authentication server to authenticate enable access.

HTH

Rick

HTH

Rick

Hi Rick,

DCNetwork in the aaa authentication command refer to the authen server radius.

When i remove the command --aaa authentication serial console LOCAL

then when i console in it take me straight to hostname and propmt and when i enter en then it ask me for username and

password and thats the radius authen that it uses.

So you are right in this case enable access uses the radius auth server.

so my question remains if i config the command

aaa authentication serial console LOCAL

then if i console in and want to use the enable password i need to change

aaa authentication enable console DCNetwork LOCAL  to

aaa authentication enable console  LOCAL ???????

This change will not impact ssh access for enable pasword right?

Regards

MAhesh

Mahesh,

Rick seems to have hit the nail on the head. The aaa authentication that you're using is trying to authenticate against the backend radius server for you to be able to use the enable prompt.

Personally, if you want to just use the local enable password, you can remove the aaa authentication enable line altogether and use the local enable password on the appliance. Make sure that you have one "enable password " before removing your aaa authentication. If you don't have any reference to "aaa authentication enable", all logins - telnet, ssh, serial - will use the local enable password.

HTH,
John

*** Please rate all useful posts ***

HTH, John *** Please rate all useful posts ***

Hi Rick & John,

I got it now.Took little longer to understand but ok now.

Best regards

Mahesh

prakashpunio
Level 1
Level 1

Can you provied me your total sh run file so may i can helo you that where is problem

you need to remove AAA or acl base AAA from console as well form vty mode

Review Cisco Networking for a $25 gift card