Username on an ASA question

WStoffel1
Level 1

Just ran into this. Customer's ASA 5510, and they are using the default "pix" login. I can log into the command line with pix just fine. I created a user account, call it:

username jsmith password Passw0rd priv 15

I'm unable to log into the command line with jsmith.  I can get into ASDM with it.

Sorry about being unable to post this config but I was hoping this might jog some memories and people could point me at things to look for.

Thank you very much.

6 Replies

Jouni Forss
VIP Alumni

Hi,

You probably need to change some "aaa" related configuration on the ASA

Here are some examples to change the different management connections to use AAA information either locally on the ASA or on an external AAA server:

aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

So judging by what you say, Telnet and/or SSH does not have any of the above configurations but HTTP is set to use LOCAL authentication.

You can use the "show run aaa" command to view the output/settings.

- Jouni

That's what I thought. So...

# sh run http
http server enable
http 7.x.x.0 255.255.252.0 outside
http 7.x.x.21 255.255.255.255 outside

# sh run aaa
aaa local authentication attempts max-fail 5

I would expect to see something along the lines of aaa authentication http console LOCAL
since ASDM works with a local username...?

But I just did a quick test and setup aaa authentication, and it broke the pix user account...does that make sense?  Like using local authentication disables the default pix account?

Which I can't do, so it may all be a waste of time anyway...

Hi,

Tried it on my ASA also, and it does seem that the ASA accepts the LOCAL username/password even without the related "aaa authentication" configuration for "http".

I wonder if it would be possible to create the "pix" username and password in the LOCAL database and this way seemingly avoid the situation where the default "pix" username wouldn't work?

- Jouni

Doesn't seem that the ASA has anything against using "pix" as a username in the LOCAL database.

This would essentially enable you to configure the "pix" username in the LOCAL database of the ASA with the password that the customer is using, effectively making it so that the customer doesn't see any change while logging in to the device.

- Jouni

Hi,

Found the answer to the username/password behaviour with ASDM:

By default, you can log into ASDM with a blank username and the enable password (see Device Name/Password, page 10-12).

However, if you enter a username and password at the login screen (instead of leaving the username blank), ASDM checks the local database for a match.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa80/asdm60/user/guide/aaasetup.html#wp1284438

- Jouni

OK, so I'm not too crazy, ASDM just sort of works.

I'm going out on a limb here but I think this one was upgraded from a Pix firewall long ago...

Thanks for the insights though, much appreciated.

Just an update for reference, added in this morning:

aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

and my LOCAL logins work as expected for any of the methods, but the Pix username is no longer valid.

Not much out there on the default username of Pix, but as far as I can tell it's a default login that's NOT stored in LOCAL and is somehow disabled when AAA is set up. http://www.techexams.net/forums/ccnp/70330-disable-ssh-pix-username-cisco-password.html

Anyway, shouldn't be an issue anyplace with a reasonable security policy
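As an added example (not posted by anyone in this thread), a small Python check that parses "show run aaa" output and reports which management methods still lack an "aaa authentication <method> console" line, i.e. where the built-in login path discussed above (default username with the Telnet/enable password) is still the one in effect. The two sample outputs are constructed from the ones quoted in the thread.

```python
import re

# Management access paths discussed in the thread; each one can be bound to the
# LOCAL database or a AAA server group with "aaa authentication <method> console <group>".
MGMT_METHODS = ("ssh", "telnet", "http", "enable")

# Constructed sample: "show run aaa" as first seen on the box, with only the
# lockout setting and no "aaa authentication ... console" lines.
SAMPLE_BEFORE = """\
aaa local authentication attempts max-fail 5
"""

# Constructed sample: the same box after the two lines added in the last update.
SAMPLE_AFTER = """\
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 5
"""

AUTH_RE = re.compile(r"^\s*aaa authentication (\S+) console (\S+)\s*$")


def parse_aaa_auth(show_run_aaa: str) -> dict:
    """Map each management method to the server group it authenticates against."""
    bound = {}
    for line in show_run_aaa.splitlines():
        m = AUTH_RE.match(line)
        if m:
            bound[m.group(1)] = m.group(2)
    return bound


def methods_without_aaa(show_run_aaa: str, methods=MGMT_METHODS) -> list:
    """Return the methods that have no "aaa authentication ... console" line.

    Without such a line the method falls back to the built-in credentials
    (the default "pix"/Telnet-password login for SSH, the enable password for
    enable and for a blank ASDM username) instead of LOCAL or a AAA server;
    ASDM additionally checks LOCAL when a username is typed, as the thread found.
    """
    bound = parse_aaa_auth(show_run_aaa)
    return [m for m in methods if m not in bound]


if __name__ == "__main__":
    for label, cfg in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, "still on built-in login:", methods_without_aaa(cfg) or "none")
```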
