
Why "enable password" is different when I log onto ASA using telnet ?

eigrpy
Level 4

Hi

The configuration in the ASA is as below:

aaa authentication enable console TACATS LOCAL
aaa authentication telnet console LOCAL 
username cisco password cisco
telnet 0.0.0.0 0.0.0.0 inside

 

Do you think the enable password is different when I use SSH or telnet to log onto the ASA? Both SSH and telnet can log onto the ASA, and it can pass the enable password (TACACS server password and username), but the enable password fails if I use telnet to log onto the ASA.

1 Accepted Solution


Hi,

Let me try to clarify things here:-

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console LOCAL 
aaa authentication enable console TACACS LOCAL 

These commands only instruct the ASA where to look for the username/password information.

Now, as a test, try this:-

Create the same username/password in the TACACS server and in the ASA LOCAL database.

Configure these commands:-

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL 
aaa authentication enable console TACACS LOCAL 

Now, check whether both of them work.

The problem you might be seeing is that the TACACS and LOCAL databases have different username/password combinations.

Thanks and Regards,

Vibhor Amrodia


8 Replies

Hi,

This is my config, which works OK. I need a local enable password for telnet/SSH.

aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL

enable password .qlnV1D9xc02BByd encrypted

HTH

Richard

 

Hi,

With this configuration, the username/password to log in via SSH/Telnet will be the TACACS credentials.

The enable password would be the one that you have configured locally.

Thanks and Regards,

Vibhor Amrodia

After logging onto the ASA via telnet, it seems telnet requires an enable password which is different from the SSH enable password. Do you agree? Thanks

Hi,

No, the enable password would be the same for both, as that is a global password to move into enable mode.

Thanks and Regards,

Vibhor Amrodia

Thanks for your reply. I think you are right. 

Now, it is very strange regarding the command "aaa authentication enable console TACACS LOCAL". When I am using the command, SSH can pass the enable password, but telnet cannot pass the enable password. Then I remove TACACS from the command, and the situation is reversed: telnet can pass the enable password, and SSH cannot pass the enable password. What is wrong?

 

Here is full config:


aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console LOCAL 
aaa authentication enable console TACACS LOCAL 
aaa accounting enable console TACACS
aaa accounting ssh console TACACS

I got it. After I add TACACS to the command aaa authentication telnet console LOCAL, it works, but I do not know the reason.

Thank you so much. You might not have seen my updated last post. I got the same as you suggested. 

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL 
aaa authentication enable console TACACS LOCAL 

These can work well. Thank you
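
Added example (not part of the original thread, and not Cisco code): a small Python check that parses the `aaa authentication ... console` lines quoted above and flags any login service whose first-listed credential source differs from the first source on the `enable` line, which is the mismatch the thread resolved. The function names are hypothetical, and comparing only the first method in each list (ignoring fallback) is a simplifying assumption.

```python
import re

# 'aaa authentication <service> console <method> [<method> ...]'
AAA_LINE = re.compile(r"^aaa authentication (\S+) console (.+)$")

# Configurations quoted in the thread: before and after the fix.
BEFORE = """\
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console TACACS LOCAL
"""
AFTER = """\
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
"""

def parse_aaa(config):
    """Map each service (ssh, telnet, enable, ...) to its ordered method list."""
    methods = {}
    for line in config.splitlines():
        match = AAA_LINE.match(line.strip())
        if match:
            methods[match.group(1).lower()] = match.group(2).split()
    return methods

def enable_mismatches(config):
    """Return (service, login_source, enable_source) for each login service
    whose first-listed source differs from the first source for 'enable'."""
    methods = parse_aaa(config)
    enable = methods.get("enable")
    if not enable:
        return []  # no AAA enable line: nothing to compare against
    return [
        (service, sources[0], enable[0])
        for service, sources in sorted(methods.items())
        if service != "enable" and sources[0] != enable[0]
    ]

if __name__ == "__main__":
    for label, config in (("before", BEFORE), ("after", AFTER)):
        print(label, enable_mismatches(config))
```

A non-empty result means a user can log in against one credential store and then be checked against a different one at the enable prompt, so the account must exist with the same password in both.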
