Resetting the EXEC passwords on an ASA

Aug 21st, 2009


Has anyone got a working procedure for changing the EXEC & privilege EXEC passwords on an ASA?

I was thinking of logging on (using the old account), deleting the current details, applying the new account details - then, open a second ssh session to this device to test the new account.

This way I safeguard my access to the device should the new account not be configured correctly, as my first session is still up.

Will this work:

no enable password XXXX encrypted

no passwd XXXX encrypted


passwd ABCD

enable password EFGH

Thanks for helping!!

jimmyc_2 Thu, 09/10/2009 - 06:06

Hi Michael,

On my ASA 5520, when I type in "no enable password ?" I get a prompt asking me to choose level 0-15. Of course it won't accept level 15, only 0-14 !! Anyways, I'm trying to give another engineer level 15 privileges without giving him our enable password. I enter the command "username Doe password John priv 15", but when I "ssh -l Doe" I do not get the enable prompt, only user prompt. Thoughts? Jimmyc

robertson.michael Thu, 09/10/2009 - 09:18

Hi Jimmy,

Depending on your AAA config, you can make this happen without changing/revealing your enable password. For example, with SSH you can configure:

ASA(config)# username Doe password John priv 15

ASA(config)# aaa authentication ssh console LOCAL

Then, when you SSH to the device, you'll get a prompt to provide a username and password. Once the user logs in successfully, they can use the 'enable' command to enter privileged exec mode with their own password ('John' in this case) and it will give them a # prompt at the privilege level associated with their user (i.e. 15).

Hope that helps.


jimmyc_2 Fri, 09/11/2009 - 05:15

Hi Mike,

That is what I have, and it doesn't work. Just for grins, I even created a new user via cut and paste of your reply (Doe was changed to Doee, because the username must be at least four characters). It still failed. I log into the ASA via "ssh -l Doee" and it puts me at the user prompt. "John" will not work as the password to go to enable, it still needs the private one. Sounds like a Cisco bug to me.

Should I remove the private enable-password?

Whatya think?


robertson.michael Fri, 09/11/2009 - 06:07

Hi Jimmy,

You'll also need to add:

aaa authentication enable console LOCAL

My apologies for not including that before--shouldn't have assumed you had that already.


jimmyc_2 Fri, 09/11/2009 - 06:22

You da man!

I did notice that pretty much makes the generic enable password obsolete, since any time you need to upgrade from user to enable it will ask you for your ID and personal password, yes?

When my daughter is ready to study game design, I'll ask her to look into RIT....

Thanks again.

robertson.michael Fri, 09/11/2009 - 09:34

You are correct--I pretty much don't have a use for the enable password once things are configured this way.

I don't actually work for RIT, I'm just a grad student there. It is a great school though.

Take care,


clark.d Sat, 09/12/2009 - 08:07

Or another method is:

Login via SSH with your privilege level 15 account. You will have the > prompt. Now just type 'login' and enter your username and password, and you will be at the Enable prompt.
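Pulling the pieces of this thread together, here is the complete local-AAA configuration as an added example (it is not any poster's own config). The username, the password placeholder and the use of `show curpriv` as the verification step are my assumptions, not taken from the posts.

```cisco
! Added example: local users for SSH login and for 'enable' on an ASA.
! Assumed account name; replace the placeholder password before use.
username jdoe password <PLACEHOLDER> privilege 15

! Authenticate SSH logins against the local user database.
aaa authentication ssh console LOCAL

! Without this line 'enable' keeps asking for the global enable password,
! which is the behaviour jimmyc_2 hit above.
aaa authentication enable console LOCAL

! Verification, from a SECOND SSH session while the first stays open
! (the safeguard the original question describes):
!   ASA> enable           -> prompts for jdoe's own password, lands at ASA#
!   ASA# show curpriv     -> should report privilege level 15 (assumed command)
! Only close the first session once this succeeds.
```

With this in place the global `enable password` is no longer used for SSH users, which is why the thread concludes it becomes largely obsolete.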


