08-21-2009 12:11 AM - edited 03-11-2019 09:08 AM
Hello
Has anyone got a working procedure for changing the EXEC & privilege EXEC passwords on an ASA?
I was thinking of logging on (using the old account), deleting the current details, applying the new account details, then opening a second SSH session to this device to test the new account.
This way I safeguard my access to the device should the new account not be configured correctly, as my first session is still up.
Will this work:
no enable password XXXX encrypted
no passwd XXXX encrypted
!
passwd ABCD
enable password EFGH
Thanks for helping!!
08-21-2009 09:55 AM
Hi Walter,
That will do the trick for you.
-Mike
09-10-2009 06:06 AM
Hi Michael,
On my ASA 5520, when I type in "no enable password ?" I get a prompt asking me to choose level 0-15. Of course it won't accept level 15, only 0-14 !! Anyways, I'm trying to give another engineer level 15 privileges without giving him our enable password. I enter the command "username Doe password John priv 15", but when I "ssh -l Doe" I do not get the enable prompt, only user prompt. Thoughts? Jimmyc
09-10-2009 09:18 AM
Hi Jimmy,
Depending on your AAA config, you can make this happen without changing/revealing your enable password. For example, with SSH you can configure:
ASA(config)# username Doe password John priv 15
ASA(config)# aaa authentication ssh console LOCAL
Then, when you SSH to the device, you'll get a prompt to provide a username and password. Once the user logs in successfully, they can use the 'enable' command to enter privileged exec mode with their own password ('John' in this case) and it will give them a # prompt at the privilege level associated with their user (i.e. 15).
Hope that helps.
-Mike
09-11-2009 05:15 AM
Hi Mike,
That is what I have, and it doesn't work. Just for grins, I even created a new user via cut and paste of your reply (Doe was changed to Doee, because the username must be at least four characters). It still failed. I log into the ASA via "ssh -l Doee 10.1.1.1" and it puts me at the user prompt. "John" will not work as the password to go to enable, it still needs the private one. Sounds like a Cisco bug to me.
Should I remove the private enable-password?
Whatya think?
Jimmyc
09-11-2009 06:07 AM
Hi Jimmy,
You'll also need to add:
aaa authentication enable console LOCAL
My apologies for not including that before--shouldn't have assumed you had that already.
-Mike
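The pieces above (local user, SSH authentication and enable authentication against LOCAL) pulled together into one configuration, plus the two-session safety check from the first post. This is an added example, not configuration from anyone in the thread; the hostname, the username jdoe, the password and the management address 10.1.1.1 are placeholders.

```cisco
! Added example: give an engineer privileged EXEC on an ASA without handing out
! the shared enable password. All names, passwords and addresses are placeholders.
!
! 1. Local user with privilege level 15 (usernames must be at least 4 characters).
username jdoe password S3cretPassw0rd privilege 15
!
! 2. Authenticate SSH logins against the local user database.
aaa authentication ssh console LOCAL
!
! 3. Authenticate 'enable' against the local user database as well. Without this
!    line the ASA keeps asking for the global enable password after SSH login,
!    which is the symptom described in the thread.
aaa authentication enable console LOCAL
!
! 4. Verify from the session you already have open before testing:
!    asa# show running-config aaa
!    asa# show running-config username
!
! 5. From a SECOND SSH session (keep the first one open as a safety net until
!    the new login is proven to work):
!    $ ssh -l jdoe 10.1.1.1
!    jdoe@10.1.1.1's password: S3cretPassw0rd
!    asa> enable
!    Password: S3cretPassw0rd      <- the user's own password, not the global one
!    asa# show curpriv
!    Current privilege level : 15
!
! Alternative from the later post: at the '>' prompt type 'login' and re-enter the
! same username and password to reach the '#' prompt without 'enable'.
```

If the second session cannot reach the `#` prompt, back the change out from the first session (`no aaa authentication enable console LOCAL`) rather than closing it; once both `aaa authentication ... LOCAL` lines are in place, the global `enable password` is only reached by the fallback paths, so rotate it with the same two-session procedure.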
09-11-2009 06:22 AM
You da man!
I did notice that pretty much makes the generic enable password obsolete, since any time you need to upgrade from user to enable it will ask you for your ID and personal password, yes?
When my daughter is ready to study game design, I'll ask her to look into RIT....
Thanks again.
09-11-2009 09:34 AM
You are correct--I pretty much don't have a use for the enable password once things are configured this way.
I don't actually work for RIT, I'm just a grad student there. It is a great school though.
Take care,
-Mike
09-12-2009 08:07 AM
Or another method is:
Login via SSH with your privilege level 15 account. You will have the > prompt. Now just type 'login' and enter your username and password again.....you will be at the Enable prompt.
Dave