
Resetting the EXEC passwords on an ASA

walter1972
Level 1

Hello

Has anyone got a working procedure for changing the EXEC & privilege EXEC passwords on an ASA?

I was thinking of logging on (using the old account), deleting the current details, applying the new account details - then, open a second ssh session to this device to test the new account.

This way I safeguard my access to the device should the new account not be configured correctly, as my first session is still up.

Will this work:

no enable password XXXX encrypted

no passwd XXXX encrypted

!

passwd ABCD

enable password EFGH

Thanks for helping!!

8 Replies

Hi Walter,

That will do the trick for you.

-Mike

Hi Michael,

On my ASA 5520, when I type in "no enable password ?" I get a prompt asking me to choose level 0-15. Of course it won't accept level 15, only 0-14 !! Anyways, I'm trying to give another engineer level 15 privileges without giving him our enable password. I enter the command "username Doe password John priv 15", but when I "ssh -l Doe" I do not get the enable prompt, only user prompt. Thoughts?

Jimmyc

Hi Jimmy,

Depending on your AAA config, you can make this happen without changing/revealing your enable password. For example, with SSH you can configure:

ASA(config)# username Doe password John priv 15

ASA(config)# aaa authentication ssh console LOCAL

Then, when you SSH to the device, you'll get a prompt to provide a username and password. Once the user logs in successfully, they can use the 'enable' command to enter privileged exec mode with their own password ('John' in this case) and it will give them a # prompt at the privilege level associated with their user (i.e. 15).

Hope that helps.

-Mike

Hi Mike,

That is what I have, and it doesn't work. Just for grins, I even created a new user via cut and paste of your reply (Doe was changed to Doee, because the username must be at least four characters). It still failed. I log into the ASA via "ssh -l Doee 10.1.1.1" and it puts me at the user prompt. "John" will not work as the password to go to enable, it still needs the private one. Sounds like a Cisco bug to me.

Should I remove the private enable-password?

Whatya think?

Jimmyc

Hi Jimmy,

You'll also need to add:

aaa authentication enable console LOCAL

My apologies for not including that before--shouldn't have assumed you had that already.

-Mike

You da man!

I did notice that pretty much makes the generic enable password obsolete, since any time you need to upgrade from user to enable it will ask you for your ID and personal password, yes?

When my daughter is ready to study game design, I'll ask her to look into RIT....

Thanks again.

You are correct--I pretty much don't have a use for the enable password once things are configured this way.

I don't actually work for RIT, I'm just a grad student there. It is a great school though.

Take care,

-Mike

Or another method is:

Login via SSH with your privilege level 15 account. You will have the > prompt. Now just type 'login' and enter your username and password again.....you will be at the Enable prompt.

Dave
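Pulling the thread together into one consolidated ASA configuration, as an added example that is not Walter's, Mike's or Dave's own config: it assumes the interface name, management subnet and placeholder passwords marked below, and the optional auto-enable line assumes a release that supports it (it lands the user at # directly, the same outcome Dave gets by typing 'login').

```cisco
! Added example, not from the thread. Assumed: management interface named
! "inside", management subnet 10.1.1.0/24, and the PLACEHOLDER passwords.
!
! 1. Per-engineer local accounts. Privilege 15 gives a # prompt after enable
!    without ever sharing the global enable password.
username walter password PLACEHOLDER-1 privilege 15
username doee password PLACEHOLDER-2 privilege 15
!
! 2. Authenticate SSH logins against the local user database ...
aaa authentication ssh console LOCAL
! ... and, the line Jimmy was missing, authenticate 'enable' locally too,
! so each user's own password (not the global one) unlocks privileged mode.
aaa authentication enable console LOCAL
!
! 2b. Optional, only on releases that support it (assumption): skip the > prompt
!     entirely and land privilege-15 users at # on login.
! aaa authorization exec LOCAL auto-enable
!
! 3. Limit who can even reach the SSH listener (constructed management subnet)
!    and drop idle sessions.
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
!
! 4. Rotate the global passwords last, from the session you already hold.
!    Entering a new value replaces the current one, so the 'no ... encrypted'
!    lines from the question are not required. Keep this first session open
!    and test the new accounts from a second SSH session before logging out
!    (Walter's safeguard).
passwd PLACEHOLDER-LOGIN
enable password PLACEHOLDER-ENABLE
!
! 5. From the second session, before saving:
!    show running-config aaa        -> both LOCAL lines present
!    show running-config username   -> accounts present with privilege 15
!    'enable' with your own password -> # prompt
! Only then: write memory
```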
