How do I find the preshared key value on an ASA Firewall?

Mike Keenan
Level 1

How do I locate the preshared key on an ASA firewall? Specifically, how do I find out what ***** is in the below configuration within my config file on my ASA firewall running 8.4(4)1?

aaa-server xxxxxxx (MGMT) host xxx.xxx.xxx.xxx
 timeout 30
 key *****

Accepted Solutions

You most likely have the following command enabled:

key config-key password-encryption

You can remove it by using the no version of the command, but you will need the "master passphrase" password that was used to create the encryption to be able to decrypt it.

ciscoasa(config)# more system:running-config | in key
 key CISCO

ciscoasa(config)# key config-key password-encryption
New key: ********
Confirm key: ********
ciscoasa(config)#
ciscoasa(config)# more system:running-config | in key
 key 8 J3z3YkeRt3Ciw/ZIpRu93MGHEMM2

There is no easy way to remove it if you do not have the master key... If you MUST have the aaa key you will need to back up your configuration, issue a write erase, and reload. Then load your configuration again.

--

Please remember to select a correct answer and rate helpful post

5 Replies

johnlloyd_13
Level 9

Hi Michael,

You could use the 'more system:running-config' command.

Please find useful link:

http://ccnpsecuritywannabe.blogspot.com/2014/03/backup-asa-configuration.html?m=0

 

The "more system: running-config command" only gives me the "Failover Key". The key that I referenced above has something to do with the AAA server group. How do I find this other pre shared key associated with the AAA server group?

I just checked and on mine it gave me the key.

more system:run

 

no spaces

 

 

Mike

Hi Michael,

 

For me, more system:running-config gives the key in clear text associated with aaa server group.

ciscoasa# more system:running-config | in key
 key unique
ciscoasa# sh runn | in key
 key *****
ciscoasa#

 

You can try one more option... this will give you the desired result.

 

write net <tftp server>

 

You need to set the TFTP server to do this, which will give you all passwords in clear text.

 

Regards

Karthik
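
The outputs in this thread show a key line in three forms: masked (*****), clear text, and "key 8" ciphertext. The Python below is an added example, not code from any poster or from Cisco, that classifies each key line in a saved configuration and redacts clear-text values before the file is stored or shared; the group names and 192.0.2.x hosts in the sample are constructed, and the function name audit_keys is hypothetical.

```python
import re

# Indented sub-command as shown in the thread: " key <value>" or " key 8 <blob>".
# The top-level "key config-key password-encryption" command is not indented,
# so it is deliberately not matched.
KEY_LINE = re.compile(r"^(\s+key)\s+(?:(8)\s+)?(\S+)\s*$")

# Constructed sample input; key values are the ones quoted in the thread.
SAMPLE = """\
aaa-server EXAMPLE-GRP (MGMT) host 192.0.2.10
 timeout 30
 key CISCO
aaa-server EXAMPLE-GRP2 (MGMT) host 192.0.2.11
 key 8 J3z3YkeRt3Ciw/ZIpRu93MGHEMM2
aaa-server EXAMPLE-GRP3 (MGMT) host 192.0.2.12
 key *****
"""

def audit_keys(config_text):
    """Return (findings, redacted_text) for an ASA configuration dump.

    findings is a list of (line_number, parent_stanza, state) where state is
    'cleartext', 'encrypted' (key 8 ...) or 'masked' (*****).
    """
    findings, redacted, parent = [], [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        if line and not line[0].isspace():
            parent = line.strip()  # top-level stanza, e.g. "aaa-server ..."
        m = KEY_LINE.match(line)
        if not m:
            redacted.append(line)
            continue
        prefix, enc_type, value = m.groups()
        if enc_type == "8":
            state = "encrypted"
        elif set(value) == {"*"}:
            state = "masked"
        else:
            state = "cleartext"
        findings.append((lineno, parent, state))
        # Only clear-text values are replaced; masked and encrypted stay as-is.
        redacted.append(f"{prefix} <redacted>" if state == "cleartext" else line)
    return findings, "\n".join(redacted)

if __name__ == "__main__":
    for lineno, parent, state in audit_keys(SAMPLE)[0]:
        print(f"line {lineno}: {state:9} under {parent}")
```
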

 
