Cisco Support Community

New Member

How do I find the preshared key value on an ASA Firewall?

How do I locate the preshared key on an ASA firewall? Specifically, how do I find out what ***** is in the below configuration within my config file on my ASA firewall running 8.4(4)1?

aaa-server xxxxxxx (MGMT) host xxx.xxx.xxx.xxx
timeout 30
key *****

 


Accepted Solutions
VIP Green


You most likely have the following command enabled:

key config-key password-encryption

You can remove it by using the no version of the command, but you will need the "master passphrase" password that was used to create the encryption to be able to decrypt it.

ciscoasa(config)# more system:running-config | in key
 key CISCO

ciscoasa(config)# key config-key password-encryption
New key: ********
Confirm key: ********
ciscoasa(config)#
ciscoasa(config)# more system:running-config | in key
 key 8 J3z3YkeRt3Ciw/ZIpRu93MGHEMM2

There is no easy way to remove it if you do not have the master key... If you MUST have the aaa key you will need to back up your configuration, issue a write erase, and reload. Then load your configuration again.

--

Please remember to select a correct answer and rate helpful post
5 REPLIES


Hi Michael,

You could use the 'more system:running-config' command.

Please find useful link:

http://ccnpsecuritywannabe.blogspot.com/2014/03/backup-asa-configuration.html?m=0

 

New Member


The "more system: running-config command" only gives me the "Failover Key". The key that I referenced above has something to do with the AAA server group. How do I find this other pre shared key associated with the AAA server group?


I just checked and on mine it gave me the key.

more system:run

no spaces

Mike


Hi Michael,

 

for me more system:running-config gives the key in clear text associated with aaa server group.

ciscoasa# more system:running-config | in key
 key unique
ciscoasa# sh runn | in key
 key *****
ciscoasa#

 

You can try one more option... this will give you the desired result.

 

write net <tftp server>

 

You need to set the tftp server to do this, which will give you all passwords in clear text.

 

Regards

Karthik
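An added example, not part of any post in this thread: a Python sketch that audits a saved ASA configuration (for example a file written to a TFTP server) and reports whether each aaa-server key is masked, stored in clear text, or stored in the `key 8` form shown in the accepted solution, without printing the secret itself. The sample configuration, group names and addresses are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample mirroring the three key forms shown in this thread.
SAMPLE_CONFIG = """\
aaa-server RADIUS-A (MGMT) host 192.0.2.10
 timeout 30
 key *****
aaa-server RADIUS-B (MGMT) host 192.0.2.11
 key ExampleSecret
aaa-server RADIUS-C (MGMT) host 192.0.2.12
 key 8 EXAMPLEENCRYPTEDVALUE
"""

HEADER = re.compile(r"^aaa-server\s+(?P<group>\S+)\s+\([^)]+\)\s+host\s+(?P<host>\S+)")
KEY_LINE = re.compile(r"^\s+key\s+(?P<rest>\S.*)$")

def classify_key(rest):
    """Classify the text after 'key' without returning the secret."""
    tokens = rest.split()
    if len(tokens) == 1 and set(tokens[0]) == {"*"}:
        return "masked"        # 'show running-config' style output
    if len(tokens) == 2 and tokens[0] == "8":
        return "encrypted"     # master passphrase encryption enabled
    return "cleartext"         # secret is readable in the file

def audit_aaa_keys(config_text):
    """Return one finding per 'key' line inside an aaa-server block."""
    findings, current = [], None
    for lineno, line in enumerate(config_text.splitlines(), 1):
        header = HEADER.match(line)
        if header:
            current = (header["group"], header["host"])
            continue
        if line and not line[0].isspace():
            current = None     # an unindented line ends the sub-mode
            continue
        key = KEY_LINE.match(line)
        if current and key:
            findings.append({"line": lineno, "group": current[0],
                             "host": current[1],
                             "state": classify_key(key["rest"])})
    return findings

def cleartext_findings(config_text):
    """Findings that mean the backup file exposes a usable secret."""
    return [f for f in audit_aaa_keys(config_text) if f["state"] == "cleartext"]

if __name__ == "__main__":
    for f in audit_aaa_keys(SAMPLE_CONFIG):
        print(f"line {f['line']}: {f['group']} {f['host']} -> {f['state']}")
```

Any `cleartext` finding means the file should be treated as a credential store: restrict where it is kept, and consider enabling the master passphrase encryption described in the accepted solution.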

 
