Cisco AAA/Identity/Nac :: How To Setup Enable Mode Password On ASA 5510
Jan 24, 2013
how do I setup an enable password for an ASA 5510? At the moment its setup to authenticate using RADIUS (which I'd like to keep doing) but I need to setup an enable mode password.
I have been experimenting with acs 4.2 and a cisco asa 5510. I have managed to authenticate the ASA users with my tacacs server. The user "test" is authenticated with the tacacs server, and can log in. But the enable password is wrong, because i dont know where to place it in the tacacs server.
Now my question is, where do i set my enable password when authenticatig with tacacs+. And for this i mean in the acs 4.2, i know how to do it on the asa.
how to Config the ACS 4.2 server runs in TACACS + mode (users accounts configured the ACS) mode to authenticate enable mode password on the asa using the same AD account?
I am trying to get users in the external identity store (AD) to be dropped directly into enable mode after being authenticated, since I don't know of a way to set an enable password for users in an external identity store. I think it has something to do with shell attributes but I'm not realy sure.
So here's what I tried.Linking identity group to external group and provide full command priviliges - enable still didn't work Creating duplicate users in the internal identity store and setting the password type field to AD1 - That gives me the ability to get to the enable password prompt hit enter on the blank promt then prompts for Old and new passwords but fails everytime with an Error in Authentication.
How to configure authentication of enable password using acs 5.3. I have installed acs 5.3 and created user and gave relevant passwords. Following config is done on router
aaa new-model aaa authentication login default group tacacs+ local aaa authen enable default group tacacs+ enable tacacs-server host x.x.x.x key xxxxx
Now when I telnet router, i can authenticate username/pass with acs5.3 but when i try to enter enable command and give password, it gives me error in authentication. What is the process of configuring enable passwords?
I configured the below config in Routers it is working good , but when i do the same in SWITCH-2960 , i am getting a problem not able to login to enable mode ... i am getting the basic login only ....
Error msg : % Error in Authentication.
Need to be configured at TAFE Network Devices: Code...
I successfully authenticate through ACS to my Identity Store, but only get dropped into a non-enable prompt: ciscoasa> How can I get an Authenticated user directly into enable mode?
I have migrated my ACS data from 4.1 to 5.1 and everything is working fine to test the connection I have configured a switch to get the authentication from the new Tacacs server, using my old username and password..i got in perfectly but when the switch asked my for enable which is the same password, it refused the password.(I have unchecked the <use a different password for enable> option) I deleted my switch from the Tacacs to enter locally, I went in with no problems..i thought that the problem may be from the old configuration.so I created a new username and password to check, and the problem still exist.
Changed my AD password and now i cannot get into the enable side of the cisco switches on our network (we have no routers).Looking on the logs for the ACS v4.2 I can see the following -
On TACACS+ Accounting you can see the connections which have worked - it the initial tty connections -
When i look in the failed attempts i see the following Auth failed - External DB user invalid or bad password or on another occasion internal error or EAP-TLS or PEAP authentication failed due to unknown CAcertificate during SSL handshake.
I am trying to migrate an ACS 4.1.1(24) using the migraton tool to ACS 5.2. The tool is working OK. It migrates the users, groups, NDG, etc. and the reports are showing no errors.
The problem is with the Enable password of the users. The users in the ACS 4 have the TACACS+ Enable Password configured, but after the migration it appears empty in the ACS 5.
Recently I came across a router (Cisco 3845, IOS 12.4) configured for TACACS, one local username and an enable password. Going through the configuration I noticed the router didn't have an enable secret password which I thought was strange. The TACACS config is below, comments regarding the TACACS config and the consequences of not having an enable secret or if there is a need for one.
aaa authentication login default group tacacs+ aaa authentication login no_tacacs enable aaa authorization exec default group tacacs+ aaa authorization commands 1 default group tacacs+ aaa authorization commands 15 default group tacacs+ aaa accounting exec default start-stop group tacacs+ aaa accounting commands 1 default start-stop group tacacs+ aaa accounting commands 15 default start-stop group tacacs+ aaa accounting network default start-stop group tacacs+
I tried to authenticate and authorized Nokia/checkpoint Nortel/AD3 and Nortel 5510 platform using an 4.1 for windows ACS. the ACCESS-REQUEST is well processed bi the radius server wich send ACCESS-ACCEPT to the AAA Client (ie NORTEL or NOKIA), but i'have got privilege access denied on the Client side. RADIUS IETF Dictionnary is used for every device. all others Cisco Devices authenticate and are well authorized.
I have a weird issue. I recently setup an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to setup a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have setup. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASA's..
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh aaa authentication ssh console SERVER_RADIUS LOCAL ssh 0.0.0.0 0.0.0.0 outside ssh 0.0.0.0 0.0.0.0 inside ssh timeout 60
I have a TWC wideband modem and service. I know that they will enable bridge mode if I ask them. My questions are. After they enable it whats my setup? Do I just run a cable from their modem into a new router that I then set up on my own? Is it that simple?
How i can enable promiscuous mode on my Atheros AR9285 Wireless Network Adapter? I'm using windows 7 starter.driver version of my Atheros AR9285 Wireless Network Adapter:9.2.0.427.
On my 2650 Router it just has only Telnet password.It has no enable mode password set.After reboot it is goes to prompt mode BB.I am unable to go to enable mode .how can i go back to enable mode on this router?
I had configured one access point CAP3602E in flex connect mode through a WLC 5508 after deploying the access point in flex control mode the local mac-filering is not working. before it was working when ap was in local mode. any body have to know is the mac-filtering working in flex-control mode ?
Is there a way to configure a ASA 5500 firewall so that when i access the firewall via SSH, my user is in privileged exec mode immediately after i have entered the log in credentials? So no need to enter "enable" anymore. I know how to do that with a router but couldn't figure it out for the ASA.
So I have a Windows 2008 R2 SP1 Enterprise Server and a gigabit LAN network card onboard. But it refuses to run at gigabit speed and if forced to it, it just says that network cable is unplugged and doesn't work.
I tried switching to a newer and better motherboard (still with gigabit LAN)I have updated drivers.I have checked cables (which are all cat 6 cables and work just fine with other computers in gigabit LAN mode)I've checked and switched ports on the switch and the switch itself...no change. They work just fine with other non-W2008 machines, they get gigabit LAN
I am completely stomped as to what I can do to fix this. It runs just fine in 100 Mbit mode, but can't in any way get it in gigabit mode.I am completely stomped as to why it refuses...is this a limitation of Windows 2008 or something or is there a fix to this?
under ubuntu 10.10.I have the cable DLC5 Xilinx.The problem is: I do not know how to enable the JTAG mode on the DAP-1160.I understand that I must set a pin on the 147 on the RTL8186. but I have no idea where is on the DAP-160 PCB.
My current production network is setup using VTP in Client mode, and I am looking to enable VTP Transparent so I can enable the extended VLANs. My main question would be, would enabling VTP Transparent on my 6509 affect all of the access switches it is connected to? And if so, would changing all of the access switches to VTP Transparent allow them to regain connectivity quickly with little downtime? Or is there another way that I should be handling this situation to enable the extended VLANs?
(5508 WLC, 1142N APs).I understand if I enable the AP mode to Rogue Detector from the details page of the AP, the AP stops accepting requests and is now looking for rogue items on the wired network. Is this the same when I enable Rogue Location Discovery Protocol? Will I lose the wireless functionality of all of my APs on the controller?
Next question, when I look at the Rogue Summary on the Monitoring page I see three Adhoc Rogue devices. When I select the Detail link only one shows. I remember the other two were HP mutifuction devices with WIFI enabled but I cannot retrieve that information anymore.
configuring AAA on 1841 router, initially it authenticates me well using my TACAS+ login. but though i have configured enable password in router, router directly puts me in privilage mod without asking enable password .
my configs for AAA as below
aaa authentication login ACS group tacacs+ local aaa authentication enable default group tacacs+ enable aaa authorization config-commands aaa authorization exec ACS group tacacs+ local aaa authorization commands 0 ACS group tacacs+ local aaa authorization commands 15 ACS group tacacs+ local aaa accounting commands 1 ACS start-stop group tacacs+ aaa accounting commands 15 ACS start-stop group tacacs+
I have setup an Identity Firewall on a ASA version 5.6 on a DMZ interface.I have installed the ADAgent on a domain member Win2008 and configured as follows: [code]
where ashdew is a domain user and ACL 122(only one line) is applied on the dmz interface and NAT is properly configured.The ADagent has been properly tested and ASA can register to it.The ASA can connect to AD DC controller and query user database.I have placed a laptop ip 172.17.h.x on the DMZ and can ping the DMZ interface.
The laptop cannot authenticate on the domain and the asa does not seem to retrieve the user identity.Do I need to add extra rules in the access-list 122 to permit trafic to DC?Can I check on the AD Agent if it can retrieve the user to ip mapping ?
I need to recover switch enable password, i have already configured AAA also, when i am tryig to follow below proceedure finally saying Authorization failed. how can i recover enable password,If I try to recover password like this description says [URL]
Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port.
Step 2 Set the line speed on the emulation software to 9600 baud.
Step 3 Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green.
Base ethernet MAC Address: 00:0x:xx:xx:xx:xx Xmodem file system is available. The password-recovery mechanism is enabled.
The system has been interrupted prior to initializing the flash filesystem. The following commands will initialize the flash filesystem, and finish loading the operating system software:
I have a cisco 1801 router that is not prompting for enable password.After loging into router thru telnet it puts direct into privelege mode without promting for enable password.Here is the configuration:
User Access Verification Username: adminPassword:xxxxx#sh runBuilding configuration... Current configuration : 2132 bytes!version 12.4service timestamps debug datetime msecservice timestamps log datetime msecservice password-encryption!hostname xxxxxx!boot-start-markerboot-end-marker!enable password 7 022F0A5D0208063555692B!no aaa new-model!!dot11 syslog!!ip cefno ip dhcp use vrf connectedip dhcp excluded-address 192.168.0.1 192.168.0.10!ip dhcp pool LAN import all network 192.168.0.0 255.255.255.0 default-router 192.168.0.1!!!multilink bundle-name authenticated!!username admin privilege 15 password 7 112017031E1C02181Dusername user privilege 3 password 7 091D1C5A100B111B05051033!!archivelog config hidekeys!!!!!interface ATM0no ip addressno atm ilmi-keepalivepvc xxxxx
Today I wanted to change my passwords on my router Cisco 888e.I connect by telnet my router and access the enable mode.Then, I set my enable password to passwordxxx with the command enable password password1.After a show run, i could see in this config my new password correctly set. Then, I set my enable secret password to passwordxxx (the same) with the command enable secret password password1.I log off the enable mode.Try to log on with the command en but when I type the new or the old password, I receive a 'Access denied' message.
And I'm sure of the new one because on my command line to define it I could see this new password in clear!What are my solutions to access the enable mode again?If I reboot my router, it'll run the previous config file with the old password? I've only worked on the running config file and haven't apply these changes to the nvram.
We are installaing a new RSP720 on 7606 platform and facing a peculiar problem. It is prompting for a enable password. We have not configured anything on router yet, still it is asking for enable password.