Cisco ASA – Cannot Get To Enable Mode?

KB ID 0001105 

Problem

After setting up some firewalls last week I quickly jumped on them whilst VPN’d into my work network to make sure I’d be able to log into and administer them remotely via SSH, and ASDM (in case anyone else wanted to use it). SSH gave me the new certificate prompt and logged me in, ASDM logged in. I left site a happy chap.

I went to log in today via SSH and I could log on fine, but I could not get to enable mode?

[Image: cannot get to enable mode]

Well that was odd? Perhaps I’d had ‘fat fingers’ when typing the enable password? I logged into the ASDM and reset it. Still the problem persisted.

Solution

After scratching my head and getting a coffee I grabbed my boss and said, watch while I reset the password, and the password does not work? “Type YOUR password in again,” he said, and annoyingly, the prompt went straight to enable. “That’s not normal behavior,” I said.

Luckily I have many firewalls to jump on, and comparing the configs pointed me to the answer. I didn’t set up the AAA on this firewall, someone else did. Take a look at the line indicated:

[Image: ASA enable mode via AAA]

Essentially this lets you use your user account password to get to enable mode (see the caveat below). By using MY password twice I can get to enable mode:

[Image: ASA enable mode via AAA]

Caveat

The account you are using must have the correct privilege level.

[Image: ASA user priv level]

Top Tip:

With newer versions of ASA code you can use the following command:

aaa authorization exec LOCAL auto-enable

This logs you straight into privileged mode automatically.
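Since the answer came from comparing configs across firewalls, here is an added example (not part of the original article) that reads a running-config and reports which password the enable prompt expects, whether auto-enable is set, and which local users need their privilege level checked. It assumes the AAA line involved is `aaa authentication enable console LOCAL` and treats level 15 as the "correct" level; the function name and the sample config are constructed for illustration.

```python
import re

# Constructed running-config excerpt (sample data, not from the article's firewall).
SAMPLE_CONFIG = """\
enable password REDACTED encrypted
username alice password REDACTED encrypted privilege 15
username bob password REDACTED encrypted privilege 5
username carol password REDACTED encrypted
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"""

REQUIRED_LEVEL = 15  # assumption: the level treated here as "correct" for enable mode


def audit_enable(config, required=REQUIRED_LEVEL):
    """Report how 'enable' is authenticated and which local users are affected."""
    methods, auto_enable, users = [], False, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"aaa authentication enable console (.+)", line)
        if m:
            methods = m.group(1).split()  # e.g. ['LOCAL'], or a server group then LOCAL
        elif re.match(r"aaa authorization exec .*\bauto-enable\b", line):
            auto_enable = True
        else:
            # Skip 'username X attributes' sub-mode lines; only account definitions count.
            m = re.match(r"username (\S+) (?:password|nopassword)\b(.*)", line)
            if m:
                priv = re.search(r"\bprivilege (\d+)\b", m.group(2))
                users[m.group(1)] = int(priv.group(1)) if priv else None
    local = "LOCAL" in methods
    return {
        # With the AAA line present, 'enable' asks for the user's own password.
        "enable_prompt": "user account password" if methods else "enable password",
        "auto_enable": auto_enable,
        "ok": sorted(u for u, p in users.items()
                     if local and p is not None and p >= required),
        "check_privilege": sorted(u for u, p in users.items()
                                  if local and (p is None or p < required)),
    }


if __name__ == "__main__":
    for key, value in audit_enable(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

A user listed under `check_privilege` either has no explicit `privilege` keyword or a level below the one required, which is the caveat described above.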

Related Articles, References, Credits, or External Links

NA

 

Author: Migrated
