Cisco ASA – Cannot Get To Enable Mode?

KB ID 0001105 

Problem

After setting up some firewalls last week I quickly jumped on them whilst VPN’d into my work network to make sure I’d be able to log into and administer them remotely via SSH, and ASDM (in case anyone else wanted to use it). SSH gave me the new certificate prompt and logged me in, ASDM logged in. I left site a happy chap.

I went to log in today via SSH and I could log on fine, but I could not get to enable mode?

Well that was odd? Perhaps I’d had ‘fat fingers’ when typing the enable password? I logged into the ASDM and reset it. Still the problem persisted.

Solution

After scratching my head and getting a coffee I grabbed my boss and said, “Watch while I reset the password, and the password does not work?” “Type YOUR password in again,” he said, and annoyingly, the prompt went straight to enable. “That’s not normal behavior,” I said.

Luckily I have many firewalls to jump on, and comparing the configs pointed me to the answer. I didn’t set up the AAA on this firewall; someone else did. Take a look at the line indicated:

Essentially this lets you use your user account password to get to enable mode (see the caveat below). By using MY password twice I can get to enable mode:

Caveat

The account you are using must have the correct privilege level.

Top Tip:

With newer versions of ASA code you can use the following command to log straight into privileged mode automatically:

aaa authorization exec LOCAL auto-enable
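A configuration check for the behaviour described above, as an added example that is not part of the original article: it reads a saved ASA configuration and reports whether enable mode takes the user's own password, whether auto-enable is set, and which local accounts sit below privilege level 15. It assumes the line the article points to is `aaa authentication enable console LOCAL`; the sample configuration and the function name `audit_enable_access` are constructed for illustration.

```python
import re

# Constructed sample running-config fragment (not taken from the article).
SAMPLE_CONFIG = """\
enable password ***** pbkdf2
username admin password ***** pbkdf2 privilege 15
username admin attributes
username helpdesk password ***** pbkdf2
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"""

DEFAULT_PRIVILEGE = 2  # ASA default when "privilege" is omitted from a username line


def audit_enable_access(config: str) -> dict:
    """Report how enable mode is reached and which local users hold level 15."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Assumed command: with this line, "enable" asks for the user's own password.
    enable_local = any(
        re.match(r"aaa authentication enable console\b.*\bLOCAL\b", ln) for ln in lines)
    auto_enable = any(
        re.match(r"aaa authorization exec\b.*\bauto-enable\b", ln) for ln in lines)
    users = {}
    for ln in lines:
        # Match only account definitions, not "username X attributes" sub-mode lines.
        m = re.match(r"username (\S+) (?:password|nopassword)\b", ln)
        if m:
            priv = re.search(r"\bprivilege (\d+)\b", ln)
            users[m.group(1)] = int(priv.group(1)) if priv else DEFAULT_PRIVILEGE
    return {
        "enable_secret": "user password" if enable_local else "shared enable password",
        "auto_enable": auto_enable,
        "users": users,
        "below_level_15": sorted(u for u, p in users.items() if p < 15),
    }


if __name__ == "__main__":
    for key, value in audit_enable_access(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against configs from several firewalls, the `enable_secret` field shows at a glance which ones expect the shared enable password and which expect the logged-in user's password.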
