Cisco ASA: Why do I sometimes need a username/password when entering enable mode

ciscocisco-asa

I'm automating some interaction with Cisco ASA devices. I need to do the following:

login over ssh
send 'enable', provide enable password
send 'configure terminal'
send some other commands, never going to deeper level of config.
send exit (gets me back to enable mode prompt)
disable (should get me back to the basic prompt)

Then a bit later, another scripted bit tries to send 'enable' again. This time, the device asks for a username and password. Not just the enable password. This happens consistently on some devices I have tried and never on others. I'm guessing it is something to do with 'disable'. I don't have to use that command, I just need to drop from enable mode back to a regular prompt so that future bits can always expect to start from the base '>' prompt.

Apologies in advance if this is too basic of a question. Any ideas?

Best Answer

Ahh, the answer appears to be this configuration setting:

   aaa authentication enable console LOCAL

With that, disable then enable will require a password.

Related Solutions

Cisco ASA: provide admin access without providing the enable password

You could use the local user database on the ASA applicance to create usernames and passwords with the privilege levels you want the users to have upon login.

Here is how to create local users:

hostname>enable
hostname#configure terminal
hostname(config)#username [UserName] privilege 15 password [PasswordHere]    //privilege level 15 is root (admin) access.

//The below commands make sure the username/password login method will apply to both console and vty lines. If you have an AUX port make sure to include it aswell.
hostname(config)#line con 0
hostname(config-line)#login local
hostname(config-line)#exit
hostname(config)#line vty 0 15
hostname(config-line)#login local
hostname(config-line)#exit
hostname(config)#exit

The above is just a sample configuration. If you are not to expirienced with the command line make sure to check the documentation if you are unsure about what a command does.

Cisco ASA 5505 – need more site-to-site VPNs

If you can imagine a situation where you might need over 25 tunnels, go for the 5510; no sense in throwing the extra money at a 5505 security plus license if it won't sustain your needs in the long run.

That said, if 15-20 is all you'll ever need, then it's a lot more cost effective to get the license upgrade.

Cisco's limits on the devices are pretty arbitrary; they have very little to do with performance constraints on the ASA, and everything to do with having a lot of false barriers in place to force you to go with a more expensive device. I wouldn't expect any performance issues with the 5505, until you're saturating those 100mb interfaces.

Best Answer

Related Solutions

Cisco ASA: provide admin access without providing the enable password

Cisco ASA 5505 – need more site-to-site VPNs

Related Topic