
I have created a test user that is set to privilege 15 in the config:

username test password **************** encrypted privilege 15

When I log in to the ASA 5510 I am in privilege 1 according to sh curpriv:

login as: test
test@192.168.1.253's password:
Type help or '?' for a list of available commands.
asa> sh curpriv
Username : test
Current privilege level : 1
Current Mode/s : P_UNPR

Attempting enable fails even though I know I have the correct enable password:

asa> en
Password: *************************
Password: *************************
Password: *************************
Access denied.

Logging in from unprivileged puts me on privilege 15 and I can do as I please:

asa> login
Username : test
Password: *************************
asa> sh curpriv
Current privilege level : 15
Current Mode/s : P_PRIV
asa> 

The only thing I can track this to is a configuration change I made where I removed a VPN user we no longer needed.

Why do I start at privilege level 1 when logging into a Cisco ASA 5510?

user9517
Alain O'Dea

3 Answers


As of 2011.11.28 the accepted answer, while correct in some cases, is not accurate in others.

The ASA uses a slightly different model than traditional IOS routers, and this is where some of the confusion sits. The second piece is whether or not aaa authentication enable console LOCAL is configured.

Scenario 1 - Enable Authentication Not Configured

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> enable
Password: enablepass1
ASA#

If enable authentication is not configured, a user with privilege 15 must still use the enable password to enter privileged exec mode if entering privileged exec mode through enable.

Scenario 2 - Enable Authentication Not Configured but using login

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> login
Username: user1
Password: pass1
ASA#

If enable authentication is not configured, a user with privilege 15 can use the login command to enter privileged exec mode without knowing or using the enable password.

Scenario 3 - Enable Authentication Configured

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> enable
Password: enablepass1
Password: pass1
ASA#

If enable authentication is configured, a user with privilege 15 can use login or enable to gain access to privileged exec mode. If using enable, the password required will be the user password and not the enable password.

Weaver
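Putting the scenarios above together, this is the configuration a practitioner would normally want on an ASA, as an added example that is not from the original answers: Scenario 3 (enable authentication against the local database) plus the optional auto-enable authorization from the later answer. The hostname, user name and the bracketed secrets are placeholders. The security-relevant point is that, without aaa authentication enable console LOCAL, the enable password is not an independent gate for a privilege-15 local user: the login command already reaches privileged EXEC with nothing more than the user's own password.

```text
! Added example (not from the original answers); names and secrets are placeholders
enable password <enable-secret>
aaa authentication ssh console LOCAL
! Authenticate 'enable' against the local user database, so a privilege-15
! user is prompted for their own password rather than the shared enable password
aaa authentication enable console LOCAL
! Optional, ASA 9.1(5) and later: drop privilege-15 local users straight into
! privileged EXEC after SSH login, so neither 'enable' nor 'login' is needed
aaa authorization exec LOCAL auto-enable
username admin1 password <user-secret> privilege 15
!
! Verify from an SSH session:
!   ASA# show curpriv
!   ASA# show running-config aaa
!   ASA# show running-config username
```

Two caveats before applying this: aaa authorization exec LOCAL also turns on management authorization, so any local user that should keep management access needs the appropriate service-type in its username attributes; and on a release older than 9.1(5) the auto-enable keyword is not accepted, so leave that line out and rely on enable or login as described in the scenarios.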

You can login directly in enable mode if your privilege level allows it.

I am running asa916-k8.bin on 5510

The command is aaa authorization exec LOCAL auto-enable

Ravi L
  • This was added in ASA Version 9.1(5) which was released in March 2014. It certainly works now, but wouldn't have then. Thank you for sharing this. – Alain O'Dea Jun 19 '15 at 20:08

I was confused by this as well but it turns out you just have to enter the password twice.

user test pass rootbeer priv 15

The user test will log in and then, when prompted for the enable password, will enter rootbeer.

evolvd
  • Thank you very much :) That is exactly what I was missing. – Alain O'Dea Nov 15 '11 at 12:42
  • @evolvd The "enter the password twice" is contingent on differing scenarios. I have attempted to explain the scenarios with examples in an answer. – Weaver Nov 28 '11 at 06:34