[rancid] ASA-5585 Enable mode

Piegorsch, Weylin William weylin at bu.edu
Tue Jan 2 04:36:28 UTC 2018


Awesome.  Though, since it’s the default parameter, would it make sense to account for it in clogin?
weylin

From: Azher <azheramin at gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <weylin at bu.edu>
Subject: Re: [rancid] ASA-5585 Enable mode

Thanks, that fixed it.

no aaa authentication login-history
-Azher

On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <weylin at bu.edu> wrote:
This is a behavior change to the ASA made in version 9.8.  I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins.  At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site).

I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance.  I hadn’t noticed it in rancid, since I’m still in lab trials.

Luckily, it’s configurable, see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf

weylin

-----Original Message-----
From: heasley <heas at shrubbery.net>
Date: Sunday, December 31, 2017 at 16:19
To: Azher <azheramin at gmail.com>
Cc: <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA-5585 Enable mode

    Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
    > Hi All,
    >
    > Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
    >
    > Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
    > sending "admin" twice and later it sends "enable" at the prompt .... Any
    > suggestions ?
    >
    > add user sslvpnb admin
    > add password sslvpnb pass1 pass2
    > add autoenable sslvpnb 0
    > add method sslvpnb ssh
    >
    > [rancid at rancid ~]$ more var/asa/router.db
    > sslvpn1;cisco;up
    > sslvpn2;cisco;up
    > sslvpna;cisco;up
    > sslvpnb;cisco;up
    >
    > [rancid at rancid ~]$ clogin sslvpnb
    > sslvpnb
    > spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
    > admin at sslvpnb's password:
    > User admin logged in to sslvpnb
    > Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017
    > from 68.181.191.19
    > Failed logins since the last login: 0.  Last failed login: 06:47:32 PST Dec
    > 28 2017 from 68.181.191.19

    it's sending admin again because it sees "login:" before a prompt.  why
    is it displaying this?

    > Type help or '?' for a list of available commands.
    > sslvpnb> admin
    >          ^
    > ERROR: % Invalid input detected at '^' marker.
    >
    > Error: Unrecognized command, check your enable command
    > sslvpnb> admin
    >          ^
    > ERROR: % Invalid input detected at '^' marker.
    > sslvpnb> enable
    > Password:
    > Invalid password
    > Password:
    > Invalid password
    > Password:
    > Invalid password
    > Access denied.
    > sslvpnb>
    >
    >
    > Thanks
    > -Azher

    > _______________________________________________
    > Rancid-discuss mailing list
    > Rancid-discuss at shrubbery.net
    > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
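The failure heasley diagnoses above, as an added example that is not clogin's code (the regexes are illustrative, not clogin's own): a loose "login:" match fires on the 9.8 login-history banner and resends the username, while a match anchored to the end of the buffer waits for a real prompt. The second function checks a running-config for Azher's fix, assuming (as Weylin notes) that login history is on by default, so only the explicit "no" form appears in the configuration.

```python
import re

# Constructed sample of the ASA 9.8 login-history banner, modelled on the
# transcript in the thread; the IP address is a placeholder, not the original.
ASA98_OUTPUT = (
    "User admin logged in to sslvpnb\n"
    "Logins over the last 44 days: 29.  Last login: 18:09:41 PST Dec 28 2017\n"
    "from 192.0.2.10\n"
    "Failed logins since the last login: 0.  Last failed login: 06:47:32 PST Dec\n"
    "28 2017 from 192.0.2.10\n"
    "Type help or '?' for a list of available commands.\n"
    "sslvpnb> "
)
# Constructed sample of the older 8.4 behaviour: no history, straight to the prompt.
ASA84_OUTPUT = "Type help or '?' for a list of available commands.\nsslvpnb> "
# Constructed sample of a device that really is asking for a username.
USERNAME_PROMPT = "sslvpnb login: "

# Illustrative patterns, not clogin's own regexes.
# Loose: "login:" anywhere in the buffer, which is what the banner text trips.
LOOSE_LOGIN_RE = re.compile(r"login:", re.IGNORECASE)
# Strict: a username prompt is only credible when it ends the buffer, i.e. the
# device has stopped printing and is waiting for input.
STRICT_LOGIN_RE = re.compile(r"login:\s*$", re.IGNORECASE)
PROMPT_RE = re.compile(r"[\w.-]+[>#] ?$")


def next_action(buffer: str, login_re: re.Pattern) -> str:
    """Decide what an expect-style login script would send next.

    The username check runs before the prompt check, mirroring the order that
    produces the duplicate "admin" in the thread when login_re is too loose.
    """
    if login_re.search(buffer):
        return "send-username"
    if PROMPT_RE.search(buffer):
        return "at-prompt"
    return "wait"


def login_history_disabled(running_config: str) -> bool:
    """True if the config carries the fix from the thread. Assumes login
    history is enabled by default, so only the explicit 'no' form is
    written to the configuration."""
    return re.search(r"^\s*no aaa authentication login-history\s*$",
                     running_config, re.MULTILINE) is not None
```

Running `next_action(ASA98_OUTPUT, LOOSE_LOGIN_RE)` reproduces the "send-username" step that echoed `admin` at the `sslvpnb>` prompt, while the strict pattern reports "at-prompt".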



