[rancid] ASA-5585 Enable mode
Piegorsch, Weylin William
weylin at bu.edu
Tue Jan 2 04:36:28 UTC 2018
Awesome. Though, since it’s the default parameter, would it make sense to account for it in clogin?
weylin
From: Azher <azheramin at gmail.com>
Date: Monday, January 1, 2018 at 23:09
To: Weylin Piegorsch <weylin at bu.edu>
Subject: Re: [rancid] ASA-5585 Enable mode
Thanks, that fixed it.
no aaa authentication login-history
-Azher
On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <weylin at bu.edu> wrote:
This is a behavior change to the ASA made in version 9.8. I believe it’s a response to a US DOD mandate, to aid in detecting unauthorized logins. At least, that was a requirement implemented sometime around 2005 (for systems that supported the capability), though I can’t find a .mil URL more recent than 2008 discussing the requirement (though I can find it referenced in some current commercial locations like Red Hat’s site).
I noticed it recently in lab trials; I had assumed Cisco decided it made sense to make this the normal behavior for all deployments, given ASA stands for Adaptive Security Appliance. I hadn’t noticed it in rancid, since I’m still in lab trials.
Luckily, it’s configurable; see “Enable and View the Login History” at this URL:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf
weylin
-----Original Message-----
From: heasley <heas at shrubbery.net>
Date: Sunday, December 31, 2017 at 16:19
To: Azher <azheramin at gmail.com>
Cc: <rancid-discuss at shrubbery.net>
Subject: Re: [rancid] ASA-5585 Enable mode
Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> Hi All,
>
> Our current Cisco ASA devices "ASA5550" , 8.4(7)30, work fine with RANCID.
>
> Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> sending "admin" twice and later it sends "enable" at the prompt .... Any
> suggestions ?
>
> add user sslvpnb admin
> add password sslvpnb pass1 pass2
> add autoenable sslvpnb 0
> add method sslvpnb ssh
>
> [rancid at rancid ~]$ more var/asa/router.db
> sslvpn1;cisco;up
> sslvpn2;cisco;up
> sslvpna;cisco;up
> sslvpnb;cisco;up
>
> [rancid at rancid ~]$ clogin sslvpnb
> sslvpnb
> spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> admin at sslvpnb's password:
> User admin logged in to sslvpnb
> Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017
> from 68.181.191.19
> Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec
> 28 2017 from 68.181.191.19
It's sending admin again because it sees "login:" before a prompt. Why
is it displaying this?
> Type help or '?' for a list of available commands.
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
>
> Error: Unrecognized command, check your enable command
> sslvpnb> admin
> ^
> ERROR: % Invalid input detected at '^' marker.
> sslvpnb> enable
> Password:
> Invalid password
> Password:
> Invalid password
> Password:
> Invalid password
> Access denied.
> sslvpnb>
>
>
> Thanks
> -Azher
> _______________________________________________
> Rancid-discuss mailing list
> Rancid-discuss at shrubbery.net
> http://www.shrubbery.net/mailman/listinfo/rancid-discuss
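The failure heasley points at (clogin seeing "login:" before it sees a prompt) is easy to reproduce outside of expect. The following Python is an added illustration, not rancid code and not the clogin logic itself: it walks a constructed transcript modelled on the session above (client address replaced with a placeholder) with a loose username-prompt match, which fires on the two login-history lines exactly as the real session did, and then with a stricter match that only accepts "login:" when it is the last thing on a line, so the 9.8 banner is ignored and a genuine login prompt still works. The banner constants, function names and the "send-username"/"got-prompt" event labels are all assumptions made for this example.

```python
import re

# Constructed transcript of a login to an ASA running 9.8 with
# "aaa authentication login-history" enabled (the default in 9.8).
# Modelled on the clogin session in the thread; address is a placeholder.
BANNER_98 = """\
admin@sslvpnb's password:
User admin logged in to sslvpnb
Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 from 192.0.2.10
Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec 28 2017 from 192.0.2.10
Type help or '?' for a list of available commands.
sslvpnb> """

# Constructed transcript of a pre-9.8 ASA (or 9.8 after
# "no aaa authentication login-history"): no history banner at all.
BANNER_84 = """\
admin@sslvpnb's password:
Type help or '?' for a list of available commands.
sslvpnb> """


def naive_events(transcript):
    """Mimic a loosely written expect loop: any line containing 'login:'
    is taken as the device asking for a username again, and a line
    ending in '>' is taken as the user-mode prompt.  Returns the list
    of actions the loop would take, in order."""
    events = []
    for line in transcript.splitlines():
        s = line.rstrip()
        if "login:" in s:
            events.append("send-username")
        elif s.endswith(">"):
            events.append("got-prompt")
    return events


def hardened_events(transcript):
    """Same loop, but only treat 'login:' as a username prompt when it
    ends the line.  A real prompt stops there and waits for input; the
    login-history lines continue with a timestamp and a 'from' address,
    so they never match.  Lines that are clearly the history report are
    skipped outright as well, so they cannot be mistaken for anything."""
    history = re.compile(r"^(Logins over the last|Failed logins since the last login)")
    events = []
    for line in transcript.splitlines():
        s = line.rstrip()
        if history.match(s):
            continue
        if re.search(r"(?i)login:\s*$", s):
            events.append("send-username")
        elif s.endswith(">"):
            events.append("got-prompt")
    return events


if __name__ == "__main__":
    # Reproduces the thread: username sent twice before the prompt is seen.
    print("naive, 9.8 banner:   ", naive_events(BANNER_98))
    print("hardened, 9.8 banner:", hardened_events(BANNER_98))
    print("naive, no banner:    ", naive_events(BANNER_84))
```

Running it shows the loose matcher emitting "send-username" twice on the 9.8 transcript before it ever reaches "got-prompt", which is the double "admin" in the session above, while the stricter matcher goes straight to the prompt on both transcripts. The operational fix in the thread (disabling the history banner on the ASA) remains the simpler one; the point of the example is only that the banner text, not a credential problem, is what the login script is reacting to.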