[rancid] ASA-5585 Enable mode
Azher
azheramin at gmail.com
Tue Jan 2 04:41:19 UTC 2018
I think so. Having this detected by clogin would definitely help many
others.
-Azher
On Mon, Jan 1, 2018 at 8:36 PM, Piegorsch, Weylin William <weylin at bu.edu>
wrote:
> Awesome. Though, since it’s the default parameter, would it make sense to
> account for it in clogin?
>
> weylin
>
>
>
> From: Azher <azheramin at gmail.com>
> Date: Monday, January 1, 2018 at 23:09
> To: Weylin Piegorsch <weylin at bu.edu>
> Subject: Re: [rancid] ASA-5585 Enable mode
>
>
>
> Thanks, that fixed it.
>
> no aaa authentication login-history
>
> -Azher
>
>
>
> On Mon, Jan 1, 2018 at 7:18 PM, Piegorsch, Weylin William <weylin at bu.edu>
> wrote:
>
> This is a behavior change to the ASA made in version 9.8. I believe it’s
> a response to a US DOD mandate, to aid in detecting unauthorized logins.
> At least, that was a requirement implemented sometime around 2005 (for
> systems that supported the capability), though I can’t find a .mil URL more
> recent than 2008 discussing the requirement (though I can find it
> referenced in some current commercial locations like Red Hat’s site).
>
> I noticed it recently in lab trials; I had assumed Cisco decided it made
> sense to make this the normal behavior for all deployments, given ASA
> stands for Adaptive Security Appliance. I hadn’t noticed it in rancid,
> since I’m still in lab trials.
>
> Luckily, it’s configurable, see “Enable and View the Login History” at
> this URL:
> https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.pdf
>
> weylin
>
>
> -----Original Message-----
> From: heasley <heas at shrubbery.net>
> Date: Sunday, December 31, 2017 at 16:19
> To: Azher <azheramin at gmail.com>
> Cc: <rancid-discuss at shrubbery.net>
> Subject: Re: [rancid] ASA-5585 Enable mode
>
> Thu, Dec 28, 2017 at 06:42:46PM -0800, Azher:
> > Hi All,
> >
> > Our current Cisco ASA devices "ASA5550", 8.4(7)30, work fine with RANCID.
> >
> > Same config does not work for ASA-5585, 9.8(1). I am not sure why it is
> > sending "admin" twice and later it sends "enable" at the prompt .... Any
> > suggestions?
> >
> > add user sslvpnb admin
> > add password sslvpnb pass1 pass2
> > add autoenable sslvpnb 0
> > add method sslvpnb ssh
> >
> > [rancid at rancid ~]$ more var/asa/router.db
> > sslvpn1;cisco;up
> > sslvpn2;cisco;up
> > sslvpna;cisco;up
> > sslvpnb;cisco;up
> >
> > [rancid at rancid ~]$ clogin sslvpnb
> > sslvpnb
> > spawn ssh -c aes128-ctr,aes128-cbc,3des-cbc -x -l admin sslvpnb
> > admin at sslvpnb's password:
> > User admin logged in to sslvpnb
> > Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 from 68.181.191.19
> > Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec 28 2017 from 68.181.191.19
>
> It's sending admin again because it sees "login:" before a prompt. Why is it displaying this?
>
> > Type help or '?' for a list of available commands.
> > sslvpnb> admin
> > ^
> > ERROR: % Invalid input detected at '^' marker.
> >
> > Error: Unrecognized command, check your enable command
> > sslvpnb> admin
> > ^
> > ERROR: % Invalid input detected at '^' marker.
> > sslvpnb> enable
> > Password:
> > Invalid password
> > Password:
> > Invalid password
> > Password:
> > Invalid password
> > Access denied.
> > sslvpnb>
> >
> >
> > Thanks
> > -Azher
>
> > _______________________________________________
> > Rancid-discuss mailing list
> > Rancid-discuss at shrubbery.net
> > http://www.shrubbery.net/mailman/listinfo/rancid-discuss
>
>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.shrubbery.net/pipermail/rancid-discuss/attachments/20180101/83f3b164/attachment.html>
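The failure described in this thread is a prompt-matching problem: the ASA 9.8 login-history banner contains the substring "login:" ("Last login: ..."), and an expect-style login script that waits for "login:" anywhere in the received data treats it as a username prompt and re-sends the username. The following Python model is an added example for this page; it is not clogin's code (clogin is an expect script and its real patterns are not reproduced here), and the device output, the hostname and the 192.0.2.x addresses are constructed to mirror the shape of the transcript quoted above.

```python
import re

# Constructed ASA 9.8 login output with "aaa authentication login-history"
# enabled, modelled on the transcript in this thread (addresses invented).
ASA_98_LOGIN_OUTPUT = """\
User admin logged in to sslvpnb
Logins over the last 44 days: 29. Last login: 18:09:41 PST Dec 28 2017 from 192.0.2.10
Failed logins since the last login: 0. Last failed login: 06:47:32 PST Dec 28 2017 from 192.0.2.10
Type help or '?' for a list of available commands.
sslvpnb> """

# Constructed output from a device that really is asking for a username.
USERNAME_PROMPT_OUTPUT = """\
User Access Verification

login: """

# Naive expect-style pattern: "login:" anywhere in the buffer.  This is the
# behaviour that trips over the login-history banner.
NAIVE_USERNAME_PROMPT = re.compile(r"(?i)(username|login):")

# Stricter pattern: the prompt must start its own line and be the last thing
# received (nothing but optional whitespace after it).  "Last login: ..." in
# the middle of a banner line no longer qualifies.
STRICT_USERNAME_PROMPT = re.compile(r"(?im)^\s*(username|login):\s*$")

# A user-mode or enable-mode device prompt at the end of the received data.
DEVICE_PROMPT = re.compile(r"(?m)^[\w.-]+[>#]\s*$")


def simulate_login(output, username_re):
    """Feed the device output line by line, the way it arrives over the
    wire, and record what an expect-style login script would do with it.

    Returns the list of actions taken, in order: "send username" each time
    the username pattern matches, "at prompt" once the device prompt is seen.
    """
    actions = []
    buffer = ""
    for line in output.splitlines(keepends=True):
        buffer += line
        if username_re.search(buffer):
            actions.append("send username")
            buffer = ""  # the script consumed the match and waits again
            continue
        if DEVICE_PROMPT.search(buffer):
            actions.append("at prompt")
            buffer = ""
    return actions


if __name__ == "__main__":
    for name, pattern in (("naive", NAIVE_USERNAME_PROMPT),
                          ("strict", STRICT_USERNAME_PROMPT)):
        print(name, "on ASA 9.8 banner:",
              simulate_login(ASA_98_LOGIN_OUTPUT, pattern))
        print(name, "on real username prompt:",
              simulate_login(USERNAME_PROMPT_OUTPUT, pattern))
```

With the naive pattern the banner produces two spurious "send username" actions before the prompt is reached, which is the "admin" sent twice in the transcript above; with the anchored pattern the same banner yields only "at prompt", while a genuine "login:" prompt is still recognised. One practitioner caveat on the workaround the thread settles on: `no aaa authentication login-history` fixes the collection script by removing a last-login and failed-login notification that exists precisely to help operators spot unauthorized access, so tightening the client-side prompt pattern is the preferable fix where it is available.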