ACS 5.3 userbased/custom enable passwords

Hello,
I've installed Cisco ACS 5.3. I then created several internal users (defined password and enabled password), Identity Groups, Access Policies, Network Devices and AAA Clients (e.g. Cisco 1841) for Radius and configured my Router like this:
aaa authentication login VTY group radius local-case
aaa authentication enable default group radius enable
Now I'm able to log in successfully using my internal User. But if I try to use enable to enter the enable level, I receive the message "% Error in authentication." when I use the defined enable password.
In the ACS logging I can see that "$enab15$" is missing.
If I set up a user named "$enab15" I can log in to enable level, but what do I have to do to use the custom enable passwords?
Kind regards
Kai
=== Correct answer ===
Hello,
please see the attachment.
Steps 1.2 - 1.5 are required for both (Radius and Tacacs). Then you have to switch to 2.1-2.7 for Radius or 3.1 - 3.7 for Tacacs authentication.
The document shows you all steps you have to take. The box on the right side shows you in the headline "Required for". This should help you to find out why this is configured and where you will need it in future steps. "Provided by" should tell you where you have configured it.
But I'm sure, you will make it.
I've tested it with the following hardware:
Cisco Router:
600, 800, 1800, 1900, 2600, 2800, 2900, 3900, 4000, 7200, 7300 Series
Cisco Switches:
2900, 2950, 2960, 3550, 3560, 3750, 4500, 6500, Nexus 5500 Series
Cisco Unified Communication:
Call Manager Express, UC560
Hewlett-Packard Switches:
1700, 1800, 2500, 2600, 3500, 5400, 8100 (out of sale) Series
Yes, working in a datacenter is fine for testing

Hi Kai,
can you share the configurations for TACACS? 
Thanks

Similar Messages

  • Cisco Secure ACS with UCP assistance and enable password

    I am running Cisco Secure ACS version 4.2 running on a
    Standalone Windows 2003 Enterprise 2003 with the latest
    windows service pack and update. Secure ACS is running
    fine and I can authenticate with Cisco routers and
    switches. The Windows 2003 server is also running Microsoft
    IIS Server. In other words, the IIS server and Cisco
    Secure ACS is running on the same windows 2003 server.
    I am trying to get Cisco User-Changeable password to work
    with Cisco Secure ACS. I followed the release notes line
    by line and the workaround provided below:
    Also server require more privileges for the internal windows user that runs CSusercgi.exe.
    The name of the windows user that runs UCP is IUSR_<machine_name>.
    Workaround steps:
    1) Install UCP 4 on a machine that runs IIS server.
    2) Open IIS manager
    3) Locate Default Web Site
    4) Double click on the virtual name 'securecgi-bin'
    5) Right click on CSusercgi.exe and choose Properties
    6) Choose 'File Security' tab
    7) Choose 'Edit' in 'Authentication and access control' area
    8) Change username from IUSR_<machine_name> to 'Administrator' and enter his
    password (make sure that 'Integrated Windows authentication' is checked)
    I still can NOT get this to work. I got this error:
    It says:
    The page cannot be found
    The page you are looking for might have been removed,
    had its name changed, or is temporarily unavailable.
    HTTP Error 404 - File or directory not found.
    Internet Information Services (IIS)
    I modified everything in the Windows 2003 to be "ALLOWED" by
    EVERYONE. In other words, there is NO security on the windows 2003.
    It is still NOT working.
    The other question I have is that can Cisco UCP allow user
    to change his/her enable password?
    Can someone help? Thanks.

    Yes bastien,
    Thank you.
    But one more thing I want to know is that in its Redundant AAA server, when I try to open IIS 6.0 window 2003, it prompts for Username and Password.
    I've given it several times, also going through the Administrator account with administrative credentials, but it always failed.
    Any suggestions/solution/?
    This time many thanks in advance.
    Regards
    Mehdi Raza

  • TACACS enable password is not working after completing ACS & MS AD integration

    Enable password for (Router, Switches) is working fine if the identity source is "Internal Users". Unfortunately, after completing the integration between ACS and MS AD and changing the identity source to "AD1", I got the following result:
    1. Able to access network device (cisco switch) using MS AD username and password via SSH/Telnet.
    2. Enable password is not working (using the same user password configured in MS AD).
    3. When I revert back and change the ACS identity source from "AD1" to "Internal Users" enable password is working fine.
    Switch Tacacs Configuration
    aaa new-model
    aaa authentication login default none
    aaa authentication login ACS group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec ACS group tacacs+ local 
    aaa authorization commands 15 ACS group tacacs+ local 
    aaa accounting exec ACS start-stop group tacacs+
    aaa accounting commands 15 ACS start-stop group tacacs+
    aaa authorization console
    aaa session-id common
    tacacs-server host 10.X.Y.11
    tacacs-server timeout 20
    tacacs-server directed-request
    tacacs-server key gacakey
    line vty 0 4
     session-timeout 5 
     access-class 5 in
     exec-timeout 5 0
     login authentication ACS
     authorization commands 15 ACS
     authorization exec ACS
     accounting commands 15 ACS
     accounting exec ACS
     logging synchronous
    This is my first ACS - AD integration experience, hoping to fix this issue with your support, thanks in advance.
    Regards,

    Hi Edward,
    I created a new shell profile named "root", as the default one, "Permit Access", can't be accessed or modified. Below are the steps I've made.
    1. Create a new shell profile name "root" with max privilege of 15. And then used it in "Default Device Admin/Authorization/Rule-1" shell profile - see attached file for more details.
    2. Telnet the Switch and then Issue "debug aaa authentication" using both "Root Shell" and "Permit Access" applied in Rule-1 profile.
    Note:
    I also attached here the captured screen and debug result for the "shell profiles"

  • Radius authentication for the enable password

    Dear Sir
    I have an ACS and I have many switches in the network. I used to secure the telnet and
    enable access to these switches with the tacacs+ authentication protocol, so the username and
    password are taken from the ACS internal database. Also the enable password is taken from
    the ACS. Today we changed from tacacs+ to Radius because we use the 802.1x framework on
    the wired network. Dot1x authentication worked fine, and when you try to telnet to the
    switch the username and password are taken, but the enable password is not taken from the
    ACS. When I check the configuration on the ACS under the user page, I found a checkmark to
    use the enable password as the PAP password of the user, but this is only under tacacs+
    settings. How can I make this for Radius? This is my question. Please answer me asap. It is
    urgent.
    Thanks,

    Dear iqambhir
    Thank you very much for your help.
    I already did that but this makes the enable password shared with all users and we don't want that.
    I want the enable password to be taken as the PAP password of the user who tries to login but I didn't find that with radius. This option is there with tacacs+.
    I want to know why the router or the switch sends that user " $enab15$ ". Is this a bug on the system?
    Please, if there is any other way to authenticate the enable password with radius, submit it.
    Thanks a lot,

  • 3750X Prompts for Device/Enable Password Instead of Local Username/Password

    I've got two 3750X switches that were built from a fairly basic template from my existing 3750/3560 switches. However, these new switches ONLY prompt for the device/enable passwords instead of the configured local username/password when connecting by console/telnet/ssh. Here's the config that I think is relevant, sans password strings. Only real difference is that the new switches are running an IOS 15.2 build, the 3750 switches are running 12.4, and the 3560 is currently running 15.0 (pending an update).
    enable secret 5 string
    username Administrator privilege 15 secret 5 string
    line con 0
     password 7 string
     login local
    line vty 0 4
     password 7 string
     login local
     length 0
    line vty 5 15
     password 7 string
     login
     length 0
    Any way to correct this?
    Thanks!

    Usually you need "login local" under all the vty lines in order to authenticate locally unless you use an ACS server for authentication.
    HTH

  • Enabling Password controls in the Default Profile

    After sharing with customer metalink note 114930.1, customer has the following questions:
    1. Will Oracle suggest enabling password controls in the profile "Default" that is created during the installation without those controls enabled?
    2. Oracle accounts (SYS, SYSTEM etc.) are created with the default profile associated with them (at that time there are no manually created profiles). Does Oracle permit assigning other profiles (created after installation) to those most critical accounts
    Any help/direction is much appreciated

    Hi,
    1/ I don't know if Oracle would suggest that, but I would either enable password control if you have such a requirement, wherever you set it up, or don't touch anything if it's just to leave it disabled... I usually create specific profiles for the users and set up the limits according to the kind/type of users they are.
    2/ Don't you have a test instance?
    TEST> create profile p limit failed_login_attempts 5;
    Profil créé
    TEST> alter user sys profile p;
    Utilisateur modifié
    TEST> alter user system profile p;
    Utilisateur modifié
    TEST> select username, profile from dba_users where username in ('SYS','SYSTEM');
    USERNAME                       PROFILE
    SYS                            P
    SYSTEM                         P
    My 2cp,
    Yoann.

  • Why do my firewalls only use the domain username and password for login and enable passwords, not a different enable password like my switches do? The RADIUS config looks the same...

    Issue:
    Cisco firewalls require only one level of password i.e. the domain username and password are used for both logging in as well as reaching global configuration mode.
    Background:
    We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
    Switches:
    Username:domain-username
    Password:domain-password
    SWITCH>enable
    Password:enable-password-in-Active-Directory
    SWITCH#
    Firewalls (as they currently are):
    Username:domain-username
    Password:domain-password
    FIREWALL>enable
    Password:domain-password
    FIREWALL #
    With the firewalls however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable level password that the switches currently use instead of the domain password again. The current configuration looks like the following:
    Current switch configuration:
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication enable default group radius enable
    aaa authorization exec default group radius local
    aaa session-id common
    radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
    radius-server source-ports 1645-1646
    radius-server key 7 1234abcd
    Current firewall configuration:
    aaa-server DC01 protocol radius
    aaa-server DC01 (outside) host 192.168.0.1
    aaa authentication ssh console DC01 LOCAL
    aaa authentication enable console DC01 LOCAL
    key 1234abcd
    Any help would be great, thanks!

    Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
    But if you do that, then ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example
    Firewalls :
    Username:domain-username
    Password:domain-password
    FIREWALL>show curpriv
    Username : domain-username
    Current privilege level : 1
    Current Mode/s : P_UNPR
    FIREWALL>enable
    Password:enable-password-from-running-config
    FIREWALL #show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV
    If you're using Authorization and Accounting it's recommended to stick with your current behavior.

  • ACS 5.3 Showing Clear Text Password in Authorization reports

    Hello,
    When a tacacs user is changing the local password on the router (for local user), the acs 5.3 is showing the new password in clear text in authorization reports/logs.
    This behaviour is seen on acs 5.x, whereas acs 4.2 is showing encrypted password in the reports.
    I have checked debugs on Router and it is sending password in clear text in Tacacs Authorization packet but encrypted password in Tacacs Accounting logs.
    Debug tacacs accounting
    debug aaa accounting
    4w3d: TPLUS: Received accounting response with status PASS
    4w3d: TPLUS: Queuing AAA Accounting request 208 for processing
    4w3d: TPLUS: processing accounting request id 208
    4w3d: TPLUS: Sending AV task_id=459
    4w3d: TPLUS: Sending AV timezone=UTC
    4w3d: TPLUS: Sending AV service=shell
    4w3d: TPLUS: Sending AV priv-lvl=15
    4w3d: TPLUS: Sending AV cmd=username sansehga privilege 15 password *****
    4w3d: TPLUS: Accounting request created for 208(sanjay)
    debug tacacs authorization
    debug aaa authorization
    4w3d: AAA/MEMORY: create_user (0x851611DC) user='sanjay' ruser='R1' ds0=0
    port='tty7' rem_addr='10.76.212.159' authen_type=ASCII service=NONE priv=15
    initial_task_id='0', vrf= (id=0)
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Port='tty7' list='' service=CMD
    4w3d: AAA/AUTHOR/CMD: tty7(1390711548) user='sanjay'
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV service=shell
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd=username
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sansehga
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=privilege
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=15
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=sehgal
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=<cr>
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): found list "default"
    4w3d: tty7 AAA/AUTHOR/CMD(1390711548): Method=tacacs+ (tacacs+)
    4w3d: AAA/AUTHOR/TAC+: (1390711548): user=sanjay
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV service=shell
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd=username
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sansehga
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=privilege
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=15
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=sehgal
    4w3d: AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=<cr>
    4w3d: AAA/AUTHOR (1390711548): Post authorization status = PASS_ADD
    Please share if someone has found the fix to this problem.
    Regards,
    Akhtar

    Thanks Tarik,
    But it seems it did not help overall
    Akhtar: Cisco needs a long time to fix bugs unless it is a P1 or P2 bug. Otherwise they'll do it at their leisure.
    If you are not on the latest patch already then upgrade. If you are already on the latest patch then wait for the next one. If your bug is not mentioned as fixed in the resolved caveats, don't panic. I've seen many bugs fixed but not mentioned in the release notes. What you need to do is to contact TAC so they contact the BU on your behalf to confirm if the bug is resolved or not.
    Regards,
    Amjad
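
An added example, not part of the thread or of any Cisco tooling: a filter that masks the secret in `debug aaa authorization` output of the kind posted above, where the argument after `cmd-arg=password` is sent in clear text. The function name, the keyword set and the sample lines are assumptions made for the example; only the IOS debug line format shown in the post is handled.

```python
import re

# Matches the authorization AV lines shown in the post, e.g.
#   "... AAA/AUTHOR/CMD(1390711548): send AV cmd-arg=password"
#   "... AAA/AUTHOR/TAC+: (1390711548): send AV cmd-arg=password"
AV_RE = re.compile(
    r"(?P<fac>AAA/AUTHOR/[^\s(:]+):?\s*\((?P<sid>\d+)\):\s*"
    r"send AV (?P<key>cmd(?:-arg)?)=(?P<val>.*)$"
)

# Assumption: keywords after which the remaining arguments are secret material.
SECRET_KEYWORDS = {"password", "secret"}
MASK = "*****"  # same mask the accounting record in the post shows


def redact_author_debug(lines):
    """Mask every cmd-arg that follows a secret keyword, up to <cr>.

    Returns (redacted_lines, exposed_session_ids). State is kept per
    (facility, session id) because the same command is logged twice:
    once by AAA/AUTHOR/CMD and once by AAA/AUTHOR/TAC+.
    Masking runs to the end of the command, so it fails closed when the
    secret is preceded by an encryption-type digit or contains spaces.
    """
    masking = {}
    redacted = []
    exposed = set()
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = AV_RE.search(line)
        if m is None:
            redacted.append(line)  # not an AV line: pass through unchanged
            continue
        stream = (m.group("fac"), m.group("sid"))
        key = m.group("key")
        val = m.group("val").strip()
        if key == "cmd":
            # Start of a new command; "password <x>" as the command itself arms masking.
            masking[stream] = val.lower() in SECRET_KEYWORDS
            redacted.append(line)
        elif val == "<cr>":
            masking[stream] = False  # end of command
            redacted.append(line)
        elif masking.get(stream, False):
            redacted.append(line[: m.start("val")] + MASK)
            exposed.add(m.group("sid"))
        else:
            if val.lower() in SECRET_KEYWORDS:
                masking[stream] = True
            redacted.append(line)
    return redacted, sorted(exposed)


# Constructed sample in the format of the debug output above (all values made up).
SAMPLE = [
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV service=shell",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd=username",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=alice",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=privilege",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=15",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=password",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=Examp1ePw",
    "1d00h: tty2 AAA/AUTHOR/CMD(1000000001): send AV cmd-arg=<cr>",
    "1d00h: AAA/AUTHOR/TAC+: (1000000001): send AV cmd=username",
    "1d00h: AAA/AUTHOR/TAC+: (1000000001): send AV cmd-arg=alice",
    "1d00h: AAA/AUTHOR/TAC+: (1000000001): send AV cmd-arg=password",
    "1d00h: AAA/AUTHOR/TAC+: (1000000001): send AV cmd-arg=Examp1ePw",
    "1d00h: AAA/AUTHOR/TAC+: (1000000001): send AV cmd-arg=<cr>",
    "1d00h: AAA/AUTHOR (1000000001): Post authorization status = PASS_ADD",
]

if __name__ == "__main__":
    clean, sessions = redact_author_debug(SAMPLE)
    print("\n".join(clean))
    print("sessions that carried a cleartext secret:", sessions)
```

The returned session ids identify the commands whose secret reached the AAA server in clear text, so the affected local passwords can be rotated.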

  • Resetting PIX 515E 'enable' password and/or Factory Reset

    We have a PIX Firewall where the last user of the device had not changed the 'enable' password and username so we are locked out of the device. I did some research and found a password reset tool that was supposed to clear the 'enable' password on the device. I set up a TFTP with the 'np61.bin' file needed. I went into 'monitor>' mode, set the interface, address and server address and it pings with success. I pointed it at the file and sent the 'tftp' command. I saw it downloading and booting off the binary file and after letting it go for a little bit (I walked away for a little while and came back to my telnet prompt) I noticed it was stuck in a loop:
    No bootable image in flash. Please download an image from a network server in the monitor mode
    Failed to find an image to boot
    Rebooting......
    I downloaded a copy of the latest firmware, 'pix804-28.bin', and repeated the process used for the password reset file. After loading, I am greeted with my familiar prompt:
    XXXX-XXX-Xx-Xx0-XX>
    XXXX-XXX-Xx-Xx0-XX>enable
    Username: pix
    Password: pix
    Username: pix
    Password:
    Username: cisco
    Password: cisco
    Access denied.
    XXXX-XXX-Xx-Xx0-XX>
    I then did a hard reset, and was stuck back in the loop I was in before, asking me to reflash a boot image. I now need to somehow load the IOS back onto the router (as it seems to just be booting from the TFTP server), and then after that still remove the enable password or somehow default the entire firewall to Factory Defaults. If anyone knows how to solve my issue or has any ideas for me to try, your help would be greatly appreciated, thanks!

    Still having trouble with this, has no one encountered this problem before?

  • Accounts getting disabled after enabling password expiration on BOXI R2 SP2

    Hi All,
    We have a strange issue with our production environment. After enabling password expiration on the enterprise some accounts got disabled. On further investigation I found that these users were either trying to log on to Designer or 2 tier Deski.
    I made them log in through the Infoview to fix the issue. These users were Universe designers or report writers.
    Any Suggestions

    Hi Tim,
    These accounts are Enterprise accounts. According to the users they were not given a chance and they never got any prompt for the password change; it was disabled directly at the first login.
    These people were trying to log on using the Designer or 2 Tier DESKI login and they are the members of the Administrator Group also.
    Is it important to log on to infoview or 3 tier DESKI to change your password?
    I have no answer to give them why their accounts were disabled.
    Please suggest
    Thanks,
    Arun

  • Enable password recovery in cisco 2950 with AAA

    Hello friends,
    I need to recover the switch enable password. I have already configured AAA also. When I am trying to follow the procedure below, it finally says Authorization failed. How can I recover the enable password?
    Regards,
    Haris
    If I try to recover password like this description says
    http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrbl.html#wp1090048
    Step 1 Connect a terminal or PC with terminal-emulation software to the switch console port.
    Step 2 Set the line speed on the emulation software to 9600 baud.
    Step 3 Power off the switch. Reconnect the power cord to the switch and, within 15 seconds, press the Mode button while the System LED is still flashing green.
    Base ethernet MAC Address: 00:0x:xx:xx:xx:xx
    Xmodem file system is available.
    The password-recovery mechanism is enabled.
    The system has been interrupted prior to initializing the
    flash filesystem. The following commands will initialize
    the flash filesystem, and finish loading the operating
    system software:
    flash_init
    load_helper
    boot
    switch:
    Step 4 switch: flash_init
    Initializing Flash...
    flashfs[0]: 600 files, 19 directories
    flashfs[0]: 0 orphaned files, 0 orphaned directories
    flashfs[0]: Total bytes: 32514048
    flashfs[0]: Bytes used: 7713792
    flashfs[0]: Bytes available: 24800256
    flashfs[0]: flashfs fsck took 10 seconds.
    ...done Initializing Flash.
    Boot Sector Filesystem (bs) installed, fsid: 3
    Setting console baud rate to 9600...
    Step5 switch:load_helper
    Step6 switch: dir flash:
    Directory of flash:/
    2 -rwx 916 <date> vlan.dat
    5 drwx 192 <date> c2960-lanbase-mz.122-25.SEE1
    620 -rwx 5488 <date> config.text
    621 -rwx 5 <date> private-config.text
    24800256 bytes available (7713792 bytes used)
    Step7 switch: rename flash:config.text flash:config.text.old
    Step8 switch: boot
    Loading "flash:c2960-lanbase-mz.122-25.SEE1/c2960-lanbase-mz.122-25.SEE1.bin"...
    Initializing flashfs...
    flashfs[1]: 600 files, 19 directories
    flashfs[1]: 0 orphaned files, 0 orphaned directories
    flashfs[1]: Total bytes: 32514048
    flashfs[1]: Bytes used: 7713792
    flashfs[1]: Bytes available: 24800256
    flashfs[1]: flashfs fsck took 1 seconds.
    flashfs[1]: Initialization complete....done Initializing flashfs.
    64K bytes of flash-simulated non-volatile configuration memory.
    Base ethernet MAC Address : 00:0x:xx:xx:xx:xx
    Motherboard assembly number : xxxxxxxxxx
    Power supply part number : xxxxxxxxxxx
    Motherboard serial number : xxxxxxxxxxx
    Power supply serial number : xxxxxxxxxxx
    Model revision number : B0
    Motherboard revision number : B0
    Model number : WS-C2960G-24TC-L
    System serial number : xxxxxxxxxxxx
    Top Assembly Part Number : xxxxxxxxxxxx
    Top Assembly Revision Number : B0
    Version ID : V02
    CLEI Code Number : xxxxxxxxxxxxx
    Hardware Board Revision Number : 0x01
    Switch Ports Model SW Version SW Image
    * 1 24 WS-C2960G-24TC-L 12.2(25)SEE1 C2960-LANBASE-M
    Press RETURN to get started!
    Step9 Hit <Enter>
    Would you like to terminate autoinstall? [yes]: yes
    Step10
    --- System Configuration Dialog ---
    Would you like to enter the initial configuration dialog? [yes/no]no
    Switch>
    Step11 Switch> enable
    Step12 Switch# rename flash:config.text.old flash:config.text
    Destination filename [config.text]? <Enter>
    Step13 Switch# copy flash:config.text system:running-config
    Destination filename [running-config]?<Enter>
    5488 bytes copied in 0.940 secs (5838 bytes/sec)
    Step14 NewSwitchName#conf t
    % Authorization failed.
    Doesn't this procedure work any more?

    The password recovery worked, but you copied your problematic config back to the switch. Skip Step 13 and paste only the working part of the config to the switch.
    You can see your renamed config with "more flash:config.text.old".

  • How to enable password request for restart and shutdown?

    Hi,
    I'm neither a Linux nor an Arch Linux newbie, but inexperienced regarding this particular issue.
    I want to enable password request for restart and shutdown and want to know if I'm mistaken, because trial and error might become too time-consuming while working on a project.
    I read https://wiki.archlinux.org/index.php/Al … o_shutdown.
    $ ls -hAl /usr/bin/shutdown
    lrwxrwxrwx 1 root root 9 Apr 22 03:02 /usr/bin/shutdown -> systemctl
    If I try to run $ shutdown -hP 28 or $ shutdown -c nothing happens, I need to run $ sudo shutdown -hP 28 and $ sudo shutdown -c and type a password. That's the way I want it.
    If I e.g. run $ shutdown -r now no password is needed. I want to disable this. It should behave the same way as shutdown -hP/-c behave. I want to type
    $ sudo shutdown -r now or $ sudo systemctl reboot etc. and then the password should be required.
    $ sudo grep -vn "#" /etc/sudoers | grep [[:blank:]]
    72:root ALL=(ALL) ALL
    73:rocketmouse ALL=(ALL) ALL
    The user "rocketmouse" should have all permissions after typing a password, but not without typing the password.
    IIUC what's written at https://wiki.archlinux.org/index.php/Polkit, I need to edit
    $ pkaction | grep login
    org.freedesktop.accounts.set-login-option
    org.freedesktop.login1.attach-device
    org.freedesktop.login1.flush-devices
    org.freedesktop.login1.hibernate
    org.freedesktop.login1.hibernate-ignore-inhibit
    org.freedesktop.login1.hibernate-multiple-sessions
    org.freedesktop.login1.inhibit-block-idle
    org.freedesktop.login1.inhibit-block-shutdown
    org.freedesktop.login1.inhibit-block-sleep
    org.freedesktop.login1.inhibit-delay-shutdown
    org.freedesktop.login1.inhibit-delay-sleep
    org.freedesktop.login1.inhibit-handle-hibernate-key
    org.freedesktop.login1.inhibit-handle-lid-switch
    org.freedesktop.login1.inhibit-handle-power-key
    org.freedesktop.login1.inhibit-handle-suspend-key
    org.freedesktop.login1.power-off
    org.freedesktop.login1.power-off-ignore-inhibit
    org.freedesktop.login1.power-off-multiple-sessions
    org.freedesktop.login1.reboot
    org.freedesktop.login1.reboot-ignore-inhibit
    org.freedesktop.login1.reboot-multiple-sessions
    org.freedesktop.login1.set-user-linger
    org.freedesktop.login1.suspend
    org.freedesktop.login1.suspend-ignore-inhibit
    org.freedesktop.login1.suspend-multiple-sessions
    org.freedesktop.machine1.login
    IOW I need to replace every yes and no etc. with auth_admin in $ grep -v lang /usr/share/polkit-1/actions/org.freedesktop.login1.policy.
    Am I mistaken?
    Regards,
    Ralf

    You'll need to create a rules file which uses javascript.
    https://wiki.archlinux.org/index.php/Po … tion_rules
    // /etc/polkit-1/rules.d/10-admin-shutdown-reboot.rules
    polkit.addRule(function(action, subject) {
        // Require authentication for the listed login1 actions
        if (action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-ignore-inhibit" ||
            /*...SOME_MORE_IDS_HERE...*/
            action.id == "org.freedesktop.login1.reboot") {
            // return polkit.Result.AUTH_ADMIN_KEEP;
            return polkit.Result.AUTH_SELF_KEEP;
        }
    });
    Last edited by progandy (2015-06-21 17:42:35)

  • How to Enable password saving in SAP Logon for Windows

    How to enable password saving in SAP Logon for Windows?

    Even though password saving in SAP Logon for Windows is disabled by default, it can be enabled by following the steps listed below:
        Open the command prompt by navigating to Start → Run and by typing “cmd”.
        Go to the \SAP\FrontEnd\SAPgui directory (in Program Files), through the command prompt.
        Create the necessary value in Windows registry by typing: sapshcut -register. An information message will appear.
        Open the registry editor, in order to access Windows registry, by navigating to Start → Run and by typing “regedit”.
        Go to the HKEY_CURRENT_USER\Software\SAP\SAPShortcut\Security registry key.
        Change the value data of “EnablePassword“ from 0 to 1.
        Close SAP Logon and open it again, in case it was open during the whole process.

  • Cisco router 3800 hub .. enable password not configure

    Dear All,
    Please help me, what do I do?
    When I configured the enable password with the command Router(config)#enable password xyz
    then the password is not set; the same is in secret password.
    Please tell me the problem and what the solution for it is.

    Hi,
    Not sure if I understand your question.  If you assigned a password using "enable password xyz",
    you can see the password if you issue "sh run". You can then change the password to whatever you want.
    Maybe you can clarify what you are trying to do.
    HTH

  • Cisco ASA Enable Password

    Hey,
    I am trying to change the enable password on cisco ASA 5510.  I run enable password <password>.  I log off, and log back in with my username/password and type en, it asks for a password and enter the password that I just set but it does not work.
    What am I missing?
    Thanks

    Are you using the local user database or a TACACS or RADIUS server to authenticate?
    If using a TACACS or RADIUS server enter your user password when you type enable.  If that doesn't work disconnect the TACACS or RADIUS server and try to enter the enable password you created.
    If using the local user database, are you sure that you are entering the password correctly?  Perhaps you typed it incorrectly when creating it and accidentally put a space at the beginning or end?
    If none of the above work then you will need to perform a password recovery:
        1.  Reboot your ASA
        2.  Press the Esc key to enter ROMMON mode when prompted
        3.  Change the configuration register value to 0x41 by using the command confreg 0x41
        4.  To tell the ASA to ignore the startup configuration issue the command confreg
             Current Configuration Register: 0x00000041
             Configuration Summary:
               boot default image from Flash
               ignore system configuration
             Do you wish to change this configuration? y/n [n]: y
        5.  At the prompt enter Y
        6.  Accept all default values when prompted
        7.  Reload the ASA by entering the command boot
        8.  When prompted enter enable and leave the password blank
        9.  Issue the command copy start run
       10.  Enter configuration mode configure terminal
       11.  Enter the command no config-register (the value is returned to its default value of 0x1)
       12.  Save your configuration copy run start
    Please remember to rate and select a correct answer
