ASA 5505 Username and Password
Hi All,
I am trying to configure an ASA 5505 with a username and password. I set all the passwords:
password xxxxxxx
enable password xxxxxxx
username xxxxxx password xxxxxxx
When I reload the device it prompts me for the username, then the password and it fails and just asks for the username again. I have even tried to delete the username/password combo but it still prompts me for it. When I do password recovery the confreg is 0x00000001. I am no ASA expert and this is getting a bit frustrating.
When I first configured the device and reloaded it, everything worked fine.....once. Upon the second reload it just keeps prompting me.
Thanks for any help.
Bill
Hello Carter,
Hmm, it sounds like a config-register problem.
So when you are in rommon you have to set the confreg to 0x41 so you can ignore the startup-config.
Then when you get into the ASA please do the following:
enable password cisco
username password cisco
config-register 0x01
wr
and then finally reload,
Regards,
Julio
Similar Messages
-
Issue:
Cisco firewalls require only one level of password i.e. the domain username and password are used for both logging in as well as reaching global configuration mode.
Background:
We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
Switches:
Username:domain-username
Password:domain-password
SWITCH>enable
Password:enable-password-in-Active-Directory
SWITCH#
Firewalls (as they currently are):
Username:domain-username
Password:domain-password
FIREWALL>enable
Password:domain-password
FIREWALL #
With the firewalls however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable level password that the switches currently use instead of the domain password again. The current configuration looks like the following:
Current switch configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd
Current firewall configuration:
aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL
key 1234abcd
Any help would be great, thanks!

Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
But if you do that, then ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example:
Firewalls :
Username:domain-username
Password:domain-password
FIREWALL>show curpriv
Username : domain-username
Current privilege level : 1
Current Mode/s : P_UNPR
FIREWALL>enable
Password:enable-password-from-running-config
FIREWALL #show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
If you're using Authorization and Accounting it's recommended to stick with your current behavior. -
SSH local database username and password not working
I have a weird issue. I recently set up an ASA 5510 and had SSH working. To make it easier on my VPN users I then decided I wanted to set up a Windows 2008 Network Policy Server for RADIUS authentication. Ever since I added the RADIUS part to aaa authentication, when I use SSH to connect to the ASA it will not take the local user name and password I have set up. I can however get in using a Domain user name and password. Below is the SSH and AAA configuration. Am I missing something here? The username and password in the ASA is not on the domain and it's like the ASA is not even trying LOCAL when it tries to authenticate. I want it to use the local username and password if possible. I'm kind of new to ASAs.
On another note, I have never been able to SSH in on the internal interface. I always get a "The remote system refused the connection" error message. I can only use the outside interface.
Site-ASA# sh run | in ssh
aaa authentication ssh console SERVER_RADIUS LOCAL
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
ssh version 2
Site-ASA# sh run | in aaa
aaa-server SERVER_RADIUS protocol radius
aaa-server SERVER_RADIUS (inside) host 10.0.0.6
aaa authentication ssh console SERVER_RADIUS LOCAL
aaa authentication http console SERVER_RADIUS LOCAL
Site-ASA#
If there are any other config that would help I would be more than happy to display them
Thanks!

Thanks for the reply. I was just coming in to update this because you are exactly correct. For some reason I kept thinking that if the authentication failed via RADIUS it would use local which is not the case.
Problem (or no problem) resolved. -
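
The fallback behaviour the poster describes in the thread above (a RADIUS reject is final, and LOCAL is consulted only when the server group does not answer), together with the enable_15 behaviour described in the earlier AAA thread, as an added Python example that is not from any of the posters or from Cisco. The telnet line in the sample config and all function names are constructed for illustration.

```python
import re

# Constructed running-config excerpt: the ssh/http lines are the ones quoted
# in the thread above; the telnet line is added here to show a missing fallback.
SAMPLE_CONFIG = """\
aaa-server SERVER_RADIUS protocol radius
aaa-server SERVER_RADIUS (inside) host 10.0.0.6
aaa authentication ssh console SERVER_RADIUS LOCAL
aaa authentication http console SERVER_RADIUS LOCAL
aaa authentication telnet console SERVER_RADIUS
"""

AAA_LINE = re.compile(
    r"^aaa authentication (?P<access>\S+) console (?P<group>\S+)(?P<local> LOCAL)?\s*$"
)


def parse_method_lists(config):
    """Return {access_type: (server_group, has_local_fallback)}."""
    lists = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            lists[m["access"]] = (m["group"], m["local"] is not None)
    return lists


def deciding_store(method_list, server_state):
    """Name the credential store that gives the final answer for one login.

    server_state is what the AAA server group did with the request:
    "accept", "reject", or "unreachable" (no server answered).
    Returns None when nothing can authenticate the user.
    """
    group, has_local = method_list
    if group == "LOCAL":
        return "LOCAL"
    if server_state in ("accept", "reject"):
        # A reject is a final answer: LOCAL is not tried afterwards.
        return group
    if server_state == "unreachable":
        return "LOCAL" if has_local else None
    raise ValueError("unknown server_state: %r" % server_state)


def local_login_works(method_list, server_state):
    """Can an account that exists only in the local database log in?"""
    return deciding_store(method_list, server_state) == "LOCAL"


def audit(config):
    """Return {access_type: [notes]} describing what each method list implies."""
    lists = parse_method_lists(config)
    findings = {}
    for access, (group, has_local) in lists.items():
        notes = []
        if group != "LOCAL" and has_local:
            notes.append("local-only users work only while %s is unreachable" % group)
        if group != "LOCAL" and not has_local:
            notes.append("no LOCAL fallback: lockout if %s is unreachable" % group)
        findings[access] = notes
    if "enable" not in lists:
        # Behaviour as described in the earlier thread on this page.
        findings["enable"] = ["no 'aaa authentication enable console': enable "
                              "uses the enable password, user becomes enable_15"]
    return findings


if __name__ == "__main__":
    for access, notes in audit(SAMPLE_CONFIG).items():
        for note in notes:
            print("%-7s %s" % (access, note))
```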
Change the Event username and password
I am trying to change the event subscription username and password for the Cisco IPS module for the ASAs. I have them tied into the IME, but when I went through the setup I must have goofed and checked the box that said use same username and password for event subscription as configuration values.
While I see this marked as answered, the answer is vague. It lacks real information about the account that was reset. I do notice that if this event is filtered that the SID is incremented by one for each event.
Example:
S-1-5-21-282.....-....-....-5169
S-1-5-21-282.....-....-....-5170
S-1-5-21-282.....-....-....-5171
and so on and so forth. As it is incremental, there may be an account, local to the machine, for a service that is turned off and the computer may attempt to reset the account when the service cannot be connected. Possibly a disabled service, a bad entry in the registry.... just my thoughts. If we observe the SID, it is a different account that is reset with each iteration of that event.
R, J -
I have a request from a customer to run a script to create multiple usernames and passwords on an ACS 5.3 Appliance. Does anyone have any suggestion on how to go about this?
Have you tried using the import option on the ACS? You can put all your accounts in a csv file and upload it into the ASA.
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/user/guide/users_id_stores.html#wp1132152
If that doesn't work you can use the REST Web Services in ACS also:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.3/sdk/rest.html
Thanks,
Tarik Admani
*Please rate helpful posts* -
Reporting Services username and password prompting
We have several branch office locations and one reporting services server. All of the branch office locations can access the reporting services server, but we have one location where, for the past week, each time they make a connection to this server, it prompts them for a username and password and will not allow them to connect even if the username and password are correct.
I have tried adding the server to the IE intranet/trusted site list. Set IE security on all zones to automatically logon with current username and password.
What is strange is that this is the only branch office site that is having this issue. It is almost like kerberos is broken for this site location only.
Does anyone have any suggestions what could be causing this problem for all computers in this one location? Nothing has changed on their local servers nor have we pushed any updates to the machines.

Hi bubba1984,
As per my understanding, I think this issue is caused by Kerberos authentication. Kerberos is an authentication protocol that allows clients that create authentication tokens to associate a specific destination to that token. In the failure case, there is a mismatch between the destination specified in the token and the report server process configuration. Due to this mismatch, the underlying Kerberos authentication scheme supported by Windows prevents report server from authenticating the user.
To fix this issue, please try to remove RSWindowsNegotiate and ensure RSWindowsNTLM is specified in the rsreportserver.config file. For more details, please take the following article as reference:
http://blogs.msdn.com/b/lukaszp/archive/2008/03/26/solving-the-reporting-services-login-issue-in-the-february-ctp-of-sql-server-2008.aspx
Hope this helps.
Thanks,
Katherine Xiong
TechNet Community Support -
Single sign-on and different usernames and passwords
Hello,
I am building a Portal with WLPS 3.5 and WLS 6.0. I tried to get
information about the background of single sign-on.
I understand, that I need a Realm (i.e. LDAP Realm) to authenticate the
user for the first login to the portal (with username and password).
Now I would like to integrate my webmail program (to get emails from
Lotus Notes via Internet) as a portlet.
For my understanding the user has to authorize to get access to webmail.
Therefore I create a ACL for webmail and this ACL is assigned to my
security Realm.
I would like the portlet to show after login the number of mails for the
specific user. But where are the username and password for webmail stored
and how are they received and forwarded?
I understand that my ACL included all users that have access to webmail
(i.e. all users). But I only want emails for the specific user.
Does WLS get all usernames and passwords during the first login? Do I have to
implement an algorithm to get the specific username and password for the
requested resource in my portlet?
Has anyone solved a similar problem or can tell me where I can get more
information. I read the WebLogic Security document but I can't find an
answer to my questions.
Thanks
Lydia

Lydia,
I'm not an expert in this area, but I can give you a start.
As for single sign-on, there are different levels. For single sign-on across web-apps,
the servlet spec requires this (section 12.6 of the 2.3 spec) and therefore Weblogic
does this.
What you are talking about is single sign-on across back-end applications through
a web-app. BEA has partnered with Securant (just acquired by RSA) to provide this
kind of functionality. Browse to http://www.rsasecurity.com/products/ and look
at the ClearTrust product. BEA has also partnered with Netegrity (www.netegrity.com)
with their SiteMinder product. Neither is included in the Weblogic license. I'm
sure either vendor would be excited to explain how their product will solve your
problem if you give them a call.
As for where the username and passwords are stored, that is up to the realm. If
you are using the default WLPS RDBMSRealm, the username and encrypted password
are stored in the WLCS_USER table. If you are using LDAPRealm, they are stored
in your LDAP server.
Hope this was useful!
PJL
[email protected] wrote:
Hello,
I am using PersonalizationServer 3.5 and WLS 6.0 SP 2.
Now I try to understand the functionality of Single sign-on when a user
has different usernames and passwords for different applications.
Can someone explain where the usernames and passwords for a user are
stored (all in the LDAP-realm or a RDBMS-realm?) When a user access the
application how username and passwords are mapped? Or usernames and
passwords for all applications are the same and will be equalized?
Precisely I would like to get access to a mail-account for a specific
user
(webmail from Lotus Notes).
Thanks for any help
Lydia -
How do i send the username and password to yahoo web page through url
how do i send the username and password to yahoo web page through url i.e as Query string so that my account in yahoo will open...
If you don't mind using a library, then download and use the Apache HttpClient library. It takes care of all these details for you.
-
Please excuse the lousy table...Its late :-)
I have a multi-server SP2010 farm. Patched up to
Configuration database version: 14.0.6106.5002
My goal is to have a claims based web application that authenticates to ADAM for Extranet. I have configured the servers exactly to MSDN and technet specs (following this spec to the letter: http://technet.microsoft.com/en-us/library/ee806882.aspx) to allow the forms side of the web app to authenticate to ADAM.
IT WORKS IN DEV!!! , which is a single server farm. However, it does not work in production. I get the following:
Claims Auth log entries:
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | f2ut | Verbose | Authenticated with login provider. Validating request security token.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Using membership provider 'ADAMProvider'.
1:06:25 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Doing password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Verbose | Failed password check on '[email protected]'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | 0 | Unexpected | Password check on '[email protected]' generated exception: 'System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).'.
1:06:46 AM | w3wp.exe (0x0EDC) | 0x1790 | SharePoint Foundation | Claims Authentication | fo1t | Monitorable | SPSecurityTokenService.Issue() failed: System.ServiceModel.FaultException`1[Microsoft.IdentityModel.Tokens.FailedAuthenticationException]: The security token username and password could not be validated. (Fault Detail is equal to Microsoft.IdentityModel.Tokens.FailedAuthenticationException: The security token username and password could not be validated.).
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | fsq7 | High | Request for security token failed with exception: System.ServiceModel.FaultException: The security token username and password could not be validated.
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.ReadResponse(Message response)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst, RequestSecurityTokenResponse& rstr)
    at Microsoft.IdentityModel.Protocols.WSTrust.WSTrustChannel.Issue(RequestSecurityToken rst)
    at Microsoft.SharePoint.SPSecurityContext.SecurityTokenForContext(Uri context, Boolean bearerToken, SecurityToken onBehalfOf, SecurityToken actAs, SecurityToken delegateTo)
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | 8306 | Critical | An exception occurred when trying to issue security token: The security token username and password could not be validated..
1:06:46 AM | w3wp.exe (0x1B34) | 0x08A0 | SharePoint Foundation | Claims Authentication | f2un | Verbose | Form authentication failed.
I have tried EVERYTHING (well, not everything, I don’t have the fix I suppose).
I found plenty out there and nothing directly correlates with this issue.
I searched on all parts of the errors I got.
This contains an interesting blurb about setting up access for the apppool id correctly.
That’s not the case for me. It works in dev and the same id are used there.
http://sharepoint-2010-world.blogspot.com/2011/03/adam-forms-based-authentication-in.html
This was good but it doesn’t give specs on what the environment looks like:
http://social.msdn.microsoft.com/Forums/en/sharepoint2010general/thread/557143a6-4b36-4939-bb7f-d62a9335fd18
This was interesting…but I am patched up beyond the June 2011 CU so it’s a moot point:
http://social.technet.microsoft.com/Forums/en-US/sharepoint2010setup/thread/9b8368ef-c5e5-4ead-b348-7b2b5587cfc8
Any and all help would be greatly appreciated!

Hi.
You say it's a multiserver farm, do you have more than one web server then?
If that's the case, have you tried accessing the site on each server directly?
Found this for you, maybe that can help?
Troubleshooting Exceptions: System.ServiceModel.FaultException`1
http://msdn.microsoft.com/en-us/library/bb907220.aspx
and this:
SharePoint 2010 Claims Authentication - The security token username and password could not be validated reoccurring every morning
http://social.technet.microsoft.com/Forums/pl-PL/sharepoint2010setup/thread/383f1f9b-5c4a-4e19-b770-2a54b7ab1ca1
and
This seems to be a good guide:
http://donalconlon.wordpress.com/2010/02/23/configuring-forms-base-authentication-for-sharepoint-2010-using-iis7/
Good luck
Thomas Balkeståhl - Technical Specialist - SharePoint - http://blksthl.wordpress.com -
I do not know my apple administrator username and password. How do I find out what it is? I am trying to download IBM Notes and Domino onto my MacBook Pro and I cannot download the software without verifying my apple administrator username and password.
iOS is only for mobile devices, so:
Resetting or changing a password:
For Snow Leopard or earlier: http://support.apple.com/kb/HT1274
For Lion or later: http://support.apple.com/kb/HT6022
For Mavericks users:
http://www.macworld.co.uk/how-to/mac-software/how-change-admin-password-mac-3535328/
This is also useful:
http://www.macworld.co.uk/ipad-iphone/news/?newsid=3463233&olo=email
If it's running Mac OS X 10.6.8 or earlier, insert a Mac OS X install DVD, restart with the Option key held down, click on it, and use the Reset Password utility.
If it's running Mac OS X 10.7 or newer, restart with the Command and R keys held down, open the Terminal, and use the resetpassword command:
https://discussions.apple.com/docs/DOC-4101 -
I have an iPhone 5 and I can login with my apple id to purchase music. However, when I try to login into icloud using the very same username and password that I use in the apple store it does not work to enter icloud, so what gives???
I could do that, however when I select the icloud button (or whatever the heck it is) I am asked to enter the apple id and password. So if you are supposed to create another one for icloud you'd think it would give you the option at this point which would be logical.
-
I have to log onto my company's wifi by first going through a log on page that requires a username and password. Before I updated to iOS 6 it worked fine; now it just goes to the login page and when I hit enter it doesn't do anything, just stays stuck on that page. However, the phone will log onto a regular wifi router that doesn't require any kind of username or password. Any ideas on how to fix it? I have tried everything including resetting all network settings.
1. Settings>General>Reset>Reset Network Settings
or
2. Use "Forget This Network" -
Server 2003 VPN clients can't verify username and password
Hi,
Hoping someone can help or point me in the right direction. I have a Windows Server 2003 R2 standard SP2 running RRAS. It has Dual NIC's and is configured for PPTP VPN. I am using a BT Business Hub 5 for internet access and using the BT Static IP service.
The BT Hub assigns the static IP address chosen to the Server using DHCP. The firewall is configured to port forward PPTP traffic to the 2003 server. This all works correctly.
The 2003 server is on a domain where the DC is a 2008 R2 server. The DC also acts as the DNS and DHCP for the network.
The default gateway for the domain is pointed towards our WinGate proxy server which also acts as a DNS server.
The 2003 server LAN NIC is configured manually, usually I would not configure a default gateway on the LAN NIC as the WAN NIC needs the default gateway for the BT Hub.
The problem I am having is if a default gateway is configured on the LAN NIC, I can connect to the VPN and it will logon to the network. Once connected everything works ok. If the connection drops, when trying to reconnect the client can no longer verify the user name and password against the domain and the connection is refused.
If I do not have a default gateway configured in the LAN NIC the VPN clients can not verify the username and password for the domain at all and I get RPC failure errors in the event viewer with the source dnsapi.
Once this error occurs the only way I can get the clients to reconnect is to disable the WAN NIC, restart the RRAS service and enable the WAN NIC again.
Any insight will be much appreciated.

Hello,
for Networking configuration questions better ask in
http://social.technet.microsoft.com/Forums/windowsserver/en-US/home#forum=winserverNIS&filter=alltypes&sort=lastpostdesc&content=Search
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog: http://blogs.msmvps.com/MWeber
Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
-
How to connect an apple tv to an enterprise network with a username and a password?
I need to use it over my university's wifi. There's no option to enter username and password. How to connect the apple tv to such enterprise network?

Contact the University's IT dept, they may be able to set something up on the network to allow the ATV to connect without the need for a user name/password.
-
See detail in original question. Here is the text from the dialog box which comes up, with fields for Username and Password: "The proxy fastun.com:7000 is requesting a user name and password. The site says: "fasTun"." This means I'm unable to use MFF. I've uninstalled MFF and re-installed MFF and the same occurs. The problem arose after I'd been surfing the Net and got to a German site. From that point onwards my internet became very slow. When I ran "speedtest.net" my computer was going through Frankfurt, Germany, instead of Canberra, Australia! Can you please help?
== This happened ==
Every time Firefox opened
== Following my doing a System Restore to a point prior to the computer slowing down. From that point on I've been unable to use MFF to connect to any websites. The problem does not appear using Windows Internet Explorer 8, nor is there an issue with speed of downloads. ==
== User Agent ==
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media Center PC 4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)

Check the proxy settings under Tools -> Options -> Advanced - Network tab, Settings button.
You probably want No Proxy, if it is set to anything else.
See https://support.mozilla.com/en-US/kb/Options+window+-+Advanced+panel#Connection_Settings_Dialog
http://fastun.com (a registration required web accelerator / anonymizer) indicates it has some sort of Firefox add-on. Do you see a relevant one in Tools -> Add-ons -> Extensions? Try disabling it.
If you are not sure which one it is, try [[Safe Mode]] to disable all of them.