Why do I start at privilege level 1 when logging into a Cisco ASA 5510?

I have created a test user that is set to privilege 15 in the config:

username test password **************** encrypted privilege 15

When I log in to the ASA 5510 I am in privilege 1 according to sh curpriv:

login as: test
[email protected]'s password:
Type help or '?' for a list of available commands.
asa> sh curpriv
Username : test
Current privilege level : 1
Current Mode/s : P_UNPR

Attempting enable fails even though I know I have the correct enable password:

asa> en
Password: *************************
Password: *************************
Password: *************************
Access denied.

Logging in from unprivileged puts me on privilege 15 and I can do as a please:

asa> login
Username : test
Pasword: *************************
asa> sh curpriv
Current privilege level : 15
Current Mode/s : P_PRIV
asa> 

The only thing I can track this to is a configuration change I made where I removed a VPN user we no longer needed.

Why do I start at privilege level 1 when logging into a Cisco ASA 5510?


As of 2011.11.28 the accepted answer, while correct in some cases, is not accurate in others.

The ASA uses a slightly different model than traditional IOS routers and this where some of the confusion sits. The second piece is whether or not aaa authentication enable console LOCAL is configured.

Scenario 1 - Enable Authentication Not Configured

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> enable
Password: enablepass1
ASA#

If enable authentication is not configured, a user with privilege 15 must still use the enable password to enter privileged exec mode if entering privileged exec mode through enable.

Scenario 2 - Enable Authentication Not Configured but using login

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> login
Username: user1
Password: pass1
ASA#

If enable authentication is not configured, a user with privilege 15 can use the login command to enter privileged exec mode without knowing or using the enable password.

Scenario 3 - Enable Authentication Configured

Relevant ASA config

enable password enablepass1
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
username user1 password pass1 privilege 15

Results

login as: user1
user1@ASA's password: pass1
ASA> enable
Password: enablepass1
Password: pass1
ASA#

If enable authentication is configured, a user with privilege 15 can use login or enable to gain access to privileged exec mode. If using enable, the password required will be the user password and not the enable password.


You can login directly in enable mode if your privilege level allows it.

I am running asa916-k8.bin on 5510

The command is aaa authorization exec LOCAL auto-enable

Ravi L


I was confused by this as well but it turns out you just have to enter the password twice.

user test pass rootbeer priv 15

The user test will login and then when prompted for the enable password the user will enter rootbeer