enable password [password]
Sets the password required to enter privileged EXEC mode from user EXEC mode.
Overview
The 'enable password' command on Cisco ASA firewalls is used to set a password that controls access to privileged EXEC mode (also known as enable mode). Privileged EXEC mode provides access to configuration commands and advanced troubleshooting tools. Without a password, any user who gains access to user EXEC mode can simply type 'enable' and enter privileged mode without authentication. This command is one of the most basic security measures on any Cisco device. However, it stores the password in plain text in the running configuration, making it visible to anyone who can view the configuration. For this reason, Cisco recommends using 'enable secret' instead, which encrypts the password using MD5 hashing. On ASA firewalls, both commands can be configured, but if both are present, the 'enable secret' takes precedence. The 'enable password' command is often used in lab environments or as a fallback when AAA servers are unavailable. It is important to note that the password is case-sensitive and can include alphanumeric characters and special symbols. When troubleshooting access issues, verifying the enable password configuration is a quick step to ensure that basic authentication is in place. In a typical workflow, after initial configuration, an administrator sets the enable password to secure the device. If AAA authentication is configured for enable access, the local enable password may still be used as a backup method. Understanding the difference between 'enable password' and 'enable secret' is crucial for security compliance and exam success.
enable password [password]
When to Use This Command
- Securing initial access to privileged mode on an ASA firewall.
- Setting a simple password for lab or testing environments.
- Configuring a backup password when using AAA authentication.
- Enforcing basic access control for junior administrators.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| password | password | The plain-text password string. It can contain letters, numbers, and special characters. The maximum length is typically 16 characters on ASA, but may vary by version. The password is case-sensitive. |
Command Examples
Setting enable password
enable password Cisco123
Sets the enable password to 'Cisco123'. No output is displayed; the command is applied silently.
Verifying enable password configuration
show running-config | include enable password
enable password Cisco123
Displays the current enable password in the running configuration.
Understanding the Output
The 'enable password' command does not produce output when executed. To verify the configuration, use 'show running-config' and look for the line 'enable password <password>'. The password is displayed in plain text, which is a security risk. For production, use 'enable secret' which encrypts the password. A missing 'enable password' line means no password is set, allowing anyone to enter privileged mode without authentication. A healthy configuration includes either an 'enable password' or 'enable secret' command.
Configuration Scenarios
Basic Enable Password Setup
A small office ASA firewall with no AAA server. The administrator wants to set a simple password for enable access.
Topology
N/A
Steps
- 1. Enter global configuration mode: configure terminal
- 2. Set the enable password: enable password MyPass123
- 3. Exit configuration mode: exit
- 4. Verify: show running-config | include enable password
! Configuration
enable password MyPass123
Verify: Use 'show running-config' to confirm the line 'enable password MyPass123' appears.
Watch out: If you also configure 'enable secret', the secret overrides the password. Ensure you use the correct command for your security needs.
Troubleshooting with This Command
When troubleshooting enable access issues on an ASA, first verify if an enable password or secret is configured. Use 'show running-config | include enable' to see both. If neither is present, anyone can enter privileged mode by typing 'enable' at the user EXEC prompt. If you have forgotten the enable password, you may need to perform a password recovery procedure, which typically involves rebooting the ASA and interrupting the boot process to access ROMMON mode. In ROMMON, you can bypass the startup configuration and set a new password. For AAA-authenticated enable access, check the AAA server configuration and ensure the server is reachable. If the AAA server is down, the local enable password (if configured) serves as a fallback. If you are unable to enter privileged mode, check for any access restrictions such as 'aaa authentication enable console' that might be blocking local authentication. Also, ensure that the password you are typing matches exactly, including case sensitivity. If the password contains special characters, be careful with keyboard layout or escape sequences. In summary, the 'enable password' command is straightforward but its absence or misconfiguration can lock you out of the device.
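The verification step described under Understanding the Output and Troubleshooting, as an added example that is not part of the original page: a Python check over a saved running-config that reports a missing enable line, a plain-text enable password, and a password overridden by a secret. The function name, finding codes and sample config are constructed; treating a trailing 'encrypted' or 'pbkdf2' keyword as marking a stored hash is an assumption not covered by this page.

```python
import re

# "enable password <value> [keywords]" or "enable secret <value> [keywords]"
ENABLE_RE = re.compile(r"^\s*enable\s+(password|secret)\s+(\S.*)$", re.I)
# Assumption (not from this page): a trailing keyword marks a stored hash.
HASH_KEYWORDS = {"encrypted", "pbkdf2"}

# Constructed sample of a saved running-config (not from a real device).
SAMPLE_CONFIG = """\
hostname lab-asa
! enable password commented-out
enable password Cisco123
enable secret Example456
"""


def audit_enable(config_text):
    """Return (finding, line_number) tuples; password values are never echoed."""
    seen = {}
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = ENABLE_RE.match(line)
        if m:
            tokens = m.group(2).split()
            hashed = len(tokens) > 1 and tokens[-1].lower() in HASH_KEYWORDS
            seen[m.group(1).lower()] = (lineno, hashed)  # last line wins

    if not seen:
        # Neither command present: 'enable' asks for no password.
        return [("NO_ENABLE_AUTH", None)]
    findings = []
    if "password" in seen:
        lineno, hashed = seen["password"]
        if not hashed:
            findings.append(("PLAINTEXT_ENABLE_PASSWORD", lineno))
        if "secret" in seen:
            # Per this page, the secret takes precedence over the password.
            findings.append(("PASSWORD_OVERRIDDEN_BY_SECRET", lineno))
    return findings


if __name__ == "__main__":
    for code, lineno in audit_enable(SAMPLE_CONFIG):
        print(f"{code} (line {lineno})")
```

Run it against configuration backups rather than live sessions; lines beginning with '!' or 'no' are ignored, so commented-out and negated commands do not count as configured.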
CCNA Exam Tips
Remember that 'enable password' stores the password in plain text; 'enable secret' uses MD5 hashing and is preferred.
On ASA, 'enable password' and 'enable secret' can coexist; the secret takes precedence.
In CCNP Security exams, know that 'enable password' is less secure and should be avoided in production.
Common Mistakes
Using 'enable password' instead of 'enable secret' – exposes password in config.
Forgetting to set any enable password – leaves privileged mode unprotected.
Setting a weak password that can be easily guessed or brute-forced.
Platform Notes
On Cisco ASA, the 'enable password' command behaves similarly to Cisco IOS, but there are some differences. ASA uses a different configuration hierarchy; the command is entered in global configuration mode. Unlike IOS, ASA does not support the 'service password-encryption' command to encrypt the enable password in the config; instead, you must use 'enable secret' for encryption. ASA also supports 'username' commands with passwords that can be used for enable access if AAA is configured. In ASA version 9.x and later, the maximum password length for 'enable password' is 16 characters, while 'enable secret' supports longer passwords. On other platforms like Cisco IOS, the 'enable password' command is deprecated in favor of 'enable secret'. For ASA, it is still available but not recommended for production. When migrating from IOS to ASA, note that the 'enable secret' command uses MD5 hashing on ASA, similar to IOS. There is no direct equivalent on other firewall platforms like Palo Alto or Fortinet, which use different authentication mechanisms.