ASA Enable_15 user account

Looking to do some cleanup on our ASAs, viewing ASDM shows an account called enable_15 that has full privileges, but VPN group policy and VPN Group Lock are both NA (as opposed to inherit group policy for the others.)

What is this account for? Is it a real account? Can it be deleted?

'Sh run | include usernames' shows the expected users (enable_15 is not listed.)

'Sh ver' shows that the last change made to the config was made by enable_15.

From what I am reading, this has something to do with AAA and commands being sent from the context of that account, instead of the actual user account... can someone explain this to me a little better?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Vask3n

Hey man, I think this is like the built-in "default" account for when you are not explicitly logged in with a named user account but are in privileged exec mode.

Like if you were to type

R1>enable
R1>****
R1#

At that point you are "logged in" with the enable_15 account. I might be wrong but that is my understanding of it, it's mentioned here:

Cisco Security Appliance Command Line Configuration Guide, Version 8.0 - Managing System Access [Cisco ASA 5500-X Series Next-Generation Firewalls] - Cisco

"Username. If you are logged in as the default user, the name is enable_1 (user EXEC) or enable_15 (privileged EXEC)."

theodoxa

Somehow, the ASA has a blank enable secret (just hit enter) by default. I wonder if the "enable_15" account may have something to do with this. As much as I've tried, I cannot get a router/switch to take a blank enable secret - I wouldn't have one on lab devices except that IOS won't let you reach privileged mode via the VTY lines if you don't have an enable password/secret.

colemic

@Vask3n I saw that page, but it didn't really explain what I am asking (most likely my ignorance.) As for your example, it doesn't have a blank password (won't let me log in with it blank.)

I am clueless as to how this phantom account was able to issue a write mem command. (according to sh ver)

@theodoxa it appears that in our case the pw was changed at some point...

Vask3n

colemic wrote: »

@Vask3n I saw that page, but it didn't really explain what I am asking (most likely my ignorance.) As for your example, it doesn't have a blank password (won't let me log in with it blank.)

I think my example was probably confusing to begin with, sorry about that. What I was trying to get at is that this enable_15 is a built-in, non-removable system account that exists as a placeholder for Privilege Level 15 access. This is the account that kicks in when you escalate to Privileged mode from the user exec mode.

Another way to look at this is:

When you type enable at the command line, it's actually getting translated to enable 15 behind the scenes. So when you type that in, you are indirectly logging in to the enable_15 account

colemic

Got it, that makes sense... kind of surprised it's visible in the ASDM, I would think bad things would (or would not, LOL) happen if it were deleted. thanks!