can't login to Cisco ASA via ssh

When trying to login via ssh, I get challenged for password, but it always says authentication failure.  If I change the aaa auth to a RADIUS server instead of local user, it allows login.  ASDM access via the same user authenticates correctly.  The IP is in the allow list.  There are no failed login messages in the logging (I have it set to debug).  What am I missing?

Here's a snip of the config:

ssh outside
ssh timeout 60
ssh version 2
management-access outside
aaa-server radius protocol radius
aaa-server radius (inside) host
 key *****
 radius-common-pw *****
aaa-server radius (outside) host
 key *****
 radius-common-pw *****
aaa authentication serial console LOCAL
aaa authentication ssh console radius LOCAL
http server enable
username tester password Rfw82ualmh0VG/Ml encrypted
username tester attributes
 service-type nas-prompt

There are no routing/networking issues, and the permitted IP is being seen, as I am being challenged for authentication.
pgolding00 Commented:
ASA authentication is designed to work the way you are seeing it. LOCAL is either the only method you use, or it's a backup for when all else fails. All-else-failing is considered to be when your radius, tacacs, kerberos, ldap or whatever server does not respond, not when it responds with "user not known" or "bad password".

You can change your config to "aaa authen ssh console LOCAL" to test that the locally configured user works for ssh. Then if you need/want to use local as a backup, return your config to "radius LOCAL" as you had initially. Then if you are locked out by the radius server config, access the radius server and stop the radius process, or create an access list entry between the firewall and radius server to block UDP ports 1645 and 1812, login, then restart radius or remove the filter.

Alternatively and if console access is no good, use telnet access as a backup and restrict telnet to access from a specific part of your network (single host or a management subnet perhaps), then use LOCAL only for "aaa authen telnet console".

Another alternative - add another radius server to the environment, but one that is normally not running. In it, configure just your backup user for the firewall. In the ASA config, create this as the first radius server and use a short timeout, for ssh only. Then, if you are locked out, start up your backup radius server and login. You would have to accept that under normal circumstances, ssh login would be a little slower as the firewall will have to time-out on the backup radius server, then go to the normal one.
Pete Long (Technical Consultant) Commented:
Have you generated an RSA key for the SSH?

PetesASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

Darkpaw (Author) Commented:
Yes, in fact I did it a second time, as well.

Worth mentioning here is that I can login via ssh as the default "pix" user, but not other "local" users.  That's how I am sure the new key pair worked... when I use Putty to connect, I got the prompt for the key changing, then am able to login as "pix", but not the local user.

Are you challenged for just the password or the username and password?

Have you made any settings under the line vty 1 4 for the ssh access?
Darkpaw (Author) Commented:
Challenged for username and password.  

The "line" config parameter doesn't exist in ASA 8.3.
For the line:
aaa authentication ssh console radius LOCAL

It will use RADIUS for authentication and fallback to local if there is no communication with the RADIUS servers. Check your RADIUS logs for user "tester".

Change the order so that it will allow the use of local first.
aaa authentication ssh console LOCAL radius
Darkpaw (Author) Commented:
You can't.  "LOCAL" has to be the last selection in the list.

I opened a TAC with Cisco on it, and they think that there are two possibilities:
1.  a bug in IOS
2.  intended design
The thought in #2 is that it will only fall back to local if it is unable to reach the RADIUS server, not if a user doesn't exist.  I suppose this makes sense, in a way.  However, I pointed out that I want a local user that has full admin rights in the event that a rogue sysadmin changes access rights on the RADIUS server, so that I can override any changes an unauthorized user might make, without having to get on the physical console of it.  It's just a safety precaution, when using authentication from a non-local source.
Looks like it's the intended design. Ah well, maybe they will change it to be like the switch/router IOS which does allow the server group and local order to be changed.
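As an added illustration (not from the thread, Cisco, or TAC), here is a small Python model of the fallback rule pgolding00 and the TAC answer describe (a reject from a reachable RADIUS server is final; only an unreachable server group falls through to LOCAL), plus a check that flags services where LOCAL sits behind a server group. The config lines and the RADIUS stubs are constructed; the decision logic is an assumption based on the behaviour described in this thread.

```python
import re

# Constructed ASA config fragment modelled on the thread's snippet (not a real device dump).
ASA_CONFIG = """\
aaa-server radius protocol radius
aaa authentication serial console LOCAL
aaa authentication ssh console radius LOCAL
aaa authentication http console LOCAL
"""

AAA_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


def parse_aaa_auth(config):
    """Return {service: [method, ...]} for each 'aaa authentication ... console' line."""
    chain = {}
    for line in config.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            chain[m.group(1)] = m.group(2).split()
    return chain


def authenticate(methods, user, password, servers, local_users):
    """Model the ASA decision described in the thread (assumption, not vendor code).

    servers: {group: callable(user, password) -> 'accept' | 'reject'}; a callable
    that raises TimeoutError stands for an unreachable server group.
    Returns (verdict, method_that_decided).
    """
    for method in methods:
        if method == "LOCAL":
            ok = local_users.get(user) == password
            return ("accept" if ok else "reject", "LOCAL")
        try:
            verdict = servers[method](user, password)
        except TimeoutError:
            continue  # no response from the group: fall through to the next method
        return (verdict, method)  # a reject from a reachable server is final
    return ("reject", None)


def audit(chain):
    """Flag services where LOCAL is only a backup: a local-only admin account
    will be refused for that service as long as the server group answers."""
    findings = []
    for service, methods in chain.items():
        if "LOCAL" in methods and methods.index("LOCAL") > 0:
            groups = methods[: methods.index("LOCAL")]
            findings.append(f"{service}: LOCAL is only a backup behind {groups}")
    return findings
```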
Isn't this a bit moot, if a "malicious" person manages to create an account on the RADIUS server that grants access to the ASA, and changes the config, what would stop them changing the config to lock you out, even on console...

Using RADIUS allows for simpler user management, but you have to have the same level of security on your RADIUS server that you have on everything that you want it to "protect".

If you're worried about your RADIUS server being compromised, then I'd suggest working on that, not working on a "backup" login for your firewall.
