
can't login to Cisco ASA via ssh

Last Modified: 2012-05-11
When trying to login via ssh, I get challenged for password, but it always says authentication failure.  If I change the aaa auth to a RADIUS server instead of local user, it allows login.  ASDM access via the same user authenticates correctly.  The IP is in the allow list.  There are no failed login messages in the logging (I have it set to debug).  What am I missing?

Here's a snip of the config:

ssh 172.16.xxx.xxx 255.255.255.255 outside
ssh timeout 60
ssh version 2
management-access outside
aaa-server radius protocol radius
aaa-server radius (inside) host 172.16.xxx.xxx
 key *****
 radius-common-pw *****
aaa-server radius (outside) host 172.16.xxx.xxx
 key *****
 radius-common-pw *****
aaa authentication serial console LOCAL
aaa authentication ssh console radius LOCAL
http server enable
username tester password Rfw82ualmh0VG/Ml encrypted
username tester attributes
 service-type nas-prompt

There are no routing/networking issues, and the permitted IP is being seen, as I am being challenged for authentication.

Pete Long, Technical Architect

Commented:
Have you generated an RSA key for the SSH?

PetesASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...
PetesASA(config)#

See http://www.petenetlive.com/KB/Article/0000173.htm

Author

Commented:
Yes, in fact I did it a second time, as well.

Worth mentioning here is that I can login via ssh as the default "pix" user, but not other "local" users.  That's how I am sure the new key pair worked: when I use Putty to connect, I got the prompt for the key changing, then am able to login as "pix", but not the local user.
Are you challenged for just the password or the username and password?

Have you made any settings under the line vty 1 4 for the ssh access?

Author

Commented:
Challenged for username and password.  

The "line" config parameter doesn't exist in ASA 8.3.

Commented:
For the line:
aaa authentication ssh console radius LOCAL

It will use RADIUS for authentication and fall back to local if there is no communication with the RADIUS servers. Check your RADIUS logs for user "tester".

Change the order so that it will allow the use of local first.
aaa authentication ssh console LOCAL radius

Author

Commented:
You can't.  "LOCAL" has to be the last selection in the list.

I opened a TAC with Cisco on it, and they think that there are two possibilities:
1.  a bug in IOS
2.  intended design
The thought in #2 is that it will only fall back to local if it is unable to reach the RADIUS server, not if a user doesn't exist.  I suppose this makes sense, in a way.  However, I pointed out that I want a local user that has full admin rights in the event that a rogue sysadmin changes access rights on the RADIUS server, so that I can override any changes an unauthorized user might make, without having to get on the physical console of it.  It's just a safety precaution, when using authentication from a non-local source.

Commented:
Looks like it's the intended design. Ah well, maybe they will change it to be like the switch/router IOS which does allow the server group and local order to be changed.
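
The fallback behaviour the TAC described above, and the contrast with the reorderable IOS method lists mentioned in the last comment, as an added Python model (not Cisco code and not posted in this thread): the method list is walked in order, a server group is skipped only when it is unreachable, an explicit reject is final, and LOCAL is required to be last. The usernames, passwords and RADIUS responses are constructed for illustration.

```python
from enum import Enum


class RadiusResult(Enum):
    ACCEPT = "accept"            # a server answered and accepted the credentials
    REJECT = "reject"            # a server answered: unknown user or bad password
    UNREACHABLE = "unreachable"  # no server in the group answered at all


def method_list_is_valid(methods):
    """Rule stated in the thread: LOCAL may only appear as the last method."""
    return "LOCAL" not in methods[:-1]


def authenticate(methods, username, password, radius, local_db):
    """Walk the method list in order; return (granted, method_that_decided).

    A server group is skipped only when it is UNREACHABLE. An explicit REJECT
    is final, so LOCAL is never consulted for a user the server does not know.
    """
    if not method_list_is_valid(methods):
        raise ValueError("LOCAL must be the last method in the list")
    for method in methods:
        if method == "LOCAL":
            return local_db.get(username) == password, "LOCAL"
        result = radius(username, password)
        if result is RadiusResult.UNREACHABLE:
            continue  # fall through to the next method
        return result is RadiusResult.ACCEPT, method
    return False, None


# Constructed data: 'tester' exists only locally (as in the question), 'alice' only on RADIUS.
LOCAL_DB = {"tester": "local-secret"}
RADIUS_USERS = {"alice": "radius-secret"}


def radius_online(username, password):  # simulated reachable RADIUS group
    if RADIUS_USERS.get(username) == password:
        return RadiusResult.ACCEPT
    return RadiusResult.REJECT


def radius_offline(username, password):  # simulated group with no responding server
    return RadiusResult.UNREACHABLE


METHODS = ["radius", "LOCAL"]  # order from 'aaa authentication ssh console radius LOCAL'
print(authenticate(METHODS, "tester", "local-secret", radius_online, LOCAL_DB))   # (False, 'radius')
print(authenticate(METHODS, "tester", "local-secret", radius_offline, LOCAL_DB))  # (True, 'LOCAL')
```

With the server reachable, the local-only user is rejected by RADIUS and LOCAL is never tried, which matches the symptom in the question; only when the group is unreachable does the same user get in through LOCAL.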

Commented:
Isn't this a bit moot? If a "malicious" person manages to create an account on the RADIUS server that grants access to the ASA and changes the config, what would stop them changing the config to lock you out, even on the console...

Using RADIUS allows for simpler user management, but you have to have the same level of security on your RADIUS server that you have on everything that you want it to "protect".

If you're worried about your RADIUS server being compromised, then I'd suggest working on that, not working on a "backup" login for your firewall.
