Can't log in to Cisco ASA via SSH

Posted on 2011-04-25
Last Modified: 2012-05-11
When trying to log in via SSH, I get challenged for a password, but it always says authentication failure.  If I change the aaa auth to a RADIUS server instead of a local user, it allows login.  ASDM access via the same user authenticates correctly.  The IP is in the allow list.  There are no failed login messages in the logging (I have it set to debug).  What am I missing?

Here's a snip of the config:

ssh outside
ssh timeout 60
ssh version 2
management-access outside
aaa-server radius protocol radius
aaa-server radius (inside) host
 key *****
 radius-common-pw *****
aaa-server radius (outside) host
 key *****
 radius-common-pw *****
aaa authentication serial console LOCAL
aaa authentication ssh console radius LOCAL
http server enable
username tester password Rfw82ualmh0VG/Ml encrypted
username tester attributes
 service-type nas-prompt

There are no routing/networking issues, and the permitted IP is being seen, as I am being challenged for authentication.
Question by: Darkpaw

    Expert Comment

    by:Pete Long
    Have you generated an RSA key for SSH?

    PetesASA(config)# crypto key generate rsa
    INFO: The name for the keys will be: <Default-RSA-Key>
    Keypair generation process begin. Please wait...


    Author Comment

    Yes, in fact I did it a second time, as well.

    Worth mentioning here is that I can log in via SSH as the default "pix" user, but not as other "local" users.  That's how I am sure the new key pair worked: when I use PuTTY to connect, I get the prompt about the key changing, then I am able to log in as "pix", but not as the local user.

    Expert Comment

    Are you challenged for just the password, or for the username and password?

    Have you made any settings under the line vty 1 4 for the ssh access?

    Author Comment

    Challenged for username and password.

    The "line" config parameter doesn't exist in ASA 8.3.
    LVL 15

    Expert Comment

    For the line:
    aaa authentication ssh console radius LOCAL

    It will use RADIUS for authentication and fall back to local if there is no communication with the RADIUS servers. Check your RADIUS logs for user "tester".

    Change the order so that it will allow the use of local first.
    aaa authentication ssh console LOCAL radius

    Author Comment

    You can't.  "LOCAL" has to be the last selection in the list.

    I opened a TAC case with Cisco on it, and they think that there are two possibilities:
    1.  a bug in IOS
    2.  intended design
    The thought in #2 is that it will only fall back to local if it is unable to reach the RADIUS server, not if a user doesn't exist.  I suppose this makes sense, in a way.  However, I pointed out that I want a local user that has full admin rights in the event that a rogue sysadmin changes access rights on the RADIUS server, so that I can override any changes an unauthorized user might make without having to get on the physical console of it.  It's just a safety precaution when using authentication from a non-local source.

    Expert Comment

    Looks like it's the intended design. Ah well, maybe they will change it to be like the switch/router IOS, which does allow the server group and local order to be changed.

    Accepted Solution

    ASA authentication is designed to work the way you are seeing it. LOCAL is either the only method you use, or it's a backup for when all else fails. All-else-failing is considered to be when your RADIUS, TACACS, Kerberos, LDAP or whatever server does not respond, not when it responds with "user not known" or "bad password".

    You can change your config to "aaa authen ssh console LOCAL" to test that the locally configured user works for SSH. Then, if you need/want to use local as a backup, return your config to "radius LOCAL" as you had initially. Then, if you are locked out by the RADIUS server config, access the RADIUS server and stop the RADIUS process, or create an access list entry between the firewall and RADIUS server to block UDP ports 1645 and 1812, log in, then restart RADIUS or remove the filter.

    Alternatively, if console access is no good, use telnet access as a backup and restrict telnet to access from a specific part of your network (a single host or a management subnet, perhaps), then use LOCAL only for "aaa authen telnet console".

    Another alternative: add another RADIUS server to the environment, but one that is normally not running. In it, configure just your backup user for the firewall. In the ASA config, create this as the first RADIUS server and use a short timeout, for SSH only. Then, if you are locked out, start up your backup RADIUS server and log in. You would have to accept that under normal circumstances SSH login would be a little slower, as the firewall will have to time out on the backup RADIUS server before going to the normal one.
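    As an added example (not part of the accepted answer or the original poster's config), the fragment below lays out the answer's three points side by side on ASA 8.x syntax: a RADIUS group with an explicit dead-server timeout, "radius LOCAL" for SSH/ASDM, and a LOCAL-only telnet listener restricted to a single management host as the break-glass path. The group name "radius" is the poster's; the addresses 10.10.10.20 (RADIUS server), 10.10.10.5 (management host), the 5-second timeout and the "breakglass" username are assumed values for illustration. Lines starting with "!" are annotation for the reader and should be dropped before pasting into the CLI.

```cisco
! Added example, not the original poster's configuration.
! Assumed values: 10.10.10.20 = RADIUS server, 10.10.10.5 = management host.

! 1. Server group. "timeout" and "max-failed-attempts" decide how quickly the
!    group is marked FAILED, which is the only condition under which the ASA
!    falls through to LOCAL. An Access-Reject from a reachable server is a
!    final answer: a user missing from RADIUS is never retried against LOCAL.
aaa-server radius protocol radius
 max-failed-attempts 3
 reactivation-mode timed
aaa-server radius (inside) host 10.10.10.20
 timeout 5
 key *****

! 2. Interactive management. RADIUS first, LOCAL only as the dead-server
!    fallback. LOCAL must be the last entry; "LOCAL radius" is rejected.
aaa authentication ssh console radius LOCAL
aaa authentication http console radius LOCAL
aaa authentication serial console LOCAL

! 3. Break-glass path from the accepted answer: telnet accepted from one
!    management host only, authenticated purely against the local database.
!    Telnet is cleartext, so keep the source restriction this narrow.
telnet 10.10.10.5 255.255.255.255 inside
telnet timeout 5
aaa authentication telnet console LOCAL

! 4. Local break-glass account with full privilege (assumed name).
username breakglass password <set-a-strong-password> privilege 15

! Checks before relying on the fallback:
!   show aaa-server radius            -> server should read ACTIVE, not FAILED
!   test aaa-server authentication radius host 10.10.10.20 username tester password <pw>
! A REJECT from the test above is exactly the case that does not fall back to
! LOCAL, which matches the behaviour described in the question.
```

    The "test aaa-server" check is worth running first: it tells you in one step whether RADIUS is answering "reject" (no fallback, LOCAL user never consulted) or not answering at all (fallback, LOCAL user consulted), which is the distinction the whole thread turns on.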

    Expert Comment

    Isn't this a bit moot? If a "malicious" person manages to create an account on the RADIUS server that grants access to the ASA and changes the config, what would stop them changing the config to lock you out, even on the console?

    Using RADIUS allows for simpler user management, but you have to have the same level of security on your RADIUS server that you have on everything that you want it to "protect".

    If you're worried about your RADIUS server being compromised, then I'd suggest working on that, not on a "backup" login for your firewall.
