

can't login to Cisco ASA via ssh

Posted on 2011-04-25
Medium Priority
Last Modified: 2012-05-11
When trying to log in via ssh, I get challenged for a password, but it always says authentication failure. If I change the aaa auth to a RADIUS server instead of local user, it allows login. ASDM access via the same user authenticates correctly. The IP is in the allow list. There are no failed login messages in the logging (I have it set to debug). What am I missing?

Here's a snip of the config:

ssh 172.16.xxx.xxx outside
ssh timeout 60
ssh version 2
management-access outside
aaa-server radius protocol radius
aaa-server radius (inside) host 172.16.xxx.xxx
 key *****
 radius-common-pw *****
aaa-server radius (outside) host 172.16.xxx.xxx
 key *****
 radius-common-pw *****
aaa authentication serial console LOCAL
aaa authentication ssh console radius LOCAL
http server enable
username tester password Rfw82ualmh0VG/Ml encrypted
username tester attributes
 service-type nas-prompt

There are no routing/networking issues, and the permitted IP is being seen, as I am being challenged for authentication.
Question by:Darkpaw

Expert Comment

by:Pete Long
ID: 35460509
have you generated an RSA Key for the SSH?

PetesASA(config)# crypto key generate rsa
INFO: The name for the keys will be: <Default-RSA-Key>
Keypair generation process begin. Please wait...

See http://www.petenetlive.com/KB/Article/0000173.htm

Author Comment

ID: 35460605
Yes, in fact I did it a second time, as well.

Worth mentioning here is that I can log in via ssh as the default "pix" user, but not as other "local" users. That's how I am sure the new key pair worked: when I used PuTTY to connect, I got the prompt for the key changing, then was able to log in as "pix", but not as the local user.

Expert Comment

ID: 35461070
Are you challenged for just the password, or for the username and password?

Have you made any settings under the line vty 1 4 for the ssh access?


Author Comment

ID: 35461082
Challenged for username and password.

The "line" config parameter doesn't exist in ASA 8.3.

Expert Comment

ID: 35464144
For the line:
aaa authentication ssh console radius LOCAL

It will use RADIUS for authentication and fallback to local if there is no communication with the RADIUS servers. Check your RADIUS logs for user "tester".

Change the order so that it will allow the use of local first.
aaa authentication ssh console LOCAL radius

Author Comment

ID: 35466006
You can't.  "LOCAL" has to be the last selection in the list.

I opened a TAC with Cisco on it, and they think that there are two possibilities:
1.  a bug in IOS
2.  intended design
The thought in #2 is that it will only fall back to local if it is unable to reach the RADIUS server, not if a user doesn't exist.  I suppose this makes sense, in a way.  However, I pointed out that I want a local user that has full admin rights in the event that a rogue sysadmin changes access rights on the RADIUS server, so that I can override any changes an unauthorized user might make, without having to get on the physical console of it.  It's just a safety precaution, when using authentication from a non-local source.

Expert Comment

ID: 35470062
Looks like it's the intended design. Ah well, maybe they will change it to be like the switch/router IOS which does allow the server group and local order to be changed.

Accepted Solution

pgolding00 earned 1000 total points
ID: 35472331
ASA authentication is designed to work the way you are seeing it. LOCAL is either the only method you use, or it's a backup for when all else fails. All-else-failing is considered to be when your radius, tacacs, kerberos, ldap or whatever server does not respond, not when it responds with "user not known" or "bad password".

You can change your config to "aaa authen ssh console LOCAL" to test that the locally configured user works for ssh. Then if you need/want to use local as a backup, return your config to "radius LOCAL" as you had initially. Then if you are locked out by the radius server config, access the radius server and stop the radius process, or create an access list entry between the firewall and radius server to block UDP ports 1645 and 1812, log in, then restart radius or remove the filter.

Alternatively and if console access is no good, use telnet access as a backup and restrict telnet to access from a specific part of your network (single host or a management subnet perhaps), then use LOCAL only for "aaa authen telnet console".

Another alternative - add another radius server to the environment, but one that is normally not running. In it, configure just your backup user for the firewall. In the ASA config, create this as the first radius server and use a short timeout, for ssh only. Then, if you are locked out, start up your backup radius server and log in. You would have to accept that under normal circumstances, ssh login would be a little slower, as the firewall will have to time out on the backup radius server, then go to the normal one.
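The fallback rule from this answer and the symptom in the original question, as an added model (not Cisco's code and not from this thread): LOCAL is consulted only when every server in the group times out, never when a server answers with a reject, and LOCAL must sit last in the method list. Server names, user names and passwords below are constructed test data.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    # Stand-in for one "aaa-server radius ... host" entry (constructed, not a real client).
    name: str
    reachable: bool
    users: dict

    def authenticate(self, user, password):
        # An unreachable server never answers: the ASA times out and moves on.
        if not self.reachable:
            return "timeout"
        # A reachable server always gives a final answer, even for an unknown user.
        return "accept" if self.users.get(user) == password else "reject"


def validate_method_list(methods):
    # Per the thread, the ASA only accepts LOCAL as the last method in the list.
    if "LOCAL" in methods and methods[-1] != "LOCAL":
        raise ValueError("LOCAL must be the last method in the list")
    return methods


def ssh_login(methods, server_groups, local_users, user, password):
    """Return 'accept' or 'reject' for one SSH login under an ASA-style method list."""
    for method in validate_method_list(methods):
        if method == "LOCAL":
            return "accept" if local_users.get(user) == password else "reject"
        for server in server_groups[method]:
            result = server.authenticate(user, password)
            if result != "timeout":
                return result  # a server that responded is authoritative; LOCAL is skipped
        # every server in the group timed out: fall through to the next method
    return "reject"


LOCAL_USERS = {"tester": "local-pw"}      # "tester" exists only locally, as in the question
RADIUS_USERS = {"alice": "radius-pw"}     # constructed RADIUS directory


def thread_symptom():
    # RADIUS is up and rejects "tester", so LOCAL is never tried: the observed failure.
    groups = {"radius": [RadiusServer("radius-primary", True, RADIUS_USERS)]}
    return ssh_login(["radius", "LOCAL"], groups, LOCAL_USERS, "tester", "local-pw")


def radius_down():
    # Only when the RADIUS server does not respond does the local user get in.
    groups = {"radius": [RadiusServer("radius-primary", False, RADIUS_USERS)]}
    return ssh_login(["radius", "LOCAL"], groups, LOCAL_USERS, "tester", "local-pw")


def backup_server_alternative(backup_running):
    # Third option above: a normally-off backup RADIUS server listed first in the group.
    groups = {"radius": [RadiusServer("radius-backup", backup_running, {"breakglass": "bg-pw"}),
                         RadiusServer("radius-primary", True, RADIUS_USERS)]}
    user, pw = ("breakglass", "bg-pw") if backup_running else ("alice", "radius-pw")
    return ssh_login(["radius", "LOCAL"], groups, LOCAL_USERS, user, pw)
```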

Expert Comment

ID: 35477990
Isn't this a bit moot? If a "malicious" person manages to create an account on the RADIUS server that grants access to the ASA and changes the config, what would stop them changing the config to lock you out, even on console...

Using RADIUS allows for simpler user management, but you have to have the same level of security on your RADIUS server that you have on everything that you want it to "protect".

If you're worried about your RADIUS server being compromised, then I'd suggest working on that, not working on a "backup" login for your firewall.
