topic Re: Cisco ASA RADIUS for SSH and LOCAL for Serial in Network Security

Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Tue, 22 Oct 2024 12:13:56 GMT

Hi,

We have just come across a problem. Just wondering if anyone can point us in the right direction. We have RADIUS set up for SSH access on our ASA firewall, which is working fine. We would like to use a console lead and login using the local account (not RADIUS) but we're getting issues doing so and can't log in. Here is our config:

aaa-server RAD-SERV protocol radius
aaa-server RAD-SERV (mgmt) host x.x.x.x
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console RAD-SERV LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

enable password ***** pbkdf2

username cisco password ***** pbkdf2

It doesn't prompt for the username only for the enable password... the enable password we have set doesn't work.

Is there something we've missed or got wrong? - appreciate any help. Thanks.

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

Flavio Miranda — Tue, 22 Oct 2024 12:34:54 GMT

@m.s.rees1

How your " line con 0" is configured?

And give your user privilege 15

username test privilege 15 password cisco123

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Tue, 22 Oct 2024 15:02:36 GMT

It doesn't accept the "line con 0" think it's because it's a firewall not a switch?

I'll try adding the extra privilege.

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

Aref Alsouqi — Tue, 22 Oct 2024 15:45:55 GMT

Do you see any interesting logs if you enable "debug aaa authentication"?

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Tue, 22 Oct 2024 15:50:15 GMT

I will enable this and have look. Thanks.

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Tue, 29 Oct 2024 13:09:27 GMT

I have tested other devices with the same config and they work as expected, so it seems like there is an issue with the device. We will likely try a reload to see if this solves it.

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

Cristian Matei — Tue, 29 Oct 2024 23:16:06 GMT

Hi,

Use the "login" command to get username login prompt; afterwards, when using "enable" to get into exec mode, use the user's password instead of the configured enable password.

Your test fails as bad on your config, when you type "enable" it will ask for the user's password, however since there's no user logged in, it will fail.

Best,

Cristian.

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Mon, 11 Nov 2024 09:00:07 GMT

Sorry for delay, we are still yet to reload this as it's an integral device. We have copied the config from this firewall exactly as below and it still doesn't work on console cable (but this firewall works as expected), it is a bit of an odd one:

aaa-server nps-radius protocol radius
aaa-server nps-radius (management) host 172.x.x.x
aaa authentication ssh console nps-radius
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

user-identity default-domain LOCAL
username admin password ***** pbkdf2
enable password ***** pbkdf2

Re: Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1 — Mon, 18 Nov 2024 08:25:28 GMT

We solved this. I failed to mention (apologies, I thought I had!) that this is a virtual firewall. We realised that when resetting the enable password, it was only done on the admin context and not the system context. Once we realised this, it all worked as expected. Thanks for your input.