Access-list for AAA radius? help please!

robbo79871 — Tue, 12 Mar 2019 07:05:27 GMT

I'm trying to SSH into a vty line on my router that is sitting on the OUTSIDE interface of an ASA. I have tried from the actual router and a PC inside the ASA to and i'm getting the same "Open" message and go to enter the password but when i enter the password and hit enter it does nothing and just times out.

Will post the relevant config for router and ASA below:

hostname Router3

enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

aaa new-model

aaa authentication login loginlist group radius

aaa authorization exec authorlist group radius

username bob privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0

ip ssh version 2

ip domain-name ROUTER3

interface FastEthernet0/0

ip address 172.16.30.1 255.255.255.0

duplex auto

speed auto

ip classless

ip route 10.30.0.0 255.255.255.0 172.16.30.2

ip route 0.0.0.0 0.0.0.0 172.16.30.2

ip flow-export version 9

radius-server host 10.30.0.10 auth-port 1645 key Secret

radius-server key Secret

line con 0

line aux 0

line vty 0 4

transport input ssh

line vty 5

transport input ssh

line vty 6 15

transport input ssh

end

_______________________________________________________________________________________________________________

Firewall ASA

hostname ASA2

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

switchport access vlan 30

interface Ethernet0/2

switchport access vlan 30

interface Vlan1

no nameif

security-level 100

no ip address

interface Vlan2

nameif outside

security-level 0

ip address 172.16.30.2 255.255.255.0

interface Vlan30

nameif inside

security-level 100

ip address 10.30.0.1 255.255.255.0

webvpn

enable outside

enable inside

route outside 0.0.0.0 0.0.0.0 172.16.30.1 1

access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0

access-list test extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0

access-list test extended permit icmp host 172.16.30.1 host 10.30.0.10

access-list aaa extended permit udp any 10.30.0.0 255.255.255.0 eq 1645

access-group aaa in interface outside

group-policy webvpn internal

group-policy webvpn attributes

vpn-tunnel-protocol ssl-clientless

webvpn

url-list value test1

username bob password 4IncP7vTjpaba2aF encrypted

username bob attributes

vpn-group-policy webvpn

class-map inspect

match default-inspection-traffic

class-map test

policy-map global

class inspect

inspect icmp

class test

service-policy global global

telnet timeout 5

ssh timeout 5

___________________________________________________________________________

Also, the details in packet tracer on the radius server are:

client name = R1 client ip= 172.16.30.1 service type=radius key=Secret port=1645

username= tim password= pass

Hello;

Maykol Rojas — Mon, 04 Jan 2016 20:49:32 GMT

Hello;

What happens if you remove authorization? Are you able to get in?

Mike.

Hi

robbo79871 — Tue, 05 Jan 2016 00:17:20 GMT

No it still doesnt let me, i have changed the access lists arounf a bit to see if anything works. I am now able to ping from the outside router to the AAA server but cannot SSH into the router from an inside PC and get the radius authentication to work also.

Here are the new updates:

object network asa_inside_address

subnet 10.30.0.1 255.255.255.255

object network inside_network

subnet 10.30.0.0 255.255.255.0

access-list website_outside extended permit icmp any object asa_inside_address

access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0 eq 1645

access-list website_outside extended permit icmp any object inside_network

access-group website_outside in interface outside

I must be missing something cant see what?

topic Hello; in Network Security

Access-list for AAA radius? help please!

Hello;

Hi