topic Hi Jouni,The sh run ssh only in Network Security

Unable to SSH in to ASA with new created user

Charger1129 — Tue, 12 Mar 2019 04:47:03 GMT

Hello. I have an ASA 5510 firewall running an older verison of code. I"m trying to create a new user account to log in but I can't seem to SSH with this account. ASDM works fine but SSH fails. I thought the command would have been:

username newuser password usertest123 privilege 15

But I can't SSH with this. What am I missing?

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

Does ssh work OK with other

Marvin Rhoads — Fri, 19 Sep 2014 13:02:51 GMT

Does ssh work OK with other local users?

If not, you may be missing:

aaa authentication ssh console LOCAL

Hi, In addition to what

Jouni Forss — Fri, 19 Sep 2014 13:07:06 GMT

Hi,

In addition to what Marvin suggested I would suggest simply checking the ASDM logs while the users tries to log in with SSH.

Also if there is others using SSH connections to the ASA I would confirm if the new users is in a different subnet and perhaps even behind another interface on the ASA and you perhaps have not allowed SSH connection from that subnet?

Check the output of the command

show run ssh

To check which users can connect with SSH to the ASA.

- Jouni

Hi Jouni,The sh run ssh only

Charger1129 — Fri, 19 Sep 2014 13:22:54 GMT

Hi Jouni,

The sh run ssh only shows me the subnets that are allowed to SSH in. No users in this list.

I think this may be what's

Charger1129 — Fri, 19 Sep 2014 13:26:20 GMT

I think this may be what's missing. Here's the error I received though when trying to add this to the configuration. I'm assuming I need to create this group?

FIrewall-ASA(config)# aaa authentication ssh console local
ERROR: aaa-server group local does not exist
Usage: [no] aaa mac-exempt match <mac-list-id>
[no] aaa authentication secure-http-client
[no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
[no] aaa authentication|authorization|accounting include|exclude <svc>
<if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
[no] aaa authentication serial|telnet|ssh|http|enable console
<server_tag> [LOCAL]
[no] aaa accounting telnet|ssh|serial|enable console <server_tag>
[no] aaa authentication|authorization|accounting match
<access_list_name> <if_name> <server_tag>
[no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
[no] aaa accounting command {privilege <level>} <tacacs_server_tag>
[no] aaa proxy-limit <proxy limit> | disable
[no] aaa local authentication attempts max-fail <fail-attempts>
clear configure aaa
clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
show running-config [all] aaa [authentication|authorization|accounting
|max-exempt|proxy-limit]
show aaa local user [lockout]

I believe it's case-sensitive

Marvin Rhoads — Fri, 19 Sep 2014 14:37:59 GMT

I believe it's case-sensitive.

aaa authentication ssh console LOCAL

Looks like you were right!

Charger1129 — Fri, 19 Sep 2014 15:26:21 GMT

Looks like you were right! Definitely case sensitive.

Another question on the topic. The enable password regardless of user is the same for all users correct?

For LOCAL users, yes - the

Marvin Rhoads — Fri, 19 Sep 2014 18:28:02 GMT

For LOCAL users, yes - the enable password is common between users.

If you use external authentication (and the user is authorized for enable), then they re-use their login password for enable access.

As of ASA 9.2 you can also allow direct login to enable level ("aaa authorization exec") as described in the Release Notes.