https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047265#M438577 <HTML><HEAD></HEAD><BODY><P>Hello Mukundh,</P><P></P><P>I would say it's because of this:</P><P></P><P><SPAN style="text-decoration: underline;">aaa-server RADIUS deadtime 10</SPAN></P><P></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">"While the command may be configured even without having configured the LOCAL method on any of the three authentication and authorization commands described earlier, it only affects operations when a user has configured two methods. Obviously, at this time, the second method must and be <EM>LOCAL</EM>.</P><P> <A name="wp1161114" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The command specifies the minutes a particular method should be marked unresponsive and skipped. When a AAA server group has been marked unresponsive, the firewall will immediately perform the authentication or authorization against the next method which will be the local firewall user database. Every server in a group must be marked unresponsive before the entire group will be declared unresponsive.</P><P> <A name="wp1161115" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">When you configure the deadtime to "0", the AAA server group is never considered unresponsive and all authentication and authorization requests are always attempted against this AAA server group first before using the next method in the method list (for example, falling back to the local user database).</P><P> <A name="wp1161116" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The<STRONG> [no]</STRONG> form of this command restores the<STRONG> aaa-server </STRONG>command to its default value of 10 minutes.</P><P> <A name="wp1161117" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The <EM>deadtime</EM> begins as soon as the last server in the AAA server group has been marked DOWN. A server is marked down when maximum number of attempts defined in max-attempts has been reached and failed to receive a response. Upon expiration of the deadtime, the AAA server group becomes active and all requests will are submitted once again to the AAA servers in the AAA server group."</P><P></P><P></P><P>So in your case you should be able to use the radius authentication method 10 minutes later the radius server went down,</P><P></P><P>Please change it to 1 minute, wait and see how it behaves.</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P></P><P><STRONG>Rate all the helpful posts</STRONG></P></BODY></HTML> Thu, 06 Sep 2012 17:24:27 GMT Julio Carvajal 2012-09-06T17:24:27Z https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047264#M438576 <P>Hi all,</P><P></P><P>I have a PIX 515 Ewhich does authentication for SSH via RADIUS protocol and fails over to the local database if radius server goes offline. But when the radius server comes back online, authentication still takes place through LOCAL and not the radius server. Following are the commands:</P><P></P><P>aaa-server RADIUS protocol radius </P><P>aaa-server RADIUS max-failed-attempts 3 </P><P>aaa-server RADIUS deadtime 10 </P><P>aaa-server RADIUS (outside) host 208.86.100.41 vinakom1365 timeout 5</P><P>aaa-server LOCAL protocol local </P><P>aaa authentication ssh console RADIUS LOCAL</P><P></P><P></P><P>Cisco PIX Firewall Version 6.3(5)</P><P></P><P></P><P>Can anyone let me know what the issue is?</P><P></P><P></P><P>Thanks</P><P>Mukundh</P> Mon, 11 Mar 2019 23:51:00 GMT https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047264#M438576 mukundh86 2019-03-11T23:51:00Z https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047265#M438577 <HTML><HEAD></HEAD><BODY><P>Hello Mukundh,</P><P></P><P>I would say it's because of this:</P><P></P><P><SPAN style="text-decoration: underline;">aaa-server RADIUS deadtime 10</SPAN></P><P></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">"While the command may be configured even without having configured the LOCAL method on any of the three authentication and authorization commands described earlier, it only affects operations when a user has configured two methods. Obviously, at this time, the second method must and be <EM>LOCAL</EM>.</P><P> <A name="wp1161114" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The command specifies the minutes a particular method should be marked unresponsive and skipped. When a AAA server group has been marked unresponsive, the firewall will immediately perform the authentication or authorization against the next method which will be the local firewall user database. Every server in a group must be marked unresponsive before the entire group will be declared unresponsive.</P><P> <A name="wp1161115" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">When you configure the deadtime to "0", the AAA server group is never considered unresponsive and all authentication and authorization requests are always attempted against this AAA server group first before using the next method in the method list (for example, falling back to the local user database).</P><P> <A name="wp1161116" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The<STRONG> [no]</STRONG> form of this command restores the<STRONG> aaa-server </STRONG>command to its default value of 10 minutes.</P><P> <A name="wp1161117" style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12.800000190734863px; background-color: #ffffff;"></A></P><P style="color: #000000; font-family: Arial, Helvetica, sans-serif; font-size: 12px; margin: 1px 0em 6px; background-color: #ffffff;">The <EM>deadtime</EM> begins as soon as the last server in the AAA server group has been marked DOWN. A server is marked down when maximum number of attempts defined in max-attempts has been reached and failed to receive a response. Upon expiration of the deadtime, the AAA server group becomes active and all requests will are submitted once again to the AAA servers in the AAA server group."</P><P></P><P></P><P>So in your case you should be able to use the radius authentication method 10 minutes later the radius server went down,</P><P></P><P>Please change it to 1 minute, wait and see how it behaves.</P><P></P><P>Regards,</P><P></P><P>Julio</P><P></P><P></P><P><STRONG>Rate all the helpful posts</STRONG></P></BODY></HTML> Thu, 06 Sep 2012 17:24:27 GMT https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047265#M438577 Julio Carvajal 2012-09-06T17:24:27Z https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047266#M438578 <HTML><HEAD></HEAD><BODY><P>Hi Julio,</P><P></P><P>You are correct. I had to reduce deadtime to resolve the issue.</P><P></P><P></P><P>Thanks for your help <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Mukundh</P></BODY></HTML> Thu, 06 Sep 2012 23:37:16 GMT https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047266#M438578 mukundh86 2012-09-06T23:37:16Z https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047267#M438579 <HTML><HEAD></HEAD><BODY><P>Hello Mukundh,</P><P></P><P>My pleasure</P><P></P><P>Julio</P></BODY></HTML> Thu, 06 Sep 2012 23:38:58 GMT https://community.cisco.com/t5/network-security/ssh-authentication-in-pix-515e/m-p/2047267#M438579 Julio Carvajal 2012-09-06T23:38:58Z