https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257332#M763841 <P>Hi,</P><P></P><P>Here's my aaa config:</P><P>aaa-server RADIUS1 protocol radius</P><P>aaa-server RADIUS1 host 172.30.10.24</P><P> key SuperSecretKey</P><P>aaa authentication ssh console LOCAL</P><P>aaa authentication enable console LOCAL</P><P>aaa authorization command LOCAL</P><P>http server enable</P><P></P><P>Whenever I try to add the radius server to ssh console it fails:</P><P>asa1(config)# aaa authentication ssh console RADIUS1 LOCAL</P><P>Range already exists.</P><P></P><P></P><P>Any hints?</P><P></P><P>Thanks!</P><P></P><P>Jeff</P><P></P> Mon, 11 Mar 2019 16:36:13 GMT jcw009 2019-03-11T16:36:13Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257332#M763841 <P>Hi,</P><P></P><P>Here's my aaa config:</P><P>aaa-server RADIUS1 protocol radius</P><P>aaa-server RADIUS1 host 172.30.10.24</P><P> key SuperSecretKey</P><P>aaa authentication ssh console LOCAL</P><P>aaa authentication enable console LOCAL</P><P>aaa authorization command LOCAL</P><P>http server enable</P><P></P><P>Whenever I try to add the radius server to ssh console it fails:</P><P>asa1(config)# aaa authentication ssh console RADIUS1 LOCAL</P><P>Range already exists.</P><P></P><P></P><P>Any hints?</P><P></P><P>Thanks!</P><P></P><P>Jeff</P><P></P> Mon, 11 Mar 2019 16:36:13 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257332#M763841 jcw009 2019-03-11T16:36:13Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257333#M763842 <HTML><HEAD></HEAD><BODY><P>First remove the existing config:</P><P></P><P>no aaa authentication ssh console LOCAL</P><P></P><P>Then apply the new config:</P><P></P><P>aaa authentication ssh console RADIUS1 LOCAL </P></BODY></HTML> Thu, 05 Nov 2009 07:30:40 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257333#M763842 Herbert Baerten 2009-11-05T07:30:40Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257334#M763845 <HTML><HEAD></HEAD><BODY><P>If I do this, will it mean that anyone who can be authenticated on the radius server can log into the firewall?</P></BODY></HTML> Thu, 05 Nov 2009 14:04:22 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257334#M763845 jcw009 2009-11-05T14:04:22Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257335#M763846 <HTML><HEAD></HEAD><BODY><P>Yes.</P><P></P><P>Depending on what Radius server it is, you may or may not be able to configure it to accept/reject the authentication based on some parameters like the ip address of the radius client.</P><P></P><P>But as far as the ASA is concerned, if the Radius server says it's ok, it lets the user in.</P><P></P><P>I assumed that that is what you wanted, since you were trying to implement this command?</P></BODY></HTML> Thu, 05 Nov 2009 14:15:05 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257335#M763846 Herbert Baerten 2009-11-05T14:15:05Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257336#M763847 <HTML><HEAD></HEAD><BODY><P>I think what I was trying to do was use my radius box like a tacacs box. It doesn't seem like that would work. I'm using Windows 2003 IAS as a radius server to authenticate vpn clients, and don't want anyone who can vpn in login to the firewall. May have to look into setting up a tacas box.</P><P></P><P>Thanks for your help!</P></BODY></HTML> Thu, 05 Nov 2009 15:24:50 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257336#M763847 jcw009 2009-11-05T15:24:50Z https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257337#M763848 <HTML><HEAD></HEAD><BODY><P>You could pass back the IETF service-type attribute on the radius server. You can then use this to restrict the access for these users.</P><P></P><P>Here is what is required for the </P><P>radius delivered service-type attribute to be enforced for CLI access:</P><P> </P><P></P><P> "aaa authorization exec authentication-server" must be enabled</P><P></P><P> "aaa authentication enable console <AUTH-SERVER>" must be enabled.</AUTH-SERVER></P><P></P><P> IETF RADIUS Service-Type attribute must be returned in the </P><P>access-accept packet.</P><P></P><P></P><P>Also note, make sure you are using a version of code with the fix for CSCsk89452</P><P></P><P>If you are using local authentication instead of radius this can also be done with the following commands: </P><P></P><P>username <NAME> attributes</NAME></P><P> service-type &lt;(admin,nas-prompt,remote-access)&gt;</P><P></P><P></P><P>-heather</P></BODY></HTML> Thu, 05 Nov 2009 18:25:36 GMT https://community.cisco.com/t5/network-security/asa-aaa-authentication-adding-radius-server-fails/m-p/1257337#M763848 hdashnau 2009-11-05T18:25:36Z