On-box managed FTD SSH RADIUS authentication broken with 7.3

I have a HA pair of vFTDs in the lab that were upgraded from 7.2 to 7.3 last year when 7.3 became available.  I've just noticed that RADIUS authentication for SSH no longer works.  It's fine for HTTPS access, but not SSH.  It was working for 7.2 (and prior releases).  The RADIUS server (MS NPS) is configured with the correct attributes in the policy for both SSH & HTTPS (Service-Type=Administrative for SSH and Cisco-AV-Pair=fdm.userrole.authority.admin for HTTPS).  I can see on the RADIUS server the authentication was successful, however on the SSH session I see these messages:

End of keyboard-interactive prompts from server
!!! Your username is not defined with a service type that is valid for this system. You are not authorized to access the system. !!!

I am assuming it's an issue with interpreting the 'Service-Type=Administrative' attribute sent from the RADIUS server, and I can only think it's a bug as the HTML help details don't have any differences to what should be configured on the RADIUS server from 7.2.

Andy

4 Replies

Arne Bier
VIP

Any chance you can capture the UDP traffic between the vFTD and the NPS? NPS is notoriously hard to troubleshoot. If this was an ISE RADIUS server I'd ask you to perform a tcpdump to see what the vFTD is sending; in that RADIUS Access-Request you will see all the attributes that the vFTD is sending. And then you can modify the NPS accordingly.

I've done a wireshark capture on the NPS server and I can see the FTD send 'service-type=Authenticate-Only'.  I've updated the NPS policy so it returns this (plus tried others as well), however I get the same "!!! Your username is not defined with a service type that is valid for this system. You are not authorized to access the system. !!!" message on the SSH console.

The FTD sends these AVPs:

[screenshot: rad-req.jpg]

This is what is being sent back ("Service-Type=Authenticate-Only" configured on the NPS server):

[screenshot: rad-acc.jpg]

Fairly sure this is a bug, as this didn't happen with 7.2.
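To act on Arne's suggestion of inspecting the attributes in the Access-Request and Access-Accept, here is a small RADIUS attribute decoder added for this thread (example code, not from Cisco, NPS or the poster). It takes the raw UDP payload (e.g. exported from the Wireshark capture) and names the two attributes discussed above, Service-Type and the Cisco-AV-Pair VSA; the sample Access-Accept it builds is constructed, with a zeroed authenticator and a made-up user name.

```python
import struct
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
SERVICE_TYPES = {1: "Login", 2: "Framed", 6: "Administrative", 7: "NAS-Prompt", 8: "Authenticate-Only"}
ATTR_SERVICE_TYPE, ATTR_VSA, CISCO_VENDOR_ID, CISCO_AVPAIR = 6, 26, 9, 1


def parse_radius(packet: bytes) -> dict:
    """Decode one RADIUS packet (RFC 2865 layout): code, identifier and a list of (name, value)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:  # each attribute: type(1) length(1) value
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            num = struct.unpack("!I", value)[0]
            attrs.append(("Service-Type", SERVICE_TYPES.get(num, "unknown(%d)" % num)))
        elif atype == ATTR_VSA and len(value) >= 6:  # vendor-id(4) vtype(1) vlen(1) vvalue
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            vval = value[6:4 + vlen]
            if vendor == CISCO_VENDOR_ID and vtype == CISCO_AVPAIR:
                attrs.append(("Cisco-AV-Pair", vval.decode("utf-8", "replace")))
            else:
                attrs.append(("VSA(vendor=%d,type=%d)" % (vendor, vtype), vval))
        else:
            attrs.append(("Attr-%d" % atype, value))
        pos += alen
    return {"code": RADIUS_CODES.get(code, "code-%d" % code), "id": ident, "attributes": attrs}


def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, 2 + len(value)]) + value


def cisco_avpair(text: str) -> bytes:
    v = text.encode()
    return avp(ATTR_VSA, struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR, 2 + len(v)) + v)


def build_radius(code: int, ident: int, attrs: list) -> bytes:
    """Constructed packet; the 16-byte authenticator is zeroed, so it is not a validly signed reply."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed Access-Accept carrying both attributes the thread discusses (not a real capture).
SAMPLE_ACCEPT = build_radius(2, 7, [avp(1, b"labuser"), avp(ATTR_SERVICE_TYPE, struct.pack("!I", 6)),
                                    cisco_avpair("fdm.userrole.authority.admin")])
```

Running parse_radius over the Access-Accept exported from the NPS capture shows exactly which Service-Type value the policy returned, which is the first thing to compare between the 7.2 and 7.3 behaviour.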

Arne Bier
VIP

Unfortunately I don't have a comparative system to check against. Perhaps the best course of action is to open a TAC case.

Upgraded to 7.4.1 and the issue has gone away...