Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
476
Views
0
Helpful
6
Replies

Using RADIUS and Local SSH authentication at the same time ASA5506

jbeach44
Level 1
Level 1

‎02-29-2024 09:23 AM

Hello!

We have RADIUS via AD set up to ssh into our ASA's with a failback to local if RADIUS is down. I want to be able to use both RADIUS and LOCAL accounts at the same time, even when RADIUS is up. How can I accomplish this? 

Current config:

aaa-server ConsoleAuth protocol radius
aaa-server ConsoleAuth (inside) host x.x.x.x
key *****
user-identity default-domain LOCAL
aaa authentication ssh console ConsoleAuth LOCAL
aaa authentication telnet console ConsoleAuth LOCAL
aaa authentication serial console ConsoleAuth LOCAL
aaa authentication http console ConsoleAuth LOCAL
aaa authentication enable console ConsoleAuth LOCAL
aaa authorization command LOCAL
aaa authentication login-history

 

Thank you!!

Labels:
0 Helpful
6 Replies 6

MHM Cisco World
VIP
VIP

‎02-29-2024 09:30 AM - edited ‎02-29-2024 09:54 AM

aaa authentication ssh console ConsoleAuth LOCAL <- this is correct' the asa will check radius group ConsoleAuth then fallback to local

Sorry I missed this part ""even when RADIUS is up""' why you not add user in radius same as local (same user and password) this way if radius up then it auth by radius is down auth by local.

MHM

0 Helpful

jbeach44
Level 1
Level 1
In response to MHM Cisco World

‎02-29-2024 10:36 AM

Thank you for the reply,

Basically, we use Auvik for monitoring and config backups. Auvik needs an account to ssh into the ASA's and we have been using an AD account via RADIUS but this account keeps getting locked out. Auvik support is unable to figure out why. We have a separate account that we use for our C9300 switches and that never gets locked out. I was trying to figure out if it is possible to have both local account access and radius access at the same time but apparently it is not. 

 

Thanks

0 Helpful

MHM Cisco World
VIP
VIP
In response to jbeach44

‎02-29-2024 10:42 AM

Did you check session timeout of asa ssh ? 

MHM

0 Helpful

jbeach44
Level 1
Level 1
In response to MHM Cisco World

‎02-29-2024 10:43 AM

ssh timeout is set to 5

0 Helpful

MHM Cisco World
VIP
VIP
In response to jbeach44

‎02-29-2024 10:46 AM

Then check if monitor loss connect in same time that session is end 

MHM

0 Helpful

Rob Ingram
VIP
VIP

‎02-29-2024 09:40 AM

@jbeach44 unfortunately you cannot use both at the sametime, the ASA will only use the local database if all RADIUS servers are unavailable/unresponsive.

0 Helpful
Customers Also Viewed These Support Documents