Cisco ASA RADIUS for SSH and LOCAL for Serial

m.s.rees1
Level 1

Hi,

We have just come across a problem. Just wondering if anyone can point us in the right direction. We have RADIUS set up for SSH access on our ASA firewall, which is working fine. We would like to use a console lead and login using the local account (not RADIUS) but we're getting issues doing so and can't log in. Here is our config:

aaa-server RAD-SERV protocol radius
aaa-server RAD-SERV (mgmt) host x.x.x.x
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console RAD-SERV LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

enable password ***** pbkdf2

username cisco password ***** pbkdf2

It doesn't prompt for the username, only for the enable password... and the enable password we have set doesn't work.

Is there something we've missed or got wrong? We'd appreciate any help. Thanks.

Accepted Solutions

m.s.rees1
Level 1

We solved this. I failed to mention (apologies, I thought I had!) that this is a virtual firewall. We realised that when resetting the enable password, it was only done on the admin context and not the system context. Once we realised this, it all worked as expected. Thanks for your input.
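A small config audit that encodes the lesson of this thread (added example, not from the original post or from Cisco): on a multi-context ASA the console session attaches to the system context, so local console and enable credentials must exist there, not only in the admin context. The per-context configs, addresses and passwords below are constructed placeholders.

```python
import re

# Constructed example configs for a multi-context ASA. The system context is
# what a console session lands in; the admin context mirrors the thread's
# config. Addresses and passwords are placeholders.
CONTEXT_CONFIGS = {
    "system": "hostname asa-sys\n",
    "admin": (
        "aaa-server RAD-SERV protocol radius\n"
        "aaa-server RAD-SERV (mgmt) host 192.0.2.10\n"
        "aaa authentication serial console LOCAL\n"
        "aaa authentication enable console LOCAL\n"
        "aaa authentication ssh console RAD-SERV LOCAL\n"
        "username cisco password ***** pbkdf2\n"
        "enable password ***** pbkdf2\n"
    ),
}

AUTH_RE = re.compile(r"^aaa authentication (serial|enable|ssh) console (.+)$", re.M)


def console_auth_methods(cfg):
    """Map each 'aaa authentication <type> console' line to its method list."""
    return {m.group(1): m.group(2).split() for m in AUTH_RE.finditer(cfg)}


def audit_console_auth(configs, console_context="system"):
    """Return findings about local console login for the context that owns it.

    Assumption taken from the thread's resolution: credentials for the serial
    console must live in the context the console attaches to (system on a
    multi-context ASA), not only in the admin context.
    """
    findings = []
    cfg = configs.get(console_context, "")
    methods = console_auth_methods(cfg)
    has_user = re.search(r"^username \S+ password ", cfg, re.M) is not None
    has_enable = re.search(r"^enable password ", cfg, re.M) is not None
    if "LOCAL" in methods.get("serial", []) and not has_user:
        findings.append(f"{console_context}: serial console uses LOCAL but defines no username")
    if "enable" not in methods and not has_enable:
        findings.append(f"{console_context}: 'enable' will ask for this context's enable password, which is not set")
    if not has_enable:
        for name, other in configs.items():
            if name != console_context and re.search(r"^enable password ", other, re.M):
                findings.append(f"enable password is set only in '{name}'; set it in '{console_context}' too")
    return findings
```

Running it against the constructed configs reports the thread's exact mistake (enable password present in admin only); adding an enable password to the system context clears the findings.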


8 Replies

@m.s.rees1 

How is your "line con 0" configured?

And give your user privilege 15

username test privilege 15 password cisco123

It doesn't accept "line con 0"; I think it's because it's a firewall, not a switch?

I'll try adding the extra privilege.

Do you see any interesting logs if you enable "debug aaa authentication"?

I will enable this and have look. Thanks.

I have tested other devices with the same config and they work as expected, so it seems like there is an issue with the device. We will likely try a reload to see if this solves it.

Cristian Matei
VIP Alumni

Hi,

Use the "login" command to get a username login prompt; afterwards, when using "enable" to get into exec mode, use the user's password instead of the configured enable password.

Your test fails based on your config: when you type "enable" it will ask for the user's password, however since there's no user logged in, it will fail.

Best,

Cristian.

Sorry for the delay, we are still yet to reload this as it's an integral device. We have copied the config from this firewall exactly as below and it still doesn't work over the console cable (but this firewall works as expected); it is a bit of an odd one:

aaa-server nps-radius protocol radius
aaa-server nps-radius (management) host 172.x.x.x
aaa authentication ssh console nps-radius
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history

user-identity default-domain LOCAL
username admin password ***** pbkdf2
enable password ***** pbkdf2

