Paul
Beginner

ASA5500 SSH using AAA RADIUS

Hello - having issues getting SSH to authenticate properly on a Cisco ASA 5500. Below are the respective configs and debug outputs. Any help is appreciated.

///ASA CONFIG

# sh run aaa
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS
aaa authorization exec LOCAL auto-enable

# sh run ssh
no ssh stricthostkeycheck
ssh xx.xx.xx.xx 255.0.0.0 inside
ssh xx.xx.xx.xx 255.255.255.255 outside
ssh timeout 60
ssh key-exchange group dh-group1-sha1

# sh run aaa-server
aaa-server RADIUS protocol radius
 reactivation-mode depletion deadtime 5
aaa-server RADIUS (inside) host xx.xx.xx.xx
 retry-interval 7
 timeout 9
 key *****
 acl-netmask-convert wildcard
aaa-server RADIUS (inside) host xx.xx.xx.xx
 retry-interval 7
 timeout 9
 key *****
 acl-netmask-convert wildcard

# test aaa-server authentication RADIUS
Server IP Address or name: xx.xx.xx.xx
Username: USERNAME
Password: **********
INFO: Attempting Authentication test to IP address <xx.xx.xx.xx> (timeout: 11 seconds)
INFO: Authentication Successful

Testing authentication from the ASA to the RADIUS server is successful for the same UN/PW used from the shell.

////SSH DEBUG

# Device ssh opened successfully.
SSH0: SSH client: IP = ‘xx.xx.xx.xx’  interface # = 2
SSH: host key initialised
SSH0: starting SSH control process
SSH0: Exchanging versions - SSH-1.99-Cisco-1.25

SSH0: send SSH message: outdata is NULL

server version string:SSH-1.99-Cisco-1.25
SSH0: receive SSH message: 83 (83)
SSH0: client version is - SSH-2.0-OpenSSH_6.2

client version string:SSH-2.0-OpenSSH_6.2

SSH2 0: send: len 304 (includes padlen 6)
SSH2 0: SSH2_MSG_KEXINIT sent
SSH2 0: ssh_receive: 1380 bytes received
SSH2 0: input: packet len 1592
SSH2 0: partial packet 8, need 1584, maclen 0
SSH2 0: ssh_receive: 212 bytes received
SSH2 0: partial packet 8, need 1584, maclen 0
SSH2 0: input: padlen 6
SSH2 0: received packet type 20

SSH2 0: SSH2_MSG_KEXINIT received
SSH2: kex: client->server aes128-ctr hmac-md5 none
SSH2: kex: server->client aes128-ctr hmac-md5 none
SSH2 0: expecting SSH2_MSG_KEXDH_INIT
SSH2 0: ssh_receive: 144 bytes received
SSH2 0: input: packet len 144
SSH2 0: partial packet 8, need 136, maclen 0
SSH2 0: input: padlen 6
SSH2 0: received packet type 30

SSH2 0: SSH2_MSG_KEXDH_INIT received
SSH2 0: signature length 143
SSH2 0: send: len 448 (includes padlen 7)
SSH2: kex_derive_keys complete
SSH2 0: send: len 16 (includes padlen 10)
SSH2 0: newkeys: mode 1
SSH2 0: SSH2_MSG_NEWKEYS sent
SSH2 0: waiting for SSH2_MSG_NEWKEYS
SSH2 0: ssh_receive: 16 bytes received
SSH2 0: input: packet len 16
SSH2 0: partial packet 8, need 8, maclen 0
SSH2 0: input: padlen 10
SSH2 0: newkeys: mode 0
SSH2 0: received packet type 21

SSH2 0: SSH2_MSG_NEWKEYS received
SSH2 0: ssh_receive: 48 bytes received
SSH2 0: input: packet len 32
SSH2 0: partial packet 16, need 16, maclen 16
SSH2 0: MAC #3 ok
SSH2 0: input: padlen 10
SSH2 0: received packet type 5

SSH2 0: send: len 32 (includes padlen 10)
SSH2 0: done calc MAC out #3
SSH2 0: ssh_receive: 64 bytes received
SSH2 0: input: packet len 48
SSH2 0: partial packet 16, need 32, maclen 16
SSH2 0: MAC #4 ok
SSH2 0: input: padlen 5
SSH2 0: received packet type 50
SSH(USERNAME): user authen method is 'use AAA', aaa server group ID = 4

SSH2 0: send: len 48 (includes padlen 19)
SSH2 0: done calc MAC out #4
SSH2 0: ssh_receive: 624 bytes received
SSH2 0: input: packet len 608
SSH2 0: partial packet 16, need 592, maclen 16
SSH2 0: MAC #5 ok
SSH2 0: input: padlen 9
SSH2 0: received packet type 50
SSH(USERNAME): user authen method is 'use AAA', aaa server group ID = 4

SSH2 0: Bad username  ///Not sure why I'm getting bad username here
SSH2 0: send: len 48 (includes padlen 19)
SSH2 0: done calc MAC out #5
SSH2 0: ssh_receive: 144 bytes received
SSH2 0: input: packet len 128
SSH2 0: partial packet 16, need 112, maclen 16
SSH2 0: MAC #6 ok
SSH2 0: input: padlen 66
SSH2 0: received packet type 50
SSH(USERNAME): user authen method is 'use AAA', aaa server group ID = 4

SSH2 0: send: len 48 (includes padlen 19)
SSH2 0: done calc MAC out #6
SSH2 0: authentication failed for USERNAME

I'm going to verify the RADIUS server is configured properly; however, I don't think this is the case, since the ASA>RADIUS auth tests fine. It only fails via SSH.

Gagandeep Singh
Cisco Employee

Hi,

Few questions:

1) Is there any specific reason for having "acl-netmask-convert wildcard" in the RADIUS server definition?

2) Try changing the shared key on both the ASA and TACACS.

3) What error do you get on the server when you try to SSH to the ASA?

Regards

Gagan
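The shared-key question raised above can be reasoned about without the ASA: the Access-Request the ASA sends for an SSH login carries the password PAP-obfuscated under the shared secret (RFC 2865 section 5.2), and the reply carries a Response Authenticator keyed on the same secret. The following Python is an added example, not code from the thread or from Cisco; it assumes PAP, and the usernames, passwords and key strings are constructed samples.

```python
import hashlib, hmac, os, struct

def pap_encode(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # RFC 2865 s5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block)
    out, prev, padded = b"", req_auth, password + b"\x00" * (-len(password) % 16)
    for i in range(0, len(padded), 16):
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decode(encoded: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Inverse of pap_encode; with a wrong shared secret this yields garbage, not the password
    out, prev = b"", req_auth
    for i in range(0, len(encoded), 16):
        out += bytes(c ^ k for c, k in zip(encoded[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(ident: int, user: bytes, pwd: bytes, secret: bytes, req_auth: bytes) -> bytes:
    # Code 1 = Access-Request; attribute 1 = User-Name, attribute 2 = User-Password (PAP-encoded)
    enc = pap_encode(pwd, secret, req_auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(enc)]) + enc
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def parse_attrs(pkt: bytes) -> dict:
    attrs, pos, length = {}, 20, struct.unpack("!H", pkt[2:4])[0]
    while pos + 2 <= length:
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return attrs

def server_decision(pkt: bytes, secret: bytes, users: dict) -> bytes:
    # Server side: recover the PAP password with *its* secret, compare, and reply Accept (2) or
    # Reject (3); Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    ident, req_auth, a = pkt[1], pkt[4:20], parse_attrs(pkt)
    ok = users.get(a.get(1)) == pap_decode(a.get(2, b""), secret, req_auth)
    header = struct.pack("!BBH", 2 if ok else 3, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()

def verify_response(resp: bytes, req_auth: bytes, secret: bytes) -> bool:
    # NAS-side check that the reply was produced by a server holding the same secret
    length = struct.unpack("!H", resp[2:4])[0]
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:length] + secret).digest()
    return hmac.compare_digest(expected, resp[4:20])

def demo(secret_on_server: bytes) -> tuple:
    # Constructed sample: the NAS uses "asa-shared-key"; returns (reply code, authenticator ok).
    # A mismatched key fails twice: the password never decodes, and the NAS cannot validate the reply.
    req_auth = os.urandom(16)
    req = build_access_request(7, b"USERNAME", b"Pa55word!", b"asa-shared-key", req_auth)
    resp = server_decision(req, secret_on_server, {b"USERNAME": b"Pa55word!"})
    return resp[0], verify_response(resp, req_auth, b"asa-shared-key")
```

Because a key mismatch shows up as an unverifiable reply rather than a clean reject, a successful `test aaa-server` (as in the original post) is good evidence that the shared key itself is not the problem.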

Hi Gagan,

No reason for the netmask-convert; removing this command does not change the behavior.

prompt from ssh console:

Permission denied, please try again.

When testing authentication from the ASA to RADIUS server, is the key not transferred in this process? I would think it is.

Did you try resetting the SSH keys on the ASA?

Also, what error is showing in the RADIUS server's authentication report?

Regards

Gagan

After much troubleshooting, we've finally got this to work. For whatever reason I added

ssh scopy enable

to the ssh config on the ASA and it started accepting the connections and elevating correctly. I still don't understand why this command helped.

Angel Castillo
Beginner

Do you have the logs on the RADIUS server?
