ASA AAA Authentication: adding radius server fails

Unanswered Question
Nov 4th, 2009


Here's my aaa config:

aaa-server RADIUS1 protocol radius
aaa-server RADIUS1 host
 key SuperSecretKey
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
http server enable

Whenever I try to add the RADIUS server to ssh console it fails:

asa1(config)# aaa authentication ssh console RADIUS1 LOCAL
Range already exists.

Any hints?



Herbert Baerten Wed, 11/04/2009 - 23:30

First remove the existing config:

no aaa authentication ssh console LOCAL

Then apply the new config:

aaa authentication ssh console RADIUS1 LOCAL

jcw009 Thu, 11/05/2009 - 06:04

If I do this, will it mean that anyone who can be authenticated on the radius server can log into the firewall?

Herbert Baerten Thu, 11/05/2009 - 06:15


Depending on what Radius server it is, you may or may not be able to configure it to accept/reject the authentication based on some parameters like the ip address of the radius client.

But as far as the ASA is concerned, if the Radius server says it's ok, it lets the user in.

I assumed that that is what you wanted, since you were trying to implement this command?

jcw009 Thu, 11/05/2009 - 07:24

I think what I was trying to do was use my RADIUS box like a TACACS box. It doesn't seem like that would work. I'm using Windows 2003 IAS as a RADIUS server to authenticate VPN clients, and I don't want anyone who can VPN in to be able to log in to the firewall. I may have to look into setting up a TACACS box.

Thanks for your help!

hdashnau Thu, 11/05/2009 - 10:25

You could pass back the IETF Service-Type attribute from the RADIUS server. You can then use this to restrict the access for these users.

Here is what is required for the RADIUS-delivered Service-Type attribute to be enforced for CLI access:

"aaa authorization exec authentication-server" must be enabled.

"aaa authentication enable console" must be enabled.

The IETF RADIUS Service-Type attribute must be returned in the Access-Accept packet.

Also note, make sure you are using a version of code with the fix for CSCsk89452.

If you are using local authentication instead of RADIUS this can also be done with the following commands:

username attributes
 service-type <(admin,nas-prompt,remote-access)>
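Putting Herbert's fix (remove the old `aaa authentication` line, then re-add it with the server first) and hdashnau's Service-Type enforcement together, the resulting ASA configuration looks like the block below. This is an added example, not configuration posted by anyone in the thread. The interface name, the server address 192.0.2.10, the usernames and the password placeholders are assumptions, and the numeric Service-Type values in the comments (6 = Administrative, 7 = NAS-Prompt, 5 = Outbound) are taken from the ASA management-access documentation as I remember it, so verify them against the configuration guide for your release.

```cisco
! Added example, not from the original thread. Assumes the RADIUS server is
! reachable on the "inside" interface at 192.0.2.10 (constructed address) and
! that the ASA runs a release containing the fix for CSCsk89452.
aaa-server RADIUS1 protocol radius
aaa-server RADIUS1 (inside) host 192.0.2.10
 key SuperSecretKey
 timeout 5
!
! The existing LOCAL-only line must go first, otherwise the ASA answers
! "Range already exists." LOCAL stays as the last method so a local account
! still works when RADIUS1 does not answer (fallback happens only when the
! server is unreachable, not when it returns an Access-Reject).
no aaa authentication ssh console LOCAL
aaa authentication ssh console RADIUS1 LOCAL
!
! Both of these are required before the Service-Type returned in the
! Access-Accept is enforced for CLI access:
!   Service-Type 6 (Administrative) -> full CLI/enable access
!   Service-Type 7 (NAS-Prompt)     -> CLI login, no privileged config
!   Service-Type 5 (Outbound)       -> management access denied, VPN still works
aaa authentication enable console RADIUS1 LOCAL
aaa authorization exec authentication-server
!
! Local accounts are subject to the same check via "service-type". A local
! user carrying remote-access is refused at the SSH prompt even with the
! right password, so VPN-only local users cannot reach the CLI either.
! <strong-password> is a placeholder, replace it before pasting.
username fwadmin password <strong-password> privilege 15
username fwadmin attributes
 service-type admin
!
username vpnonly password <strong-password>
username vpnonly attributes
 service-type remote-access
```

On the IAS side, add the standard attribute Service-Type with value Administrative to the remote access policy that matches firewall administrators (IAS exposes it under the policy profile's Advanced tab), and make the policy that matches VPN clients return Outbound rather than Administrative. Test with one admin account and one VPN-only account over SSH before relying on it, and keep the `fwadmin` local account so you are not locked out if the RADIUS server goes away.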
