Access-list for AAA radius? help please!

robbo79871
Level 1

Hi

I'm trying to SSH into a vty line on my router that is sitting on the OUTSIDE interface of an ASA. I have tried from the actual router and a PC inside the ASA too, and I'm getting the same "Open" message and go to enter the password, but when I enter the password and hit enter it does nothing and just times out.

Will post the relevant config for router and ASA below:

hostname Router3
!
enable secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
aaa new-model
!
aaa authentication login loginlist group radius
!
aaa authorization exec authorlist group radius
!
username bob privilege 15 secret 5 $1$mERr$hx5rVt7rPNoS4wqbXKX7m0
!
ip ssh version 2
ip domain-name ROUTER3
!
interface FastEthernet0/0
 ip address 172.16.30.1 255.255.255.0
 duplex auto
 speed auto
!
ip classless
ip route 10.30.0.0 255.255.255.0 172.16.30.2
ip route 0.0.0.0 0.0.0.0 172.16.30.2
!
ip flow-export version 9
!
radius-server host 10.30.0.10 auth-port 1645 key Secret
radius-server key Secret
!
line con 0
!
line aux 0
!
line vty 0 4
 login authentication loginlist
 transport input ssh
line vty 5
 transport input ssh
line vty 6 15
 transport input ssh
!
end

_______________________________________________________________________________________________________________

Firewall ASA

hostname ASA2
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 30
!
interface Ethernet0/2
 switchport access vlan 30
!
interface Vlan1
 no nameif
 security-level 100
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.30.2 255.255.255.0
!
interface Vlan30
 nameif inside
 security-level 100
 ip address 10.30.0.1 255.255.255.0
!
webvpn
 enable outside
 enable inside
!
route outside 0.0.0.0 0.0.0.0 172.16.30.1 1
!
access-list VPN_1 extended permit icmp 10.30.0.0 255.255.255.0 10.20.0.0 255.255.255.0
access-list test extended permit icmp 10.20.0.0 255.255.255.0 10.30.0.0 255.255.255.0
access-list test extended permit icmp host 172.16.30.1 host 10.30.0.10
access-list aaa extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
!
access-group aaa in interface outside
!
group-policy webvpn internal
group-policy webvpn attributes
 vpn-tunnel-protocol ssl-clientless
 webvpn
  url-list value test1
username bob password 4IncP7vTjpaba2aF encrypted
username bob attributes
 vpn-group-policy webvpn
!
class-map inspect
 match default-inspection-traffic
class-map test
!
policy-map global
 class inspect
  inspect icmp
 class test
!
service-policy global global
!
telnet timeout 5
ssh timeout 5
!

___________________________________________________________________________

Also, the details in Packet Tracer on the RADIUS server are:

client name = R1   client ip = 172.16.30.1   service type = radius   key = Secret   port = 1645

username = tim   password = pass

2 Replies

Maykol Rojas
Cisco Employee

Hello; 

What happens if you remove authorization? Are you able to get in? 

Mike. 

Mike

Hi

No, it still doesn't let me. I have changed the access lists around a bit to see if anything works. I am now able to ping from the outside router to the AAA server, but cannot SSH into the router from an inside PC and get the RADIUS authentication to work either.

Here are the new updates:

object network asa_inside_address
 subnet 10.30.0.1 255.255.255.255
object network inside_network
 subnet 10.30.0.0 255.255.255.0
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
access-list website_outside extended permit icmp any object inside_network
!
access-group website_outside in interface outside
!

I must be missing something, can't see what?
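As an added illustration (not code from this thread or from Cisco), a small first-match model of the ASA ACL posted above, in Python. It checks whether the RADIUS Access-Request the router must send (udp 172.16.30.1 to 10.30.0.10 port 1645) is permitted by the website_outside ACL and flags any permit that reaches a service port from "any" source; it assumes a trailing "eq PORT" is a destination port, as in the posted ACEs.

```python
import ipaddress

# Constructed sample: the network objects and the "website_outside" ACL posted above.
ASA_CONFIG = """\
object network asa_inside_address
 subnet 10.30.0.1 255.255.255.255
object network inside_network
 subnet 10.30.0.0 255.255.255.0
access-list website_outside extended permit icmp any object asa_inside_address
access-list website_outside extended permit udp any 10.30.0.0 255.255.255.0 eq 1645
access-list website_outside extended permit icmp any object inside_network
"""

def _addr(t, objs):
    """Consume one ASA address spec (any | host A | A MASK | object NAME); return (network, rest)."""
    if t[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), t[1:]
    if t[0] in ("host", "object"):
        return (objs[t[1]] if t[0] == "object" else ipaddress.ip_network(t[1])), t[2:]
    return ipaddress.ip_network(f"{t[0]}/{t[1]}"), t[2:]

def parse_acl(cfg, name):
    """ACEs as (action, proto, src_net, dst_net, dst_port|None) in config order.
    Assumption: a trailing 'eq PORT' is a destination port, as in the posted ACL."""
    objs, aces, cur = {}, [], None
    for t in (line.split() for line in cfg.splitlines() if line.strip()):
        if t[:2] == ["object", "network"]:
            cur = t[2]
        elif t[0] == "subnet" and cur:
            objs[cur] = ipaddress.ip_network(f"{t[1]}/{t[2]}")
        elif t[:3] == ["access-list", name, "extended"]:
            src, rest = _addr(t[5:], objs)
            dst, rest = _addr(rest, objs)
            port = int(rest[1]) if rest[:1] == ["eq"] else None
            aces.append((t[3], t[4], src, dst, port))
    return aces

def evaluate(aces, proto, src, dst, dport=None):
    """First-match lookup; an unmatched packet hits the ASA's implicit deny."""
    for ace in aces:
        action, p, s, d, port = ace
        if (p in ("ip", proto) and ipaddress.ip_address(src) in s
                and ipaddress.ip_address(dst) in d and port in (None, dport)):
            return action, ace
    return "deny", None

def overbroad_aces(aces):
    """Least-privilege check: permits to a specific service port from ANY source."""
    return [a for a in aces if a[0] == "permit" and a[2].prefixlen == 0 and a[4]]
```

Run against the posted ACL, the RADIUS request is permitted, so the outside ACL is not what blocks the login, while the udp 1645 ACE is flagged as over-broad. Narrowing it to source host 172.16.30.1 and destination host 10.30.0.10 matches the single RADIUS client this design actually has.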
