Unable to SSH in to ASA with new created user

Charger1129
Level 1

Hello. I have an ASA 5510 firewall running an older version of code. I'm trying to create a new user account to log in but I can't seem to SSH with this account. ASDM works fine but SSH fails. I thought the command would have been:

username newuser password usertest123 privilege 15

But I can't SSH with this. What am I missing?

Cisco Adaptive Security Appliance Software Version 7.2(4)
Device Manager Version 5.2(4)

7 Replies

Marvin Rhoads
Hall of Fame

Does ssh work OK with other local users?

If not, you may be missing:

     aaa authentication ssh console LOCAL

I think this may be what's missing. Here's the error I received though when trying to add this to the configuration. I'm assuming I need to create this group?

FIrewall-ASA(config)# aaa authentication ssh console local
ERROR: aaa-server group local does not exist
Usage: [no] aaa mac-exempt match <mac-list-id>
        [no] aaa authentication secure-http-client
        [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
        [no] aaa authentication|authorization|accounting include|exclude <svc>
                <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
        [no] aaa authentication serial|telnet|ssh|http|enable console
                <server_tag> [LOCAL]
        [no] aaa accounting telnet|ssh|serial|enable console <server_tag>
        [no] aaa authentication|authorization|accounting match
                <access_list_name> <if_name> <server_tag>
        [no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
        [no] aaa accounting command {privilege <level>} <tacacs_server_tag>
        [no] aaa proxy-limit <proxy limit> | disable
        [no] aaa local authentication attempts max-fail <fail-attempts>
        clear configure aaa
        clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
        show running-config [all] aaa [authentication|authorization|accounting
                |max-exempt|proxy-limit]
        show aaa local user [lockout]

I believe it's case-sensitive.

 aaa authentication ssh console LOCAL

Looks like you were right! Definitely case sensitive. 

Another question on the topic. The enable password regardless of user is the same for all users correct? 

For LOCAL users, yes - the enable password is common between users.

If you use external authentication (and the user is authorized for enable), then they re-use their login password for enable access.

As of ASA 9.2 you can also allow direct login to enable level ("aaa authorization exec") as described in the Release Notes.

Jouni Forss
VIP Alumni

Hi,

In addition to what Marvin suggested, I would suggest simply checking the ASDM logs while the user tries to log in with SSH.

Also, if there are others using SSH connections to the ASA, I would confirm whether the new user is in a different subnet, and perhaps even behind another interface on the ASA, and you perhaps have not allowed SSH connections from that subnet?

Check the output of the command

show run ssh

To check which users can connect with SSH to the ASA.

- Jouni

Hi Jouni,

The sh run ssh only shows me the subnets that are allowed to SSH in. No users in this list. 
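An added, constructed check (not from the thread, the poster, or Cisco) that ties together the two points raised above: the LOCAL keyword on the "aaa authentication ssh console" line is case-sensitive, and the "ssh <net> <mask> <if>" lines restrict source subnets, not users. It parses a sample running-config excerpt (constructed here, not the poster's real config) and lists why a given user from a given source address would be refused.

```python
import ipaddress

# Constructed sample "show running-config" excerpt in ASA 7.2-style syntax.
# Passwords are placeholders; this is not a real device's configuration.
SAMPLE_CONFIG = """\
username admin password PLACEHOLDER encrypted privilege 15
username newuser password PLACEHOLDER encrypted privilege 15
aaa authentication ssh console LOCAL
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.50.10 255.255.255.255 management
"""


def parse_asa_config(text):
    """Return (local usernames, ssh AAA server tags, ssh allow entries)."""
    users, ssh_tags, allow = set(), [], []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "username" and len(parts) >= 2:
            users.add(parts[1])
        elif parts[:4] == ["aaa", "authentication", "ssh", "console"]:
            # <server_tag> [LOCAL]: the local database is spelled exactly LOCAL;
            # lowercase "local" is treated as the name of an aaa-server group.
            ssh_tags = parts[4:6]
        elif parts[0] == "ssh" and len(parts) == 4:
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            allow.append((net, parts[3]))   # (allowed source network, interface)
    return users, ssh_tags, allow


def check_ssh_login(config, user, src_ip):
    """List reasons an SSH login for `user` from `src_ip` would fail under `config`."""
    users, ssh_tags, allow = parse_asa_config(config)
    problems = []
    if not ssh_tags:
        problems.append("no 'aaa authentication ssh console' line: local usernames are not used for SSH")
    elif "LOCAL" not in ssh_tags:
        problems.append(f"ssh console tags {ssh_tags} do not include LOCAL (keyword is case-sensitive)")
    if user not in users:
        problems.append(f"no 'username {user}' in the local database")
    if not any(ipaddress.ip_address(src_ip) in net for net, _ in allow):
        problems.append(f"{src_ip} matches no 'ssh <net> <mask> <if>' entry")
    return problems
```

Run check_ssh_login(SAMPLE_CONFIG, "newuser", "10.1.1.25") for a clean result; swapping LOCAL for lowercase local in the sample reproduces the case-sensitivity problem from the thread.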
