Can’t Login to Your ASA via SSH or Telnet?

I deployed a Cisco ASA at a location and couldn’t get logged in via SSH. I would get prompted, but, no matter what username/password I put in, it would just reject me. After some digging, it turns out that I forgot this command.

aaa authentication ssh console LOCAL

When I put this in, it let me right in as expected. I have no clue what the deal was. I guess I assumed that the ASA would use the local userbase if a AAA service wasn’t configured. I guessed wrong.

I’m sure this will apply to telnet sessions as well. I’d also bet money that equivalent PIX OS versions do that same, so keep an eye out.

Aaron Conaway

I shake my head around sometimes and see what falls out. That's what lands on these pages.

More Posts

Follow Me:
Twitter

9 comments for “Can’t Login to Your ASA via SSH or Telnet?

  1. July 6, 2008 at 4:36 am

    This is normal and logical behavior. If you don’t put any aaa statement in your config console (and telnet) only ask for password and not the username. This is the “global” password not the password associated with a user. In case of http (asdm) you can leave the username empty and only provide the enable password. In case of ssh the username is mandatory so ASA/PIX require you to use the special (“magic”) username “pix”. This is documented by Cisco.

  2. September 1, 2010 at 7:52 am

    Heres some more information that might be helpfull,

    Cisco ASA Allow Management

    Pete
    PeteNetLive

  3. sb
    November 24, 2011 at 10:39 am

    v helpful. thanks.

  4. Omair Khalid
    September 24, 2012 at 11:59 am

    Thankx alot, saved my travel back to office.

  5. Mike
    July 3, 2013 at 3:33 pm

    Awesome thanks, this was driving me bonkers.

  6. William
    May 12, 2014 at 2:33 pm

    helped me out today. Thank you very much for your post!

  7. October 2, 2014 at 6:21 pm

    My ASA was almost out of the window. This post saved it. Thanks!

  8. Thabo
    December 8, 2015 at 12:38 am

    Thanks for this posting it has really helped me this morning

  9. Steve S
    September 27, 2016 at 8:43 am

    This post lives on! Been working on this for a couple of hours and it was driving me crazy.
    Thanks

Leave a Reply

Your email address will not be published. Required fields are marked *