aaa authentication ssh console LOCAL
Configures the ASA to use the local database for SSH authentication.
Overview
The 'aaa authentication ssh console LOCAL' command is used on Cisco ASA firewalls to enforce authentication for SSH access using the local user database. This command is part of the AAA (Authentication, Authorization, and Accounting) framework, which provides centralized or local security management. When configured, any SSH connection attempt to the ASA will prompt for a username and password that must match an entry in the local database. This is particularly useful in environments where external AAA servers (like TACACS+ or RADIUS) are not available, or as a fallback method.

The command operates in global configuration mode and applies specifically to console (management) SSH sessions. It does not affect other services like Telnet, HTTP, or ASDM, which require separate AAA commands. On ASA platforms, the local database is managed via 'username' commands, and passwords can be stored encrypted. This command is essential for securing management access, especially in small to medium deployments. In troubleshooting workflows, verifying this command ensures that SSH authentication is correctly configured, preventing unauthorized access.

The ASA's behavior differs from IOS routers, where 'aaa new-model' is required; on ASA, AAA is enabled by default for certain services. Understanding this command is critical for network engineers managing ASA firewalls, as misconfiguration can lead to lockout or security gaps.
When to Use This Command
- Enforcing local username/password authentication for SSH access to the ASA management interface.
- Replacing TACACS+ or RADIUS authentication with local database for SSH when external servers are unavailable.
- Providing fallback authentication method for SSH when primary AAA servers are unreachable.
- Securing SSH access with locally defined credentials for small deployments without external AAA.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| aaa authentication ssh console LOCAL | aaa authentication ssh console LOCAL | This is the full command with no parameters. 'aaa authentication' invokes the AAA authentication subsystem, 'ssh' specifies the service, 'console' indicates management access, and 'LOCAL' specifies the local database as the authentication method. |
Command Examples
Basic local SSH authentication
aaa authentication ssh console LOCAL
No output is displayed upon successful configuration. The command is entered in global configuration mode.
Verifying SSH authentication configuration
show running-config aaa
aaa authentication ssh console LOCAL
The output shows the current AAA configuration for SSH authentication, confirming that local authentication is set.
Understanding the Output
The command 'aaa authentication ssh console LOCAL' does not produce any output when entered correctly. To verify the configuration, use 'show running-config aaa' or 'show running-config | include aaa authentication ssh'. The output will display the line 'aaa authentication ssh console LOCAL' if configured. If the command is missing, SSH authentication may fall back to other methods or fail. A healthy configuration shows the exact command in the running config. Common issues include typos or missing 'LOCAL' keyword, which would cause authentication to fail.
Configuration Scenarios
Enabling Local SSH Authentication on ASA
A small office with a single ASA firewall needs to secure SSH access using local usernames.
Topology
Internet --- ASA (inside: 192.168.1.1) --- Internal Network
Steps
1. Create local usernames: username admin password cisco123
2. Enable SSH: ssh 192.168.1.0 255.255.255.0 inside
3. Configure local authentication: aaa authentication ssh console LOCAL
```
! Configure local username
username admin password cisco123
! Enable SSH on inside interface
ssh 192.168.1.0 255.255.255.0 inside
! Set local authentication for SSH
aaa authentication ssh console LOCAL
```
Verify: Use 'show running-config aaa' to confirm the command is present. Attempt SSH from a client (e.g., ssh admin@192.168.1.1) and verify successful login.
Watch out: If no local usernames are configured, SSH access will be denied even with this command. Always create usernames first.
Troubleshooting with This Command
When troubleshooting SSH authentication issues on ASA, first verify that the 'aaa authentication ssh console LOCAL' command is present in the running configuration. Use 'show running-config | include aaa authentication ssh' to check. If missing, add it. Next, ensure local usernames exist with 'show running-config | include username'. If usernames are missing, create them. Check the SSH access list with 'show ssh' to confirm allowed hosts. If authentication fails, enable debugging with 'debug aaa authentication' to see the authentication process. Common issues include incorrect username/password, locked accounts, or mismatched SSH version.

Also verify that the SSH service is enabled on the interface. On ASA, the 'ssh' command must specify the allowed networks; if the client IP is not permitted, the connection is rejected before authentication even begins. Additionally, ensure that the ASA has a hostname and domain name configured, as SSH keys depend on them. Use 'show crypto key mypubkey rsa' to verify RSA keys exist. If not, generate them with 'crypto key generate rsa modulus 2048'. Finally, check for any ACLs blocking SSH traffic. The ASA's logging can also provide clues; use 'show log' to view authentication failures.

Remember that this command only affects SSH; other services like HTTPS or Telnet require separate AAA commands. If using multiple authentication methods, the order matters; 'LOCAL' should be the last method if used as fallback.
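The checks above (command present, local users defined, hostname and domain-name set, client inside an 'ssh' permitted network) can be run offline against a saved 'show running-config' before touching the box. The following is an added example written for this page, not Cisco code or output; the config excerpt is constructed, the username line uses a placeholder password field, and the function names are my own. It also generalizes the scenario verification step: it tells you whether a given client address would even reach the authentication prompt.

```python
"""Offline audit of an ASA running-config excerpt for the SSH
authentication checklist. Example code for this page, not Cisco's;
the sample config below is constructed."""
import ipaddress
import re

# Constructed sample running-config excerpt (not from a real device).
# The password field is a placeholder, not a real hash.
SAMPLE_CONFIG = """\
hostname asa-branch
domain-name example.test
username admin password PLACEHOLDER_HASH encrypted privilege 15
ssh 192.168.1.0 255.255.255.0 inside
ssh version 2
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"""

# Exact line we expect; note 'aaa authentication enable console LOCAL'
# is a different command and must not satisfy this check.
AAA_SSH_LINE = "aaa authentication ssh console LOCAL"

SSH_ACL_RE = re.compile(
    r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)


def parse_ssh_acl(config):
    """Return [(network, interface)] for every 'ssh <addr> <mask> <iface>'
    line. Lines such as 'ssh version 2' or 'ssh timeout 10' are skipped."""
    allowed = []
    for line in config.splitlines():
        m = SSH_ACL_RE.match(line.strip())
        if m:
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            allowed.append((net, m.group(3)))
    return allowed


def local_usernames(config):
    """Names from 'username <name> ...' lines in the local database."""
    return [line.split()[1] for line in config.splitlines()
            if line.startswith("username ")]


def audit_ssh_auth(config, client_ip):
    """Run the checklist in the same order an engineer would troubleshoot.
    Returns a dict of findings; 'ok' is True only when every check passes."""
    lines = [line.strip() for line in config.splitlines()]
    acl = parse_ssh_acl(config)
    ip = ipaddress.ip_address(client_ip)
    findings = {
        "aaa_ssh_local": AAA_SSH_LINE in lines,
        "has_local_users": bool(local_usernames(config)),
        "has_hostname": any(l.startswith("hostname ") for l in lines),
        "has_domain_name": any(l.startswith("domain-name ") for l in lines),
        # A client outside every 'ssh' network is dropped before the
        # username prompt, so report it separately from the AAA line.
        "client_permitted": any(ip in net for net, _ in acl),
    }
    findings["ok"] = all(findings.values())
    return findings


if __name__ == "__main__":
    for client in ("192.168.1.50", "10.0.0.5"):
        print(client, audit_ssh_auth(SAMPLE_CONFIG, client))
```

Feed it the text of 'show running-config' captured from the device; each False entry maps directly to one of the checks in the paragraph above, so the first False in dict order is the next thing to fix.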
CCNA Exam Tips
Remember that 'aaa authentication ssh console LOCAL' only affects SSH; Telnet and HTTP use separate commands.
On ASA, the local database is configured via 'username' commands; ensure usernames exist before enabling this command.
In CCNP Security exams, know that 'LOCAL' is case-sensitive and must be uppercase.
Common Mistakes
Forgetting to create local usernames before enabling local authentication, resulting in lockout.
Using 'aaa authentication ssh console' without 'LOCAL' or with a wrong method, causing authentication failure.
Confusing this command with 'aaa authentication enable console LOCAL' which controls enable mode access.
Platform Notes
On Cisco ASA, the 'aaa authentication ssh console LOCAL' command is specific to the ASA platform and differs from IOS. In IOS, AAA must be enabled globally with 'aaa new-model', and authentication is configured under line vty. On ASA, AAA is built-in and the command directly applies to the management SSH service. There is no equivalent 'line vty' configuration. For Telnet, use 'aaa authentication telnet console LOCAL'. For HTTP/ASDM, use 'aaa authentication http console LOCAL'. The ASA also supports 'aaa authentication serial console LOCAL' for console port access.

In terms of version differences, this command has been available since early ASA versions and remains consistent. On newer ASA versions with Firepower services, the command still applies to the ASA portion.

For equivalent commands on other platforms, on IOS-XE you would configure 'aaa new-model', then 'aaa authentication login default local', and 'line vty 0 4' with 'login authentication default'. On NX-OS, similar AAA commands exist but with different syntax. Understanding these differences is crucial for multi-vendor environments. The ASA does not support 'aaa authentication ssh console LOCAL' with multiple methods in a single command; you must use a method list if combining methods. However, for simplicity, 'LOCAL' alone is common.