user can't login firewall via SSH

Publication Date:  2013-09-30 Views:  503 Downloads:  0
Issue Description
This topology is as follows.

The version of Eudemon200E-X is V300R001C00SPC700.
Intranet use can login the firewall via telnet and SSH using a local user name Admin, and can login that via telnet using a username in the Domain, but can’t via SSH using a username in the Domain.
The configuration related with Radius server and SSH is as follows:
#
radius-server template radiusocc
radius-server shared-key %$%$`NqmW/$g:'89a#+r5Q:)MMD;%$%$
radius-server authentication 10.0.16.30 1812
radius-server accounting 10.0.16.30 1813
#
aaa
local-user admin password cipher %$%$;aa5#\>Sz/`y2"&D/%)"M4+"%$%$
local-user admin service-type web terminal telnet ssh
local-user admin level 15
local-user velascoma@test.com password cipher %$%$;NZ07b_zO~8YvBR"{l*O[:1(%$%$
authentication-scheme default
authentication-scheme radiusocc
  authentication-mode  radius  local
#
authorization-scheme default
authorization-scheme radiusocc
  authorization-mode  none
#
accounting-scheme default
#
domain default
domain test.com
  authentication-scheme  radiusocc
  radius-server radiusocc
#
#
user-interface con 0
user-interface tty 2
authentication-mode password
modem both
user-interface vty 0 4
authentication-mode aaa
#
undo ssh server compatible-ssh1x enable
stelnet server enable
ssh user admin
ssh user velascoma@test.com
ssh user admin authentication-type password
ssh user admin service-type all
ssh user velascoma@test.com service-type stelnet
#

Alarm Information
none
Handling Process
(1) Check the configuration related with radius server, we found that there is nothing wrong.

<Eudemon200E>dis radius-server config
00:58:36  2013/09/21
  -------------------------------------------------------------------
  Server-template-name             :  radiusocc
  Protocol-version                 :  standard
  Traffic-unit                     :  B
  Shared-secret-key                :  %$%$`NqmW/$g:'89a#+r5Q:)MMD;%$%$
  Group-filter                     :  class
  Timeout-interval(in second)      :  5
  Primary-authentication-server    : 10.0.16.30:1812:LoopBack-1
  Primary-accounting-server        :  10.0.16.30:1813:LoopBack-1
  Secondary-authentication-server  :  0.0.0.0:0:LoopBack0
  Secondary-accounting-server      :  0.0.0.0:0:LoopBack0
  Retransmission                   :  3
  Domain-included                  :  YES
  DM-enabled                       :  NO
  -------------------------------------------------------------------

AS intranet user can login the firewall via telnet using a domain user, we can concluded that the configuration of radius server is correct, and the route between firewall and radius server is reachable.
(2) We ask the customer to open all the related debug information via these commands:

[Eudemon200E]diagnose
[Eudemon200E-diagnose]debugging acm admin all
[Eudemon200E-diagnose]debugging ucm all
[Eudemon200E-diagnose]debugging aaa message verbose
[Eudemon200E-diagnose]debugging aaa all
[Eudemon200E-diagnose]debugging radius all
<Eudemon200E>debugging radius packet
<Eudemon200E>debugging ssh server all  all
<Eudemon200E>terminal debugging
<Eudemon200E>terminal monitor
We can see these important debug information:

2013-09-20 22:52:47 pruebas %%01SSH/4/USER_NOAUTH(l): No authentication type is configured for the user velascoma@test.com.
*0.61980750 pruebas SSH/7/AUTH_TYPE:The SSH user velascoma@test.com's auth-type is none, use command' SSH user {user-name} authentication-type {auth-method}' to set it.
*0.61980960 pruebas SSH/7/FSM_MOVE:FSM moved from SSH_Main_SSHProcess to SSH_Main_Disconnect.
*0.61982320 pruebas UCM/7/DebugInfo:
  [UCM DBG]Timer type:SYN Parameter:10000
*0.61987910 pruebas UCM/7/DebugInfo:
  [UCM DBG]MSG Recv From:IKE Code:UNKNOWN Src:4294967295 Dst:1342242561
*0.61988040 pruebas AAA/7/AAADBG:
[AAA debug]  Code: unknown  UserID: 4294967295

From the product document, we can see the description of the this command “SSH user {user-name} authentication-type {auth-method}”, from which we can know the root cause that the domain user can’t login the firewall via SSH.
ssh user authentication-type
Function
Using the ssh user user-name authentication-type command, you can configure the authentication mode for the SSH user.
Using the undo ssh user-name authentication-type command, you can cancel the authentication mode of the SSH user and restore the default configuration, that is, no authentication mode is adopted.
By default, the authentication mode of the SSH user is not configured.
Usage Guidelines
A new SSH user cannot log in unless being configured with an authentication mode. The newly configured authentication mode takes effect on next login.

As there are so many domain user stored in the radius server that we configured another command “ssh authentication-type default password”, the description of which is as follows:
ssh authentication-type default password
Function

Using the ssh authentication-type default password command, you can configure the password authentication for the SSH user.
Using the undo ssh authentication-type default password command, you can remove the configured default authentication type.
By default, no authentication type is configured.
Usage Guidelines
Specify the authentication type for the newly added SSH user. If the authentication type is specified in the ssh authentication-type default password command, this user uses the password authentication type by default.


After command “ssh authentication-type default password” is input, the issue is solved.
Root Cause
(1) The configuration related with Radius Server is incorrect
(2) The route is unreachable.
(3) The configuration related with SSH is incorrect
Suggestions
While configuring SSH, make sure that you configure the authentication mode for SSH users.

END