- In some cases, a remote user login over SSH using the password authentication method fails after a Firepower eXtensible Operating System (FXOS) upgrade. Remote users here are users authenticated through AAA, for example against a TACACS server.
- With a Linux-based SSH client, the following message is shown: `Permission denied, please try again.`

Case 1:

```
# ssh -o PreferredAuthentications=password remote_user1@192.0.2.1
remote_user1@192.0.2.1's password:
Permission denied, please try again.
remote_user1@192.0.2.1's password:
```

Case 2:

```
# ssh -o PreferredAuthentications=password,keyboard-interactive remote_user1@192.0.2.1
remote_user1@192.0.2.1's password:
Permission denied, please try again.
remote_user1@192.0.2.1's password:
```

Case 3:

```
# ssh -o PreferredAuthentications=keyboard-interactive,password remote_user1@192.0.2.1
(remote_user1@192.0.2.1) Password:
(remote_user1@192.0.2.1) Password:
(remote_user1@192.0.2.1) Password:
Permission denied, please try again.
```

- Additionally, in a decrypted packet capture between FXOS and the remote authentication server, the password that FXOS sends to the authentication server is `\b\n\r\177INCOR` instead of the configured password. For example, below is the decoded output of an authentication-type message sent from FXOS to the remote TACACS server.

Expected password: `Cisco!123`
Observed (failing case): `\b\n\r\177INCOR`

```
Frame 14: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
Internet Protocol Version 4, Src: 192.0.2.1, Dst: 192.0.2.2
Transmission Control Protocol, Src Port: 59690, Dst Port: 49, Seq: 1, Ack: 1, Len: 52
TACACS+
    Major version: TACACS+
    Minor version: 1
    Type: Authentication (1)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 130850580
    Packet length: 40
    Encrypted Request
    Decrypted Request
        Action: Inbound Login (1)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: Login (1)
        User len: 8
        User: ciscotac
        Port len: 1
        Port: 0
        Remaddr len: 14
        Remote Address: 192.0.2.100
        Password Length: 9
        Password: \b\n\r\177INCOR   <===========
```
All conditions must match:

1. FXOS is installed or upgraded to a newer release; the issue has been observed on recent releases such as 2.17.x.
2. AAA using TACACS or RADIUS is configured and active on FXOS.
3. The remote user attempts to log in to FXOS over SSH with password-based authentication. With a standard Linux-based SSH client, the symptom can be reproduced with any of the following:

```
# ssh user@192.0.2.1
# ssh -o PreferredAuthentications=password user@192.0.2.1
# ssh -o PreferredAuthentications=password,keyboard-interactive user@192.0.2.1
# ssh -o PreferredAuthentications=keyboard-interactive,password user@192.0.2.1
```
If password-based authentication is used, log in to the Firepower Chassis Manager first, and then log in to FXOS using SSH.
- A similar issue is documented in defect CSCwb89257, which covers older FXOS releases.
- However, CSCwb89257 appears to address only earlier versions, and the same behavior is now observed again on newer FXOS releases.
- Testing confirms that this issue is independent of the SSH authentication method order. Even when keyboard-interactive is configured as the first authentication method, the issue still reproduces. SSH debug output confirms that keyboard-interactive is attempted first, for example:

```
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
```

- However, authentication still fails, and the client later falls back to password, which also fails.
- Packet capture analysis shows that during authentication, FXOS sends an incorrect or corrupted password to the TACACS server. For example:

```
Password: \b\n\r\177INCOR
```

The expected password in this example is:

```
Password: Cisco!123
```

- The TACACS server correctly rejects the authentication request because the password it received is invalid.
- When logging in to the Firepower Chassis Manager first and then accessing the FXOS CLI, the password is transmitted correctly. For example:

```
Frame 34: 118 bytes on wire (944 bits), 118 bytes captured (944 bits)
Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
Internet Protocol Version 4, Src: 192.0.2.1, Dst: 192.0.2.2
Transmission Control Protocol, Src Port: 39718, Dst Port: 49, Seq: 1, Ack: 1, Len: 52
TACACS+
    Major version: TACACS+
    Minor version: 1
    Type: Authentication (1)
    Sequence number: 1
    Flags: 0x00 (Encrypted payload, Multiple Connections)
    Session ID: 1268384658
    Packet length: 40
    Encrypted Request
    Decrypted Request
        Action: Inbound Login (1)
        Privilege Level: 1
        Authentication type: PAP (2)
        Service: Login (1)
        User len: 8
        User: ciscotac
        Port len: 1
        Port: 0
        Remaddr len: 14
        Remote Address: 192.0.2.100
        Password Length: 9
        Password: Cisco!123   <===========
```

- This confirms that the issue is on the FXOS side and is not related to the SSH client configuration, authentication method order, or AAA server behavior.
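To make captures like the two above checkable offline, here is an added example (not Cisco's or BugZero's code) that parses a decrypted TACACS+ authentication START body per RFC 8907 section 5.1 and flags a PAP password containing control bytes, the pattern seen in the failing capture. The sample bodies are constructed from the field values shown on this page; the 12-byte packet header and the pad obfuscation are assumed to be handled elsewhere.

```python
# Added example (not Cisco's code): parse a decrypted TACACS+ authentication START
# body as the page's captures show it, and flag a PAP password carrying control bytes.
from dataclasses import dataclass

# Field codes from RFC 8907, section 5.1 (authentication START body).
ACTION_LOGIN = 1
AUTHEN_TYPE_PAP = 2
SERVICE_LOGIN = 1

@dataclass
class AuthenStart:
    action: int
    priv_lvl: int
    authen_type: int
    service: int
    user: bytes
    port: bytes
    rem_addr: bytes
    data: bytes  # for PAP, the cleartext password

def build_authen_start(user: bytes, rem_addr: bytes, password: bytes,
                       port: bytes = b"0", priv_lvl: int = 1) -> bytes:
    """Serialise a START body (12-byte TACACS+ header and pad obfuscation omitted)."""
    for f in (user, port, rem_addr, password):
        if len(f) > 255:
            raise ValueError("field longer than a one-byte length allows")
    fixed = bytes([ACTION_LOGIN, priv_lvl, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                   len(user), len(port), len(rem_addr), len(password)])
    return fixed + user + port + rem_addr + password

def parse_authen_start(body: bytes) -> AuthenStart:
    """Parse a START body, checking that the declared lengths cover it exactly."""
    if len(body) < 8:
        raise ValueError("START body shorter than its 8-byte fixed part")
    action, priv, atype, svc, ulen, plen, rlen, dlen = body[:8]
    if len(body) != 8 + ulen + plen + rlen + dlen:
        raise ValueError("body length does not match declared field lengths")
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    return AuthenStart(action, priv, atype, svc, *fields)

def password_looks_corrupted(pw: bytes) -> bool:
    """True if the PAP password holds ASCII control bytes (0x00-0x1f or 0x7f)."""
    return any(b < 0x20 or b == 0x7F for b in pw)

# Constructed sample bodies mirroring the failing and the working capture above.
CORRUPTED = build_authen_start(b"ciscotac", b"192.0.2.100", b"\b\n\r\x7fINCOR")
GOOD = build_authen_start(b"ciscotac", b"192.0.2.100", b"Cisco!123")
```

Both passwords are 9 bytes long, which is why the "Password Length: 9" field alone does not distinguish the failing capture from the working one; the byte values do.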