topic Re: ISE 2.2 FMC user radius authentication in Network Access Control

ISE 2.2 FMC user radius authentication

Erik Svendsen — Fri, 21 Feb 2020 18:58:44 GMT

Hello everyone,

I'm working to have the user FMC user authentication through cisco ISE (with AD), but I cannot find a proper documentation, just some old stuff like https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html .

Does anyone has a proper example about how this must be done?

ISE is on version 2.2 (already integrated with AD0, FMC on 6.2.3.1.

Thank you!

Best regards.

Re: ISE 2.2 FMC user radius authentication

Marvin Rhoads — Mon, 18 Jun 2018 15:27:23 GMT

Even though it's several years old the basics of using ISE (or any other external RADIUS server) for FMC use authentication haven't changed.

I use the method described in the article you mentioned with my installation (ISE 2.4 and FMC 6.2.3.2) just fine.

Re: ISE 2.2 FMC user radius authentication

stomoroga — Tue, 19 Jun 2018 08:44:19 GMT

Hello Marvin,

Thanks for the reply.

The problem I have is the authorization through AD.

check_auth_radius: szUser: XXX
RADIUS config file: /var/tmp/fF3Rri8AVH/radiusclient_0.conf
radiusauth - response: |User-Name=xxx|
radiusauth - response: |State=ReauthSession:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ|
radiusauth - response: |Class=[x.x.x/S-1-5-32-545, S-1-5-21-588942262-2422670607-1746572812-94476]|
radiusauth - response: |Class=CACS:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ:DKIX09INF-ISE-1/313846743/128638|
"xxx" RADIUS Authentication OK
No Access

The authentication is working, though, I'm not able to authorized myself.

Not sure how the Class and Groups needs to be setup in the FMC or what attribute the ASA VPN should have in ISE.

Still working on this.

Best regards.

Re: ISE 2.2 FMC user radius authentication

Matteo Comisso — Tue, 05 Mar 2019 08:54:07 GMT

I've just configured this on FMC version 6.2.3.8 following this guide: https://goo.gl/pm1e4G

Just a note: under the RADIUS-Specific Parameters section, instead of "Class=User Identity Groups:Sourcefire Administrator" I've set it to "Class=Administrator".

Best regards,

Matteo

Re: ISE 2.2 FMC user radius authentication

N3t W0rK3r — Fri, 22 Mar 2019 20:28:21 GMT

For what it's worth, I am having the very same problem/frustration.

I'd like to know the exact strings to enter into the FMC's RADIUS-Specific Parameters Administrator field, and exactly what to use for the corresponding av-pair in the ISE authorization profile.

I have tried User-Category=Administrator on the FMC and Access Type = ACCESS_ACCEPT
cisco-av-pair = User-Category=Administrator in ISE, as well as replacing the = with a :.

Also tried Class=Administrator and cisco-av-pair = Class=Administrator (as well as replacing = with 🙂 but those don't work either.

Authentication is successful, but the user role assignment is NOT working. I always end up with the default role of Security Analyst read-only.

Can someone please clear this up once and for all??? So frustrated!

Thanks very much.

Re: ISE 2.2 FMC user radius authentication

N3t W0rK3r — Fri, 22 Mar 2019 21:00:44 GMT

Of course, right after I made my earlier post I figured it out from this document:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html

Pay close attention to the Tip!

Hopefully this helps someone else!

Re: ISE 2.2 FMC user radius authentication

4qbuddy — Fri, 17 May 2019 11:49:08 GMT

I just got this working. Heres how i did it:

In ISE 2.3:

AuthZ profile in Policy results, call your policy "FMC_Admin". When using the ASA VPN checkbox, clicke the dropdown menu and overwrite it with "Administrator", or whatever you want to call it. Lets say "Paladin" to make a point. Just make sure that name is carried over to FMC later.

The bottom of the attritbute details box should now say:

Access Type: ACCESS_ACCEPT

Class = Administrator (or Paladin)

Add this to your Authz policy as usual.

In the authentication conditions on the same policy, select the AD group that your admins will be a member of. This is local only to ISE and AD. FMC has no sight of this.

Now, in the example on the page, for the Administrator role on FMC, that box is filled with "Class = User Identity Groups: Sourcefire Administrator, overwrite this with "Class=Administrator (or Paladin)", where this is the name you created in your authz profile. Note this is local only to ISE and FMC

And away you go!

Re: ISE 2.2 FMC user radius authentication

Florin Barhala — Fri, 02 Aug 2019 13:34:56 GMT

Hello,

I have configured today Cisco FMC 6.2.3.10 with Aruba Clear Pass with Radius.

All went good until I had to pick the authentication method. I ended up with PAP. Does anyone know how can I "convince" FMC to agree for MSCHAP at least? How can I edit / choose Radius AUTH methold on Firepower Management Center?

Thanks,

Florin.

Re: ISE 2.2 FMC user radius authentication

chad.drier — Fri, 15 Nov 2019 20:14:04 GMT

Hello, I was just wondering if you ever got your "authentication is successful, but the user role assignment is NOT working" working. I can get full access to work but I am trying to get a read-only one working. Seems like they are all logging in as administrators. Thanks!

Re: ISE 2.2 FMC user radius authentication

4qbuddy — Sun, 17 Nov 2019 17:55:53 GMT

?You have your default role set as Admin. Did you create access profiles in ISE to pass role details to FMC?

Re: ISE 2.2 FMC user radius authentication

chad.drier — Mon, 18 Nov 2019 16:50:03 GMT

Yes, you are correct, my default is admin. I have not created access profiles in ISE. I will try that. Thanks for the reply and help.

Re: ISE 2.2 FMC user radius authentication

chad.drier — Mon, 18 Nov 2019 17:07:23 GMT

So I have this as my authorization result and still not working. Is there something else I need to do? Thanks again for the help!

Re: ISE 2.2 FMC user radius authentication

4qbuddy — Tue, 19 Nov 2019 12:36:59 GMT

Good good. Now go to FMC and map that authz profile text to a role in FMC

Re: ISE 2.2 FMC user radius authentication

chad.drier — Thu, 21 Nov 2019 20:08:27 GMT

Thanks for the follow-up and help. I am getting closer but not quite there.

So these are my ISE authorization profiles in ISE.

Created these users on the FMC

Do I set these custom roles as default users or something else? Didn't seem to work as expected but wondering if I can get your help?

Thanks in advance

Re: ISE 2.2 FMC user radius authentication

chad.drier — Mon, 02 Dec 2019 21:22:47 GMT

@4qbuddy Wondering if you can help me with this last step so I can cross this off my to-do list? Thanks in advance.

Re: ISE 2.2 FMC user radius authentication

4qbuddy — Tue, 03 Dec 2019 12:35:08 GMT

I see what you have done. You have created custom user roles on FMC. This is like creating another user on ISE for logging in to the GUI – its only controlled by ISE and not by an external authority like AD, if that makes sense?

Rather than create usernames for the ISE roles being passed, tick the checkboxes for “Administrator” and “Security Analyst (Read Only)” that are on your bottom picture. Its different layout than mine but I would imagine that a box appears where you can add “Class = Cisco_FMC_Admin” and “Class = Cisco_FMC_ReadOnly”.

Try it out, let me know

Re: ISE 2.2 FMC user radius authentication

chad.drier — Tue, 03 Dec 2019 22:18:51 GMT

I got this working today and want to put an update on here to maybe help others.

Create your authorization profile in ISE

Then on FMC side, go to users, external authentication, and add the following.

Now any user part of that AD group will have Admin access. At the bottom, I changed my default user role to read-only. You could create more ISE authorization profiles as needed if you have more roles. Hope this helps!

Thanks for your help also @4qbuddy

Re: ISE 2.2 FMC user radius authentication

Nayan.Patel85 — Thu, 09 Apr 2020 16:36:01 GMT

Thanks your reply was helpful.

I have a question, does setting in RADIUS-Specific Parameter overrides the permissions we have set for users on the FMC itself under System>Users>Users?

I had mixed results

on FMC "USER1" was given role of Intrusion Admin

Through ISE USER1 was set to get the Administrator role.

This worked, when USER1 logged on to FMC it got the full access at the same time Role on FMC got updated to Administrator Automatically

On second test

On FMC USER1 was given rule of Administrator

Through ISE USER1 was set to get the Intrusion Admin role.

But it will still get the Administrator role.

Have you run into similar situation before?

Also is it MUST to configure user as external user on FMC for Radius External Authentication to work?

Also How can I give multiple permission to a single user through Radius

Re: ISE 2.2 FMC user radius authentication

4qbuddy — Mon, 13 Apr 2020 16:15:18 GMT

I would check what the default role is set as on FMC external authentication. It sounds like you have set it to administrator

Re: ISE 2.2 FMC user radius authentication

Nayan.Patel85 — Thu, 21 May 2020 20:46:13 GMT

I have it working except, how can I assign multiple roles to same user. for example I want to assign Security Analyst and Intrusion Admin role to same user, how can I configure the Class attribute, I tried to use comma (did not work) I created separate Authz profiles one for Security Analyst and second for Intrusion Admin, and then assigned both on Authz Rule, but it takes only one.