topic Re: Firepower 1010 FDM and Windows RADIUS in Network Security

Firepower 1010 FDM and Windows RADIUS

RANT — Thu, 02 Jun 2022 21:50:21 GMT

Been working on ASA for a long time, and I have my first firepower 1010 appliance that I'm running the Firepower image on. Can't seem to get the RADIUS authentication for logging into web GUI working.

I've configured the RADIUS server group and RADIUS server. Tested access to the server OK. However, when I try to utilize my AD credentials, it keeps failing with "unable to authorize access". The windows NPS logs appears to show a successful authentication:

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
Security ID: ADMINS\jdoe
Account Name: jdoe
Account Domain: ADMINS
Fully Qualified Account Name: xxxx.com/Users/John Doe

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: 192.168.2.18
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: RT-OFFICE-FW01
Client IP Address: 192.168.2.18

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco admin auth network policy
Authentication Provider: Windows
Authentication Server: RADIUS-SERV.xxxx.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -

Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

Re: Firepower 1010 FDM and Windows RADIUS

Marvin Rhoads — Sat, 04 Jun 2022 11:33:53 GMT

You need to grant a specific role to the user when they are authenticated via a RADIUS server. For admin access, it's the cisco-av-pair (attribute-value) fdm.userrole.authority.admin.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-mgmt.html#id_73793

Re: Firepower 1010 FDM and Windows RADIUS

Jitendra Kumar — Mon, 06 Jun 2022 06:18:13 GMT

Its seems due to the administrator role disabled

Please follow the below document if its help you..

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html

Thanks,

Jitendra

Re: Firepower 1010 FDM and Windows RADIUS

jrharmdx — Fri, 18 Apr 2025 21:26:44 GMT

Hello Marvin, Thanks for your contributions. It has been several years since the original posting but here is where I am at:

Powershell SSH
When I use powershell to log into the FPR running FDM, I use RADIUS credentials that work. The error I get is:

"Successful login attempts for user 'Username-1' : 10
! ! ! Your username is not defined with a service type that is valid for this system. You are not authorized to access the system. ! ! !"
FDM WEB GUI
When checking my objects for Authentication, I run a RADIUS test and it returns SUCCESS.

In the NPS Server:
NPS Policy is configured with Service-Type: Administrator and the Cisco-AV-Pair configured with "fdm.userrole.authority.admin".
The Event logs for the NPS and have a similar message as RANT's post above.

This issue has been observed on multiple FDM versions. We have verified RADIUS secret keys, multiple known working usernames, and reviewed Event logs for confirmation.