topic Re: FTD External Authentication in Network Security

FTD External Authentication

Isaiah — Tue, 12 Mar 2019 09:09:05 GMT

I cannot find a way to get external authentication methods to work for the management interface of a Firepower Threat Defense system. In an FMC Platform Settings policy for device type "Firepower" there is an option to enable external authentication generally and for the shell specifically. However, there is no corresponding option in the policy settings for a device type "Threat Defense". In the manual (Firepower Management Center Configuration Guide, Version 6.2), I found this stated:

• SSH local users can only be configured at the CLI using the configure user add command. By default,
there is an admin user for which you configured the password during initial setup.

Does this mean that externally authenticated users cannot use an FTD CLI, or am I missing something?

As far as I know, that

Marvin Rhoads — Thu, 30 Mar 2017 07:47:58 GMT

As far as I know, that feature is not currently available on the FTD devices.

I've heard talk of adding it but no committed time frame or release at this point.

Re: FTD External Authentication

toddlammle — Thu, 21 Jun 2018 19:14:28 GMT

supposedly 6.2.3 code fixed this and it even says "only available for 6.2.3 devices" in the platform external configuration tab

Re: FTD External Authentication

tmoore — Wed, 08 Aug 2018 11:08:40 GMT

Is this now available? I'm running 6.2.3.3 on a 2110 and trying to get external (ldap) authentication work for cli access to the ftd which is managed via fmc.

Re: FTD External Authentication

Rob Ingram — Wed, 08 Aug 2018 11:11:43 GMT

Hi, Yes, you can use LDAP(s) authentication on the CLI of FTD 6.2.3.3
HTH

Re: FTD External Authentication

tmoore — Wed, 08 Aug 2018 12:07:10 GMT

I can't seem to get this working. I setup and tested the External Auth Server under Platform Settings > Platform Policy > External Authentication > Manage External Authentication Server, which is using LDAP as Auth Method and Encryption is SSL set under Advanced Options. Testing with my account is successful.

After the external auth server is setup, back under Platform Settings > Platform Policy > External Authentication > you are suppose to hit refesh button and I guess you are suppose to see the external auth server object you just created listed but I don't, still show not records to display.

The document states "For LDAP when you specify SSL or TLS encryption, you must upload a certificate for the connection; otherwise, the server will not be listed on this tab."

The document states

"For LDAP when you specify SSL or TLS encryption, you must upload a certificate for the connection; otherwise, the server will not be listed on this tab."

Not sure where this certificate needs to uploaded for the FTD device. I have a cert uploaded for the FMC for HTTPS access.

What do I need to do to get this working?

Thanks!

Re: FTD External Authentication

Aref Alsouqi — Thu, 08 Nov 2018 23:34:24 GMT

On the External Authentication Object page, go to Show Advanced Options and you will find the above button to upload the LDAPS CA certificate.

Re: FTD External Authentication

WillDudeGuy — Tue, 20 Jun 2023 04:21:01 GMT

I actually dont think i've ever got it to work in multiple deployments, ive set it up exactly as you have above, i however get the server listed, its enabled but when i try SSH into the device i get "permission denied".

FTD logs:

2023-06-20T03:45:59.154931+00:00 <hostname>.dcp.local : Jun 20 03:45:59 UTC: %FTD-sys-5-199017: sshd[38665]: Invalid user <user-name> from <mgmt_host_ip> port 37758#012
2023-06-20T03:46:02.835086+00:00 <hostname>.dcp.local : Jun 20 03:46:02 UTC: %FTD-sys-5-199017: sshd[38665]: pam_tally(sshd:auth): pam_get_uid; no such user#012
2023-06-20T03:46:02.835367+00:00 <hostname>.dcp.local : Jun 20 03:46:02 UTC: %FTD-sys-5-199017: sshd[38665]: pam_unix(sshd:auth): check pass; user unknown#012
2023-06-20T03:46:02.835470+00:00 <hostname>.dcp.local : Jun 20 03:46:02 UTC: %FTD-sys-5-199017: sshd[38665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=<mgmt_host_ip> #012
2023-06-20T03:46:02.843674+00:00 <hostname>.dcp.local : Jun 20 03:46:02 UTC: %FTD-sys-5-199017: sshd[38665]: pam_ldap: error trying to bind as user "uid=<user-name>,cn=users,cn=accounts,dc=dcp,dc=local" (Invalid credentials)#012
2023-06-20T03:46:05.089077+00:00 <hostname>.dcp.local : Jun 20 03:46:05 UTC: %FTD-sys-5-199017: sshd[38665]: Failed password for invalid user <user-name> from <mgmt_host_ip> port 37758 ssh2#012

i can log in to the FMC, membership group is the same for FTD and FMC. not sure what im missing here.

Re: FTD External Authentication

Aref Alsouqi — Tue, 20 Jun 2023 14:00:50 GMT

Please use this post of mine as a reference guide and see if it helps:

https://bluenetsec.com/fmc-external-authentication-with-radius/

Re: FTD External Authentication

WillDudeGuy — Wed, 21 Jun 2023 06:10:12 GMT

Hi Aref,

Whilst I appreciate you trying to assist me, the reference guide you've linked doesn't in any way replicate the environment we have and also doesn't touch on the main issue of not being able to authenticate to the FTDs

Will

Re: FTD External Authentication

Aref Alsouqi — Wed, 21 Jun 2023 09:53:28 GMT

Hi Will, apologies if I am missing anything. If you are getting the permission denies when you are trying to SSH into the FTDs, then that potentially would be due to incorrect settings in the external authentication object. In the link I shared it is showing how the FTD CLI would need to be configured to allow some of the admins to log into the FTDs CLI. Could you please share the configs you applied and elaborate a little bit more about the issues you are experiencing with these accesses?