topic Re: ISE RADIUS ssh access to both FMC and FTD using groups in Network Security

ISE RADIUS ssh access to both FMC and FTD using groups

Andrew White — Wed, 22 Sep 2021 14:20:54 GMT

I've integrated RADIUS authentication with my FMC deployment. I managed to get the FTD ssh console access to work read-write with administrators and read-only for the lower privilege reporting group by passing "Service-Type = 6" for admins and "Service-Type = 7" for read-only. However I do not have ssh access to the FMC with this system. There is a place to manually enter usernames for ssh access in the External Authentication source on the FMC but doing this breaks the dynamic group membership such that all users now have to be individually managed in the FMC authentication source configuration and there is no Read-only option.

Is there another RADIUS attribute or attributes that the FMC would be looking for to grant ssh access?

Re: ISE RADIUS ssh access to both FMC and FTD using groups

Rob Ingram — Wed, 22 Sep 2021 17:04:45 GMT

@Andrew White

You define an ISE Authorisation Profile(s) using "RADIUS Class = <define a value>", such as "FMCAdmin" or "FMCRead"

On the FMC, under External Authentication Objects for each RADIUS Specific Parameter role you specify the value sent by RADIUS - "Class=FMCAdmin" under "Administrator" role and "Class=FMCRead" under the "Security Analyst (Read Only)" role.

Re: ISE RADIUS ssh access to both FMC and FTD using groups

Andrew White — Fri, 24 Sep 2021 21:08:28 GMT

Right, that works just fine for GUI access but it is not working for Console/SSH access to the FMC. It is working just fine for ssh access to the FTD. This leads me to believe that the issue is something specific to the FMC.

Re: ISE RADIUS ssh access to both FMC and FTD using groups

M.Aslam Usmani — Tue, 04 Jan 2022 11:19:51 GMT

try this : translate the page is required.

https://community.cisco.com/t5/%E3%82%BB%E3%82%AD%E3%83%A5%E3%83%AA%E3%83%86%E3%82%A3-%E3%83%89%E3%82%AD%E3%83%A5%E3%83%A1%E3%83%B3%E3%83%88/fmc-radius%E8%AA%8D%E8%A8%BC%E3%81%AB%E3%82%88%E3%82%8B%E7%AE%A1%E7%90%86%E3%83%A6%E3%83%BC%E3%82%B6%E3%81%AE%E8%BF%BD%E5%8A%A0/ta-p/3956036

Re: ISE RADIUS ssh access to both FMC and FTD using groups

marcbinns1987 — Wed, 29 May 2024 17:00:57 GMT

Hi Andrew,

Bit late to the party with this but the read only FTD access specifically... Did you define radius service-type=7 on ISE and then define an external authentication object within FMC under the security analysts(read-only) section? I am looking at creating ftd read/write and read only access. I guess I need to implement service type 6 for administrators section on FMC and type 7 in the sec analyst part?

Not seeing much info on this other than the official Cisco documentation which defines class type and one external authentication object for FMC and ftd.

Kind Regards

Marc