topic Re: FTD Shell Restrictions with RADIUS in Network Security

FTD Shell Restrictions with RADIUS

stephan.l.martin1 — Mon, 25 Nov 2024 22:32:03 GMT

Model: FPR1120
Version: 7.4.2

I am in the process of attempting to lock down shell access to basic so that our ACAS system can safely access the FTD per our scan policy.

We have configured RADIUS to work with both the FMC and FTD and can successfully login. When accessing the FTD shell my account is returning config level permissions.

RADIUS Attributes configured on ISE:

Access Type = ACCESS_ACCEPT

Class = ReadUser (This is for FMC access specifically)

cisco-av-pair = shell:level=0

I suspect that my AV pair is wrong but the documentation seems to be elusive. I cannot configure the account type manually via the local admin or my standard (admin) RADIUS account.

Any and all assistance is greatly appreciated.

Re: FTD Shell Restrictions with RADIUS

balaji.bandi — Tue, 26 Nov 2024 08:10:03 GMT

is this radius server ISE or any other vendor

you can create a different profile and use it as admin or read-only check this guide :

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/221009-configure-fmc-and-ftd-external-authentic.html

Re: FTD Shell Restrictions with RADIUS

stephan.l.martin1 — Tue, 26 Nov 2024 14:59:46 GMT

Greetings!

We are using ISE as the RADIUS server and have it fully operational/configured for RADIUS authentication with the FMC and FTD. The current issue that I am running into (and will review the document you provided) is that even when forcing the profile to use the ReadOnly authorization profile I still have expert level access which I am looking to lock down. The RADIUS attributes above are configured on the ReadOnly profile.

I will review the document and come back with any results.

Re: FTD Shell Restrictions with RADIUS

MHM Cisco World — Tue, 26 Nov 2024 15:02:49 GMT

friend FMC dont use privilege level it use role

MHM

Re: FTD Shell Restrictions with RADIUS

stephan.l.martin1 — Tue, 26 Nov 2024 15:21:08 GMT

Unfortunately the document provided is almost explicitly for GUI access. I followed this guide to configure RADIUS authentication initially.

This guide:https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-mgmt.html does reference a separate AV-Pair (service-type:NAS Prompt) which I am digging into.

Re: FTD Shell Restrictions with RADIUS

MHM Cisco World — Tue, 26 Nov 2024 15:28:07 GMT

above was for FMC GUI

for FTD Yes you need NAS prompt

MHM

Re: FTD Shell Restrictions with RADIUS

stephan.l.martin1 — Tue, 26 Nov 2024 15:50:05 GMT

Solution:

Configuring administrative CLI user access list under external authorization servers overrides RADIUS attributes that are sent. I removed all users from the list and configured Service-Type:Administrative for my RW group and NAS Prompt for the RO group. I will work with Cisco to update the documentation so that this behavior is identified/documented.