FMC login authentication method

yesortregaed — Sun, 08 Dec 2024 15:42:25 GMT

Hi all,

We have LDAP and Radius as external authentication methods setup for user login in FMC as one of admin. We see user shows as just external in system > user list. No details on what auth method used.

My question is how to determine in FMC if that admin user is got authenticated throught LDAP or Radius.

Re: FMC login authentication method

vishalbhandari — Sun, 08 Dec 2024 16:27:44 GMT

To determine whether a user authenticated via LDAP or RADIUS in Cisco Firepower Management Center (FMC), follow these steps:

1. Check the User Activity Logs

Cisco FMC logs authentication events, which include details about the authentication method. Here's how you can view these logs:

Navigate to Audit Logs:
- Go to System > Audit > Audit Logs in the FMC GUI.
Filter for Authentication Events:
- Use the search bar or filter options to find logs related to user logins.
- Look for events mentioning "Authentication succeeded" or similar.
Inspect the Details:
- Click on the specific log entry to view details. It should indicate whether the authentication was via LDAP, RADIUS, or another method.

2. Enable Debugging for Authentication

If the logs do not provide sufficient detail, you can enable debugging on the FMC for authentication events:

Access CLI of the FMC:
- Log in to the FMC CLI via SSH.
Enable Debugging for Authentication:

sudo su pmtool disablebyid webui pmtool enablebyid webui --debug tail -f /var/log/messages | grep "auth"
Attempt Login as the User:
- Have the user log in, and monitor the logs to see which authentication server (LDAP or RADIUS) is used.
Disable Debugging:
- Once testing is complete, disable debugging to conserve system resources:
  
  pmtool disablebyid webui --debug pmtool enablebyid webui

3. Use a Packet Capture

If detailed logs are unavailable, you can capture traffic between the FMC and the authentication servers:

Enable Packet Capture on FMC:
- From the CLI, use the following command to capture packets:
  sudo tcpdump -i ethX port 389 or port 1812
- Replace ethX with the appropriate FMC network interface.
Analyze the Capture:
- Look for traffic to the LDAP server (default port 389 or 636 for secure LDAP) or RADIUS server (default port 1812).
Interpret Results:
- The server responding to the authentication request will reveal the method used.

4. Correlate with External Server Logs

Lastly, check the logs on your LDAP and RADIUS servers. Both servers typically log authentication attempts and can confirm whether the user was authenticated through them.

Recommendation

Enable detailed logging or audit settings on FMC for easier monitoring in the future. Let me know if you need specific help with CLI commands or configurations!