topic I may have been mistaken in Network Security

Tacacs / FirePOWER module

GRANT3779 — Sun, 10 Mar 2019 13:46:43 GMT

Is it possible to configure the actual FirePOWER software on an SSD for TACACs AAA or can local credentials only be configured / used for access?

The FirePOWER Services module

Marvin Rhoads — Wed, 22 Feb 2017 11:12:25 GMT

The FirePOWER Services module on an ASA can only use local authentication.

FirePOWER Management Center can use external authentication from either an LDAP or RADIUS server.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_system_user_management.html?bookSearch=true#ID-2263-00000006

Hi Marvin,

GRANT3779 — Wed, 22 Feb 2017 11:15:38 GMT

Hi Marvin,

Noted, thanks. Confirms what I suspected so good to know for sure.

Hi Marvin

dam0c0nr0y — Wed, 19 Jul 2017 16:14:11 GMT

Hi Marvin

I have been researching the subject of getting external authentication working with FirePOWER Services (SFR) modules in an ASA 5500-X and see reference here to it working:

https://supportforums.cisco.com/discussion/13118331/firepower-shell-authentication-radius

In your post above you have provided a link to documentation but I cannot find where it specifically states that "The FirePOWER Services module on an ASA can only use local authentication".

Can you please confirm where it is documented that local authentication only works with FirePOWER Services modules?

Thanks

Damian

I may have been mistaken

Marvin Rhoads — Thu, 20 Jul 2017 01:01:44 GMT

I may have been mistaken earlier or remembering earlier versions. The documentaiton does seem to indicate external authentication can be used even for the sfr modules. I have not tried it myself as of yet.

Do note that there is a bug (as of 6.2.0.2) with the RADIUS implementation.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve60272/?referring_site=bugquickviewredir

From the bug notes it appears that only applies to 6.2.

Thanks Marvin - much

dam0c0nr0y — Thu, 20 Jul 2017 11:43:34 GMT

Thanks Marvin - much appreciate the additional info.

Having read the details of that bug CSCve60272 the symptoms we are experiencing with Firepower SFR software modules running 6.1.0.3 (which are managed by Firepower Management Centre 2000 appliances also running 6.1.0.3) look the same.

I have raised a case with Cisco TAC asking them to check and confirm if bug CSCve60272 also affects 6.1.0.3 and if is to get 6.1.0.3 added to the list of "Known Affected Releases" for bug CSCve60272 which currently only has releases 6.2.0 and 6.2.1 listed.

Interestingly, we have RADIUS authentication to the Firepower Management Centre 2000 appliances working fine with Cisco ACS.

Is it RADIUS authentication to the Firepower SFR software modules which is not working with Cisco ACS.

Cheers

Damian

Thanks for the update. Please

Marvin Rhoads — Thu, 20 Jul 2017 13:56:57 GMT

Thanks for the update. Please let us know what the TAC finds out.

If you want to do some testing yourself you should be able to do a packet capture of the RADIUS authenticaiton attempts and see what is happening at the protocol level.

Re: I may have been mistaken

Charisdian Salim — Thu, 01 Nov 2018 02:53:43 GMT

Hi Marvin,

Is FMC support TACACS+ for AAA Authentication ? And Is it Radius support for AAA Authentication to make sure Because in this Article i this support for the Radius.

thanks,
Charis