
Cisco FMC integration with ISE as a Radius Server

mumbles202
Level 5

Working on an FMC running 6.6.4 w/ ISE running 2.4. I have ISE configured as a RADIUS server on the FMC and am currently using DUO for MFA. This works without any issues for GUI access to the FMC, but I'm not able to get shell access. Under External Authentication I have it pointed to the same RADIUS server. In the RADIUS server configuration on the FMC I haven't selected a role but have RADIUS-Specific attributes set to "Class=Administrator". In ISE I have this for my Authorization Profile:


Access Type = ACCESS_ACCEPT
Class = Administrator


When I try to SSH to the FMC and enter my credentials I see the failed login in the ISE logs, so it's sending the request, but I'm not sure what I'm missing as to why CLI access fails. I can post a snippet of the logs from either the FMC or ISE if it would be helpful.


6 Replies

Arne Bier
VIP

Hi @mumbles202 


Please post the failure reason that is shown in the ISE Details pane. That might give rise to further questions. But good to know that the SSH triggers a call to ISE.

Here are the details of the event in ISE:


Steps

11001	Received RADIUS Access-Request
11017	RADIUS created a new session
11117	Generated a new session ID
15049	Evaluating Policy Group
15008	Evaluating Service Selection Policy
15048	Queried PIP - DEVICE.Device Type
15041	Evaluating Identity Policy
15013	Selected Identity Source - Duo_Radius
24638	Passcode cache is not enabled in the RADIUS token identity store configuration - Duo_Radius
24609	RADIUS token identity store is authenticating against the primary server - Duo_Radius
11100	RADIUS-Client about to send request - ( port = 1812 )
11101	RADIUS-Client received response
24613	Authentication against the RADIUS token server failed
22057	The advanced option that is configured for a failed authentication request is used
22061	The 'Reject' advanced option is configured in case of a failed authentication request
11003	Returned RADIUS Access-Reject

Authentication Details
Source Timestamp	2022-01-31 13:34:19.073
Received Timestamp	2022-01-31 13:34:19.074
Policy Server	domain-dc1-ise02
Event	5400 Authentication failed
Failure Reason	24613 Authentication against the RADIUS token server failed
Resolution	Check that the authenticated user is present on the RADIUS token server. Verify that the authenticated user is not disabled or locked. Check the user credentials are correct. If using an identity store sequence, check that rejects are treated as expected under Administration > Identity Management > External Identity Sources > RADIUS Token > Authentication.
Root cause	Authentication against the RADIUS token server failed.
Username	domainadmin
Endpoint Id	10.200.1.91
Calling Station Id	10.200.1.91
Authentication Identity Store	Duo_Radius
Authentication Method	PAP_ASCII
Authentication Protocol	PAP_ASCII
Service Type	Authenticate Only
Network Device	dc1brook_FMC
Device Type	All Device Types#Security Devices#Firepower Management Center
Location	All Locations
NAS IPv4 Address	172.27.100.120
NAS Port Type	Virtual
Response Time	40 milliseconds

Other Attributes
ConfigVersionId	125
Device Port	15440
DestinationPort	1812
RadiusPacketType	AccessRequest
Protocol	Radius
NAS-Port	14415
OriginalUserName	domainadmin
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	domain-dc1-ise02/414025076/100256
SelectedAuthenticationIdentityStores	Duo_Radius
IdentityPolicyMatchedRule	Default
CPMSessionID	c0a820a04Fz7yDWCvX5hE3s13B1N_98FRXPsEfBvH_Hc3jldrwI
ISEPolicySetName	FMC Access
IdentitySelectionMatchedRule	Default
DTLSSupport	Unknown
Model Name	Unknown
Software Version	Unknown
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types#Security Devices#Firepower Management Center
IPSEC	IPSEC#Is IPSEC Device#No
RADIUS Username	domainadmin
NAS-Identifier	sshd
Device IP Address	172.27.100.120

Result
RadiusPacketType	AccessReject
AuthenticationResult	Failed
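As an added example (not code from the thread, Cisco, or ISE), a small Python triage helper that parses an ISE authentication detail record in the tab-separated layout shown above, tells the SSH path apart by the NAS-Identifier value sshd, and names the step that produced the failure. The sample record is constructed from the values above and trimmed; treating any other NAS-Identifier as the GUI path is an assumption.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample (not the page's full record): a trimmed ISE event in the
# same tab-separated layout as the one posted above.
SAMPLE_ISE_EVENT = (
    "Steps\n"
    "\t11001\tReceived RADIUS Access-Request\n"
    "\t15013\tSelected Identity Source - Duo_Radius\n"
    "\t24613\tAuthentication against the RADIUS token server failed\n"
    "\t11003\tReturned RADIUS Access-Reject\n"
    "Authentication Details\n"
    "Event\t5400 Authentication failed\n"
    "Failure Reason\t24613 Authentication against the RADIUS token server failed\n"
    "Username\tdomainadmin\n"
    "Network Device\tdc1brook_FMC\n"
    "NAS-Identifier\tsshd\n"
)
STEP_RE = re.compile(r"^\s*(\d{5})\t(.+?)\s*$")  # "<tab>11001<tab>message"

def parse_ise_event(text: str) -> Tuple[List[Tuple[str, str]], Dict[str, str]]:
    """Split an ISE detail record into (step list, attribute map)."""
    steps: List[Tuple[str, str]] = []
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), m.group(2)))
        elif "\t" in line:  # "Key<tab>Value" attribute line
            key, value = line.split("\t", 1)
            attrs[key.strip()] = value.strip()
    return steps, attrs

def triage_fmc_login(text: str) -> Dict[str, str]:
    """Tell an SSH (CLI) attempt from a GUI one and name the step that failed."""
    steps, attrs = parse_ise_event(text)
    # The record above carries NAS-Identifier "sshd" for the SSH attempt;
    # assumption: GUI logins from the FMC arrive with a different identifier.
    path = "cli" if attrs.get("NAS-Identifier") == "sshd" else "gui"
    # "Failure Reason" leads with the code of the step that produced the verdict.
    code = attrs.get("Failure Reason", "").split(" ", 1)[0]
    step_text = next((msg for c, msg in steps if c == code), "")
    rejected = any(c == "11003" for c, _ in steps)  # Returned RADIUS Access-Reject
    if rejected and path == "cli":
        # Thread's lesson: a CLI user missing from the FMC CLI Access Filter shows on ISE as a credential failure.
        hint = "verify the user is in the FMC CLI Access Filter before resetting credentials"
    else:
        hint = "identity-store result decides; no FMC CLI filter involved" if rejected else "accepted"
    return {"user": attrs.get("Username", ""), "device": attrs.get("Network Device", ""),
            "path": path, "failure_code": code, "failure_step": step_text, "hint": hint}
```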

balaji.bandi
Hall of Fame

How about trying:


Access Type = ACCESS_ACCEPT
Class = Netadmins

BB


Greg Gibbs
Cisco Employee (Accepted Solution)

Have you configured the usernames in the CLI Access Filter section (step 12) as per the FMC Configuration Guide?

As per the guide, "To prevent RADIUS authentication of CLI access, leave the field blank," so this is required for CLI shell auth.

If I try the same with an AD user that is not configured in this filter, I get a misleading Authentication Failed log on ISE stating that "User authentication against Active Directory failed since user has entered the wrong password". I tested the same username/password in the ISE AD Test User tool, and the authC is SUCCESS, so this is definitely something the FMC is causing.

Thanks for this.  That was it.  I read the "Required for Threat Defense 6.3 or earlier versions" and thought I was able to skip that.

It seems that you didn't define any user(s) in the "Administrator Shell Access User List" under External Authentication on the FMC. Please take a look at this post of mine on my blog; hope it will help:

FMC External Authentication with RADIUS (bluenetsec.com)