Does FMC/FTD support ISE Tacacs+ device administration

laurathaqi
Participant

Hi all,

Do you know if FMC and FTD support ISE TACACS+ device administration integration? So far, I did the router/switch and ASA integrations, but I am not able to find resources for the noted FTD and FMC ones!

Looking forward to hearing any thoughts or suggestions.

Thank you,

Laura

11 Replies

balaji.bandi
VIP Guru

How about using RADIUS? I have tested it as of 6.2.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200204-Integration-of-FireSIGHT-System-with-ACS.html

Maybe you need to read what 6.7 says (any update on that).

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram
VIP Expert

@laurathaqi

No, TACACS+ is still not supported on the FMC; you can use RADIUS.

Use the "class" RADIUS attributes in AuthZ profiles.

Class=Administrator

or

Class=SecAnalyst

And map these to roles in the FMC (System > Users > External Authentication).

So, for example, on the FMC, if you want to configure the Security Analyst role, then define Class=SecAnalyst, or for the administrator role define Class=Administrator.

HTH

laurathaqi
Participant

Hi @Rob Ingram @balaji.bandi

Thank you for your feedback! Highly appreciated. Due to limited testing resources, I need to ask you if this is valid for only FMC or also FTDs?

The solution you described, I found it on portals, as a solution for enabling FMC GUI authentication. My intention is to do that for the CLI access of both the FMC and also two FTDs.

Looking forward to hearing from you.

Thank you,

Laura

It's for both; you can use RADIUS only, with the attributes mentioned. The provided link also has all the information.

If there is any issue, please let us know; happy to assist further.

BB

The RADIUS attribute values previously provided were for FMC. Use the following in the AuthZ profile for FTDs:

"Radius:Service-Type = Administrative (6)" << for Administrator
"Radius:Service-Type = Login (1)" << for non-administrator

Marvin Rhoads
VIP Community Legend

As the others have noted - plus make sure you tick the box to include shell authentication to make the setting apply to the CLI logins on FMC and FTD. That's not selected by default.

laurathaqi
Participant

Dear community,

Thank you very much for the support provided. I have followed your advice, and it resulted in a successful integration.

This community is awesome.

Thank you,

Laura

samarthashetty
Beginner

Hi Experts,

Is this supported in ver 6.7?

-Samarth

No, it's not supported in any version - even in the latest version 7.2.

As per @laurathaqi's input, that works.

BB

@balaji.bandi was that not for RADIUS?

-samarth
