laurathaqi
Beginner

Does FMC/FTD support ISE TACACS+ device administration

Hi all,

Do you know if FMC and FTD support ISE TACACS+ device administration integration? So far, I did the router/switch and ASA integrations, but I am not able to find resources for the noted FTD and FMC ones!

Looking forward to hearing any thoughts or suggestions.

Thank you,

Laura

balaji.bandi
VIP Expert

How about using RADIUS? I have tested it as of 6.2.

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200204-Integration-of-FireSIGHT-System-with-ACS.html

Maybe you need to read about 6.7 (any update on that).

BB

Rob Ingram
VIP Mentor

@laurathaqi

No, TACACS+ is still not supported on the FMC; you can use RADIUS.

Use the "class" RADIUS attributes in AuthZ profiles.

Class=Administrator

or

Class=SecAnalyst

And map these to roles in the FMC (System > Users > External Authentication).

So, for example, on the FMC, if you want to configure the Security Analyst role, then define Class=SecAnalyst, or for the administrator role define Class=Administrator.

HTH

laurathaqi
Beginner

Hi @Rob Ingram @balaji.bandi

Thank you for your feedback! Highly appreciated. Due to limited testing resources, I need to ask you if this is valid for only the FMC or also for FTDs?!

I found the solution you described on portals, as a solution for enabling FMC GUI authentication. My intention is to do that for the CLI access of both the FMC and also two FTDs.

Looking forward to hearing from you.

Thank you,

Laura

It's for both. You can use RADIUS only, with the attributes mentioned; the provided link also has all the information.

Any issues, please let us know; happy to assist further.

BB

The RADIUS attribute values previously provided were for FMC. Use the following in the AuthZ profile for FTDs:

"Radius:Service-Type = Administrative (6)" << for Administrator
"Radius:Service-Type = Login (1)" << for non-administrator

Marvin Rhoads
VIP Community Legend

As the others have noted - plus make sure you tick the box to include shell authentication to make the setting apply to the CLI logins on FMC and FTD. That's not selected by default.

laurathaqi
Beginner

Dear community,

Thank you very much for the support provided. I have followed your advice, which resulted in a successful integration.

This community is awesome.

Thank you,

Laura