cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16222
Views
20
Helpful
23
Replies

ISE 2.2 FMC user radius authentication

Erik Svendsen
Level 1
Level 1

Hello everyone,

 

I'm working to have the user FMC user authentication through cisco ISE (with AD), but I cannot find a proper documentation, just some old stuff like https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html .

 

Does anyone has a proper example about how this must be done?

ISE is on version 2.2 (already integrated with AD0, FMC on 6.2.3.1.

 

Thank you!

Best regards.

 

3 Accepted Solutions

Accepted Solutions

Matteo Comisso
Level 1
Level 1

I've just configured this on FMC version 6.2.3.8 following this guide: https://goo.gl/pm1e4G

 

Just a note: under the RADIUS-Specific Parameters section, instead of "Class=User Identity Groups:Sourcefire Administrator" I've set it to "Class=Administrator".

 

Best regards,

Matteo

 

 

View solution in original post

Of course, right after I made my earlier post I figured it out from this document:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html

Pay close attention to the Tip!

Hopefully this helps someone else!

Capture.PNG

 

View solution in original post

I just got this working. Heres how i did it:

 

In ISE 2.3:

AuthZ profile in Policy results, call your policy "FMC_Admin". When using the ASA VPN checkbox, clicke the dropdown menu and overwrite it with "Administrator", or whatever you want to call it. Lets say "Paladin" to make a point. Just make sure that name is carried over to FMC later.

The bottom of the attritbute details box should now say:

 

Access Type: ACCESS_ACCEPT

Class = Administrator (or Paladin)

 

Add this to your Authz policy as usual.

In the authentication conditions on the same policy, select the AD group that your admins will be a member of. This is local only to ISE and AD. FMC has no sight of this.

 

Now, in the example on the page, for the Administrator role on FMC, that box is filled with "Class = User Identity Groups: Sourcefire Administrator, overwrite this with "Class=Administrator (or Paladin)", where this is the name you created in your authz profile. Note this is local only to ISE and FMC

 

And away you go!

 

View solution in original post

23 Replies 23

Marvin Rhoads
Hall of Fame
Hall of Fame

Even though it's several years old the basics of using ISE (or any other external RADIUS server) for FMC use authentication haven't changed.

 

I use the method described in the article you mentioned with my  installation (ISE 2.4 and FMC 6.2.3.2) just fine.

Hello Marvin,

 

Thanks for the reply.

The problem I have is the authorization through AD.

 

check_auth_radius: szUser: XXX
RADIUS config file: /var/tmp/fF3Rri8AVH/radiusclient_0.conf
radiusauth - response: |User-Name=xxx|
radiusauth - response: |State=ReauthSession:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ|
radiusauth - response: |Class=[x.x.x/S-1-5-32-545, S-1-5-21-588942262-2422670607-1746572812-94476]|
radiusauth - response: |Class=CACS:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ:DKIX09INF-ISE-1/313846743/128638|
"xxx" RADIUS Authentication OK
No Access

 

The authentication is working, though, I'm not able to authorized myself.

 

Not sure how the Class and Groups needs to be setup in the FMC or what attribute the ASA VPN should have in ISE.

 

Still working on this.

 

Best regards.

@stomoroga 

Not sure if you have found the solution or not but this is how I have set it up.

Apart from setting up ASA VPN attribute to desired role on ISE side.

On FMC under System > Users > External Authentication for Radius-Specific Parameters I have entered the Class=Administrator in the box next to Administrator and so forth.

Matteo Comisso
Level 1
Level 1

I've just configured this on FMC version 6.2.3.8 following this guide: https://goo.gl/pm1e4G

 

Just a note: under the RADIUS-Specific Parameters section, instead of "Class=User Identity Groups:Sourcefire Administrator" I've set it to "Class=Administrator".

 

Best regards,

Matteo

 

 

Thanks your reply was helpful.

 

I have a question, does setting in RADIUS-Specific Parameter overrides the permissions we have set for users on the FMC itself under System>Users>Users?

 

I had mixed results

on FMC "USER1" was given role of Intrusion Admin

Through ISE USER1 was set to get the Administrator role.

 

This worked, when USER1 logged on to FMC it got the full access at the same time Role on FMC got updated to Administrator Automatically

 

On second test

On FMC USER1 was given rule of Administrator

Through ISE USER1 was set to get the Intrusion Admin role.

 

But it will still get the Administrator role.

 

Have you run into similar situation before?

 

Also is it MUST to configure user as external user on FMC for Radius External Authentication to work?

 

 

Also How can I give multiple permission to a single user through Radius

 

I would check what the default role is set as on FMC external authentication. It sounds like you have set it to administrator

I have it working except, how can I assign multiple roles to same user. for example I want to assign Security Analyst and Intrusion Admin role to same user, how can I configure the Class attribute, I tried to use comma (did not work) I created separate Authz profiles one for Security Analyst and second for Intrusion Admin, and then assigned both on Authz Rule, but it takes only one.

As far as I know, a given username can only be one role or another. They would have to have unique usernames if you want different roles to be assigned.

@Marvin Rhoads , Thanks for your response.

 

I found the workaround, on the FMC I created the custom role which has permission for both Security Analyst and Intrusion Admin, and used that to assign permission to users via Authz profile Cisco VPN attribute.

Ah - good idea. I answered your question literally and hadn't considered the approach you used.

Thanks for sharing your solution.

N3t W0rK3r
Level 3
Level 3

For what it's worth, I am having the very same problem/frustration.

I'd like to know the exact strings to enter into the FMC's RADIUS-Specific Parameters Administrator field, and exactly what to use for the corresponding av-pair in the ISE authorization profile.

 

I have tried User-Category=Administrator on the FMC and Access Type = ACCESS_ACCEPT
cisco-av-pair = User-Category=Administrator in ISE, as well as replacing the = with a :.

Also tried Class=Administrator and cisco-av-pair = Class=Administrator (as well as replacing = with :) but those don't work either.

Authentication is successful, but the user role assignment is NOT working.  I always end up with the default role of Security Analyst read-only.

 

Can someone please clear this up once and for all??? So frustrated!

 

Thanks very much.

Of course, right after I made my earlier post I figured it out from this document:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html

Pay close attention to the Tip!

Hopefully this helps someone else!

Capture.PNG

 

I just got this working. Heres how i did it:

 

In ISE 2.3:

AuthZ profile in Policy results, call your policy "FMC_Admin". When using the ASA VPN checkbox, clicke the dropdown menu and overwrite it with "Administrator", or whatever you want to call it. Lets say "Paladin" to make a point. Just make sure that name is carried over to FMC later.

The bottom of the attritbute details box should now say:

 

Access Type: ACCESS_ACCEPT

Class = Administrator (or Paladin)

 

Add this to your Authz policy as usual.

In the authentication conditions on the same policy, select the AD group that your admins will be a member of. This is local only to ISE and AD. FMC has no sight of this.

 

Now, in the example on the page, for the Administrator role on FMC, that box is filled with "Class = User Identity Groups: Sourcefire Administrator, overwrite this with "Class=Administrator (or Paladin)", where this is the name you created in your authz profile. Note this is local only to ISE and FMC

 

And away you go!

 

Hello,

I have configured today Cisco FMC 6.2.3.10 with Aruba Clear Pass with Radius.

All went good until I had to pick the authentication method. I ended up with PAP. Does anyone know how can I "convince" FMC to agree for MSCHAP at least? How can I edit / choose Radius AUTH methold on Firepower Management Center?

 

Thanks,

Florin.