
ISE 2.2 FMC user radius authentication

Erik Svendsen
Level 1

Hello everyone,

 

I'm working to have the FMC user authentication go through Cisco ISE (with AD), but I cannot find proper documentation, just some old stuff like https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html.

 

Does anyone have a proper example of how this must be done?

ISE is on version 2.2 (already integrated with AD), FMC on 6.2.3.1.

 

Thank you!

Best regards.

 

23 Replies

Hello,  I was just wondering if you ever got your "authentication is successful, but the user role assignment is NOT working" working.   I can get full access to work but I am trying to get a read-only one working.   Seems like they are all logging in as administrators.  Thanks! 

You have your default role set as Admin. Did you create access profiles in ISE to pass role details to FMC?

Yes, you are correct, my default is admin.  I have not created access profiles in ISE.  I will try that.  Thanks for the reply and help.  

So I have this as my authorization result and still not working.  Is there something else I need to do?  Thanks again for the help!

 

Screen Shot 2019-11-18 at 11.05.16 AM.png

Good good. Now go to FMC and map that authz profile text to a role in FMC

 

Thanks for the follow-up and help.  I am getting closer but not quite there.  

 

So these are my ISE authorization profiles in ISE.

 

Screen Shot 2019-11-21 at 1.59.59 PM.png

Created these users on the FMC

 

Screen Shot 2019-11-21 at 2.04.21 PM.png

Do I set these custom roles as default users or something else?   Didn't seem to work as expected but wondering if I can get your help?

 

Screen Shot 2019-11-21 at 2.07.25 PM.png

Thanks in advance

@4qbuddy   Wondering if you can help me with this last step so I can cross this off my to-do list?  Thanks in advance.  

 

 

I see what you have done. You have created custom user roles on FMC. This is like creating another user on ISE for logging in to the GUI – it's only controlled by ISE and not by an external authority like AD, if that makes sense?

 

Rather than create usernames for the ISE roles being passed, tick the checkboxes for “Administrator” and “Security Analyst (Read Only)” that are on your bottom picture. It's a different layout than mine but I would imagine that a box appears where you can add “Class = Cisco_FMC_Admin” and “Class = Cisco_FMC_ReadOnly”.

 

Try it out, let me know

I got this working today and want to put an update on here to maybe help others.

Create your authorization profile in ISE

Screen Shot 2019-12-03 at 4.10.56 PM.png

 

Then on FMC side, go to users, external authentication, and add the following.

Screen Shot 2019-12-03 at 4.11.24 PM.png

 

Now any user part of that AD group will have Admin access. At the bottom, I changed my default user role to read-only.   You could create more ISE authorization profiles as needed if you have more roles.  Hope this helps!

 

Thanks for your help also @4qbuddy
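
The role resolution this thread converges on, as an added example that is not part of any post and is not FMC or ISE code: a simplified Python model showing why a privileged default role makes every authenticated user an administrator, and how the `Class` mappings plus a read-only default change that. The mapping strings and role names come from the posts; the function names, user names and sample logins are constructed for illustration.

```python
# Simplified model of external-auth role assignment as described in the thread.
# Assumption: a login gets every role whose attribute-value pair appears in the
# RADIUS Access-Accept, and falls back to the default role when nothing matches.

PRIVILEGED_ROLES = {"Administrator"}

# Role mapping entered on the FMC side (strings taken from the thread).
ROLE_MAP = {
    "Administrator": ["Class = Cisco_FMC_Admin"],
    "Security Analyst (Read Only)": ["Class = Cisco_FMC_ReadOnly"],
}

# Constructed sample logins: attributes returned by the authorization profile.
SAMPLE_LOGINS = {
    "alice": [("Class", "Cisco_FMC_Admin")],
    "bob": [("Class", "Cisco_FMC_ReadOnly")],
    "carol": [],  # authenticated, but no authorization profile attribute sent
}

def normalize(pair):
    """'Class = Cisco_FMC_Admin' -> ('class', 'Cisco_FMC_Admin')."""
    name, _, value = pair.partition("=")
    return name.strip().lower(), value.strip()

def resolve_roles(accept_attrs, role_map, default_roles):
    """Return the set of roles one login receives."""
    received = {(n.strip().lower(), v.strip()) for n, v in accept_attrs}
    matched = {role for role, pairs in role_map.items()
               if any(normalize(p) in received for p in pairs)}
    return matched or set(default_roles)

def audit(role_map, default_roles, sample_logins):
    """List logins that become privileged only through the default role."""
    findings = []
    for user, attrs in sample_logins.items():
        explicit = resolve_roles(attrs, role_map, default_roles=())
        effective = resolve_roles(attrs, role_map, default_roles)
        if not explicit and effective & PRIVILEGED_ROLES:
            findings.append(user)
    return sorted(findings)

if __name__ == "__main__":
    # No mappings yet, default Administrator: the "everyone is admin" symptom.
    print(audit({}, ["Administrator"], SAMPLE_LOGINS))
    # Mappings added, default still Administrator: unmatched users are admin.
    print(audit(ROLE_MAP, ["Administrator"], SAMPLE_LOGINS))
    # Mappings added, default read-only: nobody is admin by fallback.
    print(audit(ROLE_MAP, ["Security Analyst (Read Only)"], SAMPLE_LOGINS))
```
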