ISE RADIUS ssh access to both FMC and FTD using groups

Andrew White
Level 1

I've integrated RADIUS authentication with my FMC deployment. I managed to get the FTD SSH console access to work read-write for administrators and read-only for the lower-privilege reporting group by passing "Service-Type = 6" for admins and "Service-Type = 7" for read-only. However, I do not have SSH access to the FMC with this system. There is a place to manually enter usernames for SSH access in the External Authentication source on the FMC, but doing this breaks the dynamic group membership such that all users now have to be individually managed in the FMC authentication source configuration, and there is no read-only option.

 

Is there another RADIUS attribute or attributes that the FMC would be looking for to grant ssh access?

3 Replies

@Andrew White 

You define an ISE Authorisation Profile(s) using "RADIUS Class = <define a value>", such as "FMCAdmin" or "FMCRead"

 

On the FMC, under External Authentication Objects, for each RADIUS-Specific Parameters role you specify the value sent by RADIUS: "Class=FMCAdmin" under the "Administrator" role and "Class=FMCRead" under the "Security Analyst (Read Only)" role.
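The two attribute styles discussed in this thread, Service-Type (RFC 2865 attribute 6, integer values 6 = Administrative-User and 7 = NAS-Prompt-User) and Class (attribute 25, an opaque string the FMC matches against the text configured under each role), are easy to confuse when troubleshooting what the RADIUS server is actually sending. The following is an added example, not code from the thread, from Cisco ISE or from FMC: it encodes and decodes the RADIUS attribute TLVs of an Access-Accept so you can check exactly what an ISE Authorization Profile would put on the wire. The role strings FMCAdmin and FMCRead come from the reply above; the `ftd_ssh_role` and `fmc_gui_role` mapping functions are this example's own assumptions about how each device interprets the attributes, not vendor logic.

```python
"""RADIUS Access-Accept attribute encoder/decoder (RFC 2865 TLV layout).

Added example, not code from the thread or from Cisco. Builds and parses the
attributes discussed above: Service-Type (6) with values 6/7 as used for FTD
SSH, and Class (25) carrying "FMCAdmin" / "FMCRead" as matched by the FMC
External Authentication Object roles.
"""
import struct

SERVICE_TYPE = 6    # RFC 2865 s.5.6, 4-byte integer
CLASS = 25          # RFC 2865 s.5.25, opaque string (1..253 bytes)

# RFC 2865 Service-Type values quoted in the original post.
ADMINISTRATIVE_USER = 6
NAS_PROMPT_USER = 7


def encode_attr(attr_type: int, value) -> bytes:
    """Encode one RADIUS attribute as Type(1) Length(1) Value(Length-2)."""
    if isinstance(value, int):
        payload = struct.pack("!I", value)
    elif isinstance(value, str):
        payload = value.encode("utf-8")
    else:
        payload = bytes(value)
    if not 1 <= len(payload) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return bytes([attr_type, 2 + len(payload)]) + payload


def build_accept_attrs(service_type=None, class_values=()) -> bytes:
    """Concatenate the attributes an Authorization Profile would return."""
    out = b""
    if service_type is not None:
        out += encode_attr(SERVICE_TYPE, service_type)
    for c in class_values:
        out += encode_attr(CLASS, c)
    return out


def decode_attrs(data: bytes) -> list:
    """Walk the TLVs, returning (type, raw_value) pairs.

    Length is validated before slicing so a truncated or hostile packet
    raises instead of silently yielding a short attribute.
    """
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad attribute length {length} at offset {i}")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


# Assumed mapping (illustration only): the FTD CLI privilege the poster
# observed for each Service-Type value; anything else treated as denied.
def ftd_ssh_role(attrs) -> str:
    for t, v in attrs:
        if t == SERVICE_TYPE and len(v) == 4:
            st = struct.unpack("!I", v)[0]
            if st == ADMINISTRATIVE_USER:
                return "read-write"
            if st == NAS_PROMPT_USER:
                return "read-only"
    return "denied"


# Assumed mapping (illustration only): Class string configured under each
# FMC role in the External Authentication Object; first match wins.
FMC_CLASS_ROLES = {
    "FMCAdmin": "Administrator",
    "FMCRead": "Security Analyst (Read Only)",
}


def fmc_gui_role(attrs) -> str:
    for t, v in attrs:
        if t == CLASS:
            role = FMC_CLASS_ROLES.get(v.decode("utf-8", "replace"))
            if role:
                return role
    return "denied"


if __name__ == "__main__":
    # Constructed sample: the admin profile returning both attribute styles.
    accept = build_accept_attrs(service_type=ADMINISTRATIVE_USER,
                                class_values=["FMCAdmin"])
    parsed = decode_attrs(accept)
    print(accept.hex())
    print("FTD SSH:", ftd_ssh_role(parsed), "| FMC GUI:", fmc_gui_role(parsed))
```

Run it against a packet capture of the real Access-Accept (the attribute bytes after the 20-byte RADIUS header) to confirm whether the profile sends only Class, only Service-Type, or both; a profile that returns Class alone yields "denied" from the Service-Type mapping here, which is the kind of gap worth ruling out before looking at device-side configuration.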

Right, that works just fine for GUI access but it is not working for Console/SSH access to the FMC. It is working just fine for ssh access to the FTD. This leads me to believe that the issue is something specific to the FMC.
