Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1858
Views
0
Helpful
2
Replies

Radius Attributes for Cisco FMC and FTD with ACS authentication

Srinivasan Nagarajan
Level 1
Level 1

‎11-23-2020 02:57 AM - edited ‎11-23-2020 03:21 AM

Hi Experts,

 

We've ACS 5.8 and would like to integrate it with the FMC and FTD for Radius based Authentication. Can you please suggest the Radius attributes for Read-Write and Read-Only to be pushed from the ACS?

 

Also, please let me know if the below Radius attributes needs to be configured on ACS and give me a overview of steps which needs to be followed?

 

ips-role=administrator, ips-role=operator, ips-role=viewer, or ips-role=service.

 

 

Though this is helpful, but it doesn't specify the RO/RW Radius attributes

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/200204-Integration-of-FireSIGHT-System-with-ACS.html

 

Thanks in advance.

 

Cheers,

Srinivasan

1 person had this problem
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎11-23-2020 04:47 AM

It work like same as below for FMC, if your ACS integrated with AD Groups, make sure they belong to same Group admin and readonly, if the Local users make adjust as per the requirement. - I do not have FMC screen shot, I will try later if I get chance, may be some confidential client information required to remove - that will be not so soon. but basically it works.

 

Cisco Ironport - External Authentication with Cisco ACS

 
1. Settings on Cisco ACS 5.8
 
- Add WSA as AAA client, RADIUS protocol
 
- Create Authorization Profile, add RADIUS Attribute - Class 25 with username in it.
 
 
 

image.png

 

 
You can create two profiles - one for administrators, the other with Read-Only rights.
Each user must be added to this profile.
 
-Create a rule in Access Policy
image.png
 

 

 
This completes the settings on the ACS. In this case, Identity in ACS is mapped to specific groups in AD. 
 
2. Settings in Cisco WSA, For ESA the same.
 
The settings are shown in the screenshot:
Sustem Administration - Users - External Authentication.
 
 

 

 
This completes the settings.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Srinivasan Nagarajan
Level 1
Level 1
In response to balaji.bandi

‎11-23-2020 06:18 AM

Hi Balaji,

 

Thanks for the reply. Image is too small or not visible. Can you please paste in little big font size?

 

Cheers,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents