01-09-2019 09:01 AM - edited 02-21-2020 08:38 AM
I am thinking I need to settle with the fact that the FTD CLI seems to authenticate in this order: LOCAL then External.
Anyone know if there is a way to get a similar result to this command in an FTD?
aaa authentication ssh console ISE-RAD LOCAL
Or is it just not possible at the moment?
Labels: Firepower Threat Defense (FTD)
Accepted Solutions
01-09-2019 02:14 PM
Your understanding is correct. Local users will always be able to log in; RADIUS users will only be able to log in when the server is available.
Please remember to select a correct answer and rate helpful posts
01-09-2019 12:26 PM
I am assuming you have the same username for both Local and External authentication? In either case, as of now, the Local user database is checked first.
Internal and External Users
Firepower devices support two types of users:
- Internal user—The device checks a local database for user authentication. For more information about internal users, see Add an Internal User Account.
- External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server. For more information about external users, see Configure External Authentication.
Please remember to select a correct answer and rate helpful posts
01-09-2019 01:36 PM
Thanks for the response! So, I have three AD users and then the default admin local user on the FTD. I want it to work where the local admin account simply won't work unless the external authentication fails, but your explanation just reinforces all the info I can find.
This doesn't work:
RADIUS Server up and working
External Users - Can log in
Internal (LOCAL) Users - Can't log in
RADIUS Server Down
External Users - Cannot log in
Internal (LOCAL) Users - Can log in
01-10-2019 06:37 AM
Disappointing! I just wanted to be sure and have a topic for anyone else looking for a definitive answer. Thanks!
