Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3146
Views
0
Helpful
4
Replies

AAA Authentication Order for FTD SSH CLI Access

Go to solution
Serpens66
Level 1
Level 1

‎01-09-2019 09:01 AM - edited ‎02-21-2020 08:38 AM

I am thinking I need to settle with the fact the FTD-CLI seems to authenticate in this order: LOCAL then External

 

Anyone know if there is way to get a similar result to this command in a FTD?

 

aaa authentication ssh console ISE-RAD LOCAL

 

Or is it just not possible at the moment? 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Serpens66

‎01-09-2019 02:14 PM

Your understanding is correct. Local users will always be able to login, radius users will only be able to log in when the server is available. 

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎01-09-2019 12:26 PM

I am assuming you have the same username for both Local and External authentication?  In either case as of now, the Local user database is checked first.

Internal and External Users

Firepower devices support two types of users:

  • Internal user—The device checks a local database for user authentication. For more information about internal users, see Add an Internal User Account.

  • External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server. For more information about external users, see Configure External Authentication.

https://www.cisco.com/c/en/us/td/docs/security/firepower/623/configuration/guide/fpmc-config-guide-v623/user_accounts_for_management_access.html

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Serpens66
Level 1
Level 1
In response to Marius Gunnerud

‎01-09-2019 01:36 PM

Thanks for the response!  So, I have three AD users and then the default admin local user on the FTD, I want it to work where the local admin account simply won't work unless the external authentication fails, but your explanation just reinforces all the info I can find.

This doesn't work:

 

RADIUS Server up and working

 

External Users - Can log in

Internal (LOCAL) Users - Can't log in

 

RADIUS Server Down 

 

External Users - Cannot log in

Internal (LOCAL) Users - Can log in

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Serpens66

‎01-09-2019 02:14 PM

Your understanding is correct. Local users will always be able to login, radius users will only be able to log in when the server is available. 

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Serpens66
Level 1
Level 1
In response to Marius Gunnerud

‎01-10-2019 06:37 AM

Disappointing! I just wanted to be sure and have a topic for anyone else looking for a definitive answer. Thanks! 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card