07-14-2025 10:56 AM
We are currently using FMC and ISE to manage admins who can log into FMC and the firewalls in our environment. We were considering how we can better secure our management connections, specifically the communications between our firewalls and ISE. Currently, the ISE logs show that credentials from users logging into either FMC or the firewalls are sent over PAP-ASCII from the firewall or FMC to the ISE server. We looked into enabling FIPS, but FIPS states that PAP will only be supported over DTLS tunnels if enabled.
We do not have an issue enabling DTLS tunnels with the rest of our network devices; however, I cannot find a way to enable RADIUS over DTLS for FMC, and since FMC configures the firewalls with the RADIUS server configured on it under platform settings, I am sure that the DTLS configuration has to happen on FMC and not on the firewalls themselves. In the FMC GUI, there is no option under RADIUS server settings for DTLS. I cannot find any documentation to support RADIUS over DTLS for FMC either.
If this is not the correct way to better secure our management connections, what is another way I can go about doing it?
07-14-2025 11:33 AM
You're right that FMC and FTD currently do not support RADIUS over DTLS natively, and there’s no option in the FMC GUI or CLI to enable DTLS for RADIUS. Cisco ISE supports RADIUS over DTLS, but that requires the network device (in this case, FMC or FTD) to initiate the DTLS tunnel—which they simply don’t do at this point.
If you're trying to harden the security of FMC/FTD-to-ISE communication, here are practical alternatives:
Use TACACS+ instead of RADIUS for admin authentication. TACACS+ encrypts the entire payload (not just the password like RADIUS) and is supported by both ISE and FMC. This is a much more secure option compared to PAP over RADIUS.
Place FMC and ISE in a secure, isolated management VLAN or VRF, ideally with restricted access and monitored traffic.
If FIPS compliance is a must, then re-evaluate how admin access is configured. You may need to move entirely to TACACS+ or implement certificate-based auth for CLI/SSH access to devices if available.
Currently, the inability to enable DTLS for RADIUS on FMC is a limitation. Until Cisco adds support (if ever), switching to TACACS+ is your best option.
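To make the difference the answer describes concrete, here is an added example (not code from the thread, from Cisco, or from ISE) in Python: it builds a constructed RADIUS Access-Request, applies the RFC 2865 User-Password hiding a NAS performs for PAP, parses the packet back, classifies the authentication method from its attributes, and flags PAP that is sent over plain UDP 1812 rather than inside a RADIUS/DTLS tunnel on 2083. The shared secret, authenticator, user name and password are constructed sample values; the audit function and its output format are this example's own design, not an ISE log format.

```python
import hashlib
import struct

# Constants from RFC 2865 (RADIUS), RFC 3579 (EAP over RADIUS) and RFC 7360 (RADIUS/DTLS)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2    # PAP: password "hidden" with MD5(secret + authenticator) chaining
ATTR_CHAP_PASSWORD = 3    # CHAP: challenge/response, the password itself is never sent
ATTR_EAP_MESSAGE = 79     # EAP carried inside RADIUS
RADIUS_UDP_PORT = 1812    # plain RADIUS over UDP
RADIUS_DTLS_PORT = 2083   # RADIUS/DTLS

# Constructed sample values (not from the thread); a real NAS picks a random 16-byte authenticator.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_AUTHENTICATOR = bytes(range(16))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding as a NAS performs it for PAP.

    The password is zero-padded to a multiple of 16 bytes; block 1 is XORed with
    MD5(secret + Request Authenticator), each later block with MD5(secret + previous
    hidden block). Only the password attribute gets this treatment, and anyone holding
    the shared secret who sees the packet can undo it; that is the gap RADIUS/DTLS or
    TACACS+ (which encrypts the whole body) is meant to close.
    """
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = b""
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def build_access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Serialise an Access-Request: 4-byte header, 16-byte authenticator, TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet: bytes):
    """Parse the RADIUS header and attribute list, rejecting truncated or oversized fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def classify_auth_method(attrs) -> str:
    """Work out which authentication method an Access-Request carries."""
    present = {t for t, _ in attrs}
    if ATTR_EAP_MESSAGE in present:
        return "EAP"
    if ATTR_CHAP_PASSWORD in present:
        return "CHAP"
    if ATTR_USER_PASSWORD in present:
        return "PAP"
    return "unknown"


def audit_request(packet: bytes, dst_port: int) -> dict:
    """Report user, method, transport and a finding for one Access-Request.

    PAP over plain UDP is the case worth flagging (what the ISE log in the thread shows);
    the same request inside a DTLS tunnel (port 2083) is covered by the tunnel and passes.
    """
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        return {"user": "", "method": "n/a", "transport": "n/a", "finding": "not an Access-Request"}
    method = classify_auth_method(attrs)
    user = next((v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_USER_NAME), "")
    transport = "DTLS" if dst_port == RADIUS_DTLS_PORT else "UDP"
    if method == "PAP" and transport == "UDP":
        finding = "PAP over plain UDP: password protected only by shared-secret MD5 hiding"
    else:
        finding = "ok"
    return {"user": user, "method": method, "transport": transport, "finding": finding}


def build_sample_request(method: str = "PAP") -> bytes:
    """Constructed sample Access-Request for user 'fmc-admin' (not captured traffic)."""
    attrs = [(ATTR_USER_NAME, b"fmc-admin")]
    if method == "PAP":
        attrs.append((ATTR_USER_PASSWORD, hide_password(b"CorrectHorse", SAMPLE_SECRET, SAMPLE_AUTHENTICATOR)))
    elif method == "CHAP":
        attrs.append((ATTR_CHAP_PASSWORD, b"\x01" + b"\x00" * 16))  # CHAP ident + 16-byte response
    return build_access_request(7, SAMPLE_AUTHENTICATOR, attrs)


if __name__ == "__main__":
    for port in (RADIUS_UDP_PORT, RADIUS_DTLS_PORT):
        print(port, audit_request(build_sample_request(), port))
```

Running the module prints the same PAP request audited twice: flagged when the destination is UDP 1812, passed when it is the RADIUS/DTLS port 2083. The classifier is what matters for the thread: a capture or NAD log that shows only User-Password attributes on 1812 is exactly the PAP-ASCII exposure the question describes, and a move to EAP or CHAP, a DTLS tunnel, or TACACS+ changes what this check sees.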
08-29-2025 05:25 AM
FMC does not support TACACS+
07-14-2025 11:56 AM - edited 07-17-2025 05:01 AM
I checked a lot; there is no way.
You need to add a VPN GW (connect ISE to it), so build an IPsec VPN between the FTD and the VPN GW.
18/07 update: I found a video on running RADIUS over DTLS between ISE and an IOS XE router. I will check more on whether we can run that between ISE and FMC.
MHM