Firepower 1010 FDM and Windows RADIUS

RANT
Level 1

Been working on ASA for a long time, and I have my first Firepower 1010 appliance that I'm running the Firepower image on. Can't seem to get the RADIUS authentication for logging into the web GUI working.

I've configured the RADIUS server group and RADIUS server. Tested access to the server OK. However, when I try to utilize my AD credentials, it keeps failing with "unable to authorize access". The Windows NPS logs appear to show a successful authentication:

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
Security ID: ADMINS\jdoe
Account Name: jdoe
Account Domain: ADMINS
Fully Qualified Account Name: xxxx.com/Users/John Doe

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: 192.168.2.18
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: RT-OFFICE-FW01
Client IP Address: 192.168.2.18

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco admin auth network policy
Authentication Provider: Windows
Authentication Server: RADIUS-SERV.xxxx.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -

Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

3 Replies

Marvin Rhoads
Hall of Fame

You need to grant a specific role to the user when they are authenticated via a RADIUS server. For admin access, it's the cisco-av-pair (attribute-value) fdm.userrole.authority.admin.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-mgmt.html#id_73793

Hello Marvin, Thanks for your contributions. It has been several years since the original posting but here is where I am at:

PowerShell SSH
When I use PowerShell to log into the FPR running FDM, I use RADIUS credentials that work. The error I get is:

"Successful login attempts for user 'Username-1' : 10
! ! ! Your username is not defined with a service type that is valid for this system. You are not authorized to access the system. ! ! !"
FDM WEB GUI
When checking my objects for Authentication, I run a RADIUS test and it returns SUCCESS.

In the NPS Server:
NPS Policy is configured with Service-Type: Administrator and the Cisco-AV-Pair configured with "fdm.userrole.authority.admin".
The event logs for the NPS have a similar message to RANT's post above.

This issue has been observed on multiple FDM versions. We have verified RADIUS secret keys, multiple known working usernames, and reviewed Event logs for confirmation.
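Both replies above come down to the same question: does the Access-Accept that NPS sends back actually carry the Cisco VSA with fdm.userrole.authority.admin (and, for the SSH message, a Service-Type)? A RADIUS test that returns SUCCESS, as in the reply above, shows that the server accepted the credentials; it does not show which attributes came back. The script below is an added example, not code from this thread or from Cisco: a minimal RADIUS/PAP client that builds the Access-Request, verifies the Response Authenticator with the shared secret, and reports the Service-Type and every cisco-avpair in the reply. The shared secret "testing123" is a placeholder; "jdoe" and the NAS address 192.168.2.18 are taken from the NPS event in the question; simulated_nps() is a constructed stand-in for the NPS server (it checks the PAP password and answers with or without the VSA) so the script runs offline.

```python
# Added example, not code from the thread or from Cisco: a small RADIUS/PAP client that
# shows which attributes the server really returns, so the Cisco VSA
# "fdm.userrole.authority.admin" can be checked rather than assumed. Assumed values:
# shared secret b"testing123"; user "jdoe" and NAS 192.168.2.18 from the NPS event above.
# simulated_nps() is a constructed stand-in for a real server so this runs offline.
import hashlib
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_SERVICE_TYPE, ATTR_VSA = 1, 2, 4, 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6        # RFC 2865 "Administrative-User"
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1   # IANA enterprise 9; vendor-type 1 = cisco-avpair
FDM_ROLE_PREFIX = b"fdm.userrole.authority."

def attr(atype, value):  # one attribute: Type(1) Length(1) Value
    return struct.pack("!BB", atype, len(value) + 2) + value

def cisco_avpair(value):  # Vendor-Specific(26) carrying Vendor-Id 9 and one cisco-avpair
    inner = struct.pack("!BB", CISCO_AVPAIR, len(value) + 2) + value
    return attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + inner)

def pap_encrypt(password, secret, authenticator):  # RFC 2865 5.2 User-Password hiding
    pw = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(pw), 16):  # each block XORed with MD5(secret + previous block)
        prev = bytes(a ^ b for a, b in zip(pw[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def pap_decrypt(cipher, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], hashlib.md5(secret + prev).digest()))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")

def build_access_request(username, password, secret, nas_ip, ident=1):
    req_auth = os.urandom(16)  # returned too: the reply is verified against it
    body = (attr(ATTR_USER_NAME, username.encode())
            + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, req_auth))
            + attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body, req_auth

def parse_attributes(data):
    attrs, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def response_authenticator_ok(reply, secret, req_auth):
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    length = struct.unpack("!H", reply[2:4])[0]
    return hashlib.md5(reply[:4] + req_auth + reply[20:length] + secret).digest() == reply[4:20]

def parse_response(reply, secret, req_auth):
    if not response_authenticator_ok(reply, secret, req_auth):
        raise ValueError("bad Response Authenticator: wrong shared secret or forged reply")
    code, ident, length = struct.unpack("!BBH", reply[:4])
    return code, ident, parse_attributes(reply[20:length])

def cisco_avpairs(attrs):
    pairs = []
    for atype, value in attrs:
        if atype == ATTR_VSA and struct.unpack("!I", value[:4])[0] == CISCO_VENDOR_ID:
            pairs += [v for t, v in parse_attributes(value[4:]) if t == CISCO_AVPAIR]
    return pairs

def fdm_role(attrs):  # role from fdm.userrole.authority.<role>, or None if absent
    for pair in cisco_avpairs(attrs):
        if pair.startswith(FDM_ROLE_PREFIX):
            return pair[len(FDM_ROLE_PREFIX):].decode()
    return None

def diagnose(reply, secret, req_auth):  # summarise what FDM has to act on
    code, _, attrs = parse_response(reply, secret, req_auth)
    if code != ACCESS_ACCEPT:
        return "rejected"
    svc = next((struct.unpack("!I", v)[0] for t, v in attrs if t == ATTR_SERVICE_TYPE), None)
    role = fdm_role(attrs) or "NONE (no fdm.userrole.authority.* avpair)"
    return "accepted, Service-Type=%s, role=%s" % (svc, role)

def simulated_nps(request, secret, users, role=None, svc_type=SERVICE_TYPE_ADMINISTRATIVE):
    """Constructed stand-in for NPS: checks the PAP password, answers with or without the VSA."""
    req_attrs = dict(parse_attributes(request[20:]))
    ok = users.get(req_attrs[ATTR_USER_NAME].decode()) == pap_decrypt(
        req_attrs[ATTR_USER_PASSWORD], secret, request[4:20])
    body = attr(ATTR_SERVICE_TYPE, struct.pack("!I", svc_type)) if ok else b""
    if ok and role is not None:
        body += cisco_avpair(FDM_ROLE_PREFIX + role.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body
```

To run this against the real NPS, send the packet from build_access_request() over UDP to port 1812 with a plain socket and pass the reply to diagnose(); do it from a host that NPS knows as a RADIUS client with the same shared secret, since requests from unknown clients are discarded without a reply. If diagnose() reports role=NONE, the network policy is not returning the Cisco-AV-Pair even though authentication succeeded, which is exactly the case the thread describes; if it reports role=admin and the login still fails, the server side is fine and the problem is on the FDM side.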


Jitendra Kumar
Spotlight

It seems to be due to the administrator role being disabled.

Please follow the document below, if it helps you.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html

Thanks,
Jitendra