Firepower 1010 FDM and Windows RADIUS

RANT
Level 1

Been working on ASA for a long time, and I have my first firepower 1010 appliance that I'm running the Firepower image on. Can't seem to get the RADIUS authentication for logging into web GUI working.

I've configured the RADIUS server group and RADIUS server. Tested access to the server OK. However, when I try to utilize my AD credentials, it keeps failing with "unable to authorize access". The Windows NPS logs appear to show a successful authentication:

 

Network Policy Server granted full access to a user because the host met the defined health policy.

User:
Security ID: ADMINS\jdoe
Account Name: jdoe
Account Domain: ADMINS
Fully Qualified Account Name: xxxx.com/Users/John Doe

Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: -
Calling Station Identifier: -

NAS:
NAS IPv4 Address: 192.168.2.18
NAS IPv6 Address: -
NAS Identifier: -
NAS Port-Type: Virtual
NAS Port: -

RADIUS Client:
Client Friendly Name: RT-OFFICE-FW01
Client IP Address: 192.168.2.18

Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Cisco admin auth network policy
Authentication Provider: Windows
Authentication Server: RADIUS-SERV.xxxx.com
Authentication Type: PAP
EAP Type: -
Account Session Identifier: -

Quarantine Information:
Result: Full Access
Extended-Result: -
Session Identifier: -
Help URL: -
System Health Validator Result(s): -

2 Replies

Marvin Rhoads
Hall of Fame

You need to grant a specific role to the user when they are authenticated via a RADIUS server. For admin access, it's the cisco-av-pair (attribute-value) fdm.userrole.authority.admin.

Reference: https://www.cisco.com/c/en/us/td/docs/security/firepower/70/fdm/fptd-fdm-config-guide-700/fptd-fdm-mgmt.html#id_73793
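To show why NPS can log "granted full access" while FDM still answers "unable to authorize access", here is an added Python example (not from this thread and not Cisco's code) that encodes and checks the cisco-av-pair inside a RADIUS Access-Accept. It assumes the standard Vendor-Specific attribute layout (type 26, vendor ID 9, sub-type 1) and constructs its own sample attribute lists; authentication succeeding and the role attribute being present are two separate things.

```python
import struct

# RADIUS Vendor-Specific (type 26), Cisco vendor ID 9, cisco-av-pair sub-type 1.
ATTR_VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1
FDM_ADMIN_ROLE = "fdm.userrole.authority.admin"  # the role string from the reply above

def encode_attr(atype: int, data: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute."""
    return struct.pack("!BB", atype, 2 + len(data)) + data

def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-av-pair string in a Vendor-Specific (26) attribute."""
    sub = encode_attr(CISCO_AVPAIR, value.encode())
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attrs(blob: bytes):
    """Yield (type, value) from a RADIUS attribute list, rejecting bad lengths."""
    off = 0
    while off < len(blob):
        alen = blob[off + 1] if off + 1 < len(blob) else 0
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed RADIUS attribute at offset %d" % off)
        yield blob[off], blob[off + 2:off + alen]
        off += alen

def cisco_avpairs(blob: bytes) -> list:
    """Collect every cisco-av-pair string carried in the attribute list."""
    pairs = []
    for atype, value in parse_attrs(blob):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue  # another vendor's VSA
        for vtype, vdata in parse_attrs(value[4:]):  # vendor data is itself TLVs
            if vtype == CISCO_AVPAIR:
                pairs.append(vdata.decode(errors="replace"))
    return pairs

def fdm_roles(blob: bytes) -> list:
    return [p for p in cisco_avpairs(blob) if p.startswith("fdm.userrole.authority.")]

def check_access_accept(blob: bytes) -> str:
    """Authenticated is not authorized: an Accept with no role still fails."""
    roles = fdm_roles(blob)
    return "ok: " + ",".join(roles) if roles else "unable to authorize access"

# Constructed samples: Reply-Message (18) + Class (25) only, vs. the same plus the
# admin av-pair. Packet headers and authenticators are omitted.
ACCEPT_WITHOUT_ROLE = encode_attr(18, b"Welcome") + encode_attr(25, b"\x01\x02")
ACCEPT_WITH_ROLE = ACCEPT_WITHOUT_ROLE + encode_cisco_avpair(FDM_ADMIN_ROLE)
```

The first sample is what an NPS policy with no vendor-specific attribute returns: a valid Accept that FDM cannot map to a role.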

Jitendra Kumar
Spotlight

It seems due to the administrator role being disabled.

 

Please follow the document below if it helps you.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_radius.html

 

Thanks,

Jitendra 
