Firepower FTD - Radius on Multi Instance not working

Marcus Eickhoff
Level 1

Hi,

we're currently running several types of FPR 1010, 1120, 1150 and 3110 (in Multi-Instance mode) with FTD v7.2 up to v7.4, all managed by FMC 7.6.

In FMC Platform Settings, different policies are assigned to the regions (EMEA, APAC, Americas) with individual regional settings, e.g. for logging, authentication etc., assigned to single FTDs or to the instances.

Authentication for CLI access is set to RADIUS, authenticated by the regional ISEs. No special characters are used in the secret. It's working well with all single FTDs: we can see the requests in the ISE log, and the packets are routed using the FXOS environment. On Multi-Instance it's not working; we do not see any RADIUS packets from an instance arriving at the ISE.

I believe that all RADIUS requests from an instance are routed through the chassis FXOS (same as for logging). Individual RADIUS configuration on the chassis is not possible (cannot commit any changes because it's managed by FMC).

Any idea how it may be possible to get RADIUS authentication running on the Multi-Instance?

Best, Marcus

5 Replies

balaji.bandi
Hall of Fame

You can define different RADIUS servers in the Platform Settings management policy and attach each management policy to an FTD instance - does that work?

Reference guide:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/221009-configure-fmc-and-ftd-external-authentic.html#toc-hId--2083687507

BB


We implement the classes Administrator, Maintenance and ReadUser in ISE, which are returned to the FTD on successful authentication to be used as the RADIUS-specific parameter. Additionally, users are set in the CLI section to be allowed to access the FTD by console or SSH. The RADIUS request is sent out from the single FTD using the management interface. This works fine.

The same policy assigned to the instances doesn't work: we do not see packets from these instances, neither from their management interface nor from the chassis management interface, arriving at the ISE. No IP is shown in the ISE log.

Marcus
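The ISE-returned class values mentioned above travel as RADIUS attribute 25 (Class) inside the Access-Accept. As an added example, not part of this thread and not Cisco or ISE code, the Python below encodes such an Access-Accept and then verifies and decodes it on the client side, including the Response Authenticator check that a mismatched shared secret would trip. The shared secret, identifier and request authenticator are constructed values.

```python
import hashlib
import struct

# RADIUS code and attribute type from RFC 2865
ACCESS_ACCEPT = 2
ATTR_CLASS = 25
SECRET = b"constructed-shared-secret"  # constructed value, not a real secret


def build_access_accept(ident, request_auth, secret, classes):
    """Encode an Access-Accept with one Class (25) attribute per value.
    The Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attrs+Secret),
    as RFC 2865 section 3 defines it."""
    attrs = b"".join(struct.pack("BB", ATTR_CLASS, len(c) + 2) + c for c in classes)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_classes(packet, request_auth, secret):
    """Verify the Response Authenticator and return the decoded Class values.
    Raises ValueError if the packet is malformed or the MD5 check fails."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if expected != packet[4:20]:
        raise ValueError("Response Authenticator mismatch (wrong shared secret?)")
    classes, pos = [], 0
    while pos < len(attrs):
        if pos + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("bad attribute length")
        if atype == ATTR_CLASS:
            classes.append(attrs[pos + 2:pos + alen].decode("ascii", "replace"))
        pos += alen
    return classes


if __name__ == "__main__":
    req_auth = bytes(range(16))  # constructed Request Authenticator
    pkt = build_access_accept(7, req_auth, SECRET, [b"Administrator"])
    print(parse_classes(pkt, req_auth, SECRET))  # ['Administrator']
```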

Marcus Eickhoff
Level 1

Single FTD's request arrives ...

[attached screenshot: MarcusEickhoff_0-1756814573973.png]

You need RADIUS for admin authc?

MHM

Marcus Eickhoff
Level 1

Hi,

we would like to have CLI access authenticated by RADIUS so that an admin authenticates with his own password for troubleshooting etc. As I wrote, this is working well with a single FTD 1010, 1120 or 1150. But unfortunately it doesn't work with an instance, as no request is sent to the ISE, neither from the instance nor from the chassis.

SSO is no solution, as we would like to have RADIUS (with MFA).
