Firepower Local Auth

Community,

I have configured my Firepower FTDs (2140s and 4140s) for RADIUS Auth and my FMC for LDAP authentication. However, I am noticing that I am still able to log in to these devices using the local admin account. Is this by design? Is there a way to force only the RADIUS/LDAP auth until the External Authentication method is no longer available, similar to a local fallback mechanism on a router or switch?

Thank you.

Accepted Solutions

Hi @ChristopherCraddock66504 

Unfortunately, you cannot configure the FMC like fallback on a switch or router. The documentation states "If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server".

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/configuration/guide/fpmc-config-guide-v67/user_accounts_fmc.html?bookSearch=true#id_63531

So the local admin user will always have access.
