
FMC 7.6.2 - Issues with GUI access after the upgrade - Radius

SeaBeeBee (Level 1)

We can no longer log in to the Administrator-level account after installing software version 7.6.2 (previously 7.4.2). Nothing has changed on the RADIUS server side or in the external RADIUS authentication settings.

User testing confirms that the correct RADIUS attributes are being returned by the server, but users are still receiving Read-Only access.

Is anyone else having similar issues?

[Screenshots attached to the post: SeaBeeBee_0-1758898317512.png, SeaBeeBee_0-1758898056425.png, SeaBeeBee_2-1758898142997.png]

Accepted Solution

@SeaBeeBee the issue is possibly related to the Message-Authenticator warning you have in your output. From FMC/FTD version 7.6 the message-authenticator attribute can be configured. I would check the setting on the FMC and RADIUS server. 

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/release-notes/threat-defense/760/threat-defense-release-notes-76.html

Require the Message-Authenticator attribute in all RADIUS responses.

Upgrade impact. After upgrade, enable for existing servers.

You can now require the Message-Authenticator attribute in all RADIUS responses, ensuring that the threat defense VPN gateway securely verifies every response from the RADIUS server, whether for RA VPN or access to the device itself.

The Require Message-Authenticator for all RADIUS Responses option is enabled by default for new RADIUS servers. We also recommend you enable it for existing servers. Disabling it may expose firewalls to potential attacks.

New CLI commands: message-authenticator-required

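To make the accepted answer concrete, here is an added example (not code from this thread or from Cisco) of what the "Require Message-Authenticator for all RADIUS Responses" setting changes on the client side. It builds a RADIUS response the way a server does and then validates it as the FMC would, using a constructed shared secret, Request Authenticator and Class attribute. A response whose Response Authenticator checks out but which carries no Message-Authenticator attribute passes only when the requirement is switched off, which is the mismatch the thread ran into after the upgrade.

```python
import hashlib
import hmac
import struct
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869, section 5.14)

def build_response(code, ident, req_auth, attrs, secret, add_msg_auth=True):
    """Build a RADIUS response as a server would; attrs is a list of (type, value)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    if add_msg_auth:  # append the attribute with a zeroed value first
        body += struct.pack("!BB", MSG_AUTH, 18) + bytes(16)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if add_msg_auth:  # HMAC-MD5(secret) over Code|ID|Length|RequestAuth|Attributes
        body = body[:-16] + hmac.new(secret, header + req_auth + body, hashlib.md5).digest()
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    return header + hashlib.md5(header + req_auth + body + secret).digest() + body

def parse_attrs(body):
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed attribute list")
        attrs.append((body[i], body[i + 2:i + body[i + 1]]))
        i += body[i + 1]
    return attrs

def check_response(pkt, secret, req_auth, require_msg_auth=True):
    """Validate a response as a client with 'require Message-Authenticator' on would."""
    header, resp_auth, body = pkt[:4], pkt[4:20], pkt[20:]
    if hashlib.md5(header + req_auth + body + secret).digest() != resp_auth:
        return "bad-response-authenticator"
    attrs = parse_attrs(body)
    macs = [v for t, v in attrs if t == MSG_AUTH]
    if not macs:  # the lenient behaviour: accept on the Response Authenticator alone
        return "missing-message-authenticator" if require_msg_auth else "ok-unverified"
    zeroed = b"".join(struct.pack("!BB", t, len(v) + 2) + (bytes(16) if t == MSG_AUTH else v)
                      for t, v in attrs)
    expected = hmac.new(secret, header + req_auth + zeroed, hashlib.md5).digest()
    return "ok" if hmac.compare_digest(expected, macs[0]) else "bad-message-authenticator"

# Constructed sample data: shared secret, the Request Authenticator of our Access-Request,
# and an Access-Accept (code 2) carrying a Class (type 25) attribute for the admin role.
SECRET, REQ_AUTH, ATTRS = b"constructed-shared-secret", bytes(range(16)), [(25, b"fmc-admin-role")]
def demo():
    signed = build_response(2, 7, REQ_AUTH, ATTRS, SECRET)
    unsigned = build_response(2, 7, REQ_AUTH, ATTRS, SECRET, add_msg_auth=False)
    return {"signed": check_response(signed, SECRET, REQ_AUTH),
            "unsigned_strict": check_response(unsigned, SECRET, REQ_AUTH),
            "unsigned_lenient": check_response(unsigned, SECRET, REQ_AUTH, False),
            "wrong_secret": check_response(signed, b"other-secret", REQ_AUTH)}
```

The fix the thread settled on corresponds to the `unsigned_lenient` case; having the RADIUS server send the attribute so that the `signed` case holds keeps the stricter check on.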

2 Replies


Thank you, Rob.
That was it. We are getting admin access now, after removing the check mark next to: Message Authenticator - RADIUS Server-Enabled Message Authenticator.
