FMC login authentication method
12-08-2024 07:16 AM - last edited on 12-08-2024 07:42 AM by shaiksh
Hi all,
We have LDAP and RADIUS set up as external authentication methods for admin user login to FMC. We see the user shown as just "External" in the System > Users list, with no details on which auth method was used.
My question is how to determine in FMC whether that admin user was authenticated through LDAP or RADIUS.
12-08-2024 08:27 AM
To determine whether a user authenticated via LDAP or RADIUS in Cisco Firepower Management Center (FMC), follow these steps:
1. Check the User Activity Logs
Cisco FMC logs authentication events, which include details about the authentication method. Here's how you can view these logs:
Navigate to Audit Logs:
- Go to System > Audit > Audit Logs in the FMC GUI.
Filter for Authentication Events:
- Use the search bar or filter options to find logs related to user logins.
- Look for events mentioning "Authentication succeeded" or similar.
Inspect the Details:
- Click on the specific log entry to view details. It should indicate whether the authentication was via LDAP, RADIUS, or another method.
2. Enable Debugging for Authentication
If the logs do not provide sufficient detail, you can enable debugging on the FMC for authentication events:
Access CLI of the FMC:
- Log in to the FMC CLI via SSH.
Enable Debugging for Authentication:
sudo su
pmtool disablebyid webui
pmtool enablebyid webui --debug
tail -f /var/log/messages | grep "auth"
Attempt Login as the User:
- Have the user log in, and monitor the logs to see which authentication server (LDAP or RADIUS) is used.
Disable Debugging:
- Once testing is complete, disable debugging to conserve system resources:
pmtool disablebyid webui --debug
pmtool enablebyid webui
3. Use a Packet Capture
If detailed logs are unavailable, you can capture traffic between the FMC and the authentication servers:
Enable Packet Capture on FMC:
- From the CLI, use the following command to capture packets:
sudo tcpdump -i ethX port 389 or port 1812
- Replace ethX with the appropriate FMC network interface.
Analyze the Capture:
- Look for traffic to the LDAP server (default port 389 or 636 for secure LDAP) or RADIUS server (default port 1812).
Interpret Results:
- The server responding to the authentication request will reveal the method used.
4. Correlate with External Server Logs
Lastly, check the logs on your LDAP and RADIUS servers. Both servers typically log authentication attempts and can confirm whether the user was authenticated through them.
Recommendation
Enable detailed logging or audit settings on FMC for easier monitoring in the future. Let me know if you need specific help with CLI commands or configurations!
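To make step 3 concrete, here is an added example (not from the reply above and not Cisco tooling) that reads tcpdump-style output and attributes each authentication exchange to LDAP, LDAPS or RADIUS from the well-known port, using the defaults the reply names (389, 636, 1812). The capture lines are constructed for the example; the line layout assumes the usual `tcpdump -n` text format, and the ports are assumed to be the defaults rather than read from the FMC configuration. It also separates requests from replies, because only a backend that actually answered tells you which server handled the login.

```python
import re
from collections import Counter

# Constructed tcpdump -n style lines for illustration; NOT a real FMC capture.
SAMPLE_CAPTURE = """\
08:12:01.100001 IP 10.10.1.5.51234 > 10.10.2.10.389: Flags [S], seq 1, win 64240, length 0
08:12:01.100900 IP 10.10.2.10.389 > 10.10.1.5.51234: Flags [S.], seq 2, ack 2, win 65160, length 0
08:12:03.221000 IP 10.10.1.5.41001 > 10.10.3.20.1812: RADIUS, Access-Request (1), id: 0x1b length: 98
08:12:03.223000 IP 10.10.3.20.1812 > 10.10.1.5.41001: RADIUS, Access-Accept (2), id: 0x1b length: 44
08:12:05.000000 IP 10.10.1.5.51300 > 10.10.2.10.636: Flags [P.], seq 1:50, ack 1, win 502, length 49
08:12:06.000000 IP 10.10.1.5.50000 > 93.184.216.34.443: Flags [S], seq 1, win 64240, length 0
"""

# Assumed default ports, as listed in the reply; adjust if the servers use others.
AUTH_PORTS = {389: "LDAP (cleartext)", 636: "LDAPS", 1812: "RADIUS"}

# Matches "<time> IP <src>.<sport> > <dst>.<dport>:" at the start of a tcpdump -n line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):"
)


def classify_line(line):
    """Return {"method", "server", "direction"} for an auth packet, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    sport, dport = int(m.group("sport")), int(m.group("dport"))
    # FMC sends the request to the server port; the server replies from it.
    if dport in AUTH_PORTS:
        return {"method": AUTH_PORTS[dport], "server": m.group("dst"), "direction": "request"}
    if sport in AUTH_PORTS:
        return {"method": AUTH_PORTS[sport], "server": m.group("src"), "direction": "reply"}
    return None  # unrelated traffic (e.g. HTTPS) is ignored


def summarize(capture_text):
    """Count auth packets per method and collect the server IPs seen for each."""
    counts = Counter()
    servers = {}
    for line in capture_text.splitlines():
        rec = classify_line(line)
        if rec is None:
            continue
        counts[rec["method"]] += 1
        servers.setdefault(rec["method"], set()).add(rec["server"])
    return counts, servers


def methods_that_replied(capture_text):
    """Backends that actually answered: these are the ones that handled the login."""
    return {
        rec["method"]
        for rec in map(classify_line, capture_text.splitlines())
        if rec is not None and rec["direction"] == "reply"
    }


def cleartext_ldap_seen(capture_text):
    """True if any LDAP traffic used port 389, i.e. the bind may have crossed the wire unencrypted."""
    return "LDAP (cleartext)" in summarize(capture_text)[0]


if __name__ == "__main__":
    counts, servers = summarize(SAMPLE_CAPTURE)
    for method, n in counts.items():
        print(f"{method}: {n} packet(s), server(s) {sorted(servers[method])}")
    print("answered by:", sorted(methods_that_replied(SAMPLE_CAPTURE)))
    print("cleartext LDAP on the wire:", cleartext_ldap_seen(SAMPLE_CAPTURE))
```

Feed it the text of the tcpdump run from the reply (extend the filter with `or port 636` if LDAPS is in use) and the "answered by" line tells you which backend handled the login; if both LDAP and RADIUS servers appear, the timestamps give the order in which FMC tried them. The last check is the caveat worth keeping: a bind on port 389 is plain LDAP, so a capture that shows it also shows the admin password was sent unencrypted to the directory.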
