Solved: Re: FMC with CAC Authentication and Authorization

Shrimpy · ‎02-15-2022

Hello,

I'm trying to set up FMC to allow users to login with their CAC certificate. I have the same ssl cert for FMC signed by the root CA that signed the client certs. LDAP is configured and using userPrincipleName with the %s@mil name template. I've follwed the guide to the letter, however when i go to the web gui, it ask for my client cert, then takes me to the login page, i click login which uses my cac cert and it keeps failing. I'm able to use username and password but not dice with using the cac cert. Of course the audit loggin just says invalid user. Is there a way to dig deeper or anything one else have any luck with this??

Guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/user_accounts_fmc.html#task_klz_y3p_qcb

Eric R. Jones · ‎02-15-2022

Hello Shrimpy, you are going to be in for a frustrating ride.

We have ours working but there are many steps we had to go through to get it to work.

1. Are you using tokens along with the CAC/PIV? (e.g. rjones.ctr.na or rjones.civ.sa)

if you do then you will need to create a short regex that searches for the last to positions see attached.

2. Are your using ISE for AAA and RBAC for groups? (e.g. see the attached screen shot)

3. Having CAC/PIV/Token access is great however I have a TAC case open with Cisco because of the somewhat uselessness of how it's configured. If you login today at 0800 and tomorrow at 0810 your account will revert back to whatever your default role is. If like me you set it to a least privilege account then you will log in with read only permissions. You then have to login with username password, raise your privilege level and then login with your CAC or token. There is a way to setup privilege escalation but I haven't gotten that to work as I think it should.

If you find that this is an issue for you, the inability to login with full permissions, please open a TAC case yourself with this observation. Maybe if more people ask about it there will be more attention paid to it.

ej

View solution in original post

Eric R. Jones · ‎02-15-2022

Hello Shrimpy, you are going to be in for a frustrating ride.

We have ours working but there are many steps we had to go through to get it to work.

1. Are you using tokens along with the CAC/PIV? (e.g. rjones.ctr.na or rjones.civ.sa)

if you do then you will need to create a short regex that searches for the last to positions see attached.

2. Are your using ISE for AAA and RBAC for groups? (e.g. see the attached screen shot)

3. Having CAC/PIV/Token access is great however I have a TAC case open with Cisco because of the somewhat uselessness of how it's configured. If you login today at 0800 and tomorrow at 0810 your account will revert back to whatever your default role is. If like me you set it to a least privilege account then you will log in with read only permissions. You then have to login with username password, raise your privilege level and then login with your CAC or token. There is a way to setup privilege escalation but I haven't gotten that to work as I think it should.

If you find that this is an issue for you, the inability to login with full permissions, please open a TAC case yourself with this observation. Maybe if more people ask about it there will be more attention paid to it.

ej

Shrimpy · ‎02-15-2022

THANK YOU FOR THE INFO.

I was actually thinking it HAD to be something about it not passing the User Principal name. I'll try this first thing tomorrow morning.

Eric R. Jones · ‎02-15-2022

I forgot one more item. If you select this option to run and get locked out
you can do this to turn it off.

Fix a the pki login

/etc/httpd/ssl_certificates.conf and set it back to SSLVerifyClient none or
optional

Then restart httpsd using pmtool restartbyid httpsd.

Shrimpy · ‎02-15-2022

"Fix a the pki login"

I've been so scared about that!!!! you are amazing! I've been going crazy!

Eric R. Jones · ‎02-15-2022

I just got an answer from Cisco to my question on whether they are going to complete working this.

"

It took a while to hear back, but I finally did get an answer.

For the moment, it looks like this enhancement is not being prioritized.

There has been no steps toward fixing this issue since it was initially filed, which is why you haven’t seen any updates yet.

Current projections are it will be at least a few more months if we start working on it.

Though I have little authority to set bug/enhancement priorities, your account team may have more weight to throw around if you consider this to be a significant issue."

If you can contact your account team this may get more eyes on this issue.

Also your welcome, I hadn't seen anyone else ask about CAC/Token access. Yours is the first post, besides my own, that I have seen on this topic.

ej

elcid98-1a6 · ‎03-23-2022

Eric, thank you for your help so far.

I am stuck too. Please post updates to your TAC case here. I'll get our account rep to try to prioritize this.

ss

elcid98-1a6 · ‎04-08-2022

I was able to get CAC authentication working through the FTD. The high level steps are below. TAC was a huge help on this ticket. You must have the proper cert chain which issued the user certificates installed in Devices-Certificates. For example, if user1 has a cert issued by CA3-SubCA50 both certs are required. If user2 has a cert issued by CA3-SubCA51, load the CA51 cert into the store. The full cert chain must be in the store for it to work.

Create an LDAPS connection from the FTD to the directory (System-Integration-Realms-Add Realm): use the FQDN as the hostname and make sure you have the proper cert selected for the connection from the FTD to the directory.
Devices-VPN-Remote Access: Connection Profile-AAA-Authentication Method should be set to Client certificate and the Map Specific field should be set to the field you want to use to identify your users. We used UPN.
Devices-VPN-Remote Access: Connection Profile-AAA-Authorization-Authorization Server is the LDAPS server configured in step 1. The attribute map needs to be configured for your unique environment. Ours is using the LDAP Attribute Name: memberOf field to map to Cisco Attribute Name: Group Policy. Then we added value maps to map the AD groups we want the firewall to search to the proper group policy. For example, our LDAP Attribute Map value is CN=VPN_Mgmt,OU=bbb,OU=aaa,OU=zzz,DC=fbu,DC=yyy,DC=xxx and our Cisco Attribute Value is the group policy name.
Next we added a separate flex config of deployment: everytime and type: append as follows for each AD server in our environment.

aaa-server <Realm Name> host <FQDN from Realm Config>

ldap-naming-attribute UserPrincipalName

Save and deploy the settings. The TAC engineer also showed us how to debug the connections on the FTD CLI. Below are some commands that proved helpful.

debug vpn-sessiondb

debug aaa shim

debug ldap 255