FTD can be accessed through local user after ISE-RADIUS is configured

Hi,
We have just configured FTD and FMC to be accessed through ISE-RADIUS. I can access FTD and FMC through RADIUS users.

However, I can also still access FTD and FMC using a local user. We would like to force the use of only ISE-RADIUS-defined users to log in as long as RADIUS is reachable, and use the local user in case RADIUS goes down.

I cannot figure out how to do it on FMC; help appreciated.

7 Replies

balaji.bandi
Hall of Fame

Yes, that is the intention of using external authentication like ISE and AD, and if that fails, local.

I have not come across any issue: as long as ISE is reachable, local users do not work. Check the below document and verify all settings:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/221009-configure-fmc-and-ftd-external-authentic.html

BB


That is the guide I followed.
I would expect the local user not to work as well, but I can still log in using the "admin" user. The thing is, the admin user does not exist in the running-config at all. So is it counted as a special user?

@oscardenizjensen the FMC/FTD does not work the same as IOS devices: the FMC/FTD device checks a local database for user authentication, and if the user is not present in the local database, the system retrieves the user information from an external LDAP or RADIUS authentication server.

2-factor auth works for local users as well, right? Just not in general a big fan of local user access on devices, unless for emergencies.

As mentioned by @Rob Ingram, the local database will get checked first, and if the user is not found the external authentication server is queried:

Cisco Secure Firewall Management Center Device Configuration Guide, 7.2 - Users [Cisco Secure Firewall Management Center] - Cisco

With regard to the "admin" account, yes, I would say it is a special account because you can't delete it and you can't even create an equivalent one through the external authentication server.

That makes it a bit weird because technically I would have my FW internet facing, and the local user on the device would be open to the real world.

The firewall won't allow any management traffic on any of its data interfaces by default, so I don't believe there is any worry unless you configure management on the outside interface.
