FTD External Authentication Bugged???
03-26-2024 05:18 PM
Hi Community,
I'm having an issue getting external authentication working on my FMC-managed FTDs (Firepower 2100s). I have configured the remote authentication server in the FMC settings and then navigated over to platform settings to enable it on the FTD. I deployed the config to the FTD, but it doesn't actually make any changes to the FTD. I can tell this because I log in to the FTD directly and can see that none of the LDAP settings are populated, and that the "set authentication default" command is still set to local rather than LDAP.
Anyone had any success with this?
03-27-2024 02:03 AM
Is this for admin or for RA VPN?
MHM
03-27-2024 02:15 AM
For admin
03-27-2024 04:33 AM
Can I see
Devices > Platform Settings > External Authentication?
MHM
03-27-2024 05:34 PM
Also, I watched the deployment to the Firepower after I enabled LDAP in platform settings and wasn't able to see the creation of the server.
I would expect to see the following, but I don't:
2024-03-27T04:23:56+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][modification][clish][11199498][sys/ldap-ext][attribute(Old:, New:uid), basedn(Old:, New:cn=accounts,dc=ccc,dc=local), filter(Old:, New:&(|(objectclass=person))(|(memberOf=cn=fwladmin,cn=groups,cn=accounts,dc=ccc,dc=local))), name(Old:, New:AUTHSERVER), retries(Old:1, New:3), shellaccessuserlist(Old:, New:user1,user2,user3,user4), tlscacertificate(Old:, New:-----BEGIN CERTIFICATE-----#015
2024-03-27T04:23:56+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][creation][clish][11199499][sys/ldap-ext/provider-authserver.ccc.local][enableSSL:on, key:****, name:firewall.ccc.local, order:1, port:636, retries:1, rootdn:uid=ldapbind,cn=sysaccounts,cn=etc,dc=ccc,dc=local, timeout:30, vendor:Other][] LDAP server authserver.ccc.local created
2024-03-27T04:23:57+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][modification][clish][11199503][sys/auth-realm][defLogin(Old:local, New:ldap)][] Authentication realm modified
2024-03-27T04:23:57+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][modification][clish][11199504][sys/auth-realm/default-auth][realm(Old:local, New:ldap)][] Default authentication configuration modified
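A check one can run over the FTD's audit log to confirm that a deployment actually wrote the LDAP configuration, added here as an example (it is not from the thread or from Cisco): it parses %FPRM-6-AUDIT lines of the form quoted above and reports whether an LDAP provider was created and the default authentication realm was switched to ldap. The sample lines are constructed from the expected entries above, leaving out the truncated certificate line.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the FPRM audit messages expected after a deployment.
SAMPLE_LOG = """\
2024-03-27T04:23:56+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][creation][clish][11199499][sys/ldap-ext/provider-authserver.ccc.local][enableSSL:on, key:****, name:firewall.ccc.local, order:1, port:636, retries:1, rootdn:uid=ldapbind,cn=sysaccounts,cn=etc,dc=ccc,dc=local, timeout:30, vendor:Other][] LDAP server authserver.ccc.local created
2024-03-27T04:23:57+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][modification][clish][11199503][sys/auth-realm][defLogin(Old:local, New:ldap)][] Authentication realm modified
2024-03-27T04:23:57+00:00 firewall : %FTD-6-199018: FPRM: <<%FPRM-6-AUDIT>> [admin][clish][modification][clish][11199504][sys/auth-realm/default-auth][realm(Old:local, New:ldap)][] Default authentication configuration modified
"""

# Fields: [user][tool][action][tool][txn][dn][attributes][] message
AUDIT_RE = re.compile(
    r"%FPRM-6-AUDIT>> \[(?P<user>[^\]]*)\]\[[^\]]*\]\[(?P<action>[^\]]*)\]\[[^\]]*\]"
    r"\[(?P<txn>\d+)\]\[(?P<dn>[^\]]*)\]\[(?P<attrs>.*?)\]\[\] (?P<msg>.*)$"
)

@dataclass
class AuditEvent:
    user: str
    action: str
    txn: int
    dn: str
    attrs: dict   # creation: key -> value; modification: key -> (old, new)
    msg: str

def parse_changes(attrs: str) -> dict:
    """Parse 'key(Old:x, New:y), ...'; splitting on '), ' keeps LDAP filter parentheses intact."""
    out = {}
    for part in attrs.split("), "):
        m = re.match(r"(\w+)\(Old:(.*?), New:(.*?)\)?$", part)
        if m:
            out[m.group(1)] = (m.group(2), m.group(3))
    return out

def parse_kv(attrs: str) -> dict:
    """Parse 'key:value, key:value'; DN values contain commas but never ', '."""
    return dict(p.split(":", 1) for p in attrs.split(", ") if ":" in p)

def parse_audit(log_text: str) -> list:
    events = []
    for line in log_text.splitlines():
        m = AUDIT_RE.search(line)
        if not m:
            continue
        attrs = parse_changes(m["attrs"]) if m["action"] == "modification" else parse_kv(m["attrs"])
        events.append(AuditEvent(m["user"], m["action"], int(m["txn"]), m["dn"], attrs, m["msg"]))
    return events

def check_ldap_deployment(log_text: str) -> dict:
    """Checklist a successful push should satisfy; any False points at what the deploy skipped."""
    events = parse_audit(log_text)
    providers = [e for e in events if e.action == "creation" and e.dn.startswith("sys/ldap-ext/provider-")]
    realm = [e for e in events if e.dn == "sys/auth-realm/default-auth" and e.attrs.get("realm", ("", ""))[1] == "ldap"]
    return {
        "ldap_server_created": bool(providers),
        "ldap_over_ssl": any(p.attrs.get("enableSSL") == "on" for p in providers),
        "default_auth_is_ldap": bool(realm),
    }
```

Run it against the output of a syslog capture taken during the deploy; an all-False result like the one in this thread means the FMC never wrote the LDAP objects, rather than the FTD failing to reach the server.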
03-28-2024 01:14 AM
First, we are talking about FTD admin, not FMC.
The config you shared:
1- You enable external authentication
2- You need to select SSH and HTTP when you add external authentication
3- You use SSL with LDAP; this can be an issue if the FTD doesn't have a CA and identity cert. Then it cannot connect to LDAP using SSL.
Do the above and try access using SSH to the FTD.
MHM
03-27-2024 09:08 PM - edited 03-27-2024 09:09 PM
03-27-2024 09:16 PM
??? Whilst I appreciate you trying to help me out, posting configuration guides does nothing to help resolve the issue.
03-27-2024 09:36 PM
If you have followed the steps right, then I suggest opening a TAC case, mate.
12-11-2024 06:08 AM
I am also having a similar problem, FPR2100 series FTDs. The external authentication settings are configured under the platform settings, but the FMC doesn't seem to push them out to the FTDs.
It works with ASAs running FTD code and strangely with a pair of FPR1140s but I'm able to see user accounts under "show users" on the FTD CLI.
Seems to be related to this bug - https://quickview.cloudapps.cisco.com/quickview/bug/CSCvr27850
