FTD Shell Restrictions with RADIUS

Model: FPR1120
Version: 7.4.2

I am in the process of attempting to lock down shell access to basic so that our ACAS system can safely access the FTD per our scan policy.

We have configured RADIUS to work with both the FMC and FTD and can successfully login. When accessing the FTD shell my account is returning config level permissions.

RADIUS Attributes configured on ISE:

Access Type = ACCESS_ACCEPT

Class = ReadUser   (This is for FMC access specifically)

cisco-av-pair = shell:level=0


I suspect that my AV pair is wrong but the documentation seems to be elusive. I cannot configure the account type manually via the local admin or my standard (admin) RADIUS account.

Any and all assistance is greatly appreciated.

1 Accepted Solution

Accepted Solutions

Solution:

Configuring administrative CLI user access list under external authorization servers overrides RADIUS attributes that are sent. I removed all users from the list and configured Service-Type:Administrative for my RW group and NAS Prompt for the RO group. I will work with Cisco to update the documentation so that this behavior is identified/documented.

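An added example, not from this thread or from Cisco: a small Python decoder for the RADIUS attributes the thread turns on (Service-Type, Class, and the cisco-av-pair vendor attribute), run over constructed Access-Accept packets shaped like the OP's original ReadOnly profile and the corrected RO/RW profiles from the accepted solution. The level mapping reproduces the solution's pairing (Service-Type Administrative for the RW group, NAS Prompt for the RO group); the packet layout follows RFC 2865, and Cisco's IANA enterprise number 9 is used for the vendor-specific attribute.

```python
import struct

# Attribute codes from RFC 2865; Cisco's IANA enterprise number is 9.
SERVICE_TYPE, CLASS, VENDOR_SPECIFIC = 6, 25, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1
ADMINISTRATIVE, NAS_PROMPT = 6, 7  # Service-Type values named in the accepted solution

def attr(atype: int, value: bytes) -> bytes:  # one RADIUS TLV: type, length (incl. header), value
    return bytes([atype, len(value) + 2]) + value

def cisco_avpair(text: str) -> bytes:  # cisco-av-pair wrapped in Vendor-Specific (26)
    return attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + attr(CISCO_AVPAIR, text.encode()))

def access_accept(ident: int, attrs: bytes) -> bytes:  # constructed Access-Accept, authenticator zeroed
    return struct.pack("!BBH", 2, ident, 20 + len(attrs)) + bytes(16) + attrs

def decode(pkt: bytes) -> dict:
    """Decode Service-Type, Class and Cisco AV pairs from an Access-Accept packet."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != 2 or length != len(pkt):
        raise ValueError("not a well-formed Access-Accept")
    out = {"cisco-av-pair": []}
    i = 20  # attributes start after the 20-byte RADIUS header
    while i + 2 <= len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        if alen < 2 or i + alen > len(pkt):
            raise ValueError("malformed attribute at offset %d" % i)
        val = pkt[i + 2:i + alen]
        if atype == SERVICE_TYPE:
            out["Service-Type"] = struct.unpack("!I", val)[0]
        elif atype == CLASS:
            out["Class"] = val.decode("ascii", "replace")
        elif atype == VENDOR_SPECIFIC and struct.unpack("!I", val[:4])[0] == CISCO_VENDOR_ID:
            j = 4  # vendor sub-attributes share the TLV layout after the 4-byte vendor id
            while j + 2 <= len(val):
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("malformed vendor sub-attribute")
                if vtype == CISCO_AVPAIR:
                    out["cisco-av-pair"].append(val[j + 2:j + vlen].decode("ascii", "replace"))
                j += vlen
        i += alen
    return out

def ftd_cli_level(attrs: dict) -> str:  # the pairing the accepted solution describes
    return {ADMINISTRATIVE: "config", NAS_PROMPT: "basic"}.get(attrs.get("Service-Type"), "unspecified")

# Constructed samples: the OP's original ReadOnly profile, then the corrected RO and RW profiles.
ORIGINAL_RO = access_accept(1, attr(CLASS, b"ReadUser") + cisco_avpair("shell:level=0"))
FIXED_RO = access_accept(2, attr(CLASS, b"ReadUser") + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT)))
FIXED_RW = access_accept(3, attr(SERVICE_TYPE, struct.pack("!I", ADMINISTRATIVE)))
```

Decoding a packet captured from ISE the same way lets you confirm which Service-Type the RO profile actually returns before touching the FTD's CLI access list.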

6 Replies

balaji.bandi (Hall of Fame)

Is this RADIUS server ISE or any other vendor?

You can create a different profile and use it as admin or read-only; check this guide:

https://www.cisco.com/c/en/us/support/docs/security-vpn/remote-authentication-dial-user-service-radius/221009-configure-fmc-and-ftd-external-authentic.html

BB


Greetings!

We are using ISE as the RADIUS server and have it fully operational/configured for RADIUS authentication with the FMC and FTD. The current issue that I am running into (and will review the document you provided) is that even when forcing the profile to use the ReadOnly authorization profile I still have expert level access which I am looking to lock down. The RADIUS attributes above are configured on the ReadOnly profile.

I will review the document and come back with any results.

Friend, FMC doesn't use privilege level; it uses role.

MHM


Unfortunately the document provided is almost explicitly for GUI access. I followed this guide to configure RADIUS authentication initially.

This guide: https://www.cisco.com/c/en/us/td/docs/security/firepower/710/fdm/fptd-fdm-config-guide-710/fptd-fdm-mgmt.html does reference a separate AV-Pair (service-type:NAS Prompt) which I am digging into.

Above was for FMC GUI.

For FTD, yes, you need NAS Prompt.

MHM
