09-22-2021 07:20 AM
I've integrated RADIUS authentication with my FMC deployment. I managed to get the FTD SSH console access to work read-write for administrators and read-only for the lower-privilege reporting group by passing "Service-Type = 6" for admins and "Service-Type = 7" for read-only. However, I do not have SSH access to the FMC with this system. There is a place to manually enter usernames for SSH access in the External Authentication source on the FMC, but doing this breaks the dynamic group membership such that all users now have to be individually managed in the FMC authentication source configuration, and there is no read-only option.
Is there another RADIUS attribute (or attributes) that the FMC would be looking for to grant SSH access?
09-22-2021 10:04 AM
You define ISE Authorisation Profile(s) using "RADIUS Class = <define a value>", such as "FMCAdmin" or "FMCRead".
On the FMC, under External Authentication Objects, for each RADIUS Specific Parameter role you specify the value sent by RADIUS: "Class=FMCAdmin" under the "Administrator" role and "Class=FMCRead" under the "Security Analyst (Read Only)" role.
09-24-2021 02:08 PM
Right, that works just fine for GUI access, but it is not working for console/SSH access to the FMC. It is working just fine for SSH access to the FTD. This leads me to believe that the issue is something specific to the FMC.
01-04-2022 03:19 AM
05-29-2024 10:00 AM
Hi Andrew,
Bit late to the party with this, but on the read-only FTD access specifically... Did you define RADIUS Service-Type=7 on ISE and then define an external authentication object within FMC under the Security Analyst (Read Only) section? I am looking at creating FTD read/write and read-only access. I guess I need to implement Service-Type 6 for the Administrator section on FMC and type 7 in the Security Analyst part?
Not seeing much info on this other than the official Cisco documentation, which defines the Class attribute and one external authentication object for FMC and FTD.
Kind Regards
Marc
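Since the thread hinges on which attributes the RADIUS server is actually returning, here is an added example (not Cisco's or ISE's code, and not from any poster) that decodes an Access-Accept and reports the role each platform should grant according to the mappings described above. It assumes the attribute numbers and Service-Type values from RFC 2865, the "FMCAdmin"/"FMCRead" Class values from the reply above, and constructs its own sample packets with a zeroed authenticator (so no Message-Authenticator or shared-secret validation is performed).

```python
import struct

# Attribute types and Service-Type values are from RFC 2865.
ATTR_SERVICE_TYPE = 6
ATTR_CLASS = 25
SERVICE_TYPE_ADMINISTRATIVE = 6   # FTD read-write, per the thread
SERVICE_TYPE_NAS_PROMPT = 7       # FTD read-only, per the thread
ACCESS_ACCEPT = 2

# Class values are the ones suggested in the thread (assumed site-specific).
FMC_CLASS_ROLES = {"FMCAdmin": "Administrator",
                   "FMCRead": "Security Analyst (Read Only)"}
FTD_SERVICE_ROLES = {SERVICE_TYPE_ADMINISTRATIVE: "read-write",
                     SERVICE_TYPE_NAS_PROMPT: "read-only"}

def parse_radius_attrs(packet: bytes):
    """Return (code, [(type, raw_value)]) from a raw RADIUS packet."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, pos = [], 20          # 4-byte header + 16-byte authenticator
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def expected_roles(packet: bytes):
    """Map the reply's Service-Type and Class to the FTD and FMC roles."""
    code, attrs = parse_radius_attrs(packet)
    roles = {"ftd": None, "fmc": None}
    if code != ACCESS_ACCEPT:
        return roles               # rejects/challenges grant nothing
    for atype, value in attrs:
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            roles["ftd"] = FTD_SERVICE_ROLES.get(struct.unpack("!I", value)[0])
        elif atype == ATTR_CLASS:
            roles["fmc"] = FMC_CLASS_ROLES.get(value.decode("ascii", "replace"))
    return roles

def build_accept(attrs, ident=1):
    """Constructed Access-Accept for offline testing; authenticator is zeroed."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body)) + bytes(16) + body

# Constructed sample replies mirroring the two profiles discussed above.
SAMPLE_ADMIN = build_accept([(ATTR_SERVICE_TYPE, struct.pack("!I", 6)), (ATTR_CLASS, b"FMCAdmin")])
SAMPLE_RO = build_accept([(ATTR_SERVICE_TYPE, struct.pack("!I", 7)), (ATTR_CLASS, b"FMCRead")])
```

Feeding a capture of the real Access-Accept (e.g. exported from a packet capture) to `expected_roles` shows at a glance whether the reply carries the Service-Type the FTD honours and the Class the FMC GUI role mapping expects.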