ISE RADIUS ssh access to both FMC and FTD using groups

Andrew White
Level 1

I've integrated RADIUS authentication with my FMC deployment. I managed to get the FTD ssh console access to work read-write with administrators and read-only for the lower privilege reporting group by passing "Service-Type = 6" for admins and "Service-Type = 7" for read-only. However I do not have ssh access to the FMC with this system. There is a place to manually enter usernames for ssh access in the External Authentication source on the FMC but doing this breaks the dynamic group membership such that all users now have to be individually managed in the FMC authentication source configuration and there is no Read-only option.


Is there another RADIUS attribute or attributes that the FMC would be looking for to grant ssh access?

4 Replies

@Andrew White 

You define an ISE Authorisation Profile(s) using "RADIUS Class = <define a value>", such as "FMCAdmin" or "FMCRead"


On the FMC, under External Authentication Objects for each RADIUS Specific Parameter role you specify the value sent by RADIUS - "Class=FMCAdmin" under "Administrator" role and "Class=FMCRead" under the "Security Analyst (Read Only)" role.

Right, that works just fine for GUI access but it is not working for Console/SSH access to the FMC. It is working just fine for ssh access to the FTD. This leads me to believe that the issue is something specific to the FMC.

marcbinns1987
Level 1

Hi Andrew,

Bit late to the party with this but the read only FTD access specifically... Did you define RADIUS service-type=7 on ISE and then define an external authentication object within FMC under the Security Analysts (Read Only) section? I am looking at creating FTD read/write and read only access. I guess I need to implement service type 6 for the Administrators section on FMC and type 7 in the Sec Analyst part?

Not seeing much info on this other than the official Cisco documentation which defines class type and one external authentication object for FMC and FTD.

Kind Regards

Marc
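As an added example (not code from the thread or from Cisco), this encodes the two RADIUS attributes discussed above, Service-Type and Class, in their RFC 2865 wire format and parses a constructed Access-Accept back into the roles the replies describe. The Class strings "FMCAdmin"/"FMCRead" are the values from the first reply; the role mapping is the thread's, not an official Cisco table.

```python
"""RFC 2865 encoding of Service-Type (attribute 6) and Class (attribute 25),
plus a parser mapping them to the roles named in the thread. The
Access-Accept bytes are constructed here, not captured from a real ISE."""
import struct

SERVICE_TYPE = 6          # RFC 2865 attribute type
CLASS = 25                # RFC 2865 attribute type
ADMINISTRATIVE_USER = 6   # Service-Type value used for read-write shell
NAS_PROMPT_USER = 7       # Service-Type value used for read-only shell


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type | Length | Value; Length includes the 2 header bytes (RFC 2865 s5)."""
    if not 1 <= len(value) <= 253:
        raise ValueError("RADIUS attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_avps(service_type: int, class_value: str) -> bytes:
    """Attribute section of an Access-Accept carrying both attributes."""
    return (encode_attr(SERVICE_TYPE, struct.pack("!I", service_type))
            + encode_attr(CLASS, class_value.encode()))


def parse_avps(data: bytes) -> list:
    """Walk the TLV list; reject malformed lengths instead of looping forever."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def roles_from_accept(data: bytes) -> dict:
    """Map the parsed attributes to the shell and FMC web roles from the thread."""
    roles = {"shell": "none", "fmc_web": "none"}
    for t, value in parse_avps(data):
        if t == SERVICE_TYPE and len(value) == 4:
            st = struct.unpack("!I", value)[0]
            roles["shell"] = {ADMINISTRATIVE_USER: "read-write",
                              NAS_PROMPT_USER: "read-only"}.get(st, "none")
        elif t == CLASS:
            cls = value.decode(errors="replace")
            roles["fmc_web"] = {"FMCAdmin": "Administrator",
                                "FMCRead": "Security Analyst (Read Only)"}.get(cls, "none")
    return roles
```

Running `roles_from_accept` over the attribute bytes of a captured Access-Accept is a quick way to confirm what ISE actually sent before digging into the FMC side.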
