09-22-2021 07:20 AM
I've integrated RADIUS authentication with my FMC deployment. I managed to get the FTD ssh console access to work read-write with administrators and read-only for the lower privilege reporting group by passing "Service-Type = 6" for admins and "Service-Type = 7" for read-only. However, I do not have ssh access to the FMC with this system. There is a place to manually enter usernames for ssh access in the External Authentication source on the FMC, but doing this breaks the dynamic group membership such that all users now have to be individually managed in the FMC authentication source configuration, and there is no Read-only option.
Is there another RADIUS attribute or attributes that the FMC would be looking for to grant ssh access?
09-22-2021 10:04 AM
You define an ISE Authorisation Profile(s) using "RADIUS Class = <define a value>", such as "FMCAdmin" or "FMCRead"
On the FMC, under External Authentication Objects for each RADIUS Specific Parameter role you specify the value sent by RADIUS - "Class=FMCAdmin" under "Administrator" role and "Class=FMCRead" under the "Security Analyst (Read Only)" role.
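As an added illustration of the attribute mapping discussed in this thread (this is example code, not from either poster or from Cisco), the following encodes and decodes RFC 2865 RADIUS attribute-value pairs and applies the two mappings described above: Service-Type 6/7 for the FTD shell role and a Class attribute for the FMC GUI role. The Class strings "FMCAdmin"/"FMCRead" are the example values from the reply; on a real FMC the Class-to-role mapping is whatever the administrator configured under External Authentication Objects, so the dictionary here is an assumption.

```python
"""Encode/decode RFC 2865 RADIUS AVPs and map them to the roles this thread describes."""
import struct

SERVICE_TYPE = 6            # RFC 2865 attribute 6, integer value
CLASS = 25                  # RFC 2865 attribute 25, opaque string value
ADMINISTRATIVE_USER = 6     # Service-Type value the FTD treats as read-write (per thread)
NAS_PROMPT_USER = 7         # Service-Type value the FTD treats as read-only (per thread)

# Assumed FMC configuration: Class value -> FMC role (admin-defined, from the reply above)
CLASS_TO_FMC_ROLE = {b"FMCAdmin": "Administrator",
                     b"FMCRead": "Security Analyst (Read Only)"}
SERVICE_TYPE_TO_FTD_ROLE = {ADMINISTRATIVE_USER: "read-write", NAS_PROMPT_USER: "read-only"}

def encode_avp(attr_type, value):
    """Pack one AVP as type(1) length(1) value; integers are 4-byte big-endian."""
    payload = struct.pack("!I", value) if isinstance(value, int) else value.encode()
    if not 1 <= len(payload) <= 253:
        raise ValueError("AVP value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(payload) + 2) + payload

def decode_avps(data):
    """Walk a byte string of AVPs, rejecting truncated or malformed lengths."""
    avps, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated AVP header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad AVP length")
        avps.append((attr_type, data[i + 2:i + length]))
        i += length
    return avps

def roles_from_accept(attrs):
    """Return (ftd_shell_role, fmc_gui_role) for the attributes of an Access-Accept."""
    ftd_role = fmc_role = None
    for attr_type, value in decode_avps(attrs):
        if attr_type == SERVICE_TYPE and len(value) == 4:
            ftd_role = SERVICE_TYPE_TO_FTD_ROLE.get(struct.unpack("!I", value)[0], ftd_role)
        elif attr_type == CLASS:
            fmc_role = CLASS_TO_FMC_ROLE.get(value, fmc_role)
    return ftd_role, fmc_role

def build_accept_attrs(service_type, class_value):
    """Constructed Access-Accept attribute payload carrying both mappings."""
    return encode_avp(SERVICE_TYPE, service_type) + encode_avp(CLASS, class_value)
```

Running `roles_from_accept(build_accept_attrs(7, "FMCRead"))` yields `("read-only", "Security Analyst (Read Only)")`, which is the combination the original poster wanted for the reporting group.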
09-24-2021 02:08 PM
Right, that works just fine for GUI access but it is not working for Console/SSH access to the FMC. It is working just fine for ssh access to the FTD. This leads me to believe that the issue is something specific to the FMC.