ISE 2.2 FMC user radius authentication

Hello everyone,

 

I'm working to have FMC user authentication through Cisco ISE (with AD), but I cannot find proper documentation, just some old stuff like https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html .

 

Does anyone have a proper example of how this must be done?

ISE is on version 2.2 (already integrated with AD), FMC on 6.2.3.1.

 

Thank you!

Best regards.

 

Hall of Fame Master

Re: ISE 2.2 FMC user radius authentication

Even though it's several years old, the basics of using ISE (or any other external RADIUS server) for FMC user authentication haven't changed.

 

I use the method described in the article you mentioned with my installation (ISE 2.4 and FMC 6.2.3.2) just fine.

Beginner

Re: ISE 2.2 FMC user radius authentication

Hello Marvin,

 

Thanks for the reply.

The problem I have is the authorization through AD.

 

check_auth_radius: szUser: XXX
RADIUS config file: /var/tmp/fF3Rri8AVH/radiusclient_0.conf
radiusauth - response: |User-Name=xxx|
radiusauth - response: |State=ReauthSession:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ|
radiusauth - response: |Class=[x.x.x/S-1-5-32-545, S-1-5-21-588942262-2422670607-1746572812-94476]|
radiusauth - response: |Class=CACS:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ:DKIX09INF-ISE-1/313846743/128638|
"xxx" RADIUS Authentication OK
No Access

 

The authentication is working; however, I'm not able to authorize myself.

 

Not sure how the Class and Groups need to be set up in the FMC or what attribute the ASA VPN should have in ISE.

 

Still working on this.

 

Best regards.

Beginner

Re: ISE 2.2 FMC user radius authentication

I've just configured this on FMC version 6.2.3.8 following this guide: https://goo.gl/pm1e4G

 

Just a note: under the RADIUS-Specific Parameters section, instead of "Class=User Identity Groups:Sourcefire Administrator" I've set it to "Class=Administrator".

 

Best regards,

Matteo

 

 

Participant

Re: ISE 2.2 FMC user radius authentication

For what it's worth, I am having the very same problem/frustration.

I'd like to know the exact strings to enter into the FMC's RADIUS-Specific Parameters Administrator field, and exactly what to use for the corresponding av-pair in the ISE authorization profile.

 

I have tried User-Category=Administrator on the FMC and Access Type = ACCESS_ACCEPT
cisco-av-pair = User-Category=Administrator in ISE, as well as replacing the = with a :.

Also tried Class=Administrator and cisco-av-pair = Class=Administrator (as well as replacing = with :) but those don't work either.

Authentication is successful, but the user role assignment is NOT working. I always end up with the default role of Security Analyst read-only.

 

Can someone please clear this up once and for all??? So frustrated!

 

Thanks very much.

Participant

Re: ISE 2.2 FMC user radius authentication

Of course, right after I made my earlier post I figured it out from this document:

https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118541-configure-firesight-00.html

Pay close attention to the Tip!

Hopefully this helps someone else!

Capture.PNG

 

Beginner

Re: ISE 2.2 FMC user radius authentication

I just got this working. Here's how I did it:

 

In ISE 2.3:

AuthZ profile in Policy results: call your policy "FMC_Admin". When using the ASA VPN checkbox, click the dropdown menu and overwrite it with "Administrator", or whatever you want to call it. Let's say "Paladin" to make a point. Just make sure that name is carried over to FMC later.

The bottom of the attribute details box should now say:

 

Access Type: ACCESS_ACCEPT

Class = Administrator (or Paladin)

 

Add this to your Authz policy as usual.

In the authentication conditions on the same policy, select the AD group that your admins will be a member of. This is local only to ISE and AD. FMC has no sight of this.

 

Now, in the example on the page, for the Administrator role on FMC, that box is filled with "Class = User Identity Groups: Sourcefire Administrator"; overwrite this with "Class=Administrator (or Paladin)", where this is the name you created in your authz profile. Note this is local only to ISE and FMC.

 

And away you go!
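As an added illustration (not code from this thread, from Cisco, or from the posters), a small Python model of the matching that the posts describe: FMC compares each role's "Attribute=Value" string from its RADIUS-Specific Parameters against the attribute/value pairs in the RADIUS Access-Accept. Run over the original poster's captured radiusauth log (where Class carries AD SIDs and a CACS session id but nothing equal to "Administrator") and over a constructed response shaped like the accepted solution, it shows why the first yields no role while the second maps to Administrator. Whole-value equality is an assumption of this model, not FMC's documented matching algorithm.

```python
import re
from typing import List, Optional, Tuple

# Matches one attribute line of FMC's radiusauth debug output, e.g.
# "radiusauth - response: |Class=Administrator|"
RESPONSE_RE = re.compile(r"radiusauth - response: \|([^=|]+)=(.*)\|$")

def parse_response(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Extract (attribute, value) pairs from radiusauth response lines.
    RADIUS lets an attribute such as Class appear several times, so the
    pairs are kept as a list rather than collapsed into a dict."""
    pairs = []
    for line in log_lines:
        m = RESPONSE_RE.search(line.strip())
        if m:
            pairs.append((m.group(1).strip(), m.group(2).strip()))
    return pairs

def assign_role(pairs, role_filters) -> Optional[str]:
    """Model of FMC's RADIUS-Specific Parameters: each role has an
    'Attribute=Value' filter string and the user gets the first role whose
    filter equals one returned pair. Whole-value equality is an assumption
    of this model, not FMC's documented algorithm. None means no role
    matched (FMC then uses its default role, or denies access)."""
    for role, flt in role_filters.items():
        want_attr, _, want_val = (p.strip() for p in flt.partition("="))
        if (want_attr, want_val) in pairs:
            return role
    return None

# Filter string entered on the FMC side, as in the accepted answers.
FMC_ROLE_FILTERS = {"Administrator": "Class=Administrator"}

# Response from the original poster's log: Class carries AD group SIDs and
# an ISE CACS session id, but no value equal to "Administrator".
OP_RESPONSE = [
    "radiusauth - response: |User-Name=xxx|",
    "radiusauth - response: |State=ReauthSession:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ|",
    "radiusauth - response: |Class=[x.x.x/S-1-5-32-545, S-1-5-21-588942262-2422670607-1746572812-94476]|",
    "radiusauth - response: |Class=CACS:0ac7c82cbjeyc4zZNkNstxPVbwVeRV79i9a1aaxK74wxv27M7rQ:DKIX09INF-ISE-1/313846743/128638|",
]

# Constructed response shaped like the accepted solution, where the ISE
# authorization profile sends Class=Administrator explicitly.
FIXED_RESPONSE = OP_RESPONSE[:2] + [
    "radiusauth - response: |Class=Administrator|",
    OP_RESPONSE[3],
]
```

Calling `assign_role(parse_response(OP_RESPONSE), FMC_ROLE_FILTERS)` returns None, matching the "No Access" in the poster's log, while the same call on FIXED_RESPONSE returns "Administrator".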

 

Frequent Contributor

Re: ISE 2.2 FMC user radius authentication

Hello,

Today I configured Cisco FMC 6.2.3.10 with Aruba ClearPass using RADIUS.

All went well until I had to pick the authentication method. I ended up with PAP. Does anyone know how I can "convince" FMC to accept MSCHAP at least? How can I edit / choose the RADIUS auth method on Firepower Management Center?

 

Thanks,

Florin.