Integration of FireSIGHT System with ISE for RADIUS User Authentication

Available Languages

Download Options

  • PDF     (724.3 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (637.3 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (656.9 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:August 14, 2015
Document ID:118541

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Introduction

This document describes the configuration steps required to integrate a Cisco FireSIGHT Management Center (FMC) or Firepower Managed Device with Cisco Identity Services Engine (ISE) for Remote Authentication Dial In User Service (RADIUS) user authentication.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • FireSIGHT System and Managed Device initial configuration via GUI and/or shell
  • Configuring authentication and authorization policies on ISE
  • Basic RADIUS knowledge

Components Used

The information in this document is based on these software and hardware versions:

  • Cisco ASA v9.2.1
  • ASA FirePOWER module v5.3.1
  • ISE 1.2

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Configure

ISE Configuration

Tip: There are multiple ways to configure ISE authentication and authorization policies to support integration with Network Access Devices (NAD) such as Sourcefire.  The example below is one way to configure the intregration.  The sample configuration is a point of reference and can be adapted to suit the needs of the specific deployment.  Note that the authorization configuration is a two step process.  One or more authorization policies will be defined on ISE with ISE returning RADIUS attribute value pairs (av-pairs) to the FMC or Managed Device.  These av-pairs are then mapped to a local user group defined in the FMC system policy configuration.

Configuring Network Devices and Network Device Groups

  • From the ISE GUI, navigate to Administration > Network Resources > Network Devices.  Click +Add to add a new Network Access Device (NAD).  Provide a descriptive name and device IP address.  The FMC is defined in the example below.

  • Under Network Device Group, click on the orange arrow next to All Device Types.  Click on the icon and select Create New Network Device Group.  In the example screenshot that follows, the Device Type Sourcefire has been configured.  This Device Type will be referenced in the authorization policy rule definition in a later step.  Click Save.

  • Click the orange arrow again and select the Network Device Group configured in the step above

  • Check the box next to Authentication Settings.  Enter the RADIUS shared secret key that will be used for this NAD.  Note the same shared secret key will be used again later when configuring the RADIUS server on the FireSIGHT MC.  To review the plain text key value, click the Show button.  Click Save.

  •  Repeat the above steps for all FireSIGHT MCs and Managed Devices that will require RADIUS user authentication/authorization for GUI and/or shell access.

Configuring ISE Authentication Policy:

  • From the ISE GUI, navigate to Policy > Authentication.  If using Policy Sets, navigate to Policy > Policy Sets.  The example below is taken from an ISE deployment that uses the default authentication and authorization policy interfaces.  The authentication and authorization rule logic is the same regardless of the configuration approach.
  • The Default Rule (If no match) will be used to authenticate RADIUS requests from NADs where the method in use is not MAC Authentication Bypass (MAB) or 802.1X.  As configured by default, this rule will look for user accounts in ISE's local Internal Users identity source.  This configuration can be modified to refer to an external identity source such as Active Directory, LDAP, etc as defined under Administration > Identity Management > External Identity Sources.  For sake of simplciity, this example will define user accounts locally on ISE so no further modifications to the authentication policy are required.  

Adding a Local User to ISE

  • Navigate to Administration > Identity Management > Identities > Users.  Click Add.  Enter a meaningful username and password. Under the User Groups selection, select an existing group name or click the green + sign to add a new group.  In this example, the user "sfadmin" is assigned to the custom group "Sourcefire Administrator".  This user group will be linked to the authorization profile defined in the Configuring ISE Authorization Policy step below.  Click Save

Configuring ISE Authorization Policy

  • Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles.  Click the green + sign to add a new authorization profile.
  • Provide a descriptive Name such as Sourcefire Administrator.  Select ACCESS_ACCEPT for the Access Type.  Under Common Tasks, scroll to the bottom and check the box next to ASA VPN.  Click the orange arrow and select InternalUser:IdentityGroup.  Click Save.

Tip: Because this example uses the ISE local user identity store, the InternalUser:IdentityGroup group option is used to simplify the configuration.  If using an external identity store, the ASA VPN authorization attribute is still used, however, the value to be returned to the Sourcefire device is manually configured.  For example, manually typing Administrator in the ASA VPN drop down box will result in a Class-25 av-pair value of Class = Administrator being sent to the Sourcefire device.  This value can then be mapped to a sourcefire user group as part of the system policy configuration.  For internal users, either configuration method is acceptable.

Internal User Example

External User Example

  • Navigate to Policy > Authorization and configure a new authorization policy for the Sourcefire administration sessions.  The example below uses the DEVICE:Device Type condition to match the device type configured in the

    Configuring Network Devices and Network Device Groups section above.  This policy is then associated with the Sourcefire Administrator authorization profile configured above.  Click Save.

Sourcefire System Policy Configuration

  • Login to the FireSIGHT MC and navigate to System > Local > User Management.  Click on the Login Authentication tab.  Click the + Create Authentication Object button to add a new RADIUS server for user authentication/authorization.
  • Select RADIUS for the Authentication Method.  Enter a descriptive name for the RADIUS server.  Enter the Host Name/IP Address and RADIUS Secret Key.  The secret key should match the key previously configured on ISE.  Optionally enter a backup ISE server Host Name/IP address if one exists.

  • Under the RADIUS-Specific Parameters section, enter the Class-25 av-pair string in the text box next to the Sourcefire local group name to be matched for GUI access.  In this example, the Class=User Identity Groups:Sourcefire Administrator value is mapped to the Sourcefire Administrator group.  This is the value that ISE returns as part of the ACCESS-ACCEPT.  Optionally, select a Default User Role for authenticated users who do not have Class-25 groups assigned.  Click Save to save the configuration or proceed to the Verify section below to test authentication with ISE. 

  • Under Shell Access Filter, enter a comma separated list of users to restrict shell/SSH sessions.

Enable External Authentication

Finally, complete these steps in order to enable external authentication on the FMC:

  1. Navigate to System > Local > System Policy.
  2. Select External Authentication on the left panel.
  3. Change the Status to Enabled (disabled by default).
  4. Enable the added ISE RADIUS server.
  5. Save the policy and reapply the policy on the appliance.

Verify

  • To test user authentication against ISE, scroll down to the Additional Test Parameters section and enter a username and password for the ISE user.  Click Test.  A successfull test will result in a green Success:  Test Complete message at the top of the browser window.

  • To view the results of the test authentication, go to the Test Output section and click the black arrow next to Show Details.  In the example screenshot below, note the "radiusauth - response: |Class=User Identity Groups:Sourcefire Administrator|" value received from ISE.  This should match the Class value associated with the local Sourcefire group configured on the FireSIGHT MC above.  Click Save.

  • From the ISE Admin GUI, navigate to Operations > Authentications to verify the success or failure of the user authentication test.

Troubleshoot

  • When testing user authentication against ISE, the following error is indicative of a RADIUS Secret Key mismatch or an incorrect username/password. 

  • From the ISE admin GUI, navigate to Operations > Authentications.  A red event is indicative of a failure while a green event is indicative of a successful authentication/authorization/Change of Authorization.  Click on the icon to review the details of the authentication event.

Related Information

Technical Support & Documentation - Cisco Systems

TAC Authored

Contributed by Cisco Engineers

  • Todd Pula
    Cisco TAC Engineer
  • Nazmul Rajib
    Cisco TAC Engineer

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products