Configure FDM External Authentication and Authorization with ISE using RADIUS

Available Languages

Download Options

  • PDF     (2.7 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.8 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.6 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 8, 2021
Document ID:217234

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the procedure to integrate Cisco Firepower Device Manager (FDM) with Identity Services Engine (ISE) for administrator users authentication with RADIUS Protocol for both GUI and CLI access.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Firepower Device Manager (FDM)
    • Identity Services Engine (ISE)
    • RADIUS protocol

    Components Used

     The information in this document is based on these software and hardware versions:

    • Firepower Threat Defense (FTD) Device, all platforms Firepower Device Manager (FDM) version 6.3.0+
    • ISE version 3.0

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Interoperability

    • RADIUS server with users configured with user roles
    • User roles must be configured on RADIUS server with cisco-av-pair
    • Cisco-av-pair = fdm.userrole.authority.admin
    • ISE can be used as a RADIUS server

    Licensing

    No specific license requirement, the base license is sufficient

    Background Information

    This feature allows customers to configure External Authentication with RADIUS and multiple user roles for those users.

    RADIUS support for Management Access with 3 system-defined user roles:

    • READ_ONLY
    • READ_WRITE (cannot perform system critical actions like Upgrade, Restore etc.)
    • ADMIN

    There is the ability to test the RADIUS server’s configuration and to monitor active user sessions and delete a user session.

    The feature was implemented in FDM version 6.3.0. Prior to the 6.3.0 release, FDM had support for one user(admin) only.

    By default, Cisco Firepower Device Manager authenticates and authorizes users locally, in order to have a centralized authentication and authorization method you can use Cisco Identity Service Engine through RADIUS protocol.

    Network Diagram

    The next image provides an example of a network topology

    FDM Diagram

    Process:

    1. Admin User introduces its credentials.
    2. Authentication process triggered and ISE validates the credentials locally or through Active Directory.
    3. Once authentication is successful ISE sends a Permit packet for authentication and authorization information to FDM.
    4. Account performs on ISE and a successful authentication live log happens.

    Configure

    FDM Configuration

    Step 1. Log in into FDM and navigate to Device > System Settings > Management Access tab

    1img

    Step 2. Create New RADIUS Server Group

    2img

    Step 3. Create new RADIUS Server

    3img

    Screen Shot 2021-07-07 at 11.39.53

    Step 4. Add RADIUS Server into the RADIUS Server Group

    5img

    Step 5. Select created group as Server Group for Management

    6img

    fdm

    Step 6. Save the configuration

    7img

    ISE Configuration

    Step 1. Navigate to three lines iconecanogut_0-1625675448492located in the upper left corner and select on Administration > Network Resources > Network Devices

    NDimg

    Step 2. Select the +Add button and define Network Access Device Name and IPAddress, then check the RADIUS checkbox and define a shared secret. Select on Submit

    ipaddress

    radius passwordNAD view

    Step 3. Navigate to three lines iconecanogut_1-1625676207352located in the upper left corner and Select on Administration > Identity Management > Groups

    Identity groups

    Step 4. Select on User Identity Groups and select on +Add button. Define a name and select on Submit

    fdmadmin

    UIG overview

    fdmread

    Note: In this example, FDM_Admin and FDM_ReadOnly Identity groups created, you can repeat Step 4 for each type of Admin Users used on FDM.

    Step 5. Navigate to three lines icon located in the upper left corner and select Administration > Identity Management > Identities. Select on +Add and define the username and password, then select the group where the user belongs to. In this example, fdm_admin and fdm_readonly users were created and assigned to FDM_Admin and FDM_ReadOnly group respectively.

    fdmauser

    fdmadmin2

    FDMoverview

    Step 6. Select the three lines icon located in the upper left corner and navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles, select on +Add, define a name for the Authorization Profile. Select Radius Service-type and select Administrative, then select Cisco-av-pair and paste the role the admin user gets, in this case, the user receives a full admin privilege (fdm.userrole.authority.admin). Select on Submit. Repeat this step for each role, read-only user configured as another example in this document.

    authzprofile

    attributes

    attributes oper

    Note: Ensure the order of the Advance attributes section is as with the images example in order to avoid unexpected result when log in with GUI and CLI.

    Step 8. Select the three lines icon and navigate to Policy > Policy Sets. Select on ecanogut_3-1625677265767 button located below Policy Sets title, define a name and select on the + button in the middle to add a new condition.

    Step 9. Under Condition window, select to add an attribute and then select on Network Device Icon followed by Network access device IP address.  Select Attribute Value and add the FDM IP address. Add a new condition and select on Network Access followed by Protocol option, select on RADIUS and select on Use once done.

    policy set

    Step 10. Under allow protocols section, select Device Default Admin. Select on Save

    default

    Step 11. Select on the right arrow ecanogut_4-1625677518377icon of the Policy Set to Define authentication and authorization policies

    Step 12. Select on ecanogut_5-1625677518378 located below Authentication Policy title, define a name and select on the + in the middle to add a new condition. Under Condition window, select to add an attribute and then select on Network Device Icon followed by Network access device IP address.  Select on Attribute Value and add the FDM IP address. Select on Use once done

    Step 13. Select Internal Users as the Identity Store and select on Save

    authe

    Note: Identity Store can be changed to AD store if ISE is joined to an Active Directory.

    Step 14. Select on ecanogut_6-1625677601286located below Authorization Policy title, define a name and select on the + in the middle to add a new condition. Under Condition window, select to add an attribute and then select on Identity Group icon followed by Internal User:Identity Group. Select the FDM_Admin Group, Select the AND along with NEW option to add a new condition, select on port icon followed by RADIUS NAS-Port-Type:Virtual  and select on Use.

    authori

    Step 15. Under Profiles, select the profile created in Step 6 and then select on Save

    Repeat Step 14 and 15 for FDM_ReadOnly group

    authorization2

    Step 16 (Optional).  Navigate to three lines icon located in the upper left corner and select on Administration > System > Maintenance > Repository and select on +Add to add a repository  used to store TCP Dump file for troubleshoot purposes.

    Step 17 (Optional). Define a repository Name, protocol, Server Name, path and Credentials. Select on Submit once done.

    backup

    Verify

    Step 1.Navigate to Objects > Identity Sources tab and verify RADIUS Server and Group Server configuration

    10img

    Step 2. Navigate to Device > System Settings > Management Access tab and select the TEST button

    8img

    Step 3.Insert user credentials and select the TEST button

    9img

    Step 4. Open a new window browser and type https.//FDM_ip_Address, use fdm_admin username and password created on step 5 under ISE configuration section.

    FDMGUI

    Successful log in attempt can be verified on ISE RADIUS live logs

    Logs

    Admin User can also be reviewed on FDM on the upper right corner

    FDMG

    Cisco Firepower Device Manager CLI (Admin User)

    CLI1

    CLI2

    Troubleshoot

    This section provides the information you can use to troubleshoot your configuration.

    Communication validation with TCP Dump tool on ISE

    Step 1. Log in on ISE and select the three lines icon located in the upper left corner and navigate to Operations > Troubleshoot > Diagnostic Tools.

    Step 2. Under General tools select on TCP Dumps and then select on Add+. Select Hostname, Network Interface File Name, Repository, and optionally a filter to gather only FDM IP address communication flow. Select on Save and Run

    TCP tump

    Step 3. Log in on FDM UI and type the admin credentials.

    Step 4. On ISE, select on Stop button and verify the pcap file has been sent to the defined repository. 

    TCP2

    TCP3

    TCP4

    Step 5. Open the pcap file to validate the successful communication between FDM and ISE.

    pcap

    If no entries are shown on pcap file validate the next options:

    1. Right ISE IP address has been added on FDM configuration
    2. In case of a firewall is in the middle verify port 1812-1813 is permitted.
    3. Check communication between ISE and FDM

    Communication validation with FDM generated file.

    In troubleshoot file generated from FDM Device page look for keywords:

    • FdmPasswordLoginHelper
    • NGFWDefaultUserMgmt
    • AAAIdentitySourceStatusManager
    • RadiusIdentitySourceManager

    All the logs related to this feature can be found in /var/log/cisco/ngfw-onbox.log

    References:

    https://www.cisco.com/c/en/us/td/docs/security/firepower/640/fdm/fptd-fdm-config-guide-640/fptd-fdm-mgmt.html#id_73793

    Common Issues

    Case 1 - External Auth not working

    • Check secretKey, port, or hostname
    • Misconfiguration of AVPs on RADIUS
    • Server can be in ‘Dead Time’

    Case 2 -Test IdentitySource fails

    • Make sure the changes to object are saved
    • Make sure the credentials are correct

    Limitations

    • FDM allows max of 5 active FDM sessions.
    • Creation of 6th session results in the 1st session revoked
    • Name of RadiusIdentitySourceGroup cannot be “LocalIdentitySource”
    • Max of 16 RadiusIdentitySources to a RadiusIdentitySourceGroup
    • Misconfiguration of AVPs on RADIUS result in Denying access to FDM

    Q&A

    Q:   Does this feature work in Evaluation mode?

    A: Yes

    Q:  If two read-only users log in, where have access to read-only user 1, and they log in from two diff browsers.  How will it show?  What will happen?

    A: Both user's sessions are shown in the active user sessions page with the same name.  Each entry shows an individual value for the time stamp.

    Q:  What is the behavior is the external radius server provides an access reject vs. "no response" if you have local auth configured 2nd?

    A:  You can try LOCAL auth even if you get Access reject or no response if you have local auth configured 2nd.

    Q:  How ISE differentiates a RADIUS request for admin log in vs. RADIUS request to authenticate an RA VPN user

    A:  ISE doesn’t differentiate a RADIUS request for Admin Vs RAVPN users. FDM looks at cisco-avpair attribute to figure out Authorization for Admin access. ISE sends all the attributes configured for the user in both the cases.

    Q:  That means ISE logs is not be able to differentiate between an FDM admin log in and that same user accessing remote access VPN on same device.  Is there any RADIUS attribute passed to ISE in the access request that ISE can key on?

    A:  Following are the upstream RADIUS attributes that are sent from the FTD to ISE during RADIUS authentication for RAVPN. These are not sent as part of External Auth Management Access Request and can be used to differentiate a FDM administration log in Vs RAVPN user log in.

            146 - Tunnel Group Name or Connection Profile Name.

            150 – Client Type (Applicable values: 2 = AnyConnect Client SSL VPN, 6 = AnyConnect Client IPsec VPN (IKEv2).

            151 – Session Type (Applicable values: 1 = AnyConnect Client SSL VPN, 2 = AnyConnect Client IPSec VPN (IKEv2).

    Revision History

    Revision Publish Date Comments
    1.0
    07-Jul-2021
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Anita Pietrzyk
      Customer Success Specialist
    • Emmanuel Cano
      Cisco Professional Services
    • Horacio Arroyo
      Cisco Professional Services

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco