Introduction
This document describes how to configure RADIUS authentication and authorization for Secure Firewall Chassis Manager with ISE.
Prerequisites
Requirements
Cisco recommends having knowledge of the following topics:
- Secure Firewall Chassis Manager (FCM)
- Cisco Identity Services Engine (ISE)
- RADIUS Authentication
Components Used
- Cisco Firepower 4110 Security Appliance FXOS v2.12
- Cisco Identity Services Engine (ISE) v3.2 patch 4
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.
Configure
Configurations
Secure Firewall Chassis Manager
Step 1. Log into the Firepower Chassis Manager GUI.
Step 2. Navigate to Platform Settings.
![Screenshot 2024-02-01 at 4.28.18 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-00.png)
Step 3. From the left menu, click AAA. Select RADIUS and add a new RADIUS provider.
![Screenshot 2024-02-01 at 4.30.28 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-01.png)
Step 4. Fill in the prompt with the requested RADIUS provider information (server address, key, port) and click OK.
![Screenshot 2024-02-01 at 4.41.17 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-02.png)
Step 5. Navigate to System > User Management.
![Screenshot 2024-02-01 at 4.46.57 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-03.png)
Step 6. Click the Settings tab and set Default Authentication to RADIUS from the drop-down menu, then scroll down and save the configuration.
![Screenshot 2024-02-01 at 4.52.58 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-04.png)
Note: The FCM configuration is finished at this point.
Identity Services Engine
Step 1. Add a new Network Device.
Navigate to the burger icon ≡ located in the upper left corner > Administration > Network Resources > Network Devices > +Add.
![Screenshot 2024-02-01 at 5.04.06 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-05.png)
Step 2. Fill in the parameters requested for the new Network Device.
2.1 Check the RADIUS checkbox.
2.2 Configure the same Shared Secret key as in the FCM RADIUS configuration.
2.3 Scroll down and click Submit.
![Screenshot 2024-02-01 at 5.13.23 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-06.png)
Step 3. Validate the new device is shown under Network Devices.
![Screenshot 2024-02-01 at 5.19.28 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-07.png)
Step 4. Create the required User Identity Groups. Navigate to the burger icon ≡ located in the upper left corner > Administration > Identity Management > Groups > User Identity Groups > + Add.
![Screenshot 2024-02-01 at 5.21.59 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-08.png)
Step 5. Set a name for the Admin User Identity Group and click Submit in order to save the configuration.
![Screenshot 2024-02-01 at 5.32.07 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-09.png)
5.1 Repeat the same process for ReadOnly users.
![Screenshot 2024-02-01 at 5.34.56 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-10.png)
Step 6. Validate that the new User Groups are shown under User Identity Groups.
![Screenshot 2024-02-01 at 5.37.12 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-11.png)
Step 7. Create the local users and add them to their corresponding group. Navigate to the burger icon ≡ > Administration > Identity Management > Identities > + Add.
![Screenshot 2024-02-01 at 5.39.06 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-12.png)
7.1 Add the user with Administrator rights. Set a name, password, and assign it to FPR-4110-Admin, scroll down and click Submit to save the changes.
![Screenshot 2024-02-01 at 5.42.41 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-13.png)
7.2 Add the user with ReadOnly rights. Set a name, password and assign it to FPR-4110-ReadOnly, scroll down and click Submit to save the changes.
![Screenshot 2024-02-01 at 5.46.28 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-14.png)
7.3 Validate that the users are listed under Network Access Users.
![Screenshot 2024-02-01 at 5.50.43 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-15.png)
Step 8. Create the Authorization Profile for the Admin user.
The FXOS chassis includes these user roles:
- Administrator - Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
- Read-Only - Read-only access to system configuration with no privileges to modify the system state.
- Operations - Read-and-write access to NTP configuration, Smart Call Home configuration for Smart Licensing, and system logs, including syslog servers and faults. Read access to the rest of the system.
- AAA - Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
The RADIUS attribute (Cisco AV pair) that assigns each role:
cisco-av-pair=shell:roles="admin"
cisco-av-pair=shell:roles="aaa"
cisco-av-pair=shell:roles="operations"
cisco-av-pair=shell:roles="read-only"
Note: This documentation only defines admin and read-only attributes.
Navigate to burger icon ≡ > Policy > Policy Elements > Results > Authorization > Authorization Profiles > +Add.
Define a name for the Authorization Profile, leave Access Type as ACCESS_ACCEPT, add cisco-av-pair=shell:roles="admin" under Advanced Attributes Settings, and click Submit.
![Screenshot 2024-02-02 at 10.57.21 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-16.png)
![Screenshot 2024-02-02 at 11.01.23 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-17.png)
8.1 Repeat the previous step to create the Authorization Profile for the ReadOnly user. This time create the RADIUS attribute with the value read-only instead of admin (the Administrator role).
![Screenshot 2024-02-01 at 6.01.34 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-18.png)
![Screenshot 2024-02-02 at 11.03.22 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-19.png)
Step 9. Create a Policy Set matching the FCM IP address. This restricts the policy to this chassis, so the same users are not granted access through other network devices.
Navigate to ≡ > Policy > Policy Sets > Add icon at the upper left corner.
![Screenshot 2024-02-02 at 11.07.53 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-20.png)
9.1 A new line is placed at the top of your Policy Sets. Click the Add icon to configure a new condition.
![Screenshot 2024-02-02 at 11.09.41 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-21.png)
9.2 Add a top condition for the RADIUS NAS-IP-Address attribute matching the FCM IP address, then click Use.
![Screenshot 2024-02-02 at 11.12.33 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-22.png)
![Screenshot 2024-02-02 at 11.13.25 a.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-23.png)
9.3 Once completed, click Save.
![Screenshot 2024-02-02 at 12.09.04 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-24.png)
Tip: For this exercise the Default Network Access Protocols list is allowed. You can create a new list and narrow it down as needed.
Step 10. View the new Policy Set by clicking the > icon at the end of the row.
![Screenshot 2024-02-02 at 12.13.33 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-25.png)
10.1 Expand the Authorization Policy menu and click (+) to add a new condition.
![Screenshot 2024-02-02 at 12.18.59 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-26.png)
10.2 Set the condition to match Dictionary Identity Group with Attribute Name Equals User Identity Groups: FPR-4110-Admins (the group name created in Step 7) and click Use.
![Screenshot 2024-02-02 at 12.20.20 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-27.png)
![Screenshot 2024-02-02 at 12.21.29 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-28.png)
10.3 Validate that the new condition is configured in the Authorization Policy, then add the Admin Authorization Profile created in Step 8 under Profiles.
![Screenshot 2024-02-02 at 12.26.51 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-29.png)
Step 11. Repeat the same process from Step 9 for Read-Only users (group FPR-4110-ReadOnly with the ReadOnly Authorization Profile) and click Save.
Verify
1. Attempt to log into the FCM GUI using the new RADIUS credentials.
2. Navigate to burger icon ≡ > Operations > RADIUS > Live Logs.
3. The information displayed shows whether the user logged in successfully.
![Screenshot 2024-02-02 at 12.53.45 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-30.png)
4. Validate the logged-in user's role from the Secure Firewall Chassis CLI.
![Screenshot 2024-02-02 at 1.00.09 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-31.png)
Troubleshoot
1. In the ISE GUI, navigate to burger icon ≡ > Operations > RADIUS > Live Logs.
1.1 Validate whether the session request reaches the ISE node.
1.2 For a failed status, review the session details.
![Screenshot 2024-02-01 at 6.33.04 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-32.png)
2. For requests that do not appear in RADIUS Live Logs, use a packet capture to check whether the UDP request reaches the ISE node.
Navigate to burger icon ≡ > Operations > Troubleshoot > Diagnostic Tools > TCP Dump. Add a new capture and download the file to your local machine to review whether the UDP packets arrive at the ISE node.
2.1 Fill in the requested information, scroll down and click Save.
![Screenshot 2024-02-02 at 1.12.14 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-33.png)
2.2 Select and Start the capture.
![Screenshot 2024-02-02 at 1.22.19 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-34.png)
2.3 Attempt to log in to the Secure Firewall Chassis while the ISE capture is running.
2.4 Stop the TCP Dump in ISE and download the file to a local machine.
2.5 Review the traffic output.
Expected output:
Packet No. 1: Access-Request from the Secure Firewall to the ISE server on UDP port 1812 (RADIUS).
Packet No. 2: ISE server reply (Access-Accept) accepting the initial request.
![Screenshot 2024-02-02 at 1.25.04 p.m.](/c/dam/en/us/support/docs/security/firepower-4100-series/221646-configure-ise-radius-authentication-for-35.png)
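The two packets described above, and the cisco-av-pair attribute from Step 8, can be checked offline once the capture is downloaded. This added example (not part of the Cisco document) decodes a constructed Access-Request/Access-Accept pair and extracts the shell:roles value that FXOS maps to a user role; the user name, NAS IP and zeroed authenticators are sample values, not from a real capture.

```python
import struct

CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
FXOS_ROLES = {"admin", "aaa", "operations", "read-only"}  # roles listed in Step 8
CISCO = 9  # Cisco's IANA enterprise number, used inside Vendor-Specific (type 26)

def parse_radius(packet):
    """Return (code name, identifier, [(attr type, value), ...]) for a raw RADIUS packet."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("RADIUS length field does not match the packet")
    attrs, i = [], 20  # attributes start after the 16-byte authenticator
    while i < length:
        atype, alen = packet[i], packet[i + 1]
        if alen < 2 or i + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[i + 2:i + alen]))
        i += alen
    return CODES.get(code, f"code-{code}"), ident, attrs

def cisco_av_pairs(attrs):
    """Cisco VSA type 1 (cisco-av-pair) strings carried in Vendor-Specific attributes."""
    pairs = []
    for atype, value in attrs:
        if atype == 26 and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == CISCO:
            vsa_type, vsa_len = value[4], value[5]
            if vsa_type == 1 and 2 <= vsa_len <= len(value) - 4:
                pairs.append(value[6:4 + vsa_len].decode())
    return pairs

def fxos_role(accept_attrs):
    """Role FXOS assigns from shell:roles, or None if the pair is absent or unknown."""
    for pair in cisco_av_pairs(accept_attrs):
        if pair.startswith("shell:roles="):
            role = pair.split("=", 1)[1].strip('"')
            return role if role in FXOS_ROLES else None
    return None

def build(code, ident, attrs):
    """Assemble a RADIUS packet; the authenticator is zeroed for this sample."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def av_pair(text):
    s = text.encode()
    return struct.pack("!IBB", CISCO, 1, len(s) + 2) + s
# Constructed sample exchange: the request carries User-Name (1) and NAS-IP-Address (4),
# the accept carries the admin role exactly as the Authorization Profile sends it.
ACCESS_REQUEST = build(1, 7, [(1, b"fxos-admin"), (4, bytes([192, 0, 2, 10]))])
ACCESS_ACCEPT = build(2, 7, [(26, av_pair('shell:roles="admin"'))])
```

An Access-Accept with no recognised shell:roles pair yields None, which is the case to look for when ISE shows a successful authentication but the user lands with the wrong privileges on the chassis.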