This document describes how to configure RADIUS Authentication and Authorization for the Firepower eXtensible Operating System (FXOS) chassis via Access Control Server (ACS).
The FXOS chassis includes the following User Roles:
Via the CLI, the roles can be listed as follows:
fpr4120-TAC-A /security* # show role
Role:
Role Name Priv
---------- ----
aaa aaa
admin admin
operations operations
read-only read-only
Contributed by Tony Remirez, Jose Soto, Cisco TAC Engineers.
Cisco recommends that you have knowledge of these topics:
The information in this document is based on these software and hardware versions:
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The goal of the configuration is to:
Creating a RADIUS Provider using Chassis Manager
Step 1. Navigate to Platform Settings > AAA.
Step 2. Click the RADIUS tab.
Step 3. For each RADIUS provider that you want to add (up to 16 providers):
3.1. In the RADIUS Providers area, click Add.
3.2. In the Add RADIUS Provider dialog box, enter the required values.
3.3. Click OK to close the Add RADIUS Provider dialog box.
Step 4. Click Save.
Step 5. Navigate to System > User Management > Settings.
Step 6. Under Default Authentication choose RADIUS.
Creating a RADIUS Provider using CLI
Step 1. In order to enable RADIUS authentication, run the following commands.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope default-auth
fpr4120-TAC-A /security/default-auth # set realm radius
Step 2. Use the show detail command to display the results.
fpr4120-TAC-A /security/default-auth # show detail
Default authentication:
Admin Realm: Radius
Operational Realm: Radius
Web session refresh period(in secs): 600
Session timeout(in secs) for web, ssh, telnet sessions: 600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600
Serial Console Session timeout(in secs): 600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
Step 3. In order to configure the RADIUS server parameters, run the following commands.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope radius
fpr4120-TAC-A /security/radius # enter server 10.88.244.16
fpr4120-TAC-A /security/radius/server # set descr "ISE Server"
fpr4120-TAC-A /security/radius/server* # set key
Enter the key: ******
Confirm the key: ******
Step 4. Use the show detail command to display the results.
fpr4120-TAC-A /security/radius/server* # show detail
RADIUS server:
Hostname, FQDN or IP address: 10.88.244.16
Descr:
Order: 1
Auth Port: 1812
Key: ****
Timeout: 5
Adding the FXOS as a network resource
Step 1. Navigate to Network Resources > Network Devices and AAA Clients.
Step 2. Click Create.
Step 3. Enter the required values (Name, IP Address, Device Type), enable RADIUS, and add the shared KEY.
Step 4. Click Submit.
Creating the Identity groups and Users
Step 1. Navigate to Users and Identity Stores > Identity Groups.
Step 2. Click Create.
Step 3. Enter the value for Name and click Submit.
Step 4. Repeat steps 2 and 3 for all the required User Roles.
Step 5. Navigate to Users and Identity Stores > Internal Identity Stores > Users.
Step 6. Click Create.
Step 7. Enter the required values (Name, Identity Group, Password).
Step 8. Repeat steps 6 and 7 for all required users.
Creating the Authorization Profile for each User Role
Step 1. Navigate to Policy Elements > Authorization and Permissions > Network Access > Authorization Profiles > Click Create.
Step 2. Fill all the attributes for the Authorization Profile.
2.1. Configure the profile Name in the General Tab.
2.2. In RADIUS Attributes tab configure the following CISCO-AV-PAIR
cisco-av-pair=shell:roles="aaa"
2.3. Click ADD and then Submit.
Step 3. Repeat steps 1 and 2 for the remaining User Roles using the following Cisco-AV-Pairs
cisco-av-pair=shell:roles="admin"
cisco-av-pair=shell:roles="operations"
cisco-av-pair=shell:roles="read-only"
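As an added illustration, not code from the Cisco document or from ACS, the following Python encodes the cisco-av-pair above as the RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor-type 1 for Cisco-AVPair) that a RADIUS server places in an Access-Accept, parses it back out of an attribute list, and checks that every role named matches one of the roles listed by show role. An Access-Accept that names a role the chassis does not have is rejected rather than silently mapped. The function names, the sample values, and the splitting of a multi-role value on commas or spaces are assumptions.

```python
import re
import struct

# Role names exactly as listed by "show role" on the FXOS chassis
FXOS_ROLES = {"aaa", "admin", "operations", "read-only"}

RADIUS_ATTR_VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO_VENDOR_ID = 9                # IANA enterprise number for Cisco
CISCO_AVPAIR_SUBTYPE = 1           # Cisco-AVPair vendor-type


def build_cisco_avpair(value: str) -> bytes:
    """Encode one Cisco-AVPair string as a RADIUS Vendor-Specific attribute.

    Layout: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) value.
    """
    raw = value.encode("ascii")
    if len(raw) > 255 - 8:
        raise ValueError("Cisco-AVPair value too long for one RADIUS attribute")
    vendor_payload = struct.pack("!BB", CISCO_AVPAIR_SUBTYPE, 2 + len(raw)) + raw
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_payload
    return struct.pack("!BB", RADIUS_ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(blob: bytes):
    """Yield (type, value) pairs from a concatenated RADIUS attribute list,
    refusing truncated or malformed length fields instead of reading past them."""
    i = 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[i], blob[i + 1]
        if attr_len < 2 or i + attr_len > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[i + 2:i + attr_len]
        i += attr_len


def cisco_avpairs(blob: bytes):
    """Return every Cisco-AVPair string carried in the VSAs of an attribute list."""
    pairs = []
    for attr_type, value in parse_attributes(blob):
        if attr_type != RADIUS_ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue                      # some other vendor's VSA; ignore it
        j = 4
        while j + 2 <= len(value):        # one VSA may carry several sub-attributes
            sub_type, sub_len = value[j], value[j + 1]
            if sub_len < 2 or j + sub_len > len(value):
                raise ValueError("bad vendor attribute length")
            if sub_type == CISCO_AVPAIR_SUBTYPE:
                pairs.append(value[j + 2:j + sub_len].decode("ascii", "replace"))
            j += sub_len
    return pairs


def roles_from_avpairs(pairs):
    """Map shell:roles AV pairs to FXOS roles; unknown role names are an error.

    Assumption: a value naming several roles separates them with commas or spaces.
    """
    roles = set()
    for pair in pairs:
        if not pair.startswith("shell:roles="):
            continue
        value = pair[len("shell:roles="):].strip().strip('"')
        for role in re.split(r"[,\s]+", value):
            if not role:
                continue
            if role not in FXOS_ROLES:
                raise ValueError(f"unknown FXOS role in Access-Accept: {role!r}")
            roles.add(role)
    return roles


if __name__ == "__main__":
    # Constructed sample: the Access-Accept attribute ACS would send for the admin profile
    accept_attrs = build_cisco_avpair('shell:roles="admin"')
    print(accept_attrs.hex())
    print(roles_from_avpairs(cisco_avpairs(accept_attrs)))
```

Running the block prints the attribute bytes (the first byte is 0x1a, type 26) and the role set {'admin'}; feeding the parser a value such as shell:roles="superuser" raises instead of returning an empty or guessed role, which is the behaviour you want before a session is granted anything.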
Creating the Network Access Policy
Step 1. Navigate to Access Policies > Access Services > Default Network Access > Authorization > Click Create.
Step 2. Fill the required parameters (Identity Group, Device Type and Authorization Profile) and click OK.
Step 3. Repeat steps 1 and 2 for all User Roles.
Step 4. Click Save Changes at the bottom of the page.
You may now test each user and verify the assigned User Role.
Username: fxosadmin
Password:
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # show remote-user detail
Remote User fxosaaa:
Description:
User Roles:
Name: aaa
Name: read-only
Remote User fxosadmin:
Description:
User Roles:
Name: admin
Name: read-only
Remote User fxosoper:
Description:
User Roles:
Name: operations
Name: read-only
Remote User fxosro:
Description:
User Roles:
Name: read-only
Depending on the username entered, the FXOS chassis CLI displays only the commands authorized for the assigned User Role.
Admin User Role.
fpr4120-TAC-A /security # ?
acknowledge Acknowledge
clear-user-sessions Clear User Sessions
create Create managed objects
delete Delete managed objects
disable Disables services
enable Enables services
enter Enters a managed object
scope Changes the current mode
set Set property values
show Show system information
terminate Active cimc sessions
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
fpr4120-TAC-A (fxos)#
Read-Only User Role.
fpr4120-TAC-A /security # ?
scope Changes the current mode
set Set property values
show Show system information
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
% Permission denied for the role
Admin User Role.
Read-Only User:
Note: Notice that the ADD button is greyed out.
In order to debug AAA authentication and authorization, run the following commands in the FXOS CLI.
fpr4120-TAC-A# connect fxos
fpr4120-TAC-A (fxos)# debug aaa aaa-requests
fpr4120-TAC-A (fxos)# debug aaa event
fpr4120-TAC-A (fxos)# debug aaa errors
fpr4120-TAC-A (fxos)# term mon
After a successful authentication attempt, you will see the following output.
2018 Feb 5 14:21:30.017289 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:21:30.017330 aaa: aaa_req_process: General AAA request from appln: login appln_subtype: default
2018 Feb 5 14:21:30.017360 aaa: try_next_aaa_method
2018 Feb 5 14:21:30.017395 aaa: total methods configured is 1, current index to be tried is 0
2018 Feb 5 14:21:30.017425 aaa: handle_req_using_method
2018 Feb 5 14:21:30.017451 aaa: AAA_METHOD_SERVER_GROUP
2018 Feb 5 14:21:30.017479 aaa: aaa_sg_method_handler group = radius
2018 Feb 5 14:21:30.017506 aaa: Using sg_protocol which is passed to this function
2018 Feb 5 14:21:30.017537 aaa: Sending request to RADIUS service
2018 Feb 5 14:21:30.017707 aaa: Configured method group Succeeded
2018 Feb 5 14:21:30.123584 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:21:30.123625 aaa: mts_message_response_handler: an mts response
2018 Feb 5 14:21:30.123654 aaa: prot_daemon_reponse_handler
2018 Feb 5 14:21:30.123713 aaa: is_aaa_resp_status_success status = 1
2018 Feb 5 14:21:30.123741 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:21:30.123768 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2018 Feb 5 14:21:30.123795 aaa: AAA_REQ_FLAG_NORMAL
2018 Feb 5 14:21:30.123880 aaa: mts_send_response Successful
2018 Feb 5 14:21:30.290059 aaa: OLD OPCODE: accounting_interim_update
2018 Feb 5 14:21:30.290087 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user fxosro
2018 Feb 5 14:21:30.290122 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:21:30.290148 aaa: MTS request reference is NULL. LOCAL request
2018 Feb 5 14:21:30.290174 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:21:30.290202 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:21:30.290230 aaa: try_next_aaa_method
2018 Feb 5 14:21:30.290270 aaa: no methods configured for default default
2018 Feb 5 14:21:30.290299 aaa: no configuration available for this request
2018 Feb 5 14:21:30.290333 aaa: try_fallback_method
2018 Feb 5 14:21:30.290364 aaa: handle_req_using_method
2018 Feb 5 14:21:30.290391 aaa: local_method_handler
2018 Feb 5 14:21:30.290419 aaa: aaa_local_accounting_msg
2018 Feb 5 14:21:30.290448 aaa: update:::added user fxosro
2018 Feb 5 14:21:30.290475 aaa: av list is null. No vsan id
2018 Feb 5 14:21:30.290607 aaa: aaa_send_client_response for accounting. session->flags=254. aaa_resp->flags=0.
2018 Feb 5 14:21:30.290635 aaa: response for accounting request of old library will be sent as SUCCESS
2018 Feb 5 14:21:30.290659 aaa: response not needed for this request
2018 Feb 5 14:21:30.290684 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:21:30.290708 aaa: aaa_cleanup_session
2018 Feb 5 14:21:30.290732 aaa: aaa_req should be freed.
2018 Feb 5 14:21:30.290757 aaa: Fall back method local succeeded
2018 Feb 5 14:21:30.312898 aaa: aaa_process_fd_set
2018 Feb 5 14:21:30.312932 aaa: aaa_process_fd_set: mtscallback on aaa_accounting_q
2018 Feb 5 14:21:30.312977 aaa: OLD OPCODE: accounting_interim_update
2018 Feb 5 14:21:30.313007 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user:fxosro to the role:read-only
2018 Feb 5 14:21:30.313044 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:21:30.313071 aaa: MTS request reference is NULL. LOCAL request
2018 Feb 5 14:21:30.313099 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:21:30.313125 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:21:30.313149 aaa: try_next_aaa_method
2018 Feb 5 14:21:30.313185 aaa: no methods configured for default default
2018 Feb 5 14:21:30.313213 aaa: no configuration available for this request
2018 Feb 5 14:21:30.313240 aaa: try_fallback_method
2018 Feb 5 14:21:30.313267 aaa: handle_req_using_method
2018 Feb 5 14:21:30.313294 aaa: local_method_handler
2018 Feb 5 14:21:30.313321 aaa: aaa_local_accounting_msg
2018 Feb 5 14:21:30.313493 aaa: update:::added user:fxosro to the role:read-only
2018 Feb 5 14:21:30.313520 aaa: av list is null. No vsan id
2018 Feb 5 14:21:30.313670 aaa: aaa_send_client_response for accounting. session->flags=254. aaa_resp->flags=0.
2018 Feb 5 14:21:30.313698 aaa: response for accounting request of old library will be sent as SUCCESS
2018 Feb 5 14:21:30.313722 aaa: response not needed for this request
2018 Feb 5 14:21:30.313747 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:21:30.313770 aaa: aaa_cleanup_session
2018 Feb 5 14:21:30.313793 aaa: aaa_req should be freed.
2018 Feb 5 14:21:30.313818 aaa: Fall back method local succeeded
2018 Feb 5 14:21:30.313865 aaa: aaa_process_fd_set
2018 Feb 5 14:21:30.313890 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:21:32.339136 aaa: aaa_process_fd_set
2018 Feb 5 14:21:32.339177 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:21:32.339218 aaa: mts_aaa_req_process
2018 Feb 5 14:21:32.339252 aaa: aaa_req_process for accounting. session no 0
2018 Feb 5 14:21:32.339280 aaa: Setting AAA_REQ_RESPONSE_NOT_NEEDED
2018 Feb 5 14:21:32.339307 aaa: aaa_req_process: General AAA request from appln: default appln_subtype: default
2018 Feb 5 14:21:32.339335 aaa: try_next_aaa_method
2018 Feb 5 14:21:32.339374 aaa: no methods configured for default default
2018 Feb 5 14:21:32.339401 aaa: no configuration available for this request
2018 Feb 5 14:21:32.339429 aaa: try_fallback_method
2018 Feb 5 14:21:32.339456 aaa: handle_req_using_method
2018 Feb 5 14:21:32.339482 aaa: local_method_handler
2018 Feb 5 14:21:32.339506 aaa: aaa_local_accounting_msg
2018 Feb 5 14:21:32.339533 aaa: update:::enabled (null)
2018 Feb 5 14:21:32.339558 aaa: av list is null. No vsan id
2018 Feb 5 14:21:32.339680 aaa: aaa_send_client_response for accounting. session->flags=211. aaa_resp->flags=0.
2018 Feb 5 14:21:32.339707 aaa: response not needed for this request
2018 Feb 5 14:21:32.339732 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 Feb 5 14:21:32.339756 aaa: aaa_cleanup_session
2018 Feb 5 14:21:32.339780 aaa: mts_drop of request msg
2018 Feb 5 14:21:32.339821 aaa: Fall back method local succeeded
After a failed authentication attempt, you will see the following output.
2018 Feb 5 14:16:13.899605 aaa: mts_aaa_req_process
2018 Feb 5 14:16:13.899625 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:16:13.899645 aaa: aaa_enable_info_config: GET_REQ for radius server directed request
2018 Feb 5 14:16:13.899666 aaa: got back the return value of configuration operation:unknown security item
2018 Feb 5 14:16:13.899685 aaa: aaa_enable_info_config: GET_REQ for tacacs+ server directed request
2018 Feb 5 14:16:13.899712 aaa: got back the return value of configuration operation:unknown security item
2018 Feb 5 14:16:13.899736 aaa: aaa_req_process: General AAA request from appln: login appln_subtype: default
2018 Feb 5 14:16:13.899755 aaa: try_next_aaa_method
2018 Feb 5 14:16:13.899776 aaa: aaa_method_config: GET request for authentication login default
2018 Feb 5 14:16:13.899798 aaa: aaa_method_config: GET methods group radius
2018 Feb 5 14:16:13.899817 aaa: got back the return value of aaa method configuration operation:SUCCESS
2018 Feb 5 14:16:13.899841 aaa: total methods configured is 1, current index to be tried is 0
2018 Feb 5 14:16:13.899862 aaa: handle_req_using_method
2018 Feb 5 14:16:13.909905 aaa: AAA_METHOD_SERVER_GROUP
2018 Feb 5 14:16:13.909937 aaa: aaa_sg_method_handler group = radius
2018 Feb 5 14:16:13.909967 aaa: Using sg_protocol which is passed to this function
2018 Feb 5 14:16:13.909998 aaa: Sending request to RADIUS service
2018 Feb 5 14:16:13.910085 aaa: mts_send_msg_to_prot_daemon: Payload Length = 368
2018 Feb 5 14:16:13.910142 aaa: session: 0x85c1c54 added to the session table 1
2018 Feb 5 14:16:13.910174 aaa: Configured method group Succeeded
2018 Feb 5 14:16:13.995770 aaa: aaa_process_fd_set
2018 Feb 5 14:16:13.995809 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:16:13.995848 aaa: mts_message_response_handler: an mts response
2018 Feb 5 14:16:13.997143 aaa: prot_daemon_reponse_handler
2018 Feb 5 14:16:13.997171 aaa: session: 0x85c1c54 removed from the session table 0
2018 Feb 5 14:16:13.997201 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:16:13.997229 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:16:13.997256 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2018 Feb 5 14:16:13.997283 aaa: AAA_REQ_FLAG_NORMAL
2018 Feb 5 14:16:13.997369 aaa: mts_send_response Successful
2018 Feb 5 14:16:13.998845 aaa: aaa_cleanup_session
2018 Feb 5 14:16:13.998875 aaa: mts_drop of request msg
2018 Feb 5 14:16:13.998921 aaa: aaa_req should be freed.
2018 Feb 5 14:16:13.998974 aaa: aaa_process_fd_set
2018 Feb 5 14:16:13.999003 aaa: aaa_process_fd_set: mtscallback on aaa_q
2018 Feb 5 14:16:13.999341 aaa: aaa_enable_info_config: GET_REQ for aaa login error message
2018 Feb 5 14:16:13.999378 aaa: got back the return value of configuration operation:unknown security item
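The two captures above differ in one line: the successful attempt logs is_aaa_resp_status_success status = 1, the failed one logs status = 2, and only the successful attempt is followed by the accounting line that records which role the user received (added user:fxosro to the role:read-only). As an added example that is not part of the Cisco document, the following Python groups such debug output into attempts, reads the outcome from that status value, attaches the role assignment, and counts failed attempts inside a time window, which is the kind of check to run over a captured term mon session when a RADIUS user cannot log in or lands in the wrong role. The sample lines are constructed from the page's captures; the function names and the 1/2 status mapping are assumptions drawn only from those two captures.

```python
import re
from datetime import datetime

# Constructed sample: lines excerpted from the page's two "debug aaa" captures,
# a failed attempt at 14:16 followed by a successful one at 14:21.
SAMPLE_LOG = """\
2018 Feb 5 14:16:13.899625 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:16:13.909998 aaa: Sending request to RADIUS service
2018 Feb 5 14:16:13.997201 aaa: is_aaa_resp_status_success status = 2
2018 Feb 5 14:16:13.997229 aaa: is_aaa_resp_status_success is TRUE
2018 Feb 5 14:21:30.017289 aaa: aaa_req_process for authentication. session no 0
2018 Feb 5 14:21:30.017537 aaa: Sending request to RADIUS service
2018 Feb 5 14:21:30.123713 aaa: is_aaa_resp_status_success status = 1
2018 Feb 5 14:21:30.290087 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user fxosro
2018 Feb 5 14:21:30.313007 aaa: aaa_create_local_acct_req: user=, session_id=, log=added user:fxosro to the role:read-only
"""

TS_RE = re.compile(r"^(\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}\.\d+) aaa: (.*)$")
START_MARK = "aaa_req_process for authentication"
STATUS_RE = re.compile(r"is_aaa_resp_status_success status = (\d+)")
ROLE_RE = re.compile(r"added user:(\S+) to the role:(\S+)")

# Assumption: status codes as they appear in the page's success and failure captures
STATUS_OUTCOME = {1: "success", 2: "failure"}


def parse_ts(text):
    """Parse the debug timestamp, e.g. '2018 Feb 5 14:16:13.899625'."""
    return datetime.strptime(text, "%Y %b %d %H:%M:%S.%f")


def parse_aaa_debug(log_text):
    """Group debug lines into authentication attempts.

    Each attempt records when it started, its outcome (from the status value),
    and, for a successful attempt, the user and roles named by the accounting line.
    """
    attempts = []
    current = None
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue                                 # not a timestamped aaa line
        ts, msg = parse_ts(m.group(1)), m.group(2)
        if START_MARK in msg:
            current = {"started": ts, "outcome": "pending", "user": None, "roles": []}
            attempts.append(current)
            continue
        sm = STATUS_RE.search(msg)
        if sm and current is not None and current["outcome"] == "pending":
            current["outcome"] = STATUS_OUTCOME.get(int(sm.group(1)), "unknown")
            continue
        rm = ROLE_RE.search(msg)
        if rm and current is not None and current["outcome"] == "success":
            current["user"] = rm.group(1)            # role accounting follows a success
            current["roles"].append(rm.group(2))
    return attempts


def failures_within(attempts, seconds):
    """Largest number of failed attempts whose start times fall inside any
    window of `seconds`; a high value over a short window is worth an alert."""
    times = sorted(a["started"] for a in attempts if a["outcome"] == "failure")
    best, lo = 0, 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() > seconds:
            lo += 1                                   # slide the window forward
        best = max(best, hi - lo + 1)
    return best


if __name__ == "__main__":
    for a in parse_aaa_debug(SAMPLE_LOG):
        print(a["started"].time(), a["outcome"], a["user"], a["roles"])
    print("max failures in 60 s:", failures_within(parse_aaa_debug(SAMPLE_LOG), 60))
```

On the sample the first attempt is reported as a failure with no user or role, and the second as a success for fxosro with the read-only role; a user who authenticates but lands in the wrong role shows up here as a success whose roles list does not contain the role configured in the ACS authorization profile, which points at the profile or the policy rule rather than at the RADIUS key or reachability.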
The Ethanalyzer command on the FXOS CLI prompts for a password when TACACS/RADIUS authentication is enabled. This behavior is caused by a bug.
Bug id: CSCvg87518
Revision | Publish Date | Comments
---|---|---
1.0 | 05-Feb-2018 | Initial Release