The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This document describes how to configure TACACS+ Authentication and Authorization for the Firepower eXtensible Operating System (FXOS) chassis via Access Control Server (ACS).
The FXOS chassis includes the following User Roles:
Administrator - Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed.
Read-Only - Read-only access to system configuration with no privileges to modify the system state.
Operations - Read-and-write access to NTP configuration, Smart Call Home configuration for Smart Licensing, and system logs, including syslog servers and faults. Read access to the rest of the system.
AAA - Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system.
From the CLI, the roles can be listed as follows:
fpr4120-TAC-A /security* # show role
Role Name Priv
Contributed by Tony Remirez, Jose Soto, Cisco TAC Engineers.
Cisco recommends that you have knowledge of these topics:
Knowledge of Firepower eXtensible Operating System (FXOS)
Knowledge of ACS configuration
The information in this document is based on these software and hardware versions:
Cisco Firepower 4120 Security Appliance version 2.2
Virtual Cisco Access Control Server version 220.127.116.11
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
The goal of the configuration is to:
Authenticate users logging into the FXOS’s Web-based GUI and SSH by means of ACS.
Authorize users logging into the FXOS’s Web-based GUI and SSH according to their respective User Role by means of ACS.
Verify the proper operation of authentication and authorization on the FXOS by means of ACS.
Configuring the FXOS Chassis
Creating a TACACS Provider using Chassis Manager
Step 1. Navigate to Platform Settings > AAA.
Step 2. Click the TACACS tab.
Step 3. For each TACACS+ provider that you want to add (up to 16 providers):
3.1. In the TACACS Providers area, click Add.
3.2. In the Add TACACS Provider dialog box, enter the required values.
3.3. Click OK to close the Add TACACS Provider dialog box.
Step 4. Click Save.
Step 5. Navigate to System > User Management > Settings.
Step 6. Under Default Authentication, choose TACACS.
Creating a TACACS+ Provider using CLI
Step 1. In order to enable TACACS+ authentication, run the following commands.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope default-auth
fpr4120-TAC-A /security/default-auth # set realm tacacs
Step 2. Use the show detail command to display the results.
fpr4120-TAC-A /security/default-auth # show detail
Admin Realm: Tacacs
Operational Realm: Tacacs
Web session refresh period(in secs): 600
Session timeout(in secs) for web, ssh, telnet sessions: 600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600
Serial Console Session timeout(in secs): 600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
Step 3. In order to configure the TACACS+ server parameters, run the following commands.
fpr4120-TAC-A# scope security
fpr4120-TAC-A /security # scope tacacs
fpr4120-TAC-A /security/tacacs # enter server 10.88.244.50
fpr4120-TAC-A /security/tacacs/server # set descr "ACS Server"
fpr4120-TAC-A /security/tacacs/server* # set key
Enter the key: ******
Confirm the key: ******
Step 4. Use the show detail command to display the results.
fpr4120-TAC-A /security/tacacs/server* # show detail
Hostname, FQDN or IP address: 10.88.244.50
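Once the realm and the server are set, a quick way to confirm that the chassis is actually in the state the procedure expects is to parse the two show detail transcripts and check them. The script below is an added example, not Cisco's or FXOS's own code; it assumes only the "Key: value" line layout that the show detail commands above print, and the two sample transcripts embedded in it are constructed from the lines shown on this page.

```python
"""Audit the AAA state of an FXOS chassis from 'show detail' transcripts.

Added example, not Cisco's or FXOS's own code. It assumes only the
"Key: value" line layout that the 'show detail' commands print; the two
sample transcripts below are constructed from the lines on this page.
"""

# Constructed sample: 'show detail' under scope security / default-auth.
DEFAULT_AUTH_DETAIL = """\
Admin Realm: Tacacs
Operational Realm: Tacacs
Web session refresh period(in secs): 600
Session timeout(in secs) for web, ssh, telnet sessions: 600
Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600
Serial Console Session timeout(in secs): 600
Serial Console Absolute Session timeout(in secs): 3600
Admin Authentication server group:
Operational Authentication server group:
Use of 2nd factor: No
"""

# Constructed sample: 'show detail' under scope security / tacacs / server
# (the Descr line reflects the 'set descr' command in the procedure).
TACACS_SERVER_DETAIL = """\
Hostname, FQDN or IP address: 10.88.244.50
Descr: ACS Server
"""

MAX_TACACS_PROVIDERS = 16  # limit stated in the Chassis Manager procedure


def parse_detail(text):
    """Turn 'Key: value' lines into a dict; keys keep their full label text."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_tacacs(default_auth_text, server_texts):
    """Return WARN/INFO findings about the TACACS+ setup.

    An empty list means both realms read Tacacs and at least one
    provider is defined without duplicates.
    """
    auth = parse_detail(default_auth_text)
    servers = [parse_detail(t) for t in server_texts]
    findings = []

    # Both realms must read Tacacs for TACACS+ to be the default
    # authentication method; 'set realm tacacs' sets both.
    for realm in ("Admin Realm", "Operational Realm"):
        value = auth.get(realm, "")
        if value.lower() != "tacacs":
            findings.append(f"WARN: {realm} is '{value or 'unset'}', expected Tacacs")

    # A TACACS+ realm with no reachable provider definition is unusable.
    addresses = [s.get("Hostname, FQDN or IP address", "") for s in servers]
    addresses = [a for a in addresses if a]
    if not addresses:
        findings.append("WARN: no TACACS+ server configured under scope tacacs")
    elif len(addresses) > MAX_TACACS_PROVIDERS:
        findings.append(
            f"WARN: {len(addresses)} providers exceeds the limit of {MAX_TACACS_PROVIDERS}"
        )
    if len(set(addresses)) != len(addresses):
        findings.append("WARN: duplicate TACACS+ server entries")

    # Informational: the page's transcript shows no second factor in use.
    if auth.get("Use of 2nd factor", "").lower() == "no":
        findings.append("INFO: second factor is not in use")
    return findings


if __name__ == "__main__":
    for finding in audit_tacacs(DEFAULT_AUTH_DETAIL, [TACACS_SERVER_DETAIL]) or ["OK"]:
        print(finding)
```

Feed it the real transcripts captured from the chassis (one string per configured server) and treat any WARN line as a reason to revisit the steps above before testing a TACACS+ login.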
Configuring the ACS server
Adding the FXOS as a network resource
Step 1. Navigate to Network Resources > Network Devices and AAA Clients.
Step 2. Click Create.
Step 3. Enter the required values (Name, IP Address, Device Type), enable TACACS+, and add the shared key (the same key configured on the FXOS chassis).
Step 4. Click Submit.
Creating the Identity groups and Users
Step 1. Navigate to Users and Identity Stores > Identity Groups.
Step 2. Click Create.
Step 3. Enter the value for Name and click Submit.
Step 4. Repeat steps 2 and 3 for all the required User Roles.
Step 5. Navigate to Users and Identity Stores > Internal Identity Stores > Users.
Step 6. Click Create.
Step 7. Enter the required values (Name, Identity Group, Password).
Step 8. Repeat steps 6 and 7 for all required users.
Creating the Shell Profile for each User Role
Step 1. Navigate to Policy Elements > Authorization and Permissions > Device Administration > Shell Profiles and click Create.
Step 2. Fill all the attributes for the Authorization Profile.
2.1. Configure the profile Name in the General Tab.
2.2. In the Custom Attributes tab, configure the following cisco-av-pair.
2.3. Click Add and then Submit.
Step 3. Repeat steps 1 and 2 for the remaining User Roles using the following cisco-av-pairs.