This document describes the configuration steps required to integrate a Cisco FireSIGHT Management Center (FMC) or Firepower Managed Device with Cisco Identity Services Engine (ISE) for Remote Authentication Dial In User Service (RADIUS) user authentication.
Cisco recommends that you have knowledge of these topics:
FireSIGHT System and Managed Device initial configuration via GUI and/or shell
Configuring authentication and authorization policies on ISE
Basic RADIUS knowledge
The information in this document is based on these software and hardware versions:
Cisco ASA v9.2.1
ASA FirePOWER module v5.3.1
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Tip: There are multiple ways to configure ISE authentication and authorization policies to support integration with Network Access Devices (NAD) such as Sourcefire. The example below is one way to configure the intregration. The sample configuration is a point of reference and can be adapted to suit the needs of the specific deployment. Note that the authorization configuration is a two step process. One or more authorization policies will be defined on ISE with ISE returning RADIUS attribute value pairs (av-pairs) to the FMC or Managed Device. These av-pairs are then mapped to a local user group defined in the FMC system policy configuration.
Configuring Network Devices and Network Device Groups
From the ISE GUI, navigate to Administration > Network Resources > Network Devices. Click +Add to add a new Network Access Device (NAD). Provide a descriptive name and device IP address. The FMC is defined in the example below.
Under Network Device Group, click on the orange arrow next to All Device Types. Click on the icon and select Create New Network Device Group. In the example screenshot that follows, the Device Type Sourcefire has been configured. This Device Type will be referenced in the authorization policy rule definition in a later step. Click Save.
Click the orange arrow again and select the Network Device Group configured in the step above
Check the box next to Authentication Settings. Enter the RADIUS shared secret key that will be used for this NAD. Note the same shared secret key will be used again later when configuring the RADIUS server on the FireSIGHT MC. To review the plain text key value, click the Show button. Click Save.
Repeat the above steps for all FireSIGHT MCs and Managed Devices that will require RADIUS user authentication/authorization for GUI and/or shell access.
Configuring ISE Authentication Policy:
From the ISE GUI, navigate to Policy > Authentication. If using Policy Sets, navigate to Policy > Policy Sets. The example below is taken from an ISE deployment that uses the default authentication and authorization policy interfaces. The authentication and authorization rule logic is the same regardless of the configuration approach.
The Default Rule (If no match) will be used to authenticate RADIUS requests from NADs where the method in use is not MAC Authentication Bypass (MAB) or 802.1X. As configured by default, this rule will look for user accounts in ISE's local Internal Users identity source. This configuration can be modified to refer to an external identity source such as Active Directory, LDAP, etc as defined under Administration > Identity Management > External Identity Sources. For sake of simplciity, this example will define user accounts locally on ISE so no further modifications to the authentication policy are required.
Adding a Local User to ISE
Navigate to Administration > Identity Management > Identities > Users. Click Add. Enter a meaningful username and password. Under the User Groups selection, select an existing group name or click the green + sign to add a new group. In this example, the user "sfadmin" is assigned to the custom group "Sourcefire Administrator". This user group will be linked to the authorization profile defined in the Configuring ISE Authorization Policy step below. Click Save.
Configuring ISE Authorization Policy
Navigate to Policy > Policy Elements > Results > Authorization > Authorization Profiles. Click the green + sign to add a new authorization profile.
Provide a descriptive Name such as Sourcefire Administrator. Select ACCESS_ACCEPT for the Access Type. Under Common Tasks, scroll to the bottom and check the box next to ASA VPN. Click the orange arrow and select InternalUser:IdentityGroup. Click Save.
Tip: Because this example uses the ISE local user identity store, the InternalUser:IdentityGroup group option is used to simplify the configuration. If using an external identity store, the ASA VPN authorization attribute is still used, however, the value to be returned to the Sourcefire device is manually configured. For example, manually typing Administrator in the ASA VPN drop down box will result in a Class-25 av-pair value of Class = Administrator being sent to the Sourcefire device. This value can then be mapped to a sourcefire user group as part of the system policy configuration. For internal users, either configuration method is acceptable.
Internal User Example
External User Example
Navigate to Policy > Authorization and configure a new authorization policy for the Sourcefire administration sessions. The example below uses the DEVICE:Device Type condition to match the device type configured in the
Configuring Network Devices and Network Device Groups section above. This policy is then associated with the Sourcefire Administrator authorization profile configured above. Click Save.
Sourcefire System Policy Configuration
Login to the FireSIGHT MC and navigate to System > Local > User Management. Click on the Login Authentication tab. Click the + Create Authentication Object button to add a new RADIUS server for user authentication/authorization.
Select RADIUS for the Authentication Method. Enter a descriptive name for the RADIUS server. Enter the Host Name/IP Address and RADIUS Secret Key. The secret key should match the key previously configured on ISE. Optionally enter a backup ISE server Host Name/IP address if one exists.
Under the RADIUS-Specific Parameters section, enter the Class-25 av-pair string in the text box next to the Sourcefire local group name to be matched for GUI access. In this example, the Class=User Identity Groups:Sourcefire Administrator value is mapped to the Sourcefire Administrator group. This is the value that ISE returns as part of the ACCESS-ACCEPT. Optionally, select a Default User Role for authenticated users who do not have Class-25 groups assigned. Click Save to save the configuration or proceed to the Verify section below to test authentication with ISE.
Under Shell Access Filter, enter a comma separated list of users to restrict shell/SSH sessions.
Enable External Authentication
Finally, complete these steps in order to enable external authentication on the FMC:
Navigate to System > Local > System Policy.
Select External Authentication on the left panel.
Change the Status to Enabled (disabled by default).
Enable the added ISE RADIUS server.
Save the policy and reapply the policy on the appliance.
To test user authentication against ISE, scroll down to the Additional Test Parameters section and enter a username and password for the ISE user. Click Test. A successfull test will result in a green Success: Test Complete message at the top of the browser window.
To view the results of the test authentication, go to the Test Output section and click the black arrow next to Show Details. In the example screenshot below, note the "radiusauth - response: |Class=User Identity Groups:Sourcefire Administrator|" value received from ISE. This should match the Class value associated with the local Sourcefire group configured on the FireSIGHT MC above. Click Save.
From the ISE Admin GUI, navigate to Operations > Authentications to verify the success or failure of the user authentication test.
When testing user authentication against ISE, the following error is indicative of a RADIUS Secret Key mismatch or an incorrect username/password.
From the ISE admin GUI, navigate to Operations > Authentications. A red event is indicative of a failure while a green event is indicative of a successful authentication/authorization/Change of Authorization. Click on the icon to review the details of the authentication event.