
Tacacs / FirePOWER module

GRANT3779
Spotlight

Is it possible to configure the actual FirePOWER software on an SSD for TACACs AAA or can local credentials only be configured / used for access?

1 Accepted Solution

Marvin Rhoads
Hall of Fame

The FirePOWER Services module on an ASA can only use local authentication.

FirePOWER Management Center can use external authentication from either an LDAP or RADIUS server.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/firepower_system_user_management.html?bookSearch=true#ID-2263-00000006 

7 Replies

Hi Marvin,

Noted, thanks. Confirms what I suspected so good to know for sure.

Hi Marvin

I have been researching the subject of getting external authentication working with FirePOWER Services (SFR) modules in an ASA 5500-X and see reference here to it working:

https://supportforums.cisco.com/discussion/13118331/firepower-shell-authentication-radius

In your post above you have provided a link to documentation but I cannot find where it specifically states that "The FirePOWER Services module on an ASA can only use local authentication".

Can you please confirm where it is documented that local authentication only works with FirePOWER Services modules?

Thanks

Damian

I may have been mistaken earlier or remembering earlier versions. The documentation does seem to indicate external authentication can be used even for the SFR modules. I have not tried it myself as of yet.

Do note that there is a bug (as of 6.2.0.2) with the RADIUS implementation.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCve60272/?referring_site=bugquickviewredir

From the bug notes it appears that only applies to 6.2.

Thanks Marvin - much appreciated, the additional info.

Having read the details of that bug CSCve60272, the symptoms we are experiencing with Firepower SFR software modules running 6.1.0.3 (which are managed by Firepower Management Centre 2000 appliances also running 6.1.0.3) look the same.

I have raised a case with Cisco TAC asking them to check and confirm if bug CSCve60272 also affects 6.1.0.3 and, if it does, to get 6.1.0.3 added to the list of "Known Affected Releases" for bug CSCve60272, which currently only has releases 6.2.0 and 6.2.1 listed.

Interestingly, we have RADIUS authentication to the Firepower Management Centre 2000 appliances working fine with Cisco ACS.

It is RADIUS authentication to the Firepower SFR software modules which is not working with Cisco ACS.

Cheers

Damian

Thanks for the update. Please let us know what the TAC finds out.

If you want to do some testing yourself you should be able to do a packet capture of the RADIUS authentication attempts and see what is happening at the protocol level.
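
Decoding a captured RADIUS exchange at the protocol level, as an added Python example that is not from this thread: it parses the RFC 2865 header and attributes of a request/reply pair and checks the Response Authenticator, which is how a shared-secret mismatch between the SFR module and the RADIUS server shows up in a capture. The packets, shared secret, user name and Reply-Message text are all constructed for the example.

```python
import hashlib
import struct

# RADIUS codes and attribute types relevant to authentication troubleshooting (RFC 2865)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
ATTR_NAMES = {1: "User-Name", 4: "NAS-IP-Address", 6: "Service-Type", 18: "Reply-Message", 32: "NAS-Identifier"}

def parse_radius(pkt):
    """Decode the header and attribute list of one RADIUS UDP payload."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise ValueError("invalid RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), pkt[pos + 2:pos + alen]))
        pos += alen
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident, "authenticator": pkt[4:20], "attrs": attrs}

def response_authenticator_ok(request, response, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret); a mismatch means different secrets."""
    length = struct.unpack("!H", response[2:4])[0]
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:length] + secret).digest()
    return expected == response[4:20]

def diagnose(request, response, secret):
    """Explain a captured reply: identifier mismatch, bad authenticator, or the reply's code."""
    req, rsp = parse_radius(request), parse_radius(response)
    if rsp["id"] != req["id"]:
        return "identifier mismatch: reply does not belong to this request"
    if not response_authenticator_ok(request, response, secret):
        return "bad Response Authenticator: shared secret mismatch between NAS and server"
    return rsp["code"]

def _encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def build_request(ident, authenticator, attrs):
    body = _encode_attrs(attrs)
    return struct.pack("!BBH", 1, ident, 20 + len(body)) + authenticator + body

def build_response(code, request, attrs, secret):
    body = _encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    return header + hashlib.md5(header + request[4:20] + body + secret).digest() + body

# Constructed sample exchange (User-Password omitted for brevity): request from the module, reject from the server
SECRET = b"constructed-secret"
REQUEST = build_request(42, bytes(range(16)), [(1, b"admin"), (32, b"sfr-module")])
REJECT = build_response(3, REQUEST, [(18, b"Authentication failed")], SECRET)
```

Running `diagnose(REQUEST, REJECT, b"wrong")` instead of the real secret reports the authenticator failure, which is the pattern to look for when the server logs nothing but the module still fails to log in.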

Hi Marvin,

Does FMC support TACACS+ for AAA authentication? And does it support RADIUS for AAA authentication? I want to make sure, because in this article I see support for RADIUS.

thanks,
Charis
