Firepower extensible Operating System (FXOS) 2.2: Chassis Authentication and Authorization for remote management with ACS using RADIUS

Similar documents
Configure 802.1x Authentication with PEAP, ISE 2.1 and WLC 8.3

Configuration Example: TACACS Administrator Access to Converged Access Wireless LAN Controllers

Logging into the Firepower System

Working with Cisco UCS Manager

Managing GSS Devices from the GUI

Initial Configuration Steps of FireSIGHT Systems

Using the Command Line Interface (CLI)

Integration of FireSIGHT System with ISE for RADIUS User Authentication

Configuring Role-Based Access Control

RADIUS Route Download

Cisco FXOS Firepower Chassis Manager Configuration Guide, 1.1(2)

Configure MAC authentication SSID on Cisco Catalyst 9800 Wireless Controllers

Cisco Identity Services Engine

Cisco NAC Profiler UI User Administration

Lab 5.6b Configuring AAA and RADIUS

AAA and the Local Database

Managing GSS User Accounts Through a TACACS+ Server

Persistent Data Transfer Procedure

ForeScout CounterACT. Configuration Guide. Version 4.3

Identity Services Engine Guest Portal Local Web Authentication Configuration Example

Forescout. Configuration Guide. Version 4.4

RADIUS for Multiple UDP Ports

CRES: Account Provisioning for Virtual, Hosted, and Hardware ESA Configuration Example

Configuring Secure Shell (SSH)

LAB: Configuring LEAP. Learning Objectives

Working with Cisco UCS Manager

Secure ACS for Windows v3.2 With EAP TLS Machine Authentication

Access Control Rules: Realms and Users

ISE Express Installation Guide. Secure Access How -To Guides Series

Setting Up the Sensor

Understanding Admin Access and RBAC Policies on ISE

ISE with Static Redirect for Isolated Guest Networks Configuration Example

Using the Web Graphical User Interface

Cisco FXOS Firepower Chassis Manager Configuration Guide, 2.0(1)

RSA SecurID Ready with Wireless LAN Controllers and Cisco Secure ACS Configuration Example

User and System Administration

Verify Radius Server Connectivity with Test AAA Radius Command

Getting Started. About the ASA for Firepower How the ASA Works with the Firepower 2100

Configuring Secure Shell (SSH)

Configuring Communication Services

Getting Started. Task Flow. Initial Configuration. Task Flow, on page 1 Initial Configuration, on page 1 Accessing the FXOS CLI, on page 4

Grant Minimum Permission to an Active Directory User Account Used by the Sourcefire User Agent

Cisco Firepower Troubleshoot File Generation Procedures

ACS 5.x: LDAP Server Configuration Example

Configuring Secure Shell (SSH)

Managing Certificates

ASACAMP - ASA Lab Camp (5316)

Forescout. Configuration Guide. Version 4.2

Packet Tracer - Configure Cisco Routers for Syslog, NTP, and SSH Operations (Instructor Version)

Lab Configure Basic AP security through GUI

Overview. ACE Appliance Device Manager Overview CHAPTER

Manage Administrators and Admin Access Policies

ActivIdentity ActivID Card Management System and Juniper Secure Access. Integration Handbook

Configuring Secure Shell (SSH)

Migrate Data from Cisco Secure ACS to Cisco ISE

User Identity Sources

Prerequisites for Controlling Switch Access with Terminal Access Controller Access Control System Plus (TACACS+)

Configuring Client Profiling

User Accounts for Management Access

Configuring TACACS+ About TACACS+

Image Management. About Image Management

UCS Direct Attached Storage and FC Zoning Configuration Example

Configuring Secure Shell

Configuring Secure Shell (SSH)

Realms and Identity Policies

Authentication of Wireless LAN Controller's Lobby Administrator via RADIUS Server

IEEE 802.1X Open Authentication

About Chassis Manager

Secure External Phone Services Configuration Example

Realms and Identity Policies

Managing GSS User Accounts Through a TACACS+ Server

User Identity Sources

Configuring Role-Based Access Control

Configuring Secure Shell (SSH)

Configure Site Network Settings

Using the Web Graphical User Interface

Configuring TACACS+ Finding Feature Information. Prerequisites for TACACS+

ISE TACACS+ Configuration Guide for Cisco ASA. Secure Access How-to User Series

TACACS+ on an Aironet Access Point for Login Authentication Configuration Example

Post-Installation and Maintenance Tasks

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Configure the Cisco VPN 3000 Series Concentrators to Support the NT Password Expiration Feature with the RADIUS Server

IEEE 802.1X with ACL Assignments

Role-Based Access Configuration

Configure 802.1x - PEAP with FreeRadius and WLC 8.3

Configuring the Management Access List

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

CounterACT 802.1X Plugin

ISE 2.3+ TACACS+ IPv6 Configuration Guide for Cisco IOS Based Network Devices with new Policy UI. Secure Access How-to User Series

Introduction to ISE-PIC

Obtain the hostname or IP address of Cisco UCS Central. Obtain the shared secret that was configured when Cisco UCS Central was deployed.

Two factor authentication for Cisco ASA SSL VPN

Managing GSS User Accounts Through a TACACS+ Server

Chapter 10 Configure Clientless Remote Access SSL VPNs Using ASDM

Configure Firepower Threat Defense (FTD) Management Interface

UniNets CCNA Security LAB MANUAL UNiNets CCNA Cisco Certified Network Associate Security LAB MANUAL UniNets CCNA LAB MANUAL

Active Directory as a Probe and a Provider

Registering Cisco UCS Domains with Cisco UCS Central

Platform Settings for Classic Devices

Configuring Secure Shell (SSH)

Transcription:

Firepower extensible Operating System (FXOS) 2.2: Chassis Authentication and Authorization for remote management with ACS using RADIUS Contents Introduction Prerequisites Requirements Components Used Configure Network Diagram Configurations Configuring the FXOS Chassis Configuring the ACS server Verify FXOS Chassis verification ACS Verification Troubleshoot Related Information Introduction This document describes how to configure RADIUS Authentication and Authorization for the Firepower extensible Operating System (FXOS) chassis via Access Control Server (ACS). The FXOS chassis includes the following User Roles: Administrator - Complete read-and-write access to the entire system. The default admin account is assigned this role by default and it cannot be changed. Read-Only - Read-only access to system configuration with no privileges to modify the system state. Operations - Read-and-write access to NTP configuration, Smart Call Home configuration for Smart Licensing, and system logs, including syslog servers and faults. Read access to the rest of the system. AAA - Read-and-write access to users, roles, and AAA configuration. Read access to the rest of the system. Via CLI this can be seen as follows: fpr4120-tac-a /security* # show role Role:

Role Name Priv ---------- ---- aaa admin operations read-only aaa admin operations read-only Contributed by Tony Remirez, Jose Soto, Cisco TAC Engineers. Prerequisites Requirements Cisco recommends that you have knowledge of these topics: Knowledge of Firepower extensible Operating System (FXOS) Knowledge of ACS configuration Components Used The information in this document is based on these software and hardware versions: Cisco Firepower 4120 Security Appliance version 2.2 Virtual Cisco Access Control Server version 5.8.0.32 The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command. Configure The goal of the configuration is to: Authenticate users logging into the FXOS s Web-based GUI and SSH by means of ACS. Authorize users logging into the FXOS s Web-based GUI and SSH according to their respective User Role by means of ACS. Verify the proper operation of authentication and authorization on the FXOS by means of ACS. Network Diagram

Configurations Configuring the FXOS Chassis Creating a RADIUS Provider using Chassis Manager Step 1. Navigate to Platform Settings > AAA. Step 2. Click the RADIUS tab. Step 3. For each RADIUS provider that you want to add (Up to 16 providers). 3.1. In the RADIUS Providers area, click Add. 3.2. In the Add RADIUS Provider dialog box, enter the required values. 3.3. Click OK to close the Add RADIUS Provider dialog box.

Step 4. Click Save. Step 5. Navigate to System > User Management > Settings. Step 6. Under Default Authentication choose RADIUS. Creating a RADIUS Provider using CLI

Step 1. In order to enable RADIUS authentication, run the following commands. fpr4120-tac-a# scope security fpr4120-tac-a /security # scope default-auth fpr4120-tac-a /security/default-auth # set realm radius Step 2. Use the show detail command to display the results. fpr4120-tac-a /security/default-auth # show detail Default authentication: Admin Realm: Radius Operational Realm: Radius Web session refresh period(in secs): 600 Session timeout(in secs) for web, ssh, telnet sessions: 600 Absolute Session timeout(in secs) for web, ssh, telnet sessions: 3600 Serial Console Session timeout(in secs): 600 Serial Console Absolute Session timeout(in secs): 3600 Admin Authentication server group: Operational Authentication server group: Use of 2nd factor: No Step 3. In order to configure RADIUS server parameters run the following commands. fpr4120-tac-a# scope security fpr4120-tac-a /security # scope radius fpr4120-tac-a /security/radius # enter server 10.88.244.16 fpr4120-tac-a /security/radius/server # set descr "ISE Server" fpr4120-tac-a /security/radius/server* # set key Enter the key: ****** Confirm the key: ****** Step 4. Use the show detail command to display the results. fpr4120-tac-a /security/radius/server* # show detail

RADIUS server: Hostname, FQDN or IP address: 10.88.244.16 Descr: Order: 1 Auth Port: 1812 Key: **** Timeout: 5 Configuring the ACS server Adding the FXOS as a network resource Step 1. Navigate to Network Resources > Network Devices and AAA Clients. Step 2. Click Create.

Step 3. Enter the required values (Name, IP Address, Device Type and Enable RADIUS and add the KEY).

Step 4. Click Submit.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback