Cisco Firepower Chassis Manager Radius Configuration

There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following comment:

Remote User Role Policy: Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:

  • Assign Default Role—The user is allowed to log in with a read-only user role.
  • No-Login—The user is not allowed to log in to the system, even if the username and password are correct.

But it is very hard to find which attributes are needed to assign a user the administrator role.

The solution isn't that hard: you can use the following RADIUS attribute (this should also work with TACACS+):

cisco-av-pair=shell:roles="admin"

Attribute name is cisco-av-pair
Attribute value is shell:roles="admin"

You can easily verify that the role is correct once you have logged in with the user:

FPR9K# scope security
FPR9K/security # sh remote-user detail
Remote User <user name>:
    Description:
    User Roles:
        Name: admin
        Name: read-only

When the attribute is not configured you will see the output below, and the user will only have read-only access:

FPR9K/security # sh remote-user detail
Remote User <user name >:
    Description:
    User Roles:
        Name: read-only
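
To make the role assignment above concrete, here is an added example (not code from the post or from Cisco) that encodes the cisco-av-pair as a RADIUS Vendor-Specific attribute (type 26, Cisco vendor ID 9, vendor type 1) and parses it back out of an Access-Accept attribute list, applying the two Remote User Role Policy outcomes described in the guide when no role is supplied. The policy names and the sample attribute lists are constructed for the example; treating the role list as comma-separated is an assumption beyond the single-role case shown in the post.

```python
import struct
from typing import List, Iterator, Tuple

VENDOR_SPECIFIC = 26     # RADIUS Vendor-Specific attribute (RFC 2865)
CISCO_VENDOR_ID = 9      # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1    # Cisco-AVPair inside the VSA
ROLE_PREFIX = "shell:roles="

def encode_cisco_avpair(avpair: str) -> bytes:
    """Wrap a cisco-av-pair string in a RADIUS VSA (type, length, vendor id, sub-TLV)."""
    value = avpair.encode()
    vendor_tlv = struct.pack("!BB", CISCO_AVPAIR_TYPE, 2 + len(value)) + value
    body = struct.pack("!I", CISCO_VENDOR_ID) + vendor_tlv
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body

def iter_attributes(payload: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    offset = 0
    while offset + 2 <= len(payload):
        attr_type, length = payload[offset], payload[offset + 1]
        if length < 2 or offset + length > len(payload):
            raise ValueError("malformed RADIUS attribute at offset %d" % offset)
        yield attr_type, payload[offset + 2:offset + length]
        offset += length

def cisco_roles(payload: bytes) -> List[str]:
    """Return the roles carried in cisco-av-pair shell:roles attributes, if any."""
    roles: List[str] = []
    for attr_type, value in iter_attributes(payload):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        vendor_type, vendor_len = value[4], value[5]
        if vendor_type != CISCO_AVPAIR_TYPE or vendor_len != len(value) - 4:
            continue
        text = value[6:].decode(errors="replace")
        if text.startswith(ROLE_PREFIX):
            # Quotes are optional on the wire; strip them and split on commas
            roles += [r for r in text[len(ROLE_PREFIX):].strip('"').split(",") if r]
    return roles

def effective_roles(payload: bytes, policy: str = "assign-default") -> List[str]:
    """Apply the chassis Remote User Role Policy when the server sends no role."""
    roles = cisco_roles(payload)
    if roles:
        return roles
    return ["read-only"] if policy == "assign-default" else []  # [] means no-login

if __name__ == "__main__":
    reply_msg = struct.pack("!BB", 18, 2 + 5) + b"hello"          # unrelated Reply-Message
    print(effective_roles(reply_msg + encode_cisco_avpair('shell:roles="admin"')))
    print(effective_roles(reply_msg), effective_roles(reply_msg, "no-login"))
```

Pointing this parser at a captured Access-Accept is a quick way to tell whether the RADIUS server or the chassis policy is responsible for a user landing in read-only.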

My Thought
This is basic configuration and I cannot understand that this is so hard to find on the Cisco website. Cisco TAC is very helpful with these kinds of questions, but adding this to the configuration guides would help a lot. Almost everyone wants to do RADIUS authentication for these kinds of devices and use some kind of authorization (as far as RADIUS can do this), so these kinds of configurations should be widely available.
