Cisco Firepower Chassis Manager Radius Configuration
There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).
In this document, you can read the following comment:
Remote User Role Policy | Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information: |
But… it’s very hard to find what attributes are needed to assign a user the administrator role.
The solution isn’t that hard, you can use the following RADIUS attributes (these should also work with TACACS+):
cisco-av-pair=shell:roles=“admin”
Attribute name is cisco-av-pair
Attribute value is shell:roles=“admin”
You can easily verify if the role is correct, when you logged in with a user:
FPR9K# scope security FPR9K/security # sh remote-user detail Remote User <user name>: Description: User Roles: Name: admin Name: read-only
When attributes are not configured you will see below – and user will have read only access
FPR9K/security # sh remote-user detail Remote User <user name >: Description: User Roles: Name: read-only
My Thought
This is basic configuration and I cannot understand that this is so hard te find on the Cisco website. Cisco TAC is very helpfull with these kind of questions, but adding this into the configuration guides would help a lot. Almost everyone wants to to radius authentication for these kind of devices and use some kind of authorization (as far as radius can do this), these kind of configurations should be widely available.