In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+.
At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me.
Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized.
- A ‘Device Administration’ license is required in order to use TACACS+ within ISE
Firepower 4150 FXOS
Virtual Cisco Identity Services Engine (ISE) 2.3
The information presented in this document was created within a lab environment. All devices used within this document started with default configurations. If you intend on using this document to configure devices in a live environment, ensure you understand the potential impact of any commands used.
Add Network Device in Identity Services Engine (ISE)
Access Identity Services Engines (ISE) and perform the following steps in order to add the FXOS device.
- Navigate to Administration > Network Resources > Network Devices and click ‘Add’
- Configure FXOS device settings and TACACS+ shared secret key
Configure TACACS+ Shell Profiles
- Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and click ‘Add’
- In the TACACS Profile add the two following admin and read-only av-pairs in Raw View
For a list of user roles please refer to the Cisco documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/user_management.html?bookSearch=true#concept_2770BFB3259042F5A4420595A0A6946C
Create Device Administration Policy Set
- Navigate to Work Centers > Device Administration > Device Admin Policy Sets and create an authentication and authorization policy that matches against the FXOS device
Configure TACACS+ Provider for FXOS
Configuration can be achieved by using the Firepower Chassis Manager graphical user interface (GUI) or by using the command line interface (CLI). This example will demonstrate both ways.
Enter FXOS Security Mode
Enter TACACS+ Mode
IP Address or FQDN of TACACS+ server
#create server 192.168.1.5
Set TACACS+ Shared Key (This is the same key that was configured in ISE)
#set key (press enter)
Enter the desired key
Commit configuration to the system configuration
(Optional TACACS+ commands are available but not covered in this example)
Change Default Authentication Method (CLI)
Enter FXOS Security Mode
Change default authentication to TACACS
#set authentication default tacacs
(Other authentication methods are available but not covered in this example)
- Log into the Firepower Chassis Manager and navigate to Platform Settings > AAA > TACACS and click ‘Add’
- Enter TACACS Provider settings ensuring you have entered the matching key configured in the Identity Services Engine (ISE)
Change Default Authentication Method (GUI)
- Navigate to System > User Management > Settings and change ‘Default Authentication’ to ‘TACACS’. Local fallback authentication will be used once changes have been saved.
You should now be able to access the Firepower Chassis Manager (FCM) and the FXOS Command Line Interface (CLI) using credentials from your TACACS Provider. The Admin shell profile created within ISE should return back Read-Write (RW) access whereas the Read-Only (RO) shell profile should return back Read-Only (RO) access. You can verify this by viewing the ISE logs or logging into FCM.
I hope you have found this article useful.