Cisco Firepower Chassis Manager Radius Configuration

There are many configuration guides on the Cisco website with details about configuring RADIUS and TACACS+ on a Cisco Firepower Chassis Manager. See this link for the configuration guide for 2.0(1).

In this document, you can read the following comment:

Remote User Role Policy Controls what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information:

  • Assign Default Role—The user is allowed to log in with a read-only user role.
  • No-Login—The user is not allowed to log in to the system, even if the username and password are correct.

But… it’s very hard to find what attributes are needed to assign a user the administrator role.

(more…)

Cisco ISE Part 4: High availability

This is a Cisco ISE blog post series with some how-to’s for configuring the ISE deployment, This blog post series exists of 10 parts.

The blogpost Agenda:

Part 1: introduction
Part 2: installation
Part 3: Active Directory
Part 4: High Availability
Part 5: Configuring wired network devices
Part 6: Policy enforcement and MAB
Part 7: Configuring wireless network devices
Part 8: Inline posture and VPN
Part 9: Guest and web authentication
Part 10: Profiling and posture

This week, a short part post, part 4: High Availability

The admin and monitoring nodes are only available in Active/Standby

All configuration is done on the primary Admin node. All other nodes are managed by this node. In case  of a failure, the secondary admin node has the be manually promoted to primary (ISE 1.X).

Policy nodes can be clustered. Switches can use the cluster IP as radius server. The cluster will act like a load balancer.

Switches (NADs) can sent syslog messages (UDP 20514) to the monitor nodes. All logging is sent / replicated to both HA monitoring nodes.

First, a nodes has to get registered with the admin node. Requirement for this is a useraccount on the new node and prepared the trust list. Changing the secondary administration role is only possible by deregistering.

Registering of a node is certificate based:

  • Self signed
  • CA signed

(more…)