Add Firepower To Fmc


The guide is talking about devices, not the FMC, and says this explicitly: "For the Firepower Threat Defense, NGIPSv, and ASA FirePOWER, you must add internal users at the CLI. You cannot add users at the CLI on the Firepower Management Center and 7000 and 8000 Series." To configure the FirePOWER sensor's own IP address and the FMC's IP address (and registration key), use the commands configure network and configure manager respectively. To add a sensor in FMC, go to Devices > Device Management > Add > Add Device. Type the Host IP address, optionally change the Display Name, type the Registration Key (the same key used on the sensor), skip Group, choose.

The FMC APIs were introduced in the recent Firepower 6.1 release. As shown in the picture below, FMC APIs allow you to program all the types of devices that FMC can manage. Before we get into how to use the APIs, let me quickly summarize what is available in the first release.

ASA 5505-X / 5508-X Setup FirePOWER Services (for ASDM). If you have more than one, you can manage them centrally with the FirePOWER Management Center (formerly the SourceFire Defense Center). WARNING: If you are going to use FMC, DON'T register your licences in ASDM; they all need to be registered in the FMC.


You have FirePOWER Management Center all fired up and configured and you are getting lots of information, but rather than seeing which user is doing what, you are just getting source computer IP addresses. You can tie FirePOWER into Active Directory to report on actual users, as well as to create policies based on AD users. This lets you get much more granular with your approach.

There are two ways to accomplish this, active authentication and passive authentication. This post will deal with passive authentication through the FirePOWER user agent. The user agent is a piece of software that you install on a member server. It polls the security event logs, watching for log on and log off events. When it sees these it picks up the IP address of the event (being the computer the user logged on or off of) and the corresponding Active Directory user. It then relays this information back to your FirePOWER Management Center.
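To make the passive mapping described above concrete, here is an added example (my own code, not the FirePOWER User Agent's): it replays a handful of constructed Security log records, maintains an IP-to-user table from the standard Windows logon (4624) and logoff (4634) events, and exercises the edge cases a collector has to get right. Correlating a logoff back to its logon through TargetLogonId, and skipping machine accounts, built-in principals and events without a usable source address, are my design choices for the example, not documented agent behaviour.

```python
"""Toy model of passive identity mapping: read Windows Security log logon/logoff
events and keep an IP -> DOMAIN\\user table of the kind an agent reports to FMC."""
import ipaddress
from typing import Dict, List, Optional

# Standard Windows Security log event IDs: 4624 = successful logon, 4634 = logoff.
LOGON_EVENT, LOGOFF_EVENT = 4624, 4634

# Built-in principals that must never drive a user-based policy decision.
IGNORED_USERS = {"ANONYMOUS LOGON", "SYSTEM", "LOCAL SERVICE", "NETWORK SERVICE"}


def normalize_ip(raw: str) -> Optional[str]:
    """Return a canonical host address from the event's IpAddress field, or None when
    the field carries nothing usable ('-', loopback, unspecified). IPv4-mapped IPv6
    addresses (::ffff:10.1.2.3) are folded to plain IPv4 so lookups match."""
    if not raw or raw == "-":
        return None
    try:
        addr = ipaddress.ip_address(raw)
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if addr.is_loopback or addr.is_unspecified:
        return None
    return str(addr)


def is_user_account(name: str) -> bool:
    """Machine accounts end in '$'; built-in principals are listed in IGNORED_USERS."""
    return bool(name) and not name.endswith("$") and name.upper() not in IGNORED_USERS


class IdentityMap:
    """IP -> 'DOMAIN\\user' table fed by logon/logoff events. Logoff events carry no
    IP, so they are tied back to their logon through TargetLogonId (my assumption)."""

    def __init__(self) -> None:
        self.by_ip: Dict[str, str] = {}        # ip -> "DOMAIN\\user"
        self.by_logon_id: Dict[str, str] = {}  # TargetLogonId -> ip

    def process(self, ev: dict) -> str:
        """Apply one event; returns 'mapped', 'unmapped' or 'ignored' for auditing."""
        eid, user = ev.get("EventID"), ev.get("TargetUserName", "")
        logon_id = ev.get("TargetLogonId")
        if eid == LOGON_EVENT:
            ip = normalize_ip(ev.get("IpAddress", "-"))
            if ip is None or not is_user_account(user):
                return "ignored"
            # A newer logon on the same IP replaces the previous user.
            self.by_ip[ip] = f"{ev.get('TargetDomainName', '')}\\{user}"
            if logon_id:
                self.by_logon_id[logon_id] = ip
            return "mapped"
        if eid == LOGOFF_EVENT:
            ip = self.by_logon_id.pop(logon_id, None)
            if ip is None:
                return "ignored"
            # Only clear the IP if it still belongs to this session's user: a stale
            # logoff must not wipe a later logon by someone else on the same address.
            if self.by_ip.get(ip, "").split("\\")[-1].lower() == user.lower():
                del self.by_ip[ip]
                return "unmapped"
            return "ignored"
        return "ignored"

    def user_for(self, ip: str) -> Optional[str]:
        return self.by_ip.get(normalize_ip(ip) or ip)


# Constructed sample records shaped like the fields a Security log reader returns.
SAMPLE_EVENTS: List[dict] = [
    {"EventID": 4624, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a1", "IpAddress": "10.1.20.15"},
    {"EventID": 4624, "TargetUserName": "WS-07$", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a2", "IpAddress": "10.1.20.15"},         # machine account
    {"EventID": 4624, "TargetUserName": "asmith", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a3", "IpAddress": "::ffff:10.1.20.22"},  # IPv4-mapped IPv6
    {"EventID": 4624, "TargetUserName": "svc_backup", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a4", "IpAddress": "-"},                   # no source address
    {"EventID": 4634, "TargetUserName": "jdoe", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a1"},                                     # clears 10.1.20.15
    {"EventID": 4624, "TargetUserName": "bwayne", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a5", "IpAddress": "10.1.20.22"},         # new user on asmith's IP
    {"EventID": 4634, "TargetUserName": "asmith", "TargetDomainName": "CORP",
     "TargetLogonId": "0x3e7a3"},                                     # stale logoff: keep bwayne
]


def replay(events: List[dict]) -> IdentityMap:
    """Feed events in order and return the resulting table."""
    table = IdentityMap()
    for ev in events:
        table.process(ev)
    return table


if __name__ == "__main__":
    for ip, principal in sorted(replay(SAMPLE_EVENTS).by_ip.items()):
        print(f"{ip:16} {principal}")
```

After the replay only 10.1.20.22 remains mapped, to CORP\bwayne: jdoe's logoff removed the first address, the machine account and the address-less service logon never entered the table, and asmith's late logoff did not disturb the newer session on the shared address.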

This post assumes you have your FirePOWER Management Center (v6) all up and running and fully functional.

First you need to create a domain user with a complex password that doesn't expire. This can be a regular domain user, no special permissions required. Please, do yourself a favor and don't cheat and just use the administrator account here.

Next you have to find the software on Cisco's web site. This is no small feat, since it's not where you would logically expect it to show up. Browse to Products > Security > Firewalls > FirePOWER Virtual Appliance > FireSIGHT System Tools & APIs.

Once you have the software downloaded, let's prepare the FMC. Navigate to System > Integration > Identity Sources > User Agent and click New Agent.

Enter the IP address of the server that will have the FirePOWER User Agent installed on it, click Add, then click Save.

On the Domain Controllers that the agent will read from, make sure WMI-In is opened on the firewall.

Next make sure the agent user you setup can access WMI. Run wmimgmt.msc. Right click on WMI Control and choose Properties and click on Security.

Browse to CIMv2, click on it and click Security. Add your service account and make sure Remote Enable is enabled.

On the Domain Controllers that the agent will read from run comexp.msc. Expand Component Services > Computers. Right click on My Computer and choose Properties.

Go to the COM Security tab and click Edit Limits under Launch and Activation Permissions. Grant your service account Local Launch, Remote Launch and Remote Activation permissions.

Edit the Default Domain Controllers Group Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment > Manage Auditing and Security Log. Add your service account user here.

Either wait until the policy applies and propagates, or if you are impatient like me run gpupdate /force to push it immediately.

On the server where you are installing the agent, run setup.exe. If you run the MSI instead, only the agent is installed: you will get an error at the end and will have to remove it, reboot and start again.

Once it's installed, open the agent and add your domain controllers.

Wait a bit for the service to show green and available.

Click on the Firepower Management Center tab.

Add the IP of the Management Center.

Click Save and walk away for a few minutes; it takes a few minutes for everything to turn green.

After everything is green and linked, head back over to FirePOWER Management Center and navigate to Policies > Network Discovery and edit your policy.

Enable the Users option and click Save and Deploy.

Realm & Identity Policy

A realm is one or more LDAP or MS Active Directory servers that share the same set of credentials. You need to configure a realm if you want to perform user and user group queries, apply user control, or use an authoritative identity source. Once the realm is set up you can configure the identity policy.

In FirePOWER Management Center navigate to System > Integration > Realms and click on New realm.

Enter the information required. If you don't know things like the base DN, I suggest you use a directory browser such as LDP.EXE to obtain the correct AD attributes.

Check out this post for help with this: Figuring out an Active Directory Object's DN Path.

When you click OK, you are brought to the directory entry screen. Click Create Add Directory, enter an AD server IP address and click OK.

Save your settings. Once saved, scroll to the right of the new screen displayed and enable the directory.

Next we create an Identity Policy.

Navigate to Policies > Identity Policy.

Click New Policy, give it a name and click Save.

Click Add Rule, give it a name, click on Realms to select your realm, and click Add and Save.

Navigate to Policies > Access Control and edit your policy. Click next to Identity and add the policy you created and click Save.

NOTE: With some browsers you can't navigate to None to click next to Identity Policy, if you run into this try another browser.

Make sure to Save and Deploy your changes when you're done!

Basic Authentication using external Radius server

1. Log on to the Firepower Management Center using Local Admin credentials and click on Users.

2. Add the Radius Server details.

3. Add the username in the shell access filter which will be used to access the FTD Sensor (Firewall appliance).

4. Save the settings and apply the changes.

Default shell profile is administrator and shell authentication is enabled. This setting is only valid for FMC.

Radius attributes are possible and privilege difference according to groups is possible. However, we are not doing that here.

5. Go to Devices > Platform Settings and choose the sensor where you want authentication applied.

6. Choose External Authentication, switch on the toggle to enable Radius authentication and save the settings.

7. Deploy the config to the appliance.

9. Verify the deployment transcript. If no other changes are done, there should be no config. FMC hides FXOS config from the user.

10. Log on to the FTD appliance and verify the username list. The username 'fmcuser' should now be there as a local account.


11. Configure your Radius Server for both FMC and FTD using their management IPs. In my setup FMC = 192.168.2.10, FTD = 192.168.2.70.

Create the user.

Use the same Radius shared key that was used for FMC; the key should be the same for both devices, since FMC will push this key to the FTD during deployment.
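The reason the key has to match on both devices is visible in the RADIUS protocol itself. The following is an added example (my own code, not Cisco's and not any RADIUS server's): a toy RFC 2865 Access-Request / Access-Accept exchange in which the shared secret both hides the User-Password attribute and authenticates the server's reply, so a secret that differs between NAS and server fails on both counts. The user 'fmcuser' and its password are constructed sample data; 192.168.2.70 is the FTD management IP from the setup above.

```python
"""Toy RFC 2865 RADIUS exchange showing the two jobs of the shared secret:
hiding the User-Password attribute and authenticating the server's response."""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # Code(1) Identifier(1) Length(2) Authenticator(16)


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the Type and Length bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _parse_attrs(body: bytes) -> Dict[int, bytes]:
    """Walk the attribute list, refusing truncated or zero-length entries."""
    attrs, pos = {}, 0
    while pos + 2 <= len(body):
        attr_type, length = body[pos], body[pos + 1]
        if length < 2 or pos + length > len(body):
            raise ValueError("malformed RADIUS attribute")
        attrs[attr_type] = body[pos + 2:pos + length]
        pos += length
    return attrs


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret || previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret this yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes,
                         nas_ip: str, req_auth: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """NAS side: build an Access-Request; the random Request Authenticator is returned
    as well because the NAS needs it to check the reply."""
    req_auth = req_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, user)
             + _attr(ATTR_USER_PASSWORD, hide_password(password, secret, req_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, HEADER_LEN + len(attrs))
    return header + req_auth + attrs, req_auth


def radius_server(request: bytes, secret: bytes, users: Dict[bytes, bytes]) -> bytes:
    """Server side: recover the password, check it, and answer with a packet whose
    Response Authenticator is MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth = request[4:HEADER_LEN]
    attrs = _parse_attrs(request[HEADER_LEN:length])
    stored = users.get(attrs.get(ATTR_USER_NAME, b""))
    presented = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, req_auth)
    ok = code == ACCESS_REQUEST and stored is not None and hmac.compare_digest(stored, presented)
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, HEADER_LEN)
    return head + hashlib.md5(head + req_auth + secret).digest()  # no reply attributes


def verify_response(response: bytes, req_auth: bytes, secret: bytes) -> bool:
    """NAS side: recompute the Response Authenticator. A mismatch means a forged reply
    or, far more often in practice, a shared-secret mismatch between NAS and server."""
    head, resp_auth, attrs = response[:4], response[4:HEADER_LEN], response[HEADER_LEN:]
    expected = hashlib.md5(head + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def exchange(nas_secret: bytes, server_secret: bytes) -> Tuple[bool, bool]:
    """One Access-Request for the constructed user 'fmcuser' from the FTD's management
    address. Returns (reply authenticates, access accepted)."""
    users = {b"fmcuser": b"correct horse battery"}  # constructed sample credential store
    request, req_auth = build_access_request(7, b"fmcuser", users[b"fmcuser"],
                                             nas_secret, "192.168.2.70")
    response = radius_server(request, server_secret, users)
    return verify_response(response, req_auth, nas_secret), response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("matching secrets :", exchange(b"s3cret", b"s3cret"))
    print("mismatched secret:", exchange(b"s3cret", b"typo"))
```

With matching secrets exchange() returns (True, True). With a mismatch the server recovers a garbage password and rejects, and the NAS cannot validate the reply either, which is why a typo in the key on one side shows up as a login failure on the FTD rather than a clear configuration error.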

12. Test your access on the FTD appliance.


13. Test your login on FMC.


Local usernames are still valid and will be checked first.
