
Cisco Defense Orchestrator

Create or Edit a Firepower Threat Defense RADIUS Server Object or Group

About RADIUS Server Objects or Groups

When you create or edit an identity source object such as a RADIUS server object or a group of RADIUS server objects, CDO sends the configuration request to the FTD devices through the Secure Device Connector (SDC). The FTD itself then communicates with the configured RADIUS server (and with the AD realm associated with a server group, if you select one); CDO and the SDC carry only the configuration, never the authentication traffic. 

Create a RADIUS Server Object

Use the following procedure to create an object:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > FTD > Identity Source.
  3. Enter an object name for the object.
  4. Select RADIUS Server as the Identity Source Type. Click Continue.
  5. Edit the Identity Source configuration with the following properties:
  • Server Name or IP Address - The fully-qualified host name (FQDN) or IP address of the server.
  • Authentication Port (Optional) - The port on which RADIUS authentication and authorization are performed. The default is 1812.
  • Timeout - The length of time, 1-300 seconds, that the system waits for a response from the server before sending the request to the next server. The default is 10 seconds.
  • Server Secret Key (Optional) - The shared secret that the Firepower Threat Defense device and the RADIUS server use to hide the User-Password attribute and to authenticate the RADIUS packets they exchange. The key is a case-sensitive, alphanumeric string of up to 64 characters, with no spaces. The key must start with an alphanumeric character or an underscore, and it can contain the special characters: $ & - _ . + @. The string must match the one configured on the RADIUS server; a mismatch makes the server reject every request. Note that RADIUS does not encrypt the connection as a whole: the shared secret is the only protection for the password attribute and for the integrity of the reply, so always configure one and choose a long, random value rather than leaving it empty. 
  6. If you have Cisco Identity Services Engine (ISE) already configured for your network and are using the server for remote access VPN Change of Authorization configuration, click the RA VPN Only link and configure the following:
  • Redirect ACL - Select the extended Access Control List (ACL) to use for the RA VPN redirect ACL. If you do not have one, create the required extended ACL object from a Smart CLI template in the FDM console. See the Configuring Smart CLI Objects chapter of the Firepower Device Manager Configuration Guide for more information.
    The purpose of the redirect ACL is to send initial traffic to ISE to assess the client posture. The ACL should match the client's HTTPS traffic so that it is redirected to ISE, but it must not match traffic that is already destined for ISE, or traffic that is directed to a DNS server for name resolution, or those flows will loop or fail. See Configure Change of Authorization on the FTD Device for more information. 
  • Diagnostic Interface - Enabling this option forces the system to always use the Diagnostic interface to communicate with the server. If you leave this disabled, the FTD uses its routing table to determine which interface to use.
  7. Click Add.
  8. Deploy Configuration Changes from Defense Orchestrator to FTD.
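To make the role of the Server Secret Key concrete: RADIUS does not encrypt the session; the secret keys the hiding of the User-Password attribute (RFC 2865 section 5.2) and the Response Authenticator that the FTD uses to decide whether to trust an Access-Accept. The following Python is an added example, not code from this page, from CDO or from Cisco. The secret, user name, password and the fixed Request Authenticator are constructed for illustration, and the server side is a one-attribute stand-in rather than a real RADIUS attribute parser.

```python
import hashlib
import hmac
import struct

# Added example (not CDO/Cisco code). All values below are constructed.
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous block); the first block uses the Request Authenticator.
    Only this one attribute is obfuscated; the rest of the packet is plaintext."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; with a mismatched secret this yields garbage."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, request_auth):
    """Access-Request as the FTD (the NAS) sends it to the RADIUS server."""
    attrs = encode_attr(ATTR_USER_NAME, username) + encode_attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code, identifier, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    return hashlib.md5(HEADER.pack(code, identifier, length) + request_auth + attrs + secret).digest()


def build_response(code, identifier, attrs, request_auth, secret):
    """Access-Accept or Access-Reject as the RADIUS server sends it back."""
    auth = response_authenticator(code, identifier, attrs, request_auth, secret)
    return HEADER.pack(code, identifier, 20 + len(attrs)) + auth + attrs


def verify_response(packet, request_auth, secret):
    """The NAS-side check before trusting a reply: a server configured with a
    different secret cannot produce a valid Response Authenticator."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, identifier, packet[20:length], request_auth, secret)
    return hmac.compare_digest(packet[4:20], expected)


def exchange(secret_on_ftd: bytes, secret_on_server: bytes):
    """One round trip with a fixed Request Authenticator (constructed; a real NAS
    must draw 16 fresh random bytes per request, e.g. os.urandom(16)).
    Returns (response code, whether the FTD side accepts the reply)."""
    request_auth = bytes(range(16))
    request = build_access_request(7, b"alice", b"Passw0rd!", secret_on_ftd, request_auth)
    # Server side: the User-Password value starts after the 20-byte header,
    # the 7-byte User-Name attribute and the 2-byte attribute header.
    hidden = request[20 + 7 + 2:]
    password = reveal_password(hidden, secret_on_server, request_auth)
    code = ACCESS_ACCEPT if password == b"Passw0rd!" else ACCESS_REJECT
    reply = build_response(code, request[1], b"", request_auth, secret_on_server)
    return code, verify_response(reply, request_auth, secret_on_ftd)
```

With matching secrets `exchange()` returns an Access-Accept that the FTD side verifies; with a mismatch the server recovers a garbage password and rejects, and even that reply fails the FTD's authenticator check, which is why the key must match the one configured on the RADIUS server.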

Create a RADIUS Server Group

Use the following procedure to create an object group:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > FTD > Identity Source.
  3. Enter an object name for the object.
  4. Select RADIUS Server Group as the Identity Source Type. Click Continue.
  5. Edit the Identity Source configuration with the following properties:
  • Dead Time - Failed servers are reactivated only after all servers have failed. The dead time is how long to wait after the last server fails before reactivating all servers. 
  • Maximum Failed Attempts - The number of failed requests (that is, requests that do not get a response) sent to a RADIUS server in the group before trying the next server. When the maximum number of failed attempts is exceeded, the system marks the server as Failed.
    For a given feature, if you configured a fallback method using the local database, and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for the duration of the dead time, so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. 
  • Dynamic Authorization/Port (Optional) - If you enable RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group, the group will be registered for CoA notification and listen on the specified port for CoA policy updates from Cisco Identity Services Engine (ISE). Enable dynamic authorization only if you are using this server group in a remote access VPN in conjunction with ISE.
  6. Select the AD realm that supports the RADIUS server from the drop-down menu. If you have not already created an AD realm, click Create from inside the drop-down menu. See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information. 
  7. Click the Add button to add existing RADIUS server objects. Optionally, you can create a new RADIUS server object from this window if necessary. 

Note: Add these objects in priority, as the first server in the list is used until it is unresponsive. FTD then defaults to the next server in the list. 

  8. Deploy Configuration Changes from Defense Orchestrator to FTD.
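The Dead Time, Maximum Failed Attempts and priority-order rules above combine into a small failover state machine, and it is worth seeing how they interact: a server that stops answering is skipped for every later request until the whole group has failed, and during the dead time no request even reaches the group. The following Python is an added model of the behaviour as this page documents it, not FTD's implementation. The server names, the fake clock and the `send` callback are constructed for the example, and the assumption that a server's failure counter resets whenever it answers is mine, not something the page states.

```python
import time


class FakeClock:
    """Deterministic stand-in for time.monotonic() so dead-time expiry can be
    exercised offline (constructed for this example)."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


class RadiusServerGroup:
    """Model (not FTD code) of the documented failover rules: servers are tried in
    configured order; a server is marked Failed once max_failed_attempts requests
    go unanswered; when every server has failed the group is unresponsive and the
    fallback method is used immediately, until dead_time seconds after the last
    failure, when all servers are reactivated. Assumption: a server's failure
    counter resets whenever it sends any reply."""

    def __init__(self, servers, max_failed_attempts=3, dead_time=10, clock=time.monotonic):
        self.servers = list(servers)            # priority order; first is preferred
        self.max_failed_attempts = max_failed_attempts
        self.dead_time = dead_time
        self.clock = clock
        self.failures = {s: 0 for s in self.servers}
        self.failed = set()
        self.dead_until = None                  # set once the whole group is down

    def _reactivate_if_dead_time_elapsed(self, now):
        if self.dead_until is not None and now >= self.dead_until:
            self.failed.clear()
            self.failures = {s: 0 for s in self.servers}
            self.dead_until = None

    def authenticate(self, send):
        """send(server) returns True (Access-Accept), False (Access-Reject) or None
        (no reply within the timeout). Returns ("accept"|"reject", server), or
        ("fallback", None) when the local fallback method must be used."""
        now = self.clock()
        self._reactivate_if_dead_time_elapsed(now)
        if self.dead_until is not None:
            return ("fallback", None)           # inside dead time: do not contact the group
        for server in self.servers:
            if server in self.failed:
                continue
            while True:
                result = send(server)
                if result is not None:          # any reply, Accept or Reject, means alive
                    self.failures[server] = 0
                    return ("accept" if result else "reject", server)
                self.failures[server] += 1
                if self.failures[server] >= self.max_failed_attempts:
                    self.failed.add(server)     # give up on this one, try the next in order
                    break
        self.dead_until = now + self.dead_time  # the last server has just failed
        return ("fallback", None)


def run_scenario():
    """Constructed walk-through. Returns (outcome of each request, servers contacted)."""
    clock = FakeClock()
    group = RadiusServerGroup(["radius-1", "radius-2"], max_failed_attempts=2,
                              dead_time=30, clock=clock)
    reachable = {"radius-1": False, "radius-2": True}
    sent = []

    def send(server):
        sent.append(server)
        return True if reachable[server] else None   # None models a timeout

    outcomes = [group.authenticate(send)]     # radius-1 times out twice, radius-2 answers
    reachable["radius-2"] = False
    outcomes.append(group.authenticate(send)) # radius-2 fails too: group unresponsive
    clock.advance(10)
    outcomes.append(group.authenticate(send)) # within dead time: fallback, nothing sent
    clock.advance(20)
    reachable["radius-1"] = True
    outcomes.append(group.authenticate(send)) # dead time over: all reactivated
    return outcomes, sent
```

Note what the model makes visible: after the first request, radius-1 is never retried while radius-2 keeps answering, so a transient outage on the highest-priority server silently moves all authentication to the second server until the whole group fails and the dead time expires. Order the servers accordingly and keep the dead time short enough that the preferred server returns in reasonable time.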

 

Edit a RADIUS Server Object or Group

Note that you cannot change the Identity Source Type when editing an Identity source object. You must create a new object with the correct type.

  1. From the CDO navigation bar, click Objects.
  2. Locate the object you want to edit by using the object filters and search field.
  3. Select the object you want to edit.
  4. Click the edit icon in the Actions pane of the details panel.
  5. Edit the values in the dialog box in the same fashion that you created them in the procedures above. To edit or test the hostname/IP address or encryption information, expand the configuration bar. 
  6. Click Save.
  7. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
  8. Deploy Configuration Changes from Defense Orchestrator to FTD.
