Cisco Defense Orchestrator

Create or Edit an FTD RADIUS Server Object or Group

About RADIUS Server Objects or Groups

When you create or edit an identity source object such as a RADIUS server object or a group of RADIUS server objects, CDO sends the configuration request to the FTD devices through the SDC. The FTD device then communicates with the configured AD realm. 

Create a RADIUS Server Object

Use the following procedure to create an object:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > FTD > Identity Source.
  3. Enter an object name for the object.
  4. Select RADIUS Server as the Identity Source Type. Click Continue.
  5. Edit the Identity Source configuration with the following properties:
  • Server Name or IP Address - The fully-qualified host name (FQDN) or IP address of the server.
  • Authentication Port (Optional) - The port on which RADIUS authentication and authorization are performed. The default is 1812.
  • Timeout - The length of time, 1-300 seconds, that the system waits for a response from the server before sending the request to the next server. The default is 10 seconds.
  • Server Secret Key (Optional) - The shared secret that is used to encrypt data between the Firepower Threat Defense device and the RADIUS server. The key is a case-sensitive, alphanumeric string of up to 64 characters, with no spaces. The key must start with an alphanumeric character or an underscore, and it can contain the special characters: $ & - _ . + @. The string must match the one configured on the RADIUS server. If you do not configure a secret key, the connection is not encrypted.
  6. If you have Cisco Identity Services Engine (ISE) already configured for your network and are using the server for remote access VPN Change of Authorization configuration, click the RA VPN Only link and configure the following:
  • Redirect ACL - Select the extended Access Control List (ACL) to use for the RA VPN redirect ACL. If you do not have an extended ACL, you must create the required extended ACL object from a Smart CLI template in the FDM console. See the Configuring Smart CLI Objects section of the Advanced Configuration chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
    The purpose of the redirect ACL is to send initial traffic to ISE to assess the client posture. The ACL should send HTTPS traffic to ISE, but not traffic that is already destined for ISE, or traffic that is directed to a DNS server for name resolution. See the Configure Change of Authorization section of the Virtual Private Networks (VPN) chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.
  • Diagnostic Interface - Enabling this option allows the system to always use the "Diagnostic" interface to communicate with the server. If you leave this disabled, CDO defaults to using the routing table to determine which interface to use.
  7. Click Add.
  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.
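The Server Secret Key rules above are easy to get wrong when typing the key by hand. The following pre-deployment check is an added example, not CDO or FTD code: it applies the documented constraints (up to 64 characters, no spaces, leading alphanumeric or underscore, only $ & - _ . + @ as special characters) and flags an empty key, since the page states that without a shared secret the connection is not encrypted. ASCII letters and digits are assumed for "alphanumeric".

```python
import re

# Constraints as documented for the FTD RADIUS "Server Secret Key" field.
# ASCII letters and digits are assumed to be what "alphanumeric" means here.
KEY_MAX_LEN = 64
KEY_FIRST_CHAR = re.compile(r"[A-Za-z0-9_]")
KEY_ALLOWED_CHAR = re.compile(r"[A-Za-z0-9$&\-_.+@]")


def check_server_secret_key(key):
    """Return a list of findings for a candidate key; an empty list means it is acceptable."""
    findings = []
    if not key:
        # Documented behaviour: with no shared secret the FTD-to-RADIUS
        # connection is not encrypted, so the omission itself is a finding.
        findings.append("no secret key configured: RADIUS traffic to this server is unencrypted")
        return findings
    if len(key) > KEY_MAX_LEN:
        findings.append(f"key is {len(key)} characters; maximum is {KEY_MAX_LEN}")
    if " " in key:
        findings.append("key contains a space")
    if not KEY_FIRST_CHAR.match(key[0]):
        findings.append("key must start with an alphanumeric character or underscore")
    # Spaces are already reported above; every other character must be in the allowed set.
    bad = sorted({c for c in key if c != " " and not KEY_ALLOWED_CHAR.match(c)})
    if bad:
        findings.append("disallowed characters: " + " ".join(bad))
    return findings
```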

Create a RADIUS Server Group

Use the following procedure to create an object group:

  1. From the CDO navigation bar, click Objects.
  2. Click Create Object > FTD > Identity Source.
  3. Enter an object name for the object.
  4. Select RADIUS Server Group as the Identity Source Type. Click Continue.
  5. Edit the Identity Source configuration with the following properties:
  • Dead Time - Failed servers are reactivated only after all servers have failed. The dead time is how long to wait after the last server fails before reactivating all servers. 
  • Maximum Failed Attempts - The number of failed requests (that is, requests that do not get a response) sent to a RADIUS server in the group before trying the next server. When the maximum number of failed attempts is exceeded, the system marks the server as Failed.
    For a given feature, if you configured a fallback method using the local database, and all the servers in the group fail to respond, then the group is considered to be unresponsive, and the fallback method is tried. The server group remains marked as unresponsive for the duration of the dead time, so that additional AAA requests within that period do not attempt to contact the server group, and the fallback method is used immediately. 
  • Dynamic Authorization/Port (Optional) - If you enable RADIUS dynamic authorization or change of authorization (CoA) services for this RADIUS server group, the group will be registered for CoA notification and listen on the specified port for CoA policy updates from Cisco Identity Services Engine (ISE). Enable dynamic authorization only if you are using this server group in a remote access VPN in conjunction with ISE.
  6. Select an AD realm that supports the RADIUS servers from the drop-down menu. If you have not already created an AD realm, click Create from inside the drop-down menu. See Create and Edit a Firepower Threat Defense Active Directory Realm Object for more information.
  7. Click the Add button blue_cross_button.png to add existing RADIUS server objects. Optionally, you can create a new RADIUS server object from this window if necessary.

Note: Add these objects in priority order, as the first server in the list is used until it is unresponsive. FTD then moves to the next server in the list.

  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.
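The interaction of priority order, Maximum Failed Attempts, Dead Time and the local fallback is easier to reason about when simulated. The class below is an added example, not CDO or FTD code; it models one AAA request per call, counts each unanswered request as one failed attempt against the server that received it, marks the server Failed when the count reaches Maximum Failed Attempts and moves the request to the next server, and, once every server is Failed, treats the group as unresponsive for the dead time (fallback used immediately, no server contacted) before reactivating all servers. The `responds` callback that stands in for the network is an assumption of the model.

```python
from dataclasses import dataclass


@dataclass
class RadiusServer:
    name: str             # list order is priority order
    failures: int = 0     # unanswered requests so far
    failed: bool = False  # marked Failed after Maximum Failed Attempts


class RadiusServerGroup:
    def __init__(self, servers, max_failed_attempts, dead_time, local_fallback=True):
        self.servers = [RadiusServer(n) for n in servers]
        self.max_failed_attempts = max_failed_attempts
        self.dead_time = dead_time             # seconds to wait after the last server fails
        self.local_fallback = local_fallback   # fallback to the local database configured?
        self.unresponsive_until = None         # set when the last server is marked Failed

    def _fallback(self):
        return ("fallback", None) if self.local_fallback else ("reject", None)

    def authenticate(self, now, responds):
        """One AAA request at time `now`; responds(name) -> bool simulates a server answering.
        Returns (outcome, server) with outcome 'ok', 'timeout', 'fallback' or 'reject'."""
        if self.unresponsive_until is not None:
            if now < self.unresponsive_until:
                # Within the dead time no server is contacted; the fallback is used at once.
                return self._fallback()
            # Dead time elapsed: all servers are reactivated together.
            for s in self.servers:
                s.failures, s.failed = 0, False
            self.unresponsive_until = None
        for s in self.servers:
            if s.failed:
                continue                       # skip servers already marked Failed
            if responds(s.name):
                s.failures = 0
                return ("ok", s.name)
            s.failures += 1
            if s.failures < self.max_failed_attempts:
                # Below the threshold: this request fails but the server stays active.
                return ("timeout", s.name)
            s.failed = True                    # threshold reached: try the next server
        # Every server is Failed: the group is unresponsive for the dead time.
        self.unresponsive_until = now + self.dead_time
        return self._fallback()
```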


Edit a RADIUS Server Object or Group

Use the following procedure to edit a RADIUS server object or RADIUS server group:

  1. From the CDO navigation bar, click Objects.
  2. Locate the object you want to edit by using the object filters and search field.
  3. Select the object you want to edit.
  4. Click the edit icon edit.png in the Actions pane of the details panel.
  5. Edit the values in the dialog box in the same fashion that you created them in the procedures above. To edit or test the hostname/IP address or encryption information, expand the configuration bar.
  6. Click Save.
  7. CDO displays the policies that will be affected by the change. Click Confirm to finalize the change to the object and any policy affected by it.
  8. Review and deploy now the changes you made, or wait and deploy multiple changes at once.


Troubleshooting

Edit the Server Secret Key Through FDM

If you manually enter the server secret key in CDO and then change the key through the FDM console, CDO does not read the modified key when you deploy changes. If you change the key in FDM, you must manually update the key in the CDO UI.

Identity Source Type

You cannot change the Identity Source Type when editing an Identity source object. You must create a new object with the correct type.
