Skip to main content



Cisco Defense Orchestrator

Configure Change of Authorization on the FTD Device

Most of the Change of Authorization policy is configured in the ISE server. However, you must configure the FTD device to connect to ISE correctly. 

Before you begin

If you use hostnames in any object, ensure that you configure DNS servers for use with the data interfaces, as explained in Configuring DNS for Data and Management Interfaces section of the System Settings chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.You typically need to configure DNS anyway to have a fully-functional system.


  1. Log on to the FDM for your FTD device.
  2. Configure the extended access control list (ACL) for redirecting initial connections to ISE.
    The purpose of the redirect ACL is to send initial traffic to ISE so that ISE can assess the client posture. The ACL should send HTTPS traffic to ISE, but not traffic that is already destined for ISE, or traffic that is directed to a DNS server for name resolution. A sample redirect ACL might look like the following:

    access-list redirect extended deny ip any host <ISE server IP>
    access-list redirect extended deny ip any host <DNS server IP>
    access-list redirect extended deny icmp any any 
    access-list redirect extended permit tcp any any eq www

    However, note that ACLs have an implicit “deny any any” as the last access control entry (ACE). In this example, the last ACE, which matches TCP port www (that is, port 80), will not match any traffic that matches the first 3 ACEs, so those are redundant. You could simply create an ACL with the last ACE and get the same results.

    Note that in a redirect ACL, the permit and deny actions simply determine which traffic matches the ACL, with permit matching and deny not matching. No traffic is actually dropped, denied traffic is simply not redirected to ISE.

    To create the redirect ACL, you need to configure a Smart CLI object.

    1. Choose Device > Advanced Configuration > Smart CLI > Objects.

    2. Click + to create a new object.

    3. Enter a name for the ACL. For example, redirect.

    4. For CLI Template, select Extended Access List.

    5. Configure the following in the Template body:

      • configure access-list-entry action = permit

      • source-network = any-ipv4

      • destination-network = any-ipv4

      • configure permit port = any-source

      • destination-port = HTTP

      • configure logging = disabled

The ACE should look like the following:


  1. Click OK.
    This ACL will be configured the next time you deploy changes. You do not need to use the object in any other policy to force deployment.

Note: This ACL applies to IPv4 only. If you also want to support IPv6, simply add a second ACE with all the same attributes, except select any-ipv6 for the source and destination networks. You can also add the other ACEs to ensure traffic to the ISE or DNS server is not redirected. You will first need to create host network objects to hold the IP addresses of those servers.

  1. Configure a RADIUS server group for dynamic authorization.
    Perform the below steps by following the instructions provided in the Create or Edit a Firepower Threat Defense RADIUS Server Object or Group section.
    1. Create a RADIUS Server Object
    2. Create a RADIUS Server Group
  2. Create a connection profile that uses this RADIUS server group. See Configure an RA VPN Connection Profile.
    Use AAA Authentication (either only or with certificates), and select the server group in the Primary Identity
    Source for User Authentication
    , Authorization, and Accounting options.
  • Was this article helpful?