Create a RADIUS Server Object

RADIUS servers provide AAA (authentication, authorization, and accounting) services.

Use the following procedure to create an object:

Procedure


Step 1

In the CDO navigation bar on the left, click Objects > FDM Objects.

Step 2

Click the blue plus button, then click RA VPN Objects (ASA & FTD) > Identity Source.

Step 3

Enter an Object name for the object.

Step 4

For the Device Type, select FTD.

Step 5

For the Identity Source type, select RADIUS Server. Click Continue.

Step 6

Edit the Identity Source configuration with the following properties:

  • Server Name or IP Address - The fully-qualified host name (FQDN) or IP address of the server.

  • Authentication Port (Optional) - The port on which RADIUS authentication and authorization are performed. The default is 1812.

  • Timeout - The length of time, 1-300 seconds, that the system waits for a response from the server before sending the request to the next server. The default is 10 seconds.

  • Server Secret Key (Optional) - The shared secret that the Firepower Threat Defense device and the RADIUS server use to authenticate RADIUS messages to each other and to obfuscate the user password in Access-Request packets. The key is a case-sensitive alphanumeric string of up to 64 characters, with no spaces. It must start with an alphanumeric character or an underscore, and it can contain the special characters $ & - _ . + @. The string must match the one configured on the RADIUS server. If you do not configure a secret key, RADIUS responses cannot be authenticated and user passwords are effectively sent in the clear. Note that RADIUS does not otherwise encrypt the exchange, so the path between the device and the server should be a trusted network or an IPsec tunnel.

Step 7

If you have Cisco Identity Services Engine (ISE) already configured for your network and are using the server for remote access VPN Change of Authorization configuration, click the RA VPN Only link and configure the following:

  • Redirect ACL - Select the extended Access Control List (ACL) to use for the RA VPN redirect ACL. If you do not have an extended ACL, you must create the required extended ACL object from a Smart CLI template in the FDM-managed device console. See the Configuring Smart CLI Objects section of the Advanced Configuration chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running. The purpose of the redirect ACL is to send initial traffic to ISE to assess the client posture. The ACL should send HTTPS traffic to ISE, but not traffic that is already destined for ISE, or traffic that is directed to a DNS server for name resolution. See the Configure Change of Authorization section of the Virtual Private Networks (VPN) chapter of the Cisco Firepower Threat Defense Configuration Guide for Firepower Device Manager for the version your device is running.

  • Diagnostic Interface - Enabling this option makes the system always use the "Diagnostic" interface to communicate with the server. If you leave this disabled, CDO defaults to using the routing table to determine which interface to use.

Step 8

Click Add.

Step 9

Review and deploy the changes now, or wait and deploy multiple changes at once.
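The shared secret configured in Step 6 is the only thing protecting the RADIUS exchange between the FTD device and the server, so it is worth seeing exactly what it does. The following Python script is an added example, not CDO or FTD code: it validates a candidate secret against the character rules stated in Step 6, then builds an RFC 2865 Access-Request with the User-Password attribute obfuscated under the secret, has a "server" recover the password and answer with an Access-Accept, and shows that a server with a mismatched secret cannot recover the password and that a client with a mismatched secret rejects the response. The usernames, passwords, NAS address and secrets are constructed sample values.

```python
"""RFC 2865 Access-Request / Access-Accept with shared-secret checks.
Illustration only; not CDO or FTD code. All values are constructed samples."""
import hashlib
import hmac
import os
import re
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4

# Secret rules from Step 6: up to 64 characters, no spaces, first character
# alphanumeric or underscore, remaining characters alphanumeric or $ & - _ . + @
SECRET_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9$&\-_.+@]{0,63}$")


def secret_is_valid(secret: str) -> bool:
    return bool(SECRET_RE.match(secret))


def _attr(kind: int, value: bytes) -> bytes:
    # Attribute TLV: type (1 byte), length including header (1 byte), value
    return struct.pack("!BB", kind, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: inverse of hide_password; only works with the same secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, username, password, nas_ip, authenticator=None):
    """Client (NAS) side: Code 1, random 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        kind, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[kind] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def build_access_accept(request: bytes, secret: bytes, attrs: bytes = b"") -> bytes:
    """Server side. Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, request[1], 20 + len(attrs))
    resp_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + resp_auth + attrs


def response_is_authentic(response: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: recompute the Response Authenticator with our copy of the secret."""
    header, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


def demo(secret: bytes = b"s3cr3t_Key.2024", wrong: bytes = b"s3cr3t_Key.2025"):
    """Returns (server recovers pw, mismatched server recovers pw,
    client accepts reply, mismatched client accepts reply)."""
    req = build_access_request(7, secret, "alice", "Pa55word!", "10.0.0.1")
    hidden = parse_attrs(req)[ATTR_USER_PASSWORD]
    req_auth = req[4:20]
    accept = build_access_accept(req, secret)
    return (reveal_password(hidden, secret, req_auth) == b"Pa55word!",
            reveal_password(hidden, wrong, req_auth) == b"Pa55word!",
            response_is_authentic(accept, req, secret),
            response_is_authentic(accept, req, wrong))


if __name__ == "__main__":
    print("secret ok:", secret_is_valid("s3cr3t_Key.2024"), "space rejected:", not secret_is_valid("bad secret"))
    print("(server ok, wrong-secret server, client ok, wrong-secret client) =", demo())
```

The obfuscation is XOR against an MD5 keystream derived from the secret, not encryption of the session: anyone on the path who knows or guesses the secret recovers the password, and nothing else in the packet (username, NAS address, reply attributes) is hidden at all. That is why the secret should be long and unique per server and why the RADIUS path should be trusted or tunneled.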