External Authentication with RADIUS
Copyright © www.ine.com
                  Module Overview
          External Authentication overview
          Hands-on example : RADIUS on ISE
            External Authentication Overview
     FMC supports two types of external authentication servers
          LDAP & RADIUS
     Represented through an External Authentication Object
          Server settings
          Permissions (User Roles)
              User List
              AV pair
              Default User Role
                    Falls back to the Platform Default Role if no default was defined in the object (certain platforms only)
          CLI/Shell
                                       Configuration
     Add External Authentication Object for a RADIUS server
          System -> Users -> External Authentication
              Specify server settings
              Configure Permissions
              Optional Configuration
                   Restrict Shell access
                   Add Custom Attributes
          Enable External Authentication
              Save and Apply
                          FlexConfig
                  Module Overview
          FlexConfig overview
          Configuration
                              FlexConfig Overview
     A tool for pushing ASA CLI commands that configure features the FMC GUI does not yet support natively
          Use cases
              ASA to FTD migration
              Problem solving
     Implemented through FlexConfig Policies
          A series of FlexConfig Objects
              ASA CLI code
              (Optional) Scripts and/or Variables
                   See configuration guide “FlexConfig Policies for Firepower Threat Defense”
          Objects can be appended (default) or prepended
          A set of predefined Objects exist to provide tested configurations
                                    Configuration
     Prerequisites
          Software version
              show version (GUI: System -> Health -> Monitor -> Advanced Troubleshooting)
          CLI syntax
              show running-config [all]
     Look for existing Objects or create your own
          Objects -> Object Management -> FlexConfig
               Do not include enable or configure terminal; FTD already enters configuration mode when it deploys the object
               Adjust Variables if needed (Text Objects and/or other object types)
     Configure Policy (Devices -> FlexConfig) & deploy
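Before a FlexConfig object is attached to a policy it helps to render its variables and check it for the mode-changing commands the slide warns about. The script below is an added example, not part of the course or of Cisco's FlexConfig engine: it expands single-value text objects written as $name (the Velocity-style reference FlexConfig uses; multi-value objects and #foreach loops are not handled, which is a simplification) and flags any enable / configure terminal line. The object body, the text object tcpMssBytes and its value are constructed for the example.

```python
import re

# Only the simple $name reference to a single-value text object is supported here
# (assumption: no #foreach loops or multi-value objects).
VAR_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]*)")
# enable / conf t / configure terminal in any of the usual spellings
MODE_CMD_RE = re.compile(r"enable|conf(?:ig(?:ure)?)?\s+t(?:erm(?:inal)?)?")


def render_flexconfig(body: str, text_objects: dict) -> str:
    """Expand $name references from text objects; an undefined name fails loudly
    instead of deploying a half-rendered command."""
    def substitute(match):
        name = match.group(1)
        if name not in text_objects:
            raise KeyError(f"text object ${name} is referenced but not defined")
        return str(text_objects[name])
    return VAR_RE.sub(substitute, body)


def lint_flexconfig(body: str) -> list:
    """Return (line_number, command) for every mode-changing command in the body.

    FTD enters configuration mode itself when it deploys the object, so these
    lines would be sent as stray commands. An empty list means the body is clean."""
    findings = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        cmd = raw.strip().lower()
        if MODE_CMD_RE.fullmatch(cmd):
            findings.append((lineno, raw.strip()))
    return findings


# Constructed example object: clamp the TCP MSS using a value from a text object.
SAMPLE_BODY = "sysopt connection tcpmss $tcpMssBytes\n"
SAMPLE_TEXT_OBJECTS = {"tcpMssBytes": 1380}


def demo():
    """Render the sample object, then lint a copy that wrongly starts with enable/conf t."""
    rendered = render_flexconfig(SAMPLE_BODY, SAMPLE_TEXT_OBJECTS)
    bad_body = "enable\nconfigure terminal\n" + SAMPLE_BODY
    return rendered, lint_flexconfig(render_flexconfig(bad_body, SAMPLE_TEXT_OBJECTS))


if __name__ == "__main__":
    rendered, findings = demo()
    print(rendered, findings)
```

Run the lint over the rendered text rather than the raw body so that a variable cannot smuggle a mode command past the check.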
                          High Availability
                  Module Overview
          High Availability options
          Failover configuration
                          High Availability Options
     Interface
          Redundant Interface
          EtherChannel
     FTD System
          Active/Standby Failover
          Clustering
              4100 & 9300 platforms
     FMC
          Active-Standby redundancy
              System -> Integration -> High Availability
                          Failover Configuration
     Prerequisites
          The following must match between the units
              Model
              Number & types of interfaces
              Firewall mode
              Major/minor/maintenance software version
              NTP configuration
              Licenses
           Both devices must be registered with FMC and have no undeployed (pending) changes
     Add a failover pair
           Devices -> Device Management -> Add High Availability
                          SSL Policy
                  Module Overview
          SSL Policy & components overview
          HTTPS decryption
          Configuration
                          SSL Policy Overview
     FTD cannot inspect encrypted traffic by default
     SSL Policy applications
          HTTPS decryption
          Selective blocking of encrypted traffic
     Activating an SSL Policy changes how encrypted traffic is handled
           The SSL Policy is evaluated before the ACP rules (it is invoked from the ACP's Advanced settings)
                                 HTTPS Decryption
     FTD supports two SSL/TLS decryption methods
          Known Key
              Used for traffic coming to your network/servers
              Server’s Private Key is uploaded to FTD
                   FTD decrypts the client-server traffic on the fly
          Resign
              Used for traffic to external servers
              FTD splits the original session into two : client – FTD & FTD - server
                   The original server’s certificate is modified & resigned by FTD
     Decrypted web traffic is still subject to ACP inspections
                          Decryption Considerations
     Decryption can put a heavy load on FTD
          SSL Policy can block traffic selectively without decrypting it
              URLs, certificate status, SSL/TLS version, cipher suite & more
     URL handling
          Server’s certificate
               A wildcard certificate does not identify a single hostname, so URL matching from the certificate alone fails
          Server Name Indication (SNI)
              A browser includes website’s hostname inside of the TLS Client Hello
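Pulling the hostname out of the Client Hello is how a firewall can apply URL and category rules to TLS sessions it never decrypts. The code below is an added example, not from the course or from Cisco: it builds a minimal TLS 1.2-style Client Hello carrying a server_name extension (the record bytes, random, cipher suites and the extra supported_versions extension are all constructed) and a parser that walks the record, handshake and extension framing to return the SNI, or None when no SNI is present or the bytes are not a Client Hello.

```python
from typing import Optional

# Construct a minimal Client Hello (TLS record + handshake framing, RFC 5246 / RFC 6066).
def build_client_hello(hostname: Optional[str] = None, random_bytes: bytes = b"\x11" * 32) -> bytes:
    # supported_versions (0x002b) placed first so the parser has to skip an extension
    sv = b"\x02\x03\x04"
    exts = b"\x00\x2b" + len(sv).to_bytes(2, "big") + sv
    if hostname:
        name = hostname.encode("ascii")
        entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type 0 = host_name
        sni = len(entry).to_bytes(2, "big") + entry                     # ServerNameList
        exts += b"\x00\x00" + len(sni).to_bytes(2, "big") + sni         # extension type 0
    body = (b"\x03\x03" + random_bytes                                  # client_version, random
            + b"\x00"                                                   # empty session id
            + b"\x00\x04" + b"\x13\x01\x13\x02"                         # two cipher suites
            + b"\x01\x00"                                               # null compression only
            + len(exts).to_bytes(2, "big") + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                  # ClientHello handshake
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs            # handshake record


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a Client Hello, else None."""
    if len(data) < 5 or data[0] != 0x16:                 # not a handshake record
        return None
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:                 # not a ClientHello
        return None
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < hs_len:
        return None
    p = 2 + 32                                           # skip client_version and random
    if p >= len(hs):
        return None
    p += 1 + hs[p]                                       # session id
    if p + 2 > len(hs):
        return None
    p += 2 + int.from_bytes(hs[p:p + 2], "big")          # cipher suites
    if p + 1 > len(hs):
        return None
    p += 1 + hs[p]                                       # compression methods
    if p + 2 > len(hs):                                  # no extensions block at all
        return None
    end = p + 2 + int.from_bytes(hs[p:p + 2], "big")
    p += 2
    if end > len(hs):
        return None
    while p + 4 <= end:                                  # walk the extensions
        etype = int.from_bytes(hs[p:p + 2], "big")
        elen = int.from_bytes(hs[p + 2:p + 4], "big")
        p += 4
        edata = hs[p:p + elen]
        p += elen
        if etype == 0 and len(edata) >= 2:               # server_name
            q = 2                                        # skip ServerNameList length
            while q + 3 <= len(edata):
                ntype = edata[q]
                nlen = int.from_bytes(edata[q + 1:q + 3], "big")
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == 0:
                    try:
                        return name.decode("ascii")
                    except UnicodeDecodeError:
                        return None
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("www.example.com")))   # www.example.com
    print(extract_sni(build_client_hello()))                    # None
```

Two caveats a practitioner should keep in mind: the SNI is supplied by the client and is not authenticated, so a rule that relies on it alone can be fed a false hostname, and a client that omits SNI leaves only the server certificate as a source for URL matching, which is where the wildcard-certificate limitation above bites.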
                           SSL Policy Actions
     Monitor
           Log the connection and continue evaluating the remaining rules
     Block / Block with Reset
           Immediately block the traffic (with Reset also tears down the TCP connection)
     Don’t Decrypt
          Typically used for adding exceptions
     Decrypt Known Key / Decrypt Resign
          Perform decryption & send clear-text traffic to the ACP
                                       Configuration
     Define PKI objects by importing the right certificates
          Objects -> Object Management -> PKI
              Internal CA
                   Internal CA’s certificate (“keyCertSign” usage) & keys
                   Needed for “Decrypt Resign” rules
              Internal Certificate
                   Your server’s certificate & keys
                   Needed for “Decrypt Known Key” rules
                               Configuration
     Create a new SSL Policy & add rules
          Policies -> Access Control -> SSL
     Activate the Policy
          Policies -> Access Control -> Advanced
                          QoS Policy
                  Module Overview
          QoS Policy overview
          Configuration
                            QoS Policy Overview
     FTD supports traffic rate-limiting through a QoS Policy
           Applies only to traffic matched by the ACP's "Allow" or "Trust" rules
               Fastpathed (prefilter) or blocked traffic is never rate-limited
     Only one active QoS Policy is supported per managed device
                                Configuration
     Define a QoS Policy
          Devices -> QoS
          Add rule(s)
     Deploy configuration
     Verification
          show service-policy
                          Correlation Policy
                  Module Overview
          Correlation overview
          Policy components
          Configuration
                           Correlation Overview
     Lets you tie events together so that a combination of conditions triggers a policy violation
          E.g. for security decision automation
     Correlation Policy
          Correlation Rules
              Criteria for violations
              Built using Event Types and/or Constraints
          Compliance White Lists
              Host criteria for violations
          Correlation Responses
              Triggered in response to a violation
              Configured as Alerts or Remediations
                             Correlation Rules
     Event Types
          Intrusion/Malware/Discovery/Host Input/Connection Event
          User activity
          Traffic profile change
     Constraints
          Host Profile Qualification
          User Qualification
          Connection Tracker
          Snooze Period
          Inactive Period
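The snooze and inactive-period constraints are easiest to understand by running a rule over a stream of events. The evaluator below is an added example that is not part of the course or of FMC's correlator: a rule matches one event type against field criteria, refuses to fire during an inactive window, and after firing suppresses itself for the snooze period. The rule name, field names and the intrusion/connection events are constructed for the example; real FMC rules are built in the GUI, this only mirrors their semantics.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class CorrelationRule:
    name: str
    event_type: str                              # e.g. "intrusion", "connection"
    criteria: dict                               # field -> required value
    snooze: timedelta = timedelta(0)             # no new violations for this long after firing
    inactive_hours: Optional[tuple] = None       # (start_hour, end_hour), end exclusive, may wrap midnight
    snoozed_until: Optional[datetime] = field(default=None, init=False)

    def _inactive(self, ts: datetime) -> bool:
        if not self.inactive_hours:
            return False
        start, end = self.inactive_hours
        if start <= end:
            return start <= ts.hour < end
        return ts.hour >= start or ts.hour < end  # window wraps past midnight

    def evaluate(self, event: dict) -> Optional[str]:
        """Return a violation description, or None if the rule does not fire."""
        if event["type"] != self.event_type:
            return None
        if any(event.get(k) != v for k, v in self.criteria.items()):
            return None
        ts = event["ts"]
        if self._inactive(ts):
            return None
        if self.snoozed_until is not None and ts < self.snoozed_until:
            return None                           # still snoozed from an earlier violation
        if self.snooze:
            self.snoozed_until = ts + self.snooze
        return f"{self.name}: {event['type']} {event.get('src_ip')} -> {event.get('dst_ip')}"


def run_policy(rules, events):
    """Evaluate events in time order; return (timestamp, violation) pairs."""
    violations = []
    for event in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            hit = rule.evaluate(event)
            if hit:
                violations.append((event["ts"], hit))
    return violations


# Constructed sample events (not real FMC data).
T0 = datetime(2024, 3, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"type": "connection", "ts": T0, "src_ip": "10.0.0.5", "dst_ip": "10.0.0.20"},
    {"type": "intrusion", "ts": T0, "impact": 1, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.20"},
    {"type": "intrusion", "ts": T0 + timedelta(seconds=90), "impact": 1, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.20"},
    {"type": "intrusion", "ts": T0 + timedelta(seconds=400), "impact": 2, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.21"},
    {"type": "intrusion", "ts": T0 + timedelta(seconds=700), "impact": 1, "src_ip": "198.51.100.7", "dst_ip": "10.0.0.22"},
    {"type": "intrusion", "ts": datetime(2024, 3, 1, 23, 30, 0), "impact": 1, "src_ip": "198.51.100.9", "dst_ip": "10.0.0.22"},
]


def demo():
    rule = CorrelationRule(
        name="impact1-intrusion",
        event_type="intrusion",
        criteria={"impact": 1},
        snooze=timedelta(seconds=300),
        inactive_hours=(22, 6),                   # rule is off from 22:00 to 06:00
    )
    return run_policy([rule], SAMPLE_EVENTS)


if __name__ == "__main__":
    for ts, violation in demo():
        print(ts.isoformat(), violation)
```

Of the five intrusion events only the first and the one at T0+700s produce violations: the second falls inside the 300-second snooze, the third has the wrong impact, and the last lands in the inactive window. A snooze period is a good way to stop a noisy rule from firing a remediation (for example an ISE EPS quarantine) once per packet.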
                          Compliance White Lists
     Host-specific criteria for a violation
          Targets
          Host Profiles
              Operating System, applications & more
     Default White List
          Talos-recommended settings
          Applies to all endpoints (0.0.0.0/0)
     Compliance White List rules & Correlation rules are independent
                          Correlation Responses
     Alerts
          Email, SNMP, Syslog
     Remediations
          ISE Endpoint Protection Service (EPS)
          IOS Null Route
          NMAP Scanning
          Set Attribute Value
                                      Configuration
     Prepare Policy components
          Rules
              Policies -> Correlation -> Rule Management
          White Lists
              Policies -> Correlation -> White List
          Responses
              Policies -> Actions -> Alerts
              Policies -> Actions -> Instances
     Create a Correlation Policy
          Policies -> Correlation -> Policy Management
              Add rules & enable it
                          FTD VPN
                  Module Overview
          VPN on FTD overview
          Supported features
          Certificate considerations
                          VPN on FTD Overview
     Supported VPN Types
          Site-to-Site
              IPsec IKEv1/IKEv2
          Remote Access
              IPsec IKEv2 or SSL/TLS
                              Supported Features
     General
          IPv6
          Remote Access
              Split Tunneling
              AnyConnect
                   Core features (check documentation)
                              Supported Features
     Authentication
          Site-to-Site
              Certificates or PSK
          Remote Access
              Gateway - certificates
              Clients - certificates, AAA (RADIUS, LDAP, AD) or both
                    Authorization & Accounting are available via RADIUS only
                   Local database is not supported for AAA
                          Certificate Considerations
     Supported CAs include Microsoft, Cisco IOS & ASA
           FTD cannot act as a CA
     Only RSA keys are supported as of version 6.2
     Enrollment methods
          Self-signed
          SCEP
          Manual
                           Site-to-Site IPsec IKEv1
                  Module Overview
          Configuration
          Implementation scenario
                                Configuration
     Certificate Setup (optional)
          Devices -> Certificates
     Tunnel Configuration
          Devices -> VPN -> Site To Site
     Verification & Troubleshooting
          Overview -> Dashboards -> Access Controlled User Statistics -> VPN
          Devices -> VPN -> Troubleshooting
                           Remote Access SSL/TLS
                  Module Overview
          Configuration
          Implementation scenario
                                      Configuration
     Prerequisites
          Identity Certificate
              Devices -> Certificates
              Objects -> Object Management -> PKI -> Cert Enrollment
          AnyConnect image
              Objects -> Object Management -> VPN -> AnyConnect File
          AD/LDAP Realm
              System -> Integration -> Realms
          RADIUS Server Group
              Objects -> Object Management -> RADIUS Server Group
               FTD sends two Cisco vendor-specific attributes during Authentication & Authorization
                    Client-Type (150) & Tunnel-Group-Name, i.e. the Connection Profile name (146)
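Both RADIUS uses on this page, FMC administrator login in the External Authentication module and AnyConnect AAA here, come down to the same RFC 2865 exchange, and the two Cisco attributes above are what a server such as ISE keys its policy on. The code below is an added example and is not from the course, from Cisco or from ISE: it builds an Access-Request the way a NAS would (User-Password hidden with the RFC 2865 MD5 stream, Cisco VSAs under vendor ID 9 with the attribute numbers from the slide), parses it back on the server side, and answers with an Access-Accept whose Response Authenticator the client verifies. The shared secret, authenticator, username, password, NAS address, connection profile and group policy name are constructed; the Client-Type value 2 for AnyConnect SSL and the Class=OU=<group-policy> authorization convention are taken from the ASA RADIUS attribute table rather than from the slide.

```python
import hashlib
import socket
import struct

# RFC 2865 packet codes and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_CLASS, ATTR_VSA = 1, 2, 4, 25, 26
CISCO_VENDOR_ID = 9
VSA_TUNNEL_GROUP_NAME, VSA_CLIENT_TYPE = 146, 150   # attribute numbers from the slide
CLIENT_TYPE_ANYCONNECT_SSL = 2                      # ASA VSA table value (assumption, not on the slide)


def _attr(atype: int, value: bytes) -> bytes:
    assert len(value) <= 253, "RADIUS attribute value too long"
    return bytes([atype, len(value) + 2]) + value


def _cisco_vsa(vtype: int, value: bytes) -> bytes:
    # Vendor-Specific: vendor id (4 bytes) then vendor type / vendor length / value
    return _attr(ATTR_VSA, struct.pack("!I", CISCO_VENDOR_ID) + bytes([vtype, len(value) + 2]) + value)


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: each 16-byte block XORed with MD5(secret + previous cipher block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, authenticator, user, password, nas_ip, tunnel_group) -> bytes:
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + _cisco_vsa(VSA_TUNNEL_GROUP_NAME, tunnel_group.encode())
             + _cisco_vsa(VSA_CLIENT_TYPE, struct.pack("!I", CLIENT_TYPE_ANYCONNECT_SSL)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes):
    """Return (code, id, authenticator, attrs{type: value}, vsas{(vendor, vtype): value})."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data) or length < 20:
        raise ValueError("bad RADIUS length")
    attrs, vsas, p = {}, {}, 20
    while p + 2 <= length:
        atype, alen = data[p], data[p + 1]
        if alen < 2 or p + alen > length:
            raise ValueError("bad attribute length")
        value = data[p + 2:p + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            vsas[(vendor, vtype)] = value[6:4 + vlen]
        else:
            attrs[atype] = value
        p += alen
    return code, ident, data[4:20], attrs, vsas


def build_access_accept(request: bytes, secret: bytes, group_policy: str) -> bytes:
    """Server side: Response Authenticator = MD5(header + RequestAuth + attrs + secret)."""
    _, ident, req_auth, _, _ = parse_packet(request)
    attrs = _attr(ATTR_CLASS, b"OU=" + group_policy.encode())   # ASA/FTD group-policy assignment convention
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Client side: reject a reply whose authenticator was not computed with our secret."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return expected == response[4:20]


def demo() -> dict:
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))          # constructed; a real NAS uses 16 random bytes per request
    req = build_access_request(7, secret, authenticator, "alice", "s3cret!", "10.0.0.1", "RA-Employees")
    _, _, _, attrs, vsas = parse_packet(req)
    resp = build_access_accept(req, secret, "GP-Employees")
    _, _, _, resp_attrs, _ = parse_packet(resp)
    return {
        "user": attrs[ATTR_USER_NAME].decode(),
        "password": reveal_password(attrs[ATTR_USER_PASSWORD], secret, authenticator).decode(),
        "tunnel_group": vsas[(CISCO_VENDOR_ID, VSA_TUNNEL_GROUP_NAME)].decode(),
        "client_type": int.from_bytes(vsas[(CISCO_VENDOR_ID, VSA_CLIENT_TYPE)], "big"),
        "class": resp_attrs[ATTR_CLASS].decode(),
        "response_ok": verify_response(req, resp, secret),
        "wrong_secret_ok": verify_response(req, resp, b"wrong-secret"),
    }


if __name__ == "__main__":
    print(demo())
```

The Response Authenticator is the only integrity protection plain RADIUS offers, so a server reply forged without the shared secret fails verify_response; that, plus the weakness of the MD5-based password hiding, is why RADIUS traffic to ISE should stay on a dedicated management network or inside a tunnel.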
                                  Configuration
     Create a VPN Policy
          Devices -> VPN -> Remote Access
     Add an AnyConnect Profile XML
          AnyConnect Profile Editor
     Optional Configurations
          Modify ACP
               Unless the ACP is bypassed for decrypted VPN traffic (sysopt permit-vpn)
          NAT Exemption
          Split Tunneling
                                       Configuration
     Optional Configurations
          IP Address Pool
              E.g. Objects -> Object Management -> Address Pools
          Connection Profile Settings
               Group Policy attributes are NOT inherited
                    DfltGrpPolicy attributes are only used if no custom Group Policy was specified
           Routing for VPN Authentication
               Routes in the management-only routing table are preferred over data interface routes for AAA traffic
                    Make sure that your AAA server is reachable via the intended interface