October 19, 2018

Cisco :: FXOS Authentication Using TACACS

(Last Updated On: 16th January 2018)

In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+.

At the time of writing this post, I found that limited documentation existed and of that documentation that did exist, the examples given weren’t as straightforward. In an effort to make this process easier for my colleagues and customers to understand I have put together the following instructions based on a previous use case given to me.

Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized.




  • A ‘Device Administration’ license is required in order to use TACACS+ within ISE


Components Used


Firepower 4150 FXOS

Virtual Cisco Identity Services Engine (ISE) 2.3


The information presented in this document was created within a lab environment. All devices used within this document started with default configurations. If you intend on using this document to configure devices in a live environment, ensure you understand the potential impact of any commands used.

Add Network Device in Identity Services Engine (ISE)


Access Identity Services Engines (ISE) and perform the following steps in order to add the FXOS device.


  • Navigate to Administration > Network Resources > Network Devices and click ‘Add’


  • Configure FXOS device settings and TACACS+ shared secret key


Configure TACACS+ Shell Profiles


  • Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and click ‘Add’


  • In the TACACS Profile add the two following admin and read-only av-pairs in Raw View
    • Cisco-av-pair=shell:roles=”admin”
    • Cisco-av-pair=shell:roles=”read-only”

For a list of user roles please refer to the Cisco documentation: https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos221/cli-guide/b_CLI_ConfigGuide_FXOS_221/user_management.html?bookSearch=true#concept_2770BFB3259042F5A4420595A0A6946C


Create Device Administration Policy Set


  • Navigate to Work Centers > Device Administration > Device Admin Policy Sets and create an authentication and authorization policy that matches against the FXOS device


Configure TACACS+ Provider for FXOS


Configuration can be achieved by using the Firepower Chassis Manager graphical user interface (GUI) or by using the command line interface (CLI). This example will demonstrate both ways.


CLI Method


Enter FXOS Security Mode

#scope Security


Enter TACACS+ Mode

#scope tacacs


IP Address or FQDN of TACACS+ server

#create server


Set TACACS+ Shared Key (This is the same key that was configured in ISE)

 #set key (press enter)

Enter the desired key


Commit configuration to the system configuration



(Optional TACACS+ commands are available but not covered in this example)



Change Default Authentication Method (CLI)


Enter FXOS Security Mode

#scope security


Change default authentication to TACACS

#set authentication default tacacs


(Other authentication methods are available but not covered in this example)


GUI Method


  • Log into the Firepower Chassis Manager and navigate to Platform Settings > AAA > TACACS and click ‘Add’


  • Enter TACACS Provider settings ensuring you have entered the matching key configured in the Identity Services Engine (ISE)


Change Default Authentication Method (GUI)


  • Navigate to System > User Management > Settings and change ‘Default Authentication’ to ‘TACACS’. Local fallback authentication will be used once changes have been saved.


Test Access


You should now be able to access the Firepower Chassis Manager (FCM) and the FXOS Command Line Interface (CLI) using credentials from your TACACS Provider. The Admin shell profile created within ISE should return back Read-Write (RW) access whereas the Read-Only (RO) shell profile should return back Read-Only (RO) access. You can verify this by viewing the ISE logs or logging into FCM.


I hope you have found this article useful.

Previous «
Next »

Security Solutions Consulting Engineer @ Cisco - CCNA R&S/CCNA Security, CCDA & CCNP R&S - Currently working on CCIE Security. Sharing my knowledge and passion for technology. All views are mine and NOT of my company.


  1. You may also need an object for shell:locales so it know the domain to apply your role. I did: cisco-av-pair*shell:locales=”*”

Leave a Reply

Subscribe to SYNACK via Email

%d bloggers like this: