Cisco :: FXOS Authentication Using TACACS

In this article, I will describe how to enable authentication and authorization for Firepower eXtensible Operating System (FXOS) devices. The use case presented in this document illustrates how Cisco Identity Services Engine (ISE) can be utilised with attribute-value pairs (AV-Pairs) to authenticate and authorize users accessing the Firepower Chassis Manager (FCM) or FXOS platforms via TACACS+.

At the time of writing this post, I found that only limited documentation existed, and the examples in the documentation that did exist were not especially straightforward. To make this process easier for my colleagues and customers to understand, I have put together the following instructions based on a previous use case given to me.

Extracts of this document have been taken from a wider document I am currently creating. I will update this article with the complete document when it has been finalized.




  • A ‘Device Administration’ license is required in order to use TACACS+ within ISE


Components Used


Firepower 4150 FXOS

Virtual Cisco Identity Services Engine (ISE) 2.3


The information presented in this document was created within a lab environment. All devices used within this document started with default configurations. If you intend on using this document to configure devices in a live environment, ensure you understand the potential impact of any commands used.



Add Network Device in Identity Services Engine (ISE)


Access Identity Services Engine (ISE) and perform the following steps in order to add the FXOS device.


  • Navigate to Administration > Network Resources > Network Devices and click ‘Add’


  • Configure FXOS device settings and TACACS+ shared secret key


Configure TACACS+ Shell Profiles


  • Navigate to Work Centers > Device Administration > Policy Elements > Results > TACACS Profiles and click ‘Add’


  • In the TACACS Profile add the two following admin and read-only av-pairs in Raw View (use plain ASCII double quotes, not typographic quotes)
    • Cisco-av-pair=shell:roles="admin"
    • Cisco-av-pair=shell:roles="read-only"

For a list of user roles please refer to the Cisco documentation:
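As an added illustration that is not part of the original article, the following Python helper parses Raw View lines the way a TACACS+ client would interpret them and reports the FXOS role they carry. It demonstrates three details that matter when building these profiles: the RFC 8907 distinction between a mandatory attribute (`name=value`) and an optional one (`name*value`), the separation of the `cisco-av-pair` attribute from the `shell:roles` / `shell:locales` key inside it, and the copy-paste failure mode where typographic quotes replace the ASCII quotes FXOS expects. The sample inputs are constructed; `KNOWN_ROLES` contains only the two roles this article configures and is an assumption about what is worth flagging, not a complete FXOS role list.

```python
"""Interpret ISE TACACS profile 'Raw View' lines as an FXOS device would.

Added example for this article, not Cisco or ISE code. Sample inputs below
are constructed and do not come from a live deployment.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 8907 section 6.1: a TACACS+ attribute is 'name=value' (mandatory)
# or 'name*value' (optional). The value part may itself contain '='.
_ATTR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")

# Assumption for this example: only the two roles the article configures
# are treated as expected; FXOS defines further roles (see Cisco docs).
KNOWN_ROLES = {"admin", "read-only"}

# Typographic quotes that appear when an av-pair is copied from a rendered
# web page rather than typed; FXOS expects plain ASCII double quotes.
_CURLY_QUOTES = "\u201c\u201d\u2018\u2019"


@dataclass
class TacacsAttribute:
    name: str
    value: str
    mandatory: bool


def parse_attribute(line: str) -> TacacsAttribute:
    """Parse one Raw View line such as cisco-av-pair=shell:roles="admin"."""
    match = _ATTR_RE.match(line.strip())
    if not match:
        raise ValueError(f"not a TACACS+ attribute: {line!r}")
    name, separator, value = match.groups()
    return TacacsAttribute(name.strip().lower(), value, separator == "=")


def parse_av_pair(value: str) -> Tuple[str, str]:
    """Split shell:roles="admin" into ("shell:roles", "admin").

    Typographic quotes are rejected instead of being silently kept as part
    of the role name, which is what the device would otherwise see.
    """
    if any(ch in value for ch in _CURLY_QUOTES):
        raise ValueError(f"typographic quotes in av-pair: {value!r}")
    key, sep, raw = value.partition("=")
    if not sep or not raw:
        raise ValueError(f"av-pair has no value: {value!r}")
    return key.strip(), raw.strip().strip('"')


def fxos_roles(raw_lines: List[str]) -> Dict[str, List[str]]:
    """Collect roles and locales from Raw View lines; malformed or
    unexpected lines are reported in 'warnings' rather than raising."""
    result: Dict[str, List[str]] = {"roles": [], "locales": [], "warnings": []}
    for line in raw_lines:
        try:
            attr = parse_attribute(line)
            if attr.name != "cisco-av-pair":
                result["warnings"].append(f"ignored attribute {attr.name!r}")
                continue
            key, val = parse_av_pair(attr.value)
        except ValueError as exc:
            result["warnings"].append(str(exc))
            continue
        if key == "shell:roles":
            for role in val.split():
                result["roles"].append(role)
                if role not in KNOWN_ROLES:
                    result["warnings"].append(f"role {role!r} not in KNOWN_ROLES")
        elif key == "shell:locales":
            result["locales"].append(val)
        else:
            result["warnings"].append(f"unhandled av-pair key {key!r}")
    return result


def effective_access(roles: List[str]) -> Optional[str]:
    """Access level the article expects on login: admin gives read-write,
    read-only gives read-only, anything else is undetermined here."""
    if "admin" in roles:
        return "RW"
    if "read-only" in roles:
        return "RO"
    return None


# Constructed sample inputs.
SAMPLE_ADMIN = [
    'cisco-av-pair=shell:roles="admin"',
    'cisco-av-pair*shell:locales="*"',  # optional attribute, as in the comments
]
SAMPLE_READ_ONLY = ['cisco-av-pair=shell:roles="read-only"']
SAMPLE_PASTED = ["cisco-av-pair=shell:roles=\u201cadmin\u201d"]  # curly quotes

if __name__ == "__main__":
    for sample in (SAMPLE_ADMIN, SAMPLE_READ_ONLY, SAMPLE_PASTED):
        parsed = fxos_roles(sample)
        print(parsed, "->", effective_access(parsed["roles"]))
```

Running the module shows the pasted sample yielding no role at all, which is the symptom to look for when a user who should be an administrator lands in read-only or is rejected: the profile sent a role, but not the string the device compares against.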


Create Device Administration Policy Set


  • Navigate to Work Centers > Device Administration > Device Admin Policy Sets and create an authentication and authorization policy that matches against the FXOS device


Configure TACACS+ Provider for FXOS


Configuration can be achieved by using the Firepower Chassis Manager graphical user interface (GUI) or by using the command line interface (CLI). This example will demonstrate both ways.


CLI Method


Enter FXOS Security Mode

#scope security


Enter TACACS+ Mode

#scope tacacs


Create the TACACS+ server entry using the IP address or FQDN of the TACACS+ server

#create server <ip-address-or-fqdn>


Set the TACACS+ shared key (this is the same key that was configured in ISE)

#set key

Enter the desired key when prompted


Commit the configuration to the system configuration

#commit-buffer


(Optional TACACS+ commands are available but not covered in this example)



Change Default Authentication Method (CLI)


Enter FXOS Security Mode

#scope security


Change default authentication to TACACS

#set authentication default tacacs


(Other authentication methods are available but not covered in this example)


GUI Method


  • Log into the Firepower Chassis Manager and navigate to Platform Settings > AAA > TACACS and click ‘Add’


  • Enter TACACS Provider settings ensuring you have entered the matching key configured in the Identity Services Engine (ISE)


Change Default Authentication Method (GUI)


  • Navigate to System > User Management > Settings and change ‘Default Authentication’ to ‘TACACS’. Local fallback authentication will be used once changes have been saved.


Test Access


You should now be able to access the Firepower Chassis Manager (FCM) and the FXOS Command Line Interface (CLI) using credentials from your TACACS Provider. The Admin shell profile created within ISE should result in Read-Write (RW) access, whereas the Read-Only (RO) shell profile should result in Read-Only (RO) access. You can verify this by viewing the ISE logs or by logging into FCM.


I hope you have found this article useful.


Kelvin is a Cyber Security professional with years of experience working with organisations in different verticals, both large and small. He enjoys contributing to the Network Wizkid knowledge base and he also creates technical content. Kelvin enjoys learning new things and often does this by working on achieving new technical certifications. He holds many professional certifications and academically, he has achieved Bachelor's and Master's degrees in Computer Networks and Cyber Security.

This Post Has 4 Comments

  1. Johnathan Wilkes

    You may also need an object for shell:locales so it knows the domain to apply your role. I did: cisco-av-pair*shell:locales="*"

    1. Kelvin

      Hi Johnathan,

      I never used that in my lab environment but thanks for the heads up, I’ll bear that in mind.



  2. ISaac

    Seems this is dropping my account to read-only — where in ISE do I tell it based on my tacacs role that I want Admin on the FXOS gui?

    1. iwiizkiid

      You do this under the TACACS policies you create. You tie the created profile to the policy. The profile should contain the relevant AV pairs.
