Symptom
On FTD devices managed via FDM and correctly configured to allow SSH CLI access with RADIUS external authentication, CLI access is denied.
The first authentication succeeds as expected and the user receives the message:
"!!! New external username identified. Please log in again to start a session. !!!"
On the second attempt the session is closed immediately with the message:
"This account is currently not available".
Conditions
FDM is correctly configured to allow SSH CLI access to the FTD using a RADIUS server as the AAA method.
Only some software versions are affected.
GUI access, when correctly configured, works fine.
Workaround
Enter the CLI in expert mode and become root:
>expert
sudo su
Then manually create a line for the user in the /etc/passwd file.
The workaround does not let anyone who has never been locally authorized (that is, who has no local entry) log in, and authentication still goes through RADIUS: when a user is added, configuring a local password is not necessary because RADIUS handles it, and if the user is removed from RADIUS or is not authorized by it (wrong password or missing permissions), the login is rightfully denied.
The line to add to /etc/passwd has this format:
USERNAME:x:1001:201::/ngfw/Volume/home/USERNAME:/ngfw/usr/bin/clish
USERNAME is the login name of the user.
The numeric field after the "x" (1001 in the line above) is the user id; it must be unique per user and above 1000, so for additional users it should be assigned progressively as 1001, 1002, 1003, etc.
In addition to updating the /etc/passwd file, the /etc/shadow file must also be updated with the user information.
The line to add to /etc/shadow has this format:
USERNAME:!!:19543:0:10000:7:0::
where USERNAME is the login name of the user.
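As an added example (not part of this bug note and not Cisco code), the following POSIX shell script builds the two lines the workaround describes for a new user, choosing the next unused UID above 1000 from the existing passwd content instead of picking it by hand, and refusing to emit anything if the username is already present or is not a plain login name. The GID 201, the home directory prefix, the clish shell and the shadow field values are copied verbatim from the format given above; the sample passwd content is constructed for offline testing and is not taken from a device. Review the printed lines before appending them to the real files as root.

```shell
#!/bin/sh
# Added example: generate the /etc/passwd and /etc/shadow entries described in the
# workaround. Nothing here writes to the system files; it only prints the lines.

# Constructed sample of an existing /etc/passwd (root plus two users already added).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
admin:x:1000:201::/ngfw/Volume/home/admin:/ngfw/usr/bin/clish
alice:x:1001:201::/ngfw/Volume/home/alice:/ngfw/usr/bin/clish'

# next_uid PASSWD_CONTENT -> prints the lowest UID >= 1001 not already used.
next_uid() {
  uid=1001
  while printf '%s\n' "$1" | awk -F: -v u="$uid" '$3 == u { found=1 } END { exit (found ? 0 : 1) }'; do
    uid=$((uid + 1))
  done
  printf '%s\n' "$uid"
}

# user_exists PASSWD_CONTENT USERNAME -> exit 0 if a line for USERNAME already exists.
user_exists() {
  printf '%s\n' "$1" | awk -F: -v n="$2" '$1 == n { found=1 } END { exit (found ? 0 : 1) }'
}

# passwd_line USERNAME UID -> the /etc/passwd line in the format given in the workaround
# (GID 201, home under /ngfw/Volume/home, clish as the login shell).
passwd_line() {
  printf '%s:x:%s:201::/ngfw/Volume/home/%s:/ngfw/usr/bin/clish\n' "$1" "$2" "$1"
}

# shadow_line USERNAME -> the /etc/shadow line in the format given in the workaround.
# "!!" in the password field means no usable local password; RADIUS still authenticates.
shadow_line() {
  printf '%s:!!:19543:0:10000:7:0::\n' "$1"
}

# make_entries PASSWD_CONTENT USERNAME -> prints the passwd line, then the shadow line.
# Returns 1 without printing if the name is invalid or already present, so a duplicate
# entry (or a second entry with a clashing UID) is never produced.
make_entries() {
  case "$2" in
    ''|*[!a-z0-9_-]*) echo "invalid username: $2" >&2; return 1 ;;
  esac
  if user_exists "$1" "$2"; then
    echo "user $2 already present in passwd" >&2
    return 1
  fi
  uid=$(next_uid "$1")
  passwd_line "$2" "$uid"
  shadow_line "$2"
}

# Stand-alone run: show the entries that would be appended for a new user "bob".
make_entries "$SAMPLE_PASSWD" bob
```

On a real device the script would be run with the actual file contents, e.g. `make_entries "$(cat /etc/passwd)" bob`, and the two printed lines appended with `>>` to /etc/passwd and /etc/shadow respectively; never redirect with a single `>`, which would replace the whole file.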