Cisco Firepower Management Center 4000
35-40
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Obtaining User Data from LDAP Servers
authentication object, contains connection settings and authentication filter settings for the server. The
connection’s user and group access control parameters specify the users and groups you can use in access
control rules.
Note
If you want to perform user control, you must use Microsoft Active Directory. The system uses User
Agents running on Active Directory servers to associate users with IP addresses, which is what allows
access control rules to trigger.
Note that you can also create authentication objects to manage external authentication to the FireSIGHT
System’s web interface; see . Those objects are similar to
the authentication objects you create for user control, and you configure them in a similar way.
After you create an LDAP connection for user control, the Defense Center queries the LDAP server on
a schedule that you specify. If you add new users or remove users from the LDAP server, you must wait
until the Defense Center performs its scheduled update for those changes to take effect for access
control. Alternatively, you can perform an on-demand query.
The Defense Center-LDAP server connection also allows you to retrieve metadata for users, both
access-controlled and non-access-controlled, whose logins were detected by User Agents, as well as for
certain users whose activity was detected directly by managed devices. The Defense Center regularly
queries the LDAP server to obtain metadata for new LDAP, POP3, and IMAP users whose activity was
detected since the last query. If a user already exists in the Defense Center’s Users database, the Defense
Center updates the metadata if it has not been updated in the last 12 hours.
The Defense Center uses the email addresses in POP3 and IMAP logins to correlate with users on the
LDAP server. For example, if a managed device detects a POP3 login for a user with the same email
address as an LDAP user, the Defense Center associates the LDAP user’s metadata with that user. Note
that it may take several minutes for the Defense Center to update with user metadata after the system
detects a new user login.
The Defense Center obtains the following information and metadata about each user:
• LDAP user name
• first and last name
• email address
• department
• telephone number
Note
If you remove a user that has been detected by the system from your LDAP servers, the Defense Center
does not remove that user from its users database; you must manually delete it. However, your LDAP
changes are reflected in access control rules when the Defense Center next updates its list of
access-controlled users.
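The refresh behavior described above (email-based correlation of POP3/IMAP logins, the 12-hour metadata age check, and the fact that users removed from LDAP stay in the Users database) is modeled in this added Python example. It is not Cisco code; the directory contents, login events and Users database are constructed stand-ins.

```python
from datetime import datetime, timedelta

REFRESH_AGE = timedelta(hours=12)  # existing metadata is re-queried only after this

# Constructed stand-in for the LDAP server's directory, keyed by email address.
LDAP_DIRECTORY = {
    "alice@example.com": {"username": "alice", "name": "Alice Ng", "department": "Eng"},
    "bob@example.com": {"username": "bob", "name": "Bob Lee", "department": "Finance"},
    "dave@example.com": {"username": "dave", "name": "Dave Cho", "department": "Sales"},
}

def scheduled_query(users_db, logins, directory, now):
    """One scheduled Defense Center query. users_db maps email ->
    {"metadata": dict|None, "updated": datetime|None}; logins are
    (protocol, identifier) pairs detected since the last query (email for
    POP3/IMAP, user name for LDAP). Returns the emails (re)loaded, in order."""
    by_username = {e["username"]: email for email, e in directory.items()}
    refreshed = []
    for protocol, ident in logins:
        # POP3/IMAP logins are correlated with LDAP users by email address;
        # LDAP logins carry a user name that is resolved through the directory.
        email = ident if protocol in ("POP3", "IMAP") else by_username.get(ident)
        if email is None:
            continue  # user name no longer resolvable in the directory
        record = users_db.setdefault(email, {"metadata": None, "updated": None})
        if email not in directory:
            continue  # removed from LDAP: kept in the Users database, nothing to fetch
        stale = record["updated"] is None or now - record["updated"] >= REFRESH_AGE
        if stale:
            record["metadata"] = dict(directory[email])
            record["updated"] = now
            refreshed.append(email)
    return refreshed

def demo():
    """Constructed run: a 13-hour-old record, a 1-hour-old one, a user removed
    from LDAP, and a brand-new IMAP user. Returns (refreshed, users_db)."""
    now = datetime(2024, 1, 1, 12, 0)
    users_db = {
        "alice@example.com": {"metadata": None, "updated": now - timedelta(hours=13)},
        "bob@example.com": {"metadata": dict(LDAP_DIRECTORY["bob@example.com"]),
                            "updated": now - timedelta(hours=1)},
        "carol@example.com": {"metadata": {"username": "carol"}, "updated": None},
    }
    logins = [("POP3", "alice@example.com"), ("LDAP", "bob"),
              ("IMAP", "carol@example.com"), ("IMAP", "dave@example.com")]
    return scheduled_query(users_db, logins, LDAP_DIRECTORY, now), users_db
```

Running `demo()` refreshes only alice (stale) and dave (new); bob is skipped as recently updated, and carol remains in the database without LDAP metadata.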
For more information, see:
•
•
Preparing to Connect to an LDAP Server
License: FireSIGHT