Cisco Firepower Management Center 4000
35-42
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Obtaining User Data from LDAP Servers
Server Type, IP Address, and Port
You must specify the server type, IP address or hostname, and port for a primary, and optionally a
backup, LDAP server. If you want to perform user control, you must use a Microsoft Active Directory
server.
LDAP-Specific Parameters
When the Defense Center searches the LDAP directory server to retrieve user information on the
authentication server, it needs a starting point for that search. You can specify the namespace, or
directory tree, that the local appliance should search by providing a base distinguished name, or base
DN. Typically, the base DN has a basic structure indicating the company domain and operational unit.
For example, the Security organization of the Example company might have a base DN of
ou=security,dc=example,dc=com. Note that after you identify a primary server, you can automatically
retrieve a list of available base DNs from the server and select the appropriate base DN.
You must supply user credentials for a user with appropriate rights to the user information you want to
retrieve. Remember that the distinguished name for the user you specify must be unique to the directory
information tree for the directory server.
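The base DN and bind-user DN above follow the distinguished name syntax of RFC 4514. The script below is added here to show how those strings are parsed, normalized and compared; it is not part of the FireSIGHT System or this guide, does not contact a directory server, and the DNs it handles are constructed for the example. It shows that comparisons ignore the case of attribute types and of cn/ou/dc values, that commas inside a value must be escaped, and how to test whether a user DN lies beneath a chosen base DN (which is what a search rooted at that base DN can reach).

```python
"""Parse, normalize and compare LDAP distinguished names (RFC 4514).
Illustrative code only; it does not talk to a directory server."""
import re

_HEXPAIR = re.compile(r"[0-9A-Fa-f]{2}")
_SPECIAL = set(',+"\\<>;')


def parse_dn(dn):
    """Split a DN into RDNs, leaf first. Each RDN is a sorted tuple of
    (attribute_type, value) pairs so that multi-valued RDNs such as
    cn=a+sn=b compare equal in either order. Attribute types are
    lower-cased; backslash escapes (\\, and \\2C) are decoded.
    Unescaped whitespace around values is dropped (a simplification:
    an escaped trailing space is dropped as well)."""
    rdns, pairs, buf, attr = [], [], [], None
    i, n = 0, len(dn)
    while i < n:
        c = dn[i]
        if c == "\\":
            if _HEXPAIR.fullmatch(dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))  # \2C -> ','
                i += 3
            elif i + 1 < n:
                buf.append(dn[i + 1])                       # \, -> ','
                i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif c in ",+":
            if attr is None:
                raise ValueError("RDN without '=' at offset %d" % i)
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
            if c == ",":
                rdns.append(tuple(sorted(pairs)))
                pairs = []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError("DN ends with an empty RDN")
    pairs.append((attr, "".join(buf).strip()))
    rdns.append(tuple(sorted(pairs)))
    return rdns


def _normalized(dn):
    """RDN list with values lower-cased for comparison: cn, ou and dc use
    caseIgnoreMatch in Active Directory and most LDAP schemas."""
    return [tuple((t, v.lower()) for t, v in rdn) for rdn in parse_dn(dn)]


def dn_equal(a, b):
    return _normalized(a) == _normalized(b)


def is_within_base(dn, base_dn):
    """True if dn equals base_dn or lies beneath it, i.e. a search rooted
    at base_dn can find it. Only the trailing RDNs are compared."""
    d, b = _normalized(dn), _normalized(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def escape_value(value):
    """Escape an attribute value for embedding in a DN string (RFC 4514 2.4)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (i == 0 and ch in " #") or (i == last and ch == " "):
            out.append("\\" + ch)
        elif ord(ch) < 0x20:
            out.append("\\%02X" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def base_dn_for(domain, *ous):
    """Build a base DN from a DNS domain and OU names, leaf OU first:
    base_dn_for("example.com", "security") -> ou=security,dc=example,dc=com"""
    parts = ["ou=" + escape_value(ou) for ou in ous]
    parts += ["dc=" + escape_value(label) for label in domain.split(".")]
    return ",".join(parts)


if __name__ == "__main__":
    base = base_dn_for("example.com", "security")
    for user in ("cn=Doe\\, John,ou=security,dc=example,dc=com",
                 "CN=svc-fmc,OU=Finance,DC=example,DC=com"):
        print(user, "->", "in scope" if is_within_base(user, base) else "out of scope")
```

A bind user whose DN sits outside the base DN can still authenticate, but the search for user and group data starts at the base DN, so pick the base DN that contains the groups you will include and use `escape_value` whenever an OU or CN contains a comma or plus sign.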
You can also specify an encryption method for the LDAP connection. Note that if you are using a
certificate to authenticate, the name of the LDAP server in the certificate must match the host name that
you specified in the Defense Center web interface. For example, if you use
10.10.10.250 when configuring the LDAP connection but computer1.example.com in the certificate, the
connection fails.
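The name check that causes that failure is the standard TLS server identity check: the host string from the connection settings is compared against the names the certificate carries. The script below is added here to illustrate that rule and is not FireSIGHT code; the certificate fields in it are constructed, shaped the way Python's `ssl` module returns them from `getpeercert()`. An IP address is only ever matched against an IP Address subjectAltName, never against the common name, which is why 10.10.10.250 does not match a certificate issued to computer1.example.com. `verify_ldaps` (optional, needs network access) performs the same check live against a server.

```python
"""Match the host configured for an LDAP connection against the names in
the server certificate. Illustrative code only."""
import ipaddress
import socket
import ssl


def _dns_match(pattern, host):
    """RFC 6125-style comparison: case-insensitive, and a wildcard is
    allowed only as the entire leftmost label, so *.example.com matches
    ldap1.example.com but not a.b.example.com or example.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]


def _ip_match(san_value, ip):
    try:
        return ipaddress.ip_address(san_value) == ip
    except ValueError:
        return False


def cert_name_matches(configured_host, cert):
    """cert has the shape ssl.SSLSocket.getpeercert() returns:
    {"subject": ((("commonName", "x"),),),
     "subjectAltName": (("DNS", "x"), ("IP Address", "10.0.0.1"))}.
    An IP address in the connection settings matches only an IP SAN,
    never the common name; a hostname matches DNS SANs, or the CN only
    when the certificate carries no DNS SAN at all (legacy fallback)."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and _ip_match(val, ip) for kind, val in san)
    dns_names = [val for kind, val in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(name, configured_host) for name in dns_names)
    common_names = [val for rdn in cert.get("subject", ())
                    for key, val in rdn if key == "commonName"]
    return any(_dns_match(cn, configured_host) for cn in common_names)


# Constructed certificate fields for the server named in the text above.
LDAP_SERVER_CERT = {
    "subject": ((("commonName", "computer1.example.com"),),),
    "subjectAltName": (("DNS", "computer1.example.com"),),
}


def verify_ldaps(host, port=636, cafile=None, timeout=5):
    """Live check: open a TLS connection with hostname verification on,
    as a client validating the server certificate would. Returns "ok" or
    the verification failure text. cafile is the CA that issued the LDAP
    server certificate; None uses the system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "certificate verification failed: %s" % exc.verify_message


if __name__ == "__main__":
    for host in ("10.10.10.250", "computer1.example.com"):
        print(host, "->", "matches" if cert_name_matches(host, LDAP_SERVER_CERT) else "fails")
```

Two fixes are possible when the check fails: configure the LDAP server by the hostname that appears in the certificate, or reissue the server certificate with an IP Address subjectAltName for the address you configure. Switching off the name check is not one of them, since it is what ties the certificate to the server you intended to reach.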
Finally, you must specify the timeout period after which attempts to contact an unresponsive LDAP
server roll over to the backup connection.
User and Group Access Control Parameters
If you enable an authentication object for user awareness, you must specify the groups you want to use
in access control.
Including a group automatically includes all of that group’s members, including members of any
sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly
include the sub-group. You can also exclude groups and individual users. Excluding a group excludes all
the members of that group, even if the users are members of an included group.
The maximum number of users you can use in access control depends on your FireSIGHT license. When
choosing which users and groups to include, make sure the total number of users is less than your
FireSIGHT user license.
Note
If you do not specify any groups to include, the system retrieves user data for all the groups that
match the LDAP parameters you provided. For performance reasons, Cisco recommends that
you explicitly include only the groups that represent the users you want to use in access control.
Note that you cannot include the Users or Domain Users groups.
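The include and exclude rules above determine both which users the Defense Center retrieves and how many count against the user license. The script below is added here to make those rules concrete; it is not FireSIGHT code. The directory, group names and user names in it are constructed, and it assumes that with no include groups every group in that directory is treated as included, which is how the note above describes the default.

```python
"""Resolve which users an authentication object selects from its include
and exclude settings. Illustrative code only; the directory is constructed."""

# Constructed directory: group -> (direct user members, direct sub-groups).
DIRECTORY = {
    "Domain Users": ({"alice", "bob", "carol", "dave", "erin"}, set()),
    "Engineering": ({"alice", "bob"}, {"Security"}),
    "Security": ({"carol"}, {"Red Team"}),
    "Red Team": ({"dave"}, set()),
    "Contractors": ({"erin", "dave"}, set()),
}

# Groups the text says cannot be included.
NOT_INCLUDABLE = {"Users", "Domain Users"}


def members_of(group, directory, _seen=None):
    """Every user in group, including members of nested sub-groups.
    Cycle-safe: Active Directory allows group A in B and B in A."""
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users, subgroups = directory[group]
    result = set(users)
    for sub in subgroups:
        result |= members_of(sub, directory, seen)
    return result


def resolve_users(directory, include_groups=(), exclude_groups=(), exclude_users=()):
    """Users the authentication object retrieves:
    - the explicit include groups, or (assumed) every group in the
      directory when none are given;
    - members of an included group's sub-groups come along automatically;
    - excluded groups and users are removed even if they are also included."""
    bad = NOT_INCLUDABLE & set(include_groups)
    if bad:
        raise ValueError("cannot include %s" % ", ".join(sorted(bad)))
    included = set(include_groups) or set(directory)
    selected = set()
    for group in included:
        selected |= members_of(group, directory)
    excluded = set(exclude_users)
    for group in exclude_groups:
        excluded |= members_of(group, directory)
    return selected - excluded


def groups_usable_in_rules(include_groups):
    """Only explicitly included groups can be named in access control
    rules; a sub-group reached through its parent contributes members
    but is not itself selectable until it is included as well."""
    return set(include_groups)


def fits_license(users, licensed_users):
    """True when the selection does not exceed the FireSIGHT user license."""
    return len(users) <= licensed_users


if __name__ == "__main__":
    chosen = resolve_users(DIRECTORY, include_groups=["Engineering"],
                           exclude_groups=["Contractors"])
    print("retrieved users:", sorted(chosen))
    print("groups usable in rules:", sorted(groups_usable_in_rules(["Engineering"])))
    print("fits a 4-user license:", fits_license(chosen, 4))
```

Including Engineering pulls in carol (Security) and dave (Red Team) through the nested groups, excluding Contractors removes dave again even though Engineering still includes him, and neither Security nor Red Team can be named in an access control rule until it is included explicitly.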
You must also specify how often the Defense Center queries the LDAP server to obtain new users to use
in access control.
To create an LDAP connection for user control:
Access: Admin/Discovery Admin
Step 1
Select Policies > Users.
The Users Policy page appears.