Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 48 Managing Users
  Understanding Cisco User Authentication
Understanding Internal Authentication
License: Any
By default, the FireSIGHT System uses internal authentication to check user credentials when a user logs in. Internal authentication occurs when the user name and password are verified against records in the internal FireSIGHT System database. If you do not enable external authentication when you create a user, the user credentials are managed in the internal database.

Because you manually create each internally authenticated user, you set the access settings when you create the user and you do not need to set default settings.
Note: An internally authenticated user is converted to external authentication if you enable external authentication, the same user name exists for the user on the external server, and the user logs in using the password stored for that user on the external server. After an internally authenticated user converts to an externally authenticated user, you cannot revert to internal authentication for that user.
Understanding External Authentication
License: Any
External authentication occurs when the Defense Center or managed device retrieves user credentials from an external repository, such as an LDAP directory server or RADIUS authentication server. LDAP authentication and RADIUS authentication are types of external authentication. Note that you can only use one form of external authentication for an appliance.

If you want to use external authentication, you must configure an authentication object for each external authentication server where you want to request user information. The authentication object contains your settings for connecting to and retrieving user data from that server. You can then enable that object in a system policy on the managing Defense Center and apply the policy to an appliance to enable authentication. When any externally authenticated user logs in, the web interface checks each authentication server to see if that user is listed, in the order the servers are listed in the system policy.

When you create a user, you can specify whether that user is internally or externally authenticated.
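The login rules described above (servers checked in system-policy order, a single form of external authentication per appliance, and the one-way conversion of an internally authenticated user) as a small model, added here as an illustration and not Cisco's own code. It assumes that a login attempt is checked against the policy's external servers before the internal password; the user names, passwords and server names are constructed sample data.

```python
"""Model of the FireSIGHT login rules described above (added example, not Cisco
code). Assumption: the external servers in the policy are tried, in order, before
the internal password is checked."""
from dataclasses import dataclass, field


@dataclass
class ExternalServer:
    name: str    # hypothetical server name, e.g. an LDAP directory or RADIUS server
    kind: str    # "LDAP" or "RADIUS"; an appliance may use only one of them
    users: dict  # user name -> password held on the external server (constructed)


@dataclass
class Appliance:
    internal_users: dict                          # user name -> internal password
    external_users: set = field(default_factory=set)
    servers: list = field(default_factory=list)   # system-policy order
    audit: list = field(default_factory=list)     # conversion events worth logging

    def enable_external_auth(self, servers):
        """Apply a system policy listing the external servers, in order."""
        if len({s.kind for s in servers}) > 1:
            raise ValueError("only one form of external authentication per appliance")
        self.servers = list(servers)

    def login(self, user, password):
        """Return 'internal', the name of the external server that accepted, or None."""
        # Each server in the policy is checked, in policy order, for the user.
        for server in self.servers:
            if server.users.get(user) == password:
                if user in self.internal_users:
                    # Same name on the external server and the external password:
                    # the account converts and cannot revert to internal authentication.
                    del self.internal_users[user]
                    self.audit.append(f"{user} converted to external auth via {server.name}")
                self.external_users.add(user)
                return server.name
        if self.internal_users.get(user) == password:
            return "internal"
        return None
```

Because the conversion is irreversible, the audit list is the place a defender would want an event written before enabling external authentication on an appliance with existing internal accounts.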
Note: Before enabling external authentication on Series 3 managed devices, remove any internally-authenticated shell users that have the same user name as externally-authenticated users included in your shell access filter.
You can push a system policy to a managed device to enable external authentication on that device, but you cannot control the authentication object from the device’s web interface. The only configuration of external authentication on the device occurs when you select the type of authentication for a new user. If you want to disable external authentication on a managed device, disable it in the system policy on the managing Defense Center and reapply the policy to the device. If you apply a local system policy (created on the managed device) to the device itself, external authentication is also disabled.
Tip: You can use the Import/Export feature to export system policies. When you export a policy with external authentication enabled, the authentication objects are exported with the policy. You can then import the policy and object on another Defense Center. Do not import policies with authentication objects onto managed devices.