Cisco Firepower Management Center 4000
48-15
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
When you create an authentication object, you define settings that let you connect to an authentication
server. You also select the directory context and search criteria you want to use to retrieve user data from
the server. Optionally, you can configure shell access authentication.
Make sure you have TCP/IP access from your local appliance to the authentication server where you
want to connect.
Although you can use the default settings for your server type to quickly set up a basic LDAP
configuration, you can also customize advanced settings to control whether the appliance makes an
encrypted connection to the LDAP server, the timeout for the connection, and which attributes the server
checks for user information.
For the LDAP-specific parameters, you can use LDAP naming standards and filter and attribute syntax.
For more information, see the RFCs listed in the Lightweight Directory Access Protocol (v3): Technical
Specification, RFC 3377. Examples of syntax are provided throughout this procedure. Note that when
you set up an authentication object to connect to a Microsoft Active Directory Server, you can use the
address specification syntax documented in the Internet RFC 822 (Standard for the Format of ARPA
Internet Text Messages) specification when referencing a user name that contains a domain. For
example, to refer to a user object, you might type
JoeSmith@security.example.com rather than the equivalent user distinguished name of
cn=JoeSmith,ou=security,dc=example,dc=com when using Microsoft Active Directory Server.
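The following is an added example, not text or code from this guide or from the FireSIGHT product. It shows the two user references the guide contrasts (the RFC 822 form and the distinguished name) being built from a typed login, and escapes the login according to RFC 4515 (search filters) and RFC 4514 (distinguished names) so that characters a user types cannot change the structure of the search request. The attribute names userPrincipalName, sAMAccountName and cn are assumptions about the directory schema, not settings taken from the guide.

```python
# Added example (not from the FireSIGHT guide or Cisco's code): builds the
# LDAP search filter and user DN that a user name template produces, escaping
# the login so filter and DN metacharacters stay literal text.

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
FILTER_SPECIALS = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}
# RFC 4514 section 2.4: characters escaped inside a DN attribute value
# ('=' is escaped here conservatively; it is permitted but not required).
DN_SPECIALS = set(',+"\\<>;=')


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(FILTER_SPECIALS.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a distinguished name (RFC 4514).

    Besides the special characters, a leading space or '#' and a trailing
    space must be escaped.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_SPECIALS or (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_search_filter(login: str, attribute: str = 'userPrincipalName') -> str:
    """Equality filter that matches exactly the typed login (assumed attribute
    userPrincipalName holds the RFC 822 form, e.g. JoeSmith@security.example.com)."""
    return f'({attribute}={escape_filter_value(login)})'


def build_user_dn(login: str, base_dn: str, rdn_attribute: str = 'cn') -> str:
    """DN form of the same user, e.g. cn=JoeSmith,ou=security,dc=example,dc=com."""
    return f'{rdn_attribute}={escape_dn_value(login)},{base_dn}'


if __name__ == '__main__':
    # Constructed inputs mirroring the guide's example user.
    print(build_search_filter('JoeSmith@security.example.com'))
    print(build_user_dn('JoeSmith', 'ou=security,dc=example,dc=com'))
    # A login containing a filter wildcard is matched literally, not as a pattern.
    print(build_search_filter('Joe*', 'sAMAccountName'))
```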
To create an advanced authentication object:
Access: Admin
Step 1 Select System > Local > User Management.
The User Management page appears.
Step 2 Click the Login Authentication tab.
The Login Authentication page appears.
Step 3 Click Create Authentication Object.
The Create Authentication Object page appears.
Step 4 Identify the authentication server where you want to retrieve user data for external authentication. For more information, see .
Step 5 Configure authentication settings to build a search request that retrieves the users you want to authenticate. Specify a user name template to format the user names that users enter on login. For more information, see
Step 6 Optionally, configure LDAP groups to use as the basis for default access role assignments. For more information, see .
Step 7 Optionally, configure authentication settings for shell access. For more information, see
Step 8 Test your configuration by entering the name and password for a user who can successfully authenticate. For more information, see
Your changes are saved. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see