Cisco Firepower Management Center 4000
FireSIGHT System User Guide, page 48-15
Chapter 48      Managing Users
Managing Authentication Objects
When you create an authentication object, you define the settings the appliance uses to connect to an authentication server, and you select the directory context (base DN) and the search criteria used to retrieve user data from that server. Optionally, you can also configure shell access authentication.
Make sure the local appliance has TCP/IP access to the authentication server you want to connect to (by default, TCP port 389 for LDAP and TCP port 636 for LDAP over SSL/TLS).
Although the default settings for your server type let you set up a basic LDAP configuration quickly, you can also customize advanced settings to control whether the appliance makes an encrypted connection to the LDAP server, the timeout for the connection, and which attributes the server checks for user information. Note that on an unencrypted connection, the credentials the appliance binds with and the passwords of the users who log in through this object cross the network in cleartext, so enable the encrypted connection whenever the LDAP server supports it.
For the LDAP-specific parameters, you can use standard LDAP naming, filter, and attribute syntax. For more information, see the RFCs listed in the Lightweight Directory Access Protocol (v3): Technical Specification, RFC 3377 (since superseded by RFC 4510). Examples of the syntax are provided throughout this procedure. Note that when you set up an authentication object to connect to a Microsoft Active Directory server, you can use the address syntax documented in RFC 822 (Standard for the Format of ARPA Internet Text Messages, since superseded by RFC 5322) when referencing a user name that includes a domain. For example, with Microsoft Active Directory you can refer to a user object as JoeSmith@security.example.com rather than by the equivalent user distinguished name cn=JoeSmith,ou=security,dc=example,dc=com. Other LDAP servers expect the distinguished name form.
To create an advanced authentication object:
Access: Admin
Step 1 Select System > Local > User Management.
The User Management page appears.
Step 2 Click the Login Authentication tab.
The Login Authentication page appears.
Step 3 Click Create Authentication Object.
The Create Authentication Object page appears.
Step 4 Identify the authentication server from which you want to retrieve user data for external authentication. For more information, see the related topic in this guide.
Step 5 Configure the authentication settings that build the search request used to retrieve the users you want to authenticate, and specify a user name template that formats the user names users enter at login. For more information, see the related topic in this guide.
Step 6 Optionally, configure LDAP groups to use as the basis for default access role assignments. For more information, see the related topic in this guide.
Step 7 Optionally, configure authentication settings for shell access. For more information, see the related topic in this guide.
Step 8 Test your configuration by entering the user name and password of a user who should be able to authenticate successfully. For more information, see the related topic in this guide.
Your changes are saved. Remember that you must apply a system policy with the object enabled to an appliance before the authentication changes take effect on that appliance. For more information, see the related topic in this guide.
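The search request that Step 5 describes is where the name a user types at login meets the filter and naming syntax introduced at the start of this section. The following added example is not code from this guide or from the FireSIGHT product; it illustrates how such a search is assembled with the escaping that RFC 4515 (filters) and RFC 4514 (distinguished names) require, so that a login name such as *)(objectClass=* cannot widen the filter. The %s placeholder in the user name template, the attribute names uid and userPrincipalName, and the base DNs are assumptions chosen for illustration.

```python
"""Build the LDAP search issued for a login name, with proper escaping.

Added illustration, not FireSIGHT code. Assumptions: the user name template
uses %s for the name the user typed, uid / userPrincipalName are the
attributes searched, and the base DNs are made up for the example.
"""

from typing import Dict

# RFC 4515 section 3: characters that must be hex-escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# RFC 4514 section 2.4: characters that must be backslash-escaped in an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_filter_value(value: str) -> str:
    """Escape a value that will be embedded in a search filter assertion."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """Escape a value that will be embedded in a distinguished name."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append(r"\00")
        elif ch in _DN_SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def apply_template(login: str, template: str) -> str:
    """Substitute the (already escaped) login into a user name template.

    Exactly one %s is required; otherwise the search would silently ignore
    what the user typed.
    """
    if template.count("%s") != 1:
        raise ValueError("user name template must contain exactly one %s")
    return template.replace("%s", login)


def build_search(login: str, base_dn: str, user_attribute: str = "uid",
                 template: str = "%s") -> Dict[str, str]:
    """Return the base DN, scope and filter of the search for this login."""
    name = apply_template(escape_filter_value(login), template)
    return {
        "base": base_dn,
        "scope": "subtree",
        "filter": f"({user_attribute}={name})",
    }


def user_dn(login: str, context_dn: str, naming_attribute: str = "cn") -> str:
    """Form the DN of a user object directly below the directory context."""
    return f"{naming_attribute}={escape_dn_value(login)},{context_dn}"


if __name__ == "__main__":
    # Generic LDAP server: the login fills a uid= assertion under the base DN.
    print(build_search("JoeSmith", "dc=example,dc=com"))
    # Active Directory: the RFC 822 style name from the guide, built by a template.
    print(build_search("JoeSmith", "dc=example,dc=com", "userPrincipalName",
                       "%s@security.example.com"))
    # A hostile login name is neutralised instead of rewriting the filter.
    print(build_search("*)(objectClass=*", "dc=example,dc=com"))
    # The DN form of the user from the guide, and one that needs escaping.
    print(user_dn("JoeSmith", "ou=security,dc=example,dc=com"))
    print(user_dn("Smith, Joe", "ou=security,dc=example,dc=com"))
```

The escaping is applied to the login before it is placed in the template, so a template such as %s@security.example.com still yields the RFC 822 style name for an ordinary user, while metacharacters in a malicious name arrive at the server as literal bytes rather than filter syntax.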