Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 48  Managing Users
Managing Authentication Objects
To configure default roles based on group membership:
Access: Admin
Step 1
On the Create Authentication Object page, click the down arrow next to Group Controlled Access Roles.
The section expands.
Step 2
Optionally, configure access defaults by group membership.
In the DN fields that correspond to FireSIGHT System user roles, type the distinguished name for the LDAP groups that contain users who should be assigned to those roles.
For example, you might type the following in the Administrator field to authenticate names in the information technology organization at the Example company:
cn=itgroup,ou=groups,dc=example,dc=com
For more information on user access roles, see
Step 3
From the Default User Role list, select the default minimum access role for users that do not belong to any of the specified groups.
Tip
Press the Ctrl key while clicking role names to select multiple roles.
Step 4
If you used static groups, in the Group Member Attribute field, type the LDAP attribute that designates membership in a static group.
For example, if the member attribute is used to indicate membership in the static group you reference for default Security Analyst access, type member.
Step 5
If you used dynamic groups, in the Group Member URL Attribute field, type the LDAP attribute that contains the LDAP search string used to determine membership in a dynamic group.
For example, if the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, type memberURL.
Step 6
Continue with Configuring Administrative Shell Access.
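The following Python model is added here as an illustration and is not part of the Cisco guide or the FireSIGHT software. It shows how the settings from Steps 2 through 5 fit together when a user is evaluated: a role's DN is checked as a static group through the Group Member Attribute, then as a dynamic group through the LDAP URL in the Group Member URL Attribute, and a user matching no group falls back to the Default User Role. The directory contents, the default role name, and the minimal LDAP URL and filter parsing are constructed assumptions, and the real appliance's evaluation order is not documented on this page.

```python
import re

# Constructed sample directory standing in for the LDAP server (not real data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice", "department": "security"},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": "bob", "department": "it"},
    "uid=carol,ou=people,dc=example,dc=com": {"uid": "carol", "department": "finance"},
    # Static group: members listed in the "member" attribute (Group Member Attribute).
    "cn=itgroup,ou=groups,dc=example,dc=com": {"member": ["uid=bob,ou=people,dc=example,dc=com"]},
    # Dynamic group: members defined by an LDAP URL in "memberURL" (Group Member URL Attribute).
    "cn=analysts,ou=groups,dc=example,dc=com": {
        "memberURL": ["ldap:///ou=people,dc=example,dc=com??sub?(department=security)"]},
}
# Role -> group DN, as typed into the Group Controlled Access Roles DN fields.
ROLE_GROUPS = {"Administrator": "cn=itgroup,ou=groups,dc=example,dc=com",
               "Security Analyst": "cn=analysts,ou=groups,dc=example,dc=com"}
DEFAULT_ROLE = "Default Role (placeholder)"  # assumed selection from the Default User Role list
GROUP_MEMBER_ATTR, GROUP_MEMBER_URL_ATTR = "member", "memberURL"
# ldap:///<base>?<attrs>?<scope>?<filter>; only a single equality filter is handled here.
_URL_RE = re.compile(r"^ldap:///([^?]*)\?[^?]*\?[^?]*\?(.*)$")
_EQ_FILTER_RE = re.compile(r"^\(([^=()]+)=([^()]*)\)$")

def is_static_member(user_dn, group):
    # Case-insensitive DN match against the group's member attribute.
    return user_dn.lower() in (m.lower() for m in group.get(GROUP_MEMBER_ATTR, []))

def matches_member_url(user_dn, user_attrs, url):
    # User must sit under the URL's base DN (scope treated as sub) and satisfy the filter;
    # unsupported URL forms never match, so the check fails closed.
    m = _URL_RE.match(url)
    if not m or not user_dn.lower().endswith(m.group(1).lower()):
        return False
    f = _EQ_FILTER_RE.match(m.group(2))
    return bool(f) and user_attrs.get(f.group(1), "").lower() == f.group(2).lower()

def resolve_roles(user_dn):
    # Roles granted to an authenticated user, or the default role when no group matches;
    # None when the user has no directory entry at all.
    user = DIRECTORY.get(user_dn)
    if user is None:
        return None
    roles = [role for role, group_dn in ROLE_GROUPS.items()
             if is_static_member(user_dn, DIRECTORY.get(group_dn, {}))
             or any(matches_member_url(user_dn, user, u)
                    for u in DIRECTORY.get(group_dn, {}).get(GROUP_MEMBER_URL_ATTR, []))]
    return roles or [DEFAULT_ROLE]
```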
Configuring Administrative Shell Access
License: Any
You can also use the LDAP server to authenticate accounts for shell access on your managed device or Defense Center. Specify a search filter that retrieves entries for users you want to grant shell access. Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see
Note
Cisco does not support external authentication for virtual devices or Sourcefire Software for X-Series. In addition, IPv6 is not supported for shell access authentication.
With the exception of the admin account, shell access is controlled entirely through the shell access attribute you set. The shell access filter you set determines which set of users on the LDAP server can log into the shell.