Cisco Firepower Management Center 4000

FireSIGHT System User Guide
Chapter 48      Managing Users
Managing Authentication Objects
The Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865.
Note: Before enabling external authentication on Series 3 managed devices, remove any internally-authenticated shell users that have the same user name as externally-authenticated users included in your shell access filter.
When a user authenticated on a RADIUS server logs in for the first time, the user receives the roles specified for that user in the authentication object; if the user is not listed for any of the user roles, the user receives the default access role you selected in the authentication object, or, failing that, the default role from the system policy. You can modify a user's roles, if needed, unless the roles are granted through the user lists in the authentication object. Note that when a user authenticated on a RADIUS server using attribute matching attempts to log in for the first time, that login is rejected while the user account is created. The user must log in a second time.
The FireSIGHT System implementation of RADIUS supports the use of SecurID® tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that combined value as their password when they log into a Cisco appliance. As long as SecurID is configured correctly to authenticate users outside the FireSIGHT System, those users can log into a FireSIGHT System appliance using their PIN plus the SecurID token without any additional configuration on the appliance.
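As an added example (not code from the guide or from Cisco), the following Python builds the RFC 2865 Access-Request an appliance would send for a SecurID user, with the password formed as PIN followed by the token code and hidden under the shared secret as section 5.2 of the RFC specifies; the user name, PIN, token and shared secret are constructed values, and the decode side shows why the shared secret alone protects the passcode in transit.

```python
import hashlib
import os

ACCESS_REQUEST = 1                          # RFC 2865 packet code
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2   # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each chunk with
    MD5(secret + previous output chunk), the first chunk using the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()   # keyed only by the shared secret
        chunk = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out, prev = out + chunk, chunk
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server does to recover the passcode; trailing pad bytes removed."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        chunk = hidden[i:i + 16]
        out += bytes(a ^ b for a, b in zip(chunk, hashlib.md5(secret + prev).digest()))
        prev = chunk
    return out.rstrip(b"\x00")

def build_access_request(username: str, pin: str, token: str, secret: bytes,
                         identifier: int = 0) -> tuple[bytes, bytes]:
    """Access-Request for a SecurID user: password = PIN + token code. Returns (packet, authenticator)."""
    authenticator = os.urandom(16)                       # fresh Request Authenticator per packet
    passcode = (pin + token).encode()
    attrs = b""
    for attr_type, value in ((ATTR_USER_NAME, username.encode()),
                             (ATTR_USER_PASSWORD, hide_password(passcode, secret, authenticator))):
        attrs += bytes([attr_type, len(value) + 2]) + value      # Type, Length, Value
    header = bytes([ACCESS_REQUEST, identifier]) + (20 + len(attrs)).to_bytes(2, "big")
    return header + authenticator + attrs, authenticator

def parse_attributes(packet: bytes) -> dict[int, bytes]:
    # Walk the TLV attribute list that follows the 20-byte RADIUS header.
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")   # never loop or over-read
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs
```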
Creating RADIUS Authentication Objects
License: Any
When you create a RADIUS authentication object, you define settings that let you connect to an authentication server. You also grant user roles to specific and default users. If your RADIUS server returns custom attributes for any users you plan to authenticate, you must define those custom attributes. Optionally, you can also configure shell access authentication.
Note that to create an authentication object, you need TCP/IP access from your local appliance to the authentication server where you want to connect.
To create an authentication object:
Access: Admin
Step 1      Select System > Local > User Management.
The User Management page appears.
Step 2      Click the Login Authentication tab.
The Login Authentication page appears.
Step 3      Click Create Authentication Object.
The Create Authentication Object page appears.
Step 4      Identify the primary and backup authentication servers where you want to retrieve user data for external authentication and set timeout and retry values. For more information, see