Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 48      Managing Users
  Managing Authentication Objects
If your RADIUS server returns values for attributes that are not included in the dictionary file in /etc/radiusclient/, and you plan to use those attributes to set user roles, you must define those attributes in the login authentication object. You can find the attributes returned for a user by looking at the user's profile on your RADIUS server.

When you define an attribute, you provide the attribute name, which consists of alphanumeric characters; separate words in the name with dashes rather than spaces. You also provide the attribute ID, which must be an integer and must not conflict with any existing attribute ID in the /etc/radiusclient/dictionary file, and the attribute type: string, IP address, integer, or date.
As an example, if a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool. To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-Assign-IP-Pool, an attribute ID of 218, and an attribute type of integer. You could then type Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only security analyst rights to all users whose Ascend-Assign-IP-Pool attribute has the value 2. The attribute name you type in a role field must match the name you defined for the custom attribute exactly; a filter on a name that is not defined cannot match any user.
When you create a RADIUS authentication object, a new dictionary file for that object is created on the FireSIGHT System appliance in the /var/sf/userauth directory. Any custom attributes you add to the authentication object are added to that dictionary file.
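The attribute definition and role filter described above, as an added example that is not code from the FireSIGHT System or from this guide: a small Python script that parses a constructed radiusclient-style dictionary excerpt, applies the guide's checks before adding a custom attribute (name syntax, integer ID, known type, no clash with an ID already in the dictionary), and evaluates an Ascend-Assign-IP-Pool=2 role filter against constructed user profiles. The dictionary excerpt, the user profiles and every function name are assumptions made for illustration; how the appliance itself stores the /var/sf/userauth dictionary and matches role filters is not shown here.

```python
"""Constructed example: custom RADIUS attributes and role filters.

Added illustration only; the dictionary excerpt, user profiles and helper
names below are made up and are not the appliance's own files or code.
"""
import re

# Constructed excerpt in the radiusclient dictionary format
# (ATTRIBUTE <name> <id> <type>); not the real /etc/radiusclient/dictionary.
SAMPLE_DICTIONARY = """\
# standard attributes (constructed sample)
ATTRIBUTE User-Name           1   string
ATTRIBUTE User-Password       2   string
ATTRIBUTE NAS-IP-Address      4   ipaddr
ATTRIBUTE Service-Type        6   integer
ATTRIBUTE Framed-IP-Address   8   ipaddr
ATTRIBUTE Class              25   string
"""

# The four attribute types the guide lets you choose from.
ATTR_TYPES = {"string", "ipaddr", "integer", "date"}
# Alphanumeric words separated by dashes, no spaces.
NAME_RE = re.compile(r"^[A-Za-z0-9]+(?:-[A-Za-z0-9]+)*$")


def parse_dictionary(text):
    """Parse ATTRIBUTE lines into {name: (id, type)}; other line kinds are skipped."""
    attrs = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0].upper() == "ATTRIBUTE":
            attrs[fields[1]] = (int(fields[2]), fields[3])
    return attrs


def define_custom_attribute(attrs, name, attr_id, attr_type):
    """Apply the guide's rules before adding: valid name, integer ID, known type,
    and no clash with an ID that another attribute already uses."""
    if not NAME_RE.match(name):
        raise ValueError(f"bad attribute name {name!r}: alphanumerics and dashes only")
    if not isinstance(attr_id, int) or isinstance(attr_id, bool) or attr_id <= 0:
        raise ValueError("attribute ID must be a positive integer")
    if attr_type not in ATTR_TYPES:
        raise ValueError(f"unknown attribute type {attr_type!r}")
    for other, (other_id, _) in attrs.items():
        if other_id == attr_id and other != name:
            raise ValueError(f"ID {attr_id} already used by {other}")
    attrs[name] = (attr_id, attr_type)
    return attrs


def dictionary_line(name, attr_id, attr_type):
    """The dictionary line that declares this attribute."""
    return f"ATTRIBUTE {name} {attr_id} {attr_type}"


def matches_filter(attrs, filter_text, user_attrs):
    """Evaluate one 'Name=value' role filter against a user's returned attributes.
    Integer attributes compare numerically, everything else as an exact string."""
    name, sep, wanted = filter_text.partition("=")
    name, wanted = name.strip(), wanted.strip()
    if not sep or not name:
        raise ValueError(f"filter must look like Name=value, got {filter_text!r}")
    if name not in attrs:
        raise KeyError(f"{name} is not in the dictionary; define it as a custom attribute first")
    returned = user_attrs.get(name)
    if returned is None:
        return False  # server did not return the attribute for this user: no match
    if attrs[name][1] == "integer":
        return int(returned) == int(wanted)
    return str(returned) == wanted


def assign_roles(attrs, role_filters, user_attrs):
    """Return the roles whose filter the user satisfies (assumed: one filter per role)."""
    return [role for role, flt in role_filters.items() if matches_filter(attrs, flt, user_attrs)]


def run_example():
    attrs = parse_dictionary(SAMPLE_DICTIONARY)
    define_custom_attribute(attrs, "Ascend-Assign-IP-Pool", 218, "integer")
    roles = {"Security Analyst (Read Only)": "Ascend-Assign-IP-Pool=2"}
    # Constructed user profiles, shaped like attribute sets a RADIUS server might return.
    alice = {"User-Name": "alice", "Ascend-Assign-IP-Pool": "2"}
    bob = {"User-Name": "bob", "Ascend-Assign-IP-Pool": "3"}
    carol = {"User-Name": "carol"}  # attribute not returned at all
    return {
        "line": dictionary_line("Ascend-Assign-IP-Pool", 218, "integer"),
        "alice": assign_roles(attrs, roles, alice),
        "bob": assign_roles(attrs, roles, bob),
        "carol": assign_roles(attrs, roles, carol),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Two behaviours worth noticing: matches_filter raises KeyError for an attribute name that is not in the dictionary, which is the situation the text above tells you to avoid by defining the attribute in the authentication object, and a user for whom the server returns no value for the attribute simply receives no role rather than an error. The ID-clash check is what keeps a custom attribute from silently shadowing a standard one such as Class (25) in the sample.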
To define a custom attribute:

Access: Admin

Step 1  Click the arrow to expand the Define Custom RADIUS Attributes section.
        The attribute fields appear.
Step 2  Type an attribute name consisting of alphanumeric characters and dashes, with no spaces, in the Attribute Name field.
Step 3  Type the attribute ID, as an integer, in the Attribute ID field.
Step 4  Select the type of attribute from the Attribute Type drop-down list.
Step 5  Click Add to add the custom attribute to the authentication object.

Tip     You can remove a custom attribute from an authentication object by clicking Delete next to the attribute.

Step 6  Continue with Testing User Authentication.
Testing User Authentication

License: Any

After you configure the RADIUS connection, user role, and custom attribute settings, you can specify credentials for a user who should be able to authenticate, in order to test those settings. For the user name, enter the user name of the user you want to test with.

Note that testing the connection to servers with more than 1000 users returns only 1000 users because of UI page size limitations.