Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
You can populate several fields using default values based on the server type you plan to connect to.
Default values propagate the User Name Template, UI Access Attribute, Shell Access Attribute, Group
Member Attribute, and Group Member URL Attribute fields when you select a server type and set
defaults.
Setting a Base DN
License:
Any
When the local appliance searches the LDAP server to retrieve user information on the authentication
server, it needs a starting point for that search. You can specify the tree that the local appliance should
search by providing a base distinguished name, or base DN.
Typically, the base DN has a basic structure indicating the company domain and organizational unit. For
example, the Security organization of the Example company might have a base DN of
ou=security,dc=example,dc=com.
After you identify a primary server, you can automatically retrieve a list of available base DNs from it
and select the appropriate base DN.
Setting a Base Filter
License:
Any
You can add a base filter that sets a specific value for a specific attribute. The base filter focuses your
search by only retrieving objects in the base DN that have the attribute value set in the filter. Enclose the
base filter in parentheses. For example, to filter for only users with a common name starting with F, use
the filter (cn=F*).
To test your base filter more specifically by entering a test user name and password, see
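The following is an added example, not code from the FireSIGHT System or this guide. It shows how a base DN and a parenthesised base filter such as (cn=F*) combine into the search an LDAP client performs for one user, and why the user-supplied part of the filter must be escaped (RFC 4515) so that a login name containing "*", "(" or ")" cannot widen the search. The function and attribute names, the simple RDN syntax check, and the assumption that the base filter is AND-ed with the user lookup are this example's own, not the appliance's documented internals.

```python
"""Compose the LDAP search implied by an authentication object's Base DN,
Base Filter and UI Access Attribute fields.

Added example; not FireSIGHT code. Function names and the AND-composition of
the base filter with the per-user lookup are assumptions for illustration."""
import re

# A base DN is a comma-separated list of attr=value RDNs, e.g.
# ou=security,dc=example,dc=com. Multi-valued RDNs (a+b=...) are not handled.
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")


def validate_base_dn(base_dn: str) -> bool:
    """Return True if every comma-separated component looks like attr=value."""
    parts = [p.strip() for p in base_dn.split(",")]
    return len(parts) > 0 and all(_RDN.match(p) for p in parts)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: metacharacters become \\XX hex escapes so a
    user-supplied value is matched literally instead of parsed as filter."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_search_filter(base_filter: str, ui_access_attribute: str, username: str) -> str:
    """Combine the operator-configured base filter with the lookup for one
    user name. The base filter is trusted configuration and used as-is (it
    must already be enclosed in parentheses); only the user name is escaped."""
    if base_filter and not (base_filter.startswith("(") and base_filter.endswith(")")):
        raise ValueError("base filter must be enclosed in parentheses")
    user_term = "(%s=%s)" % (ui_access_attribute, escape_filter_value(username))
    if not base_filter:
        return user_term
    return "(&%s%s)" % (base_filter, user_term)


if __name__ == "__main__":
    base_dn = "ou=security,dc=example,dc=com"       # constructed sample
    assert validate_base_dn(base_dn)
    # A hostile login name: without escaping it would match every entry.
    print(user_search_filter("(cn=F*)", "uid", "*)(uid=*"))
```

Running the module prints (&(cn=F*)(uid=\2a\29\28uid=\2a)), i.e. the injected metacharacters are matched literally. The base filter itself is not escaped because it is operator configuration; a filter without enclosing parentheses is rejected rather than silently wrapped.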
Selecting an Impersonation Account
License:
Any
To allow the local appliance to access the user objects, you must supply user credentials for an
impersonation account. The impersonation account is a user account with appropriate rights to browse
the directory named by the base DN and retrieve the user objects you want to retrieve. Remember that
the distinguished name for the user you specify must be unique to the tree for the server.
Encrypting Your LDAP Connection
License:
Any
You can manage the encryption method for your LDAP connection. You can choose no encryption,
Transport Layer Security (TLS), or Secure Sockets Layer (SSL) encryption. With no encryption, the
impersonation account's credentials and every user object the appliance retrieves cross the network in
cleartext, so select TLS or SSL wherever the LDAP server supports it.
Note that if you are using a certificate to authenticate when connecting via TLS or SSL, the name of the
LDAP server in the certificate must match the name that you use in the Host Name/IP Address field. For
example, if you enter 10.10.10.250 in the authentication profile and computer1.example.com in the
certificate, the connection fails. Changing the name of the server in the authentication profile to
computer1.example.com causes the connection to succeed.
Note that if you change the encryption method after specifying the port, the port resets to the default
value for the selected server type.
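The following is an added example, not code from the FireSIGHT System or this guide, of the name check that makes the 10.10.10.250 versus computer1.example.com case above fail. It assumes the names have already been pulled out of the server certificate (DNS and IP subject alternative names, or the subject CN on older certificates) and applies the usual rule that a configured IP address only matches an IP entry while a host name matches a DNS entry, with a wildcard allowed in the leftmost label only (RFC 6125). The function names and the sample certificate names are constructed for illustration; the appliance's own matching code is not shown in the guide.

```python
"""Does the value configured in Host Name/IP Address match the LDAP server's
certificate? Added example, not FireSIGHT code; certificate names below are
constructed sample data already extracted from a certificate."""
import ipaddress


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive DNS name match. A wildcard may only stand for the
    whole leftmost label and never spans a dot (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                      # "*.example.com" -> ".example.com"
    if not host.endswith(suffix):
        return False
    prefix = host[: -len(suffix)]             # the part the wildcard covers
    return bool(prefix) and "." not in prefix


def host_matches_certificate(configured_host, cert_dns_names, cert_ip_addresses=()):
    """True if the configured value is covered by one of the certificate names.

    configured_host:   the Host Name/IP Address field of the authentication object
    cert_dns_names:    DNS names from the certificate's SAN (or its subject CN)
    cert_ip_addresses: IP addresses from the certificate's SAN, if any
    An IP address in the profile is compared only against IP entries; a DNS
    name in the certificate never satisfies an IP address in the profile."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ip == ipaddress.ip_address(a) for a in cert_ip_addresses)
    return any(_dns_match(n, configured_host) for n in cert_dns_names)


if __name__ == "__main__":
    cert_names = ["computer1.example.com"]    # constructed: what the cert carries
    for configured in ("10.10.10.250", "computer1.example.com"):
        print(configured, "->", host_matches_certificate(configured, cert_names))
```

The first line printed is False and the second True, matching the guide's example: entering the server's IP address fails against a certificate issued to computer1.example.com, and entering the DNS name succeeds. An IP address in the profile can only pass if the certificate also carries that address as an IP subject alternative name.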