Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
Setting the User Name Template
License: Any
Selecting a user name template lets you indicate how user names entered on login should be formatted, by mapping the string conversion character (%s) to the value of the shell access attribute for the user. The user name template is the format for the distinguished name used for authentication. When a user enters a user name into the login page, the name is substituted for the string conversion character and the resulting distinguished name is used to search for the user credentials.
For example, to set a user name template for the Security organization of the Example company, you might enter %s@security.example.com.
Setting a Connection Timeout
License: Any
If you specify a backup authentication server, you can set a timeout for the connection attempt to the primary server. If the timeout period elapses without a response from the primary authentication server, the appliance then queries the backup server. For example, if the primary server has LDAP disabled, the appliance queries the backup server.
If LDAP is running on the port of the primary LDAP server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.
Using Attributes to Manage Access
License: Any
Different types of LDAP servers use different attributes to store user data. If your LDAP server uses a UI access attribute of uid, the local appliance checks the uid attribute value for each object in the tree indicated by the base DN you set. If you do not set a specific UI access attribute, the local appliance checks the distinguished name for each user record on the LDAP server to see if it matches the user name. If one of the objects has a matching user name and password, the user login request is authenticated.
You can substitute a different LDAP attribute to make the local appliance match a user name with that attribute rather than the value of the distinguished name. Selecting a server type and setting defaults fills in a UI access attribute appropriate for that type of server. If one of the objects has a matching user name and password as a value for the attribute you specify, the user login request is authenticated. You can use any attribute, if the value of the attribute is a valid user name for the FireSIGHT System web interface. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters.
The shell access attribute of your LDAP server works the same way for shell access. If your LDAP server uses uid, the local appliance checks the user name entered on login against the attribute value of uid. You can also set a custom shell access attribute other than uid.
Note that selecting a server type and setting defaults prepopulates a shell access attribute typically appropriate for that type of server. You can use any attribute, if the value of the attribute is a valid user name for shell access. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters.
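The following is an added example, not code from the guide or from the FireSIGHT System itself. It models the three behaviours described in the sections above (the %s user name template, the equality search on a UI access attribute such as uid, and the timeout-only failover to a backup server); the function names, the `timeout`/`refused` outcome labels and the sample names are assumptions made for the illustration.

```python
import re

# Character set the guide states for valid web-interface and shell user names:
# alphanumerics, underscore, period and hyphen. Rejecting anything else before
# substitution keeps characters such as '*', '(' or ')' out of the DN and filter.
VALID_USER_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def is_valid_user_name(name: str) -> bool:
    """True when the name uses only the characters the guide allows."""
    return bool(VALID_USER_NAME.fullmatch(name))


def apply_user_name_template(template: str, login_name: str) -> str:
    """Substitute the name entered at login for the %s conversion character.

    Raises ValueError if the template has no %s or the name is not a valid
    user name, so an unsafe name never reaches the directory.
    """
    if "%s" not in template:
        raise ValueError("user name template must contain %s")
    if not is_valid_user_name(login_name):
        raise ValueError("user name contains disallowed characters: %r" % login_name)
    return template.replace("%s", login_name)


def build_search_filter(login_name: str, ui_access_attribute: str = "uid") -> str:
    """LDAP equality filter comparing the configured UI access attribute to the
    login name, e.g. (uid=jdoe). Hypothetical helper; the appliance's real
    search is not shown in the guide."""
    if not is_valid_user_name(login_name):
        raise ValueError("user name contains disallowed characters: %r" % login_name)
    return "(%s=%s)" % (ui_access_attribute, login_name)


def should_query_backup(primary_outcome: str, backup_configured: bool) -> bool:
    """Failover rule from the guide: only a timeout (no response from the
    primary) triggers the backup query. A server that answers but refuses
    the request ("refused") does not fail over. Outcome labels are assumed."""
    return backup_configured and primary_outcome == "timeout"


if __name__ == "__main__":
    # Constructed sample: the guide's template with an assumed login name.
    print(apply_user_name_template("%s@security.example.com", "jdoe"))
    print(build_search_filter("jdoe"))
    print(should_query_backup("timeout", True), should_query_backup("refused", True))
```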