Cisco FirePOWER Appliance 8390
35-45
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Obtaining User Data from LDAP Servers
Performing an On-Demand User Data Retrieval for Access Control
License: FireSIGHT
If you change the user and group access control parameters in an LDAP connection, or if you change the
users or groups on your LDAP server and want your changes to be immediately available for access
control, you can force the Defense Center to perform an on-demand user data retrieval from an LDAP
server.
The maximum number of users the Defense Center can retrieve from the server depends on your
FireSIGHT license. If the access control parameters in your LDAP connection are too broad, the Defense
Center obtains information on as many users as it can and reports the number of users it failed to retrieve
in the task queue.
To perform an on-demand user data retrieval:
Access: Admin/Discovery Admin
Step 1 Select Policies > Users.
The Users Policy page appears.
Step 2 Next to the LDAP connection you want to use to query the LDAP server, click the download icon.
The query begins. You can monitor its progress in the task queue (System > Monitoring > Task Status).
Configuring Defense Center-User Agent Connections
License: FireSIGHT
If you use Microsoft Active Directory LDAP servers, Cisco recommends that you connect user agents
to your Active Directory servers. User agents monitor users as they log into the network or when
accounts authenticate against Active Directory credentials for other reasons (for example, your
organization may use services or applications that rely on Active Directory for centralized
authentication).
The agents send records of those logins and logoffs to the Defense Center, which logs and reports them
as user activity. The Defense Center uses this data in two main ways:
• to supplement user activity detected directly by managed devices, as defined in your network discovery policy
• to associate users with IP addresses, which in turn allows access control rules with user conditions to trigger
Note
If you want to perform user control, you must install and use user agents. However, user agents only detect LDAP logins. If you want to detect other types of logins, you must use managed devices; see .
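The two mechanisms above (a capped LDAP user retrieval, and agent login/logoff records that bind users to IP addresses) only pay off when an access control rule with a user condition is evaluated against a source IP. The following is an added illustration written for this page, not Cisco code and not how the Defense Center is implemented internally: it models the user retrieval with a group filter and a license cap, keeps a user-to-IP map current from constructed agent events, and evaluates rules against it. Group DNs, attribute names, IP addresses, the `AgentEvent`/`Rule` shapes and the license limit are all assumptions chosen for the example.

```python
"""Model of LDAP user retrieval, agent-derived user/IP mapping and user-aware
rule evaluation. Added example, not Cisco code; all names and data are assumed."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set, Tuple

ENG = "CN=Engineering,OU=Groups,DC=example,DC=com"   # assumed group DN
FIN = "CN=Finance,OU=Groups,DC=example,DC=com"       # assumed group DN

# Constructed sample of entries an LDAP user retrieval might return.
# Attribute names follow Active Directory; the values are made up.
LDAP_USERS: List[Dict] = [
    {"sAMAccountName": "alice", "memberOf": [ENG]},
    {"sAMAccountName": "bob",   "memberOf": [FIN]},
    {"sAMAccountName": "carol", "memberOf": [ENG, FIN]},
    {"sAMAccountName": "dave",  "memberOf": []},
]


def retrieve_users(entries: Iterable[Dict], allowed_groups: Set[str],
                   license_limit: int) -> Tuple[List[Dict], int]:
    """Keep entries that belong to any of allowed_groups (empty set = no group
    restriction), then cap the result at license_limit. Returns the retrieved
    users and the number that could not be retrieved, mirroring what the task
    queue reports when the access control parameters are too broad."""
    if allowed_groups:
        matched = [e for e in entries if allowed_groups & set(e["memberOf"])]
    else:
        matched = list(entries)
    kept = matched[:license_limit]
    return kept, len(matched) - len(kept)


def groups_by_user(entries: Iterable[Dict]) -> Dict[str, Set[str]]:
    """Index retrieved users by account name for rule evaluation."""
    return {e["sAMAccountName"]: set(e["memberOf"]) for e in entries}


@dataclass(frozen=True)
class AgentEvent:
    kind: str    # "login" or "logoff", as a user agent would report it
    user: str
    ip: str


class UserIPMap:
    """Current user-to-IP associations built from agent login/logoff records."""

    def __init__(self) -> None:
        self._ip_to_user: Dict[str, str] = {}

    def apply(self, ev: AgentEvent) -> None:
        if ev.kind == "login":
            # A newer login on the same IP displaces the earlier user.
            self._ip_to_user[ev.ip] = ev.user
        elif ev.kind == "logoff":
            # Only clear the binding if it still belongs to the user logging off.
            if self._ip_to_user.get(ev.ip) == ev.user:
                del self._ip_to_user[ev.ip]
        else:
            raise ValueError(f"unknown event kind {ev.kind!r}")

    def user_for(self, ip: str) -> Optional[str]:
        return self._ip_to_user.get(ip)


@dataclass(frozen=True)
class Rule:
    name: str
    groups: Set[str]   # user condition: matches if the user is in any of these
    action: str


def evaluate(rules: List[Rule], src_ip: str, user_map: UserIPMap,
             group_index: Dict[str, Set[str]]) -> Optional[Rule]:
    """First rule whose user condition matches the user bound to src_ip.
    A user seen by an agent but missing from the retrieval (for example one
    dropped by the license cap) has no known groups and matches no rule."""
    user = user_map.user_for(src_ip)
    if user is None:
        return None
    user_groups = group_index.get(user, set())
    for rule in rules:
        if rule.groups & user_groups:
            return rule
    return None


def demo(license_limit: int = 2):
    """Run the whole chain on the constructed data; returns
    (users not retrieved, user on 10.0.0.5, rule for 10.0.0.5, rule for 10.0.0.6)."""
    retrieved, failed = retrieve_users(LDAP_USERS, {ENG, FIN}, license_limit)
    index = groups_by_user(retrieved)
    user_map = UserIPMap()
    for ev in [AgentEvent("login", "alice", "10.0.0.5"),
               AgentEvent("login", "bob", "10.0.0.6"),
               AgentEvent("logoff", "alice", "10.0.0.5"),
               AgentEvent("login", "carol", "10.0.0.5")]:
        user_map.apply(ev)
    rules = [Rule("allow-engineering", {ENG}, "allow"),
             Rule("block-finance", {FIN}, "block")]
    return (failed, user_map.user_for("10.0.0.5"),
            evaluate(rules, "10.0.0.5", user_map, index),
            evaluate(rules, "10.0.0.6", user_map, index))


if __name__ == "__main__":
    print(demo(license_limit=2))
    print(demo(license_limit=10))
```

With a license limit of 2, carol is the third matching user and is not retrieved, so although the agent has bound her to 10.0.0.5 no user rule fires for that address; raising the limit retrieves her and the Engineering rule matches. That is the practical reason to check the task queue's "failed to retrieve" count after an on-demand retrieval: users the Defense Center could not load are invisible to user conditions even when agents report their logins.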
You can use Version 2.1 of the user agent to report user logins and logoffs to any Version 5.x FireSIGHT
System Defense Center. If you have agents prior to Version 2.1, you can continue to use those agents to
report Active Directory server login data to your Defense Centers. Note, however, that support for older
agents will be phased out in future releases. Cisco recommends that you transition to Version 2.1 of the
user agent as soon as possible.