Cisco Firepower Management Center 4000
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing User Accounts
Managing Externally Authenticated User Accounts
License: Any
When an externally authenticated user logs into an appliance that has external authentication enabled, the appliance grants the user the default access role you set by specifying group membership in the authentication object. If you did not configure access group settings, the appliance grants the default user role you set in the system policy. However, if you add users locally before they log into the appliance, the user privileges you configure on the User Management page override the default settings. For more information on selecting a default user role, see . Note that you can set both predefined and custom user roles as the default user role for externally authenticated users. For more information, see .
An internally authenticated user is converted to external authentication when all of the following conditions exist:
• You enable LDAP or RADIUS authentication.
• The same user name exists for the user on the LDAP or RADIUS server.
• The user logs in using the password stored for that user on the LDAP or RADIUS server.
Note that you can only enable external authentication in a system policy on a Defense Center. You must use the Defense Center to apply the policy to managed devices if you want to use external authentication on them.
For more information on modifying user access, see
Note that you cannot manage passwords for externally authenticated users or deactivate externally authenticated users through the FireSIGHT System interface. For externally authenticated users, you cannot remove the minimum access rights through the FireSIGHT System user management page for users assigned an access role because of LDAP group or RADIUS list membership or attribute values. On the Edit User page for an externally authenticated user, rights granted because of settings on an external authentication server are marked with a status of Externally Modified.
You can, however, assign additional rights. When you modify the access rights for an externally authenticated user, the Authentication Method column on the User Management page provides a status of External - Locally Modified.
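The role-resolution rules described above (group-mapped roles as an irremovable floor, the system-policy default as a fallback, locally added rights flagged as "External - Locally Modified", and the three conditions for converting an internal account to external authentication) are modelled in this added example, which is not Cisco's code and does not use any FireSIGHT API. The group names, role names and the group-to-role mapping are constructed placeholders; the final function shows how an administrator could audit which external accounts carry rights beyond what the directory grants.

```python
from dataclasses import dataclass, field

# Constructed placeholders: group-to-role mapping of the authentication object
# and the system-policy default role. Not real FireSIGHT data.
GROUP_ROLE_MAP = {"fs-admins": "Administrator", "fs-analysts": "Security Analyst"}
POLICY_DEFAULT_ROLE = "Security Analyst (Read Only)"

@dataclass
class ExternalUser:
    name: str
    groups: set                                    # groups reported by the LDAP/RADIUS server
    local_roles: set = field(default_factory=set)  # roles set on the User Management page

def external_rights(user, group_role_map=GROUP_ROLE_MAP):
    """Roles granted by group membership: the floor that cannot be removed locally."""
    return {group_role_map[g] for g in user.groups if g in group_role_map}

def effective_roles(user, group_role_map=GROUP_ROLE_MAP, policy_default=POLICY_DEFAULT_ROLE):
    """Externally granted roles plus locally added ones; the system-policy default
    applies only when neither the group mapping nor a local account grants a role."""
    roles = external_rights(user, group_role_map) | user.local_roles
    return roles if roles else {policy_default}

def auth_method_status(user, group_role_map=GROUP_ROLE_MAP):
    """Authentication Method column: flags accounts whose rights were extended locally."""
    extra = user.local_roles - external_rights(user, group_role_map)
    return "External - Locally Modified" if extra else "External"

def right_status(user, role, group_role_map=GROUP_ROLE_MAP):
    """Edit User page: rights that come from the external server are marked."""
    return "Externally Modified" if role in external_rights(user, group_role_map) else "Local"

def remove_role(user, role, group_role_map=GROUP_ROLE_MAP):
    """Remove a locally added role; refuse for rights granted by the external server."""
    if role in external_rights(user, group_role_map):
        return False
    user.local_roles.discard(role)
    return True

def converts_to_external(external_auth_enabled, name_on_server, password_matched_on_server):
    """An internal account converts to external authentication only when all three hold."""
    return bool(external_auth_enabled and name_on_server and password_matched_on_server)

def audit_externally_modified(users, group_role_map=GROUP_ROLE_MAP):
    """Names of externally authenticated users with rights beyond what the server grants."""
    return sorted(u.name for u in users if auth_method_status(u, group_role_map) != "External")
```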
Shell users can log in using user names with lowercase, uppercase, or mixed case letters. Login authentication for the shell is case sensitive.
Caution
On Series 3 Defense Centers, all shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately. On Series 3 and virtual devices, shell access granted to externally authenticated users defaults to the Configuration level of command line access, which also grants sudoers privileges. For more information on setting up shell access, see and
Managing User Login Settings
License: Any