Cisco FirePOWER Appliance 7020
48-6
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
LDAP, or the Lightweight Directory Access Protocol, allows you to set up a directory on your network
that organizes objects, such as user credentials, in a centralized location. Multiple applications can then
access those credentials and the information used to describe them. If you ever need to change a user's
credentials, you can change them in one place, rather than having to change them on each FireSIGHT
System appliance.
You can create LDAP authentication objects on a Defense Center, but not on other FireSIGHT System
appliances. However, you can use the external authentication object on any appliance by applying a
system policy where the object is enabled to the appliance. When you apply the policy, the object is
copied to the appliance.
Note
Before enabling external authentication on Series 3 managed devices, remove any
internally-authenticated shell users that have the same user name as externally-authenticated users
included in your shell access filter.
Note that you can use LDAP naming standards for address specification and for filter and attribute syntax
in your authentication object. For more information, see the RFCs listed in the Lightweight Directory
Access Protocol (v3): Technical Specification, RFC 3377. Examples of syntax are provided throughout
this procedure. Note that when you set up an authentication object to connect to a Microsoft Active
Directory Server, you can use the address specification syntax documented in the Internet RFC 822
(Standard for the Format of ARPA Internet Text Messages) specification when referencing a user name
that contains a domain. For example, to refer to a user object, you might type
JoeSmith@security.example.com
rather than the equivalent user distinguished name of
cn=JoeSmith,ou=security, dc=example,dc=com
when using Microsoft Active Directory Server.
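As an added example (not code from the Cisco guide), the following Python shows how an LDAP-backed login step could tell an RFC 822 style user name from a plain account name, escape it per RFC 4515 before it is placed in a search filter, and split the equivalent distinguished name above into its RDNs. The attribute names userPrincipalName and sAMAccountName are assumptions about an Active Directory schema, and the DN parser is a simplified RFC 4514 reader.

```python
import re

# RFC 4515 section 3: characters with special meaning inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Loose RFC 822 addr-spec check (local-part@domain); enough to classify a login name.
_ADDR_SPEC = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(login: str) -> str:
    """Build the directory lookup filter for a login name.

    An RFC 822 style name (JoeSmith@security.example.com) is matched against
    userPrincipalName, as Active Directory expects; anything else is matched
    against sAMAccountName. Both attribute names are assumptions for this example.
    The value is always escaped so filter metacharacters in the name stay literal.
    """
    attr = "userPrincipalName" if _ADDR_SPEC.match(login) else "sAMAccountName"
    return f"(&(objectClass=person)({attr}={escape_filter_value(login)}))"


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a distinguished name into (type, value) pairs (RFC 4514, simplified).

    Handles backslash-escaped characters such as '\\,' and tolerates spaces after
    separators, as in 'cn=JoeSmith,ou=security, dc=example,dc=com'. Multi-valued
    RDNs joined with '+' and hex escapes are not handled.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep the escaped character literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":                        # unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs
```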
Note
Currently, Cisco supports LDAP external authentication on LDAP servers running Microsoft Active
Directory on Windows Server 2003 and Windows Server 2008, Oracle Directory Server Enterprise
Edition 7.0 on Windows Server 2003 and Windows Server 2008, or OpenLDAP on Linux. However,
Cisco does not support external authentication for virtual devices or Sourcefire Software for X-Series.
For more information, see the following sections:
Setting Defaults
License: Any