Cisco FirePOWER Appliance 7020
48-31
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
Step 5
Set the default user role. Optionally, specify the users or user attribute values for users that you want to receive specific FireSIGHT System access roles. For more information, see
Step 6
Optionally, configure administrative shell access. For more information, see
.
Step 7
If the profiles for any of the users to authenticate return custom RADIUS attributes, define those attributes. For more information, see
Step 8
Test your configuration by entering the name and password for a user who should successfully authenticate. For more information, see
Your changes are saved. Remember that you have to apply a system policy with the object enabled to an appliance before the authentication changes take place on that appliance. For more information, see
Configuring RADIUS Connection Settings
License:
Any
When you create a RADIUS authentication object, you first specify the primary and backup server and server port where you want the local appliance (managed device or Defense Center) to connect for authentication.
Note
For RADIUS to function correctly, you must open its authentication and accounting ports (by default, 1812 and 1813) on your firewall.
If you specify a backup authentication server, you can set a timeout for the connection attempt to the primary server. If the number of seconds indicated in the Timeout field (or the timeout on the LDAP server) elapses without a response from the primary authentication server, the appliance then re-queries the primary server.
After the appliance re-queries the primary authentication server the number of times indicated by the Retries field and the number of seconds indicated in the Timeout field again elapses without a response from the primary authentication server, the appliance then rolls over to the backup server.
If, for example, the primary server has RADIUS disabled, the appliance queries the backup server. If RADIUS is running on the port of the primary RADIUS server and for some reason refuses to service the request (due to misconfiguration or other issues), however, the failover to the backup server does not occur.
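The following Python model is an added illustration of the failover rules described above; it is not Cisco code and does not talk to a real RADIUS server. It treats a login as one initial query plus the number of re-queries in the Retries field, each waiting the Timeout value when the server stays silent, and rolls over to the backup only when the primary never answers. A server that answers with a rejection counts as a response, so no failover happens, which is the caveat in the paragraph above. The model assumes (an assumption, since the guide does not say) that the backup is queried with the same timeout and retry values; the server behaviours, user name and password are constructed sample data.

```python
"""Constructed model of FireSIGHT primary/backup RADIUS failover (added example, not Cisco code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Possible outcomes of one authentication request to one RADIUS server.
NO_RESPONSE = "no_response"  # server silent: RADIUS disabled, host down, port filtered
ACCEPT = "accept"            # server answered Access-Accept
REJECT = "reject"            # server answered but refused the request (e.g. misconfiguration)


@dataclass
class RadiusServer:
    name: str
    # Stand-in for the network exchange: returns one of the outcomes above.
    respond: Callable[[str, str], str]


@dataclass
class FailoverResult:
    outcome: str
    server_used: Optional[str]
    elapsed_seconds: int
    attempts: List[str] = field(default_factory=list)


def query_with_retries(server, username, password, timeout, retries, result):
    """Initial query plus `retries` re-queries; each silent attempt costs `timeout` seconds."""
    for attempt in range(retries + 1):
        outcome = server.respond(username, password)
        result.attempts.append(f"{server.name}#{attempt + 1}:{outcome}")
        if outcome == NO_RESPONSE:
            result.elapsed_seconds += timeout
            continue
        # Any answer, accept or reject, ends the attempts against this server.
        return outcome
    return NO_RESPONSE


def authenticate(primary, backup, username, password, timeout, retries):
    """Apply the guide's rule: roll over to the backup only if the primary never responds."""
    result = FailoverResult(outcome=NO_RESPONSE, server_used=None, elapsed_seconds=0)
    outcome = query_with_retries(primary, username, password, timeout, retries, result)
    if outcome != NO_RESPONSE:
        # A reject is still a response from the primary, so the backup is not tried.
        result.outcome = outcome
        result.server_used = primary.name
        return result
    if backup is None:
        return result
    # Assumption: the backup uses the same Timeout/Retries values as the primary.
    outcome = query_with_retries(backup, username, password, timeout, retries, result)
    result.outcome = outcome
    result.server_used = backup.name if outcome != NO_RESPONSE else None
    return result


def worst_case_failover_delay(timeout, retries):
    """Seconds a login waits on a silent primary before the backup is queried."""
    return (retries + 1) * timeout


# Constructed server behaviours and credentials for the scenarios below.
def silent_server(name):
    return RadiusServer(name, lambda user, pw: NO_RESPONSE)


def accepting_server(name):
    return RadiusServer(name, lambda user, pw: ACCEPT)


def rejecting_server(name):
    return RadiusServer(name, lambda user, pw: REJECT)


SAMPLE_USER, SAMPLE_PASSWORD = "jdoe", "constructed-password"


def scenario_primary_down():
    """Primary has RADIUS disabled: the appliance rolls over to the backup."""
    return authenticate(silent_server("primary"), accepting_server("backup"),
                        SAMPLE_USER, SAMPLE_PASSWORD, timeout=30, retries=3)


def scenario_primary_refuses():
    """Primary answers but refuses the request: no failover, login is rejected."""
    return authenticate(rejecting_server("primary"), accepting_server("backup"),
                        SAMPLE_USER, SAMPLE_PASSWORD, timeout=30, retries=3)


def scenario_both_down():
    """Neither server responds: login fails after both retry budgets are spent."""
    return authenticate(silent_server("primary"), silent_server("backup"),
                        SAMPLE_USER, SAMPLE_PASSWORD, timeout=30, retries=3)


if __name__ == "__main__":
    for scenario in (scenario_primary_down, scenario_primary_refuses, scenario_both_down):
        print(scenario.__name__, scenario())
    print("worst-case delay before backup (30 s, 3 retries):", worst_case_failover_delay(30, 3))
```

With Timeout 30 and Retries 3 the silent-primary case waits 120 seconds before the backup answers, which is the login delay to budget for when sizing these fields. The refusing-primary case returns a rejection after a single attempt with no failover at all, so a reachable but misconfigured primary shows up as failed logins rather than as backup traffic, and is worth alerting on separately from a primary that is down.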
To identify a RADIUS authentication server:
Access:
Admin
Step 1
Select System > Local > User Management.
The User Management page appears.
Step 2
Click the Login Authentication tab.
The Login Authentication page appears.
Step 3
Click Create Authentication Object.
The Create Authentication Object page appears.