Cisco Firepower Management Center 4000
50-12
FireSIGHT System User Guide
Chapter 50 Managing System Policies
Configuring a System Policy
When you apply a system policy with authentication enabled to an appliance, the appliance verifies the
user credentials against users on an LDAP or RADIUS server. In addition, if a user has local, internal
authentication enabled and the user credentials are not found in the internal database, the appliance then
checks the external server for a set of matching credentials. If a user has the same username on multiple
systems, all passwords across all servers work. Note, however, that if authentication fails on the available
external authentication servers, the appliance does not revert to checking the local database.
When you enable authentication, you can set the default user role for any user whose account is
externally authenticated. You can select multiple roles, as long as those roles can be combined. For
example, if you set up an authentication profile that retrieves only users in the Network Security group
in your company, you may set the default user role to include the Security Analyst role so users can
access collected event data without any additional user configuration on your part. However, if your
authentication profile retrieves records for other personnel in addition to the security group, you would
probably want to leave the default role unselected. For more information on available user roles, see
.
Note that when you create an LDAP authentication object on your Defense Center, you can set a filter
search attribute to specify the set of users who can successfully authenticate against the LDAP server.
See
for more information.
If no access role is selected, users can log in but cannot access any functionality. After a user attempts
to log in, their account is listed on the User Management page, where you can edit the account settings
to grant additional permissions. For more information on modifying a user account, see
. For a complete procedure for logging in initially as an externally
authenticated user, see
If you configure the system policy to use one user role and apply the policy, then later modify the policy
to use different default user roles and reapply, any user accounts created before the modification retain
the first user role until you modify the accounts, or delete and recreate them.
You must enable authentication in a system policy on your Defense Center and then push that policy to
managed devices. After you apply the policy to a device, eligible externally authenticated users can log
into that device. To make changes to the authentication profile settings, you have to modify the system
policy on the Defense Center, and then apply the policy to the device again. To disable authentication on
a managed device, you can disable it in a system policy on the Defense Center and push that to the
device.
Note that you can only enable external authentication on physical and virtual Defense Centers and
managed devices. Enabling external authentication by applying a system policy is not supported on
X-Series-based software devices.
If a user with internal authentication attempts to log in, the appliance first checks if that user is in the
local user database. If the user exists, the appliance then checks the username and password against the
local database. If a match is found, the user logs in successfully. If the login fails, however, and external
authentication is enabled, the appliance checks the user against each external authentication server in the
authentication order shown in the system policy. If the username and password match results from an
external server, the appliance changes the user to an external user with the default privileges for that
authentication object.
If an external user attempts to log in, the appliance checks the username and password against the
external authentication server. If a match is found, the user logs in successfully. If the login fails, the
user login attempt is rejected. External users cannot authenticate against the user list in the local
database. If the user is a new external user, an external user account is created in the local database with
the default privileges from the external authentication object.
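The login rules above (local database first for internal users, external servers in policy order, conversion of an internal account to an external one on an external match, no local fallback for external users, default roles taken from the authentication object, and roles retained across a policy change) are easy to misread when they are spread over several paragraphs. The following is an added simulation of that decision flow, written for this page; it is not Cisco code and does not talk to a real LDAP or RADIUS server. The server names, usernames, passwords and role sets are constructed sample data, and `Appliance`, `AuthServer`, `Account` and `LoginResult` are names chosen for the model.

```python
"""Model of the FireSIGHT login decision flow described above (added example, not Cisco code).
All servers, credentials and role names below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class AuthServer:
    """One external LDAP or RADIUS server as seen through its authentication object."""
    name: str
    credentials: Dict[str, str]        # username -> password (constructed sample data)
    default_roles: FrozenSet[str]      # default user roles set for the authentication object

    def check(self, username: str, password: str) -> bool:
        return self.credentials.get(username) == password


@dataclass
class Account:
    username: str
    kind: str                          # "internal" or "external"
    roles: FrozenSet[str]
    password: Optional[str] = None     # only internal accounts carry a local password


@dataclass
class LoginResult:
    ok: bool
    roles: FrozenSet[str] = frozenset()
    source: Optional[str] = None       # "local" or the name of the matching server

    @property
    def has_access(self) -> bool:
        # No access role selected: the user can log in but cannot reach any functionality.
        return self.ok and bool(self.roles)


class Appliance:
    def __init__(self, auth_enabled: bool, servers: List[AuthServer]):
        self.auth_enabled = auth_enabled
        self.servers = list(servers)   # authentication order shown in the system policy
        self.accounts: Dict[str, Account] = {}

    def add_internal_user(self, username: str, password: str, roles) -> None:
        self.accounts[username] = Account(username, "internal", frozenset(roles), password)

    def apply_policy(self, auth_enabled: bool, servers: List[AuthServer]) -> None:
        """Re-apply a modified system policy; existing accounts are deliberately left untouched."""
        self.auth_enabled = auth_enabled
        self.servers = list(servers)

    def _check_external(self, username: str, password: str) -> Optional[AuthServer]:
        """Try each external server in policy order and return the first that matches."""
        if not self.auth_enabled:
            return None
        for server in self.servers:
            if server.check(username, password):
                return server
        return None

    def login(self, username: str, password: str) -> LoginResult:
        acct = self.accounts.get(username)
        if acct is not None and acct.kind == "internal":
            # Internal user: the local database is checked first ...
            if acct.password == password:
                return LoginResult(True, acct.roles, "local")
            # ... then the external servers, if external authentication is enabled.
            server = self._check_external(username, password)
            if server is None:
                return LoginResult(False)
            # A match on an external server converts the account to an external user
            # with that authentication object's default privileges.
            acct.kind, acct.password, acct.roles = "external", None, server.default_roles
            return LoginResult(True, acct.roles, server.name)
        # External or unknown user: external servers only, never the local user list,
        # and no fallback to the local database when every server rejects.
        server = self._check_external(username, password)
        if server is None:
            return LoginResult(False)
        if acct is None:
            # First successful login creates the external account with the default
            # privileges of the matching authentication object.
            acct = Account(username, "external", server.default_roles)
            self.accounts[username] = acct
        # An existing external account keeps the roles it was created with, even if
        # the policy's default roles were changed and the policy re-applied since.
        return LoginResult(True, acct.roles, server.name)


def demo() -> Dict[str, LoginResult]:
    """Walk through the cases described in the text and return each outcome."""
    ldap = AuthServer("corp-ldap", {"alice": "ldap-pw"}, frozenset({"Security Analyst"}))
    radius = AuthServer("corp-radius", {"bob": "bob-pw"}, frozenset())  # no default role
    box = Appliance(True, [ldap, radius])
    box.add_internal_user("alice", "local-pw", {"Administrator"})
    out = {}
    out["alice_local"] = box.login("alice", "local-pw")        # local match wins
    out["alice_ldap"] = box.login("alice", "ldap-pw")          # converted to external
    out["alice_local_after"] = box.login("alice", "local-pw")  # local password no longer valid
    out["bob_first"] = box.login("bob", "bob-pw")              # logs in, but no access
    out["carol"] = box.login("carol", "carol-pw")              # unknown everywhere
    radius_v2 = AuthServer("corp-radius", {"bob": "bob-pw"}, frozenset({"Security Analyst"}))
    box.apply_policy(True, [ldap, radius_v2])                  # default role changed, re-applied
    out["bob_after_policy_change"] = box.login("bob", "bob-pw")  # still has the original roles
    box.apply_policy(False, [ldap, radius_v2])                 # authentication disabled
    out["bob_auth_disabled"] = box.login("bob", "bob-pw")
    return out
```

The model stops at the first server that accepts the credentials, following the policy's authentication order; the point worth checking in your own deployment is the `alice_ldap` case, where an internal administrator account silently becomes an external account with only the authentication object's default roles, and the `bob_after_policy_change` case, where re-applying a policy with new default roles does not touch accounts that already exist.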
To enable authentication of users on external servers:
Access: Admin