Cisco Firepower Management Center 4000
35-43
FireSIGHT System User Guide
Chapter 35 Introduction to Network Discovery
Obtaining User Data from LDAP Servers
Step 2 Click Add LDAP Connection.
The Create User Awareness Authentication Object page appears.

Step 3 Type a Name and Description for the object.

Step 4 Select the LDAP Server Type.
If you want to perform user control, you must use a Microsoft Active Directory server. If you use any other type of LDAP server, you are limited to retrieving metadata for some users whose activity was detected directly by managed devices (as opposed to by User Agents).

Note User Agents cannot transmit Active Directory user names ending with the $ character to the Defense Center. If your Active Directory server contains such user names, you must edit those names to remove the final $ character if you want to monitor them.

Step 5 Specify an IP Address or Host Name for a primary and, optionally, a backup LDAP server.

Step 6 Specify the Port that your LDAP servers use for authentication traffic.

Step 7 Specify the Base DN for the LDAP directory you want to access.
For example, to authenticate names in the Security organization at the Example company, type ou=security,dc=example,dc=com.

Tip To fetch a list of all available domains, click Fetch DNs and select the appropriate base distinguished name from the drop-down list.

Step 8 Specify the distinguished User Name and Password that you want to use to validate access to the LDAP directory. Confirm the password.
For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.

Step 9 Choose an Encryption method. If you are using encryption, you can add an SSL Certificate.
The host name in the certificate must match the host name of the LDAP server you specified in step.

Step 10 Specify the Timeout period (in seconds) after which attempts to contact an unresponsive primary LDAP server roll over to the backup connection.

Step 11 Optionally, before you specify user awareness settings for the object, test the connection by clicking Test.

Step 12 You have two options, depending on the type of LDAP server you selected in step:
• If you are connecting to an Active Directory server, you can enable User/Group Access Control Parameters to specify users to use in access control. Continue with the next step.
• If you are connecting to any other kind of server, or do not want to perform user control, skip to step.

Step 13 Click Fetch Groups to populate the available groups list using the LDAP parameters you provided.

Step 14 Specify the users you want to use in access control by using the right and left arrow buttons to include and exclude groups.
Including a group automatically includes all of that group's members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. Excluding a group excludes all the members of that group, even if the users are members of an included group.
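As an added example (not Cisco's code, and not part of the FireSIGHT product), the following Python helper parses the Base DN and distinguished user name from Steps 7 and 8 and reviews the object against the constraints this procedure states: user control needs Active Directory, the bind user should live under the Base DN, and an unencrypted connection sends the bind password in clear text. The field names server_type, base_dn, user_name, encryption and user_control are this example's assumptions, mirroring the page labels.

```python
from typing import List, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split 'uid=NetworkAdmin,ou=security,dc=example,dc=com' into
    (attribute, value) pairs. A backslash escapes the next character, so
    'cn=Doe\\, Jane' stays one RDN; RFC 4514 hex escapes are not expanded."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])       # keep the escaped character literally
            i += 2
            continue
        if dn[i] == ",":                # unescaped comma separates RDNs
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def is_under_base(user_dn: str, base_dn: str) -> bool:
    """True when the bind DN (Step 8) sits at or below the Base DN (Step 7).
    Values are compared case-insensitively, as LDAP matches ou/dc values."""
    user = [(a, v.lower()) for a, v in parse_dn(user_dn)]
    base = [(a, v.lower()) for a, v in parse_dn(base_dn)]
    return len(user) >= len(base) and user[len(user) - len(base):] == base

def review_ldap_object(obj: dict) -> List[str]:
    """Return findings for an authentication object before it is saved.
    Keys are this example's own, chosen to mirror the page's field labels."""
    findings = []
    if obj.get("user_control") and obj["server_type"] != "Active Directory":
        findings.append("user control requires an Active Directory server")
    try:
        if not is_under_base(obj["user_name"], obj["base_dn"]):
            findings.append("bind DN lies outside the configured Base DN")
    except ValueError as exc:
        findings.append(f"user name is not a valid DN: {exc}")
    if obj.get("encryption", "None") == "None":
        findings.append("no encryption: bind password crosses the network in clear text")
    return findings
```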