For Cisco Firepower Management Center 4000
48-9
FireSIGHT System User Guide
Chapter 48 Managing Users
Managing Authentication Objects
Using Group Membership to Manage Access
License: Any
If you prefer to base default access settings on a user’s membership in an LDAP group, you can specify
distinguished names for existing groups on your LDAP server for each of the access roles used by your
FireSIGHT System. When you do so, you can configure a default access setting for those users detected
by LDAP that do not belong to any specified groups. When a user logs in, the FireSIGHT System
dynamically checks the LDAP server and assigns default access rights according to the user’s current
group membership.
When a user authenticated by an LDAP server logs into a local FireSIGHT System appliance for the first
time, the user receives the default access settings for groups the user belongs to, or if groups are not
configured, the default access setting you selected in the system policy.
You can then modify those settings, unless the settings are granted through group membership.
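As an added illustration (this is not code from the FireSIGHT guide or from Cisco; the group DNs, the user entries, the role names and the first-match precedence rule are constructed assumptions), the following Python resolves a user's access role from the group DNs returned by the LDAP server, falling back to the default access setting when the user is in none of the configured groups:

```python
# Added example, not part of the FireSIGHT guide: map LDAP group membership
# to an access role, with a default role for users in no configured group.
from typing import Dict, List

# Constructed sample: access role -> group DN on the LDAP server.  The roles are
# checked in this order and the first match wins (an assumption of this example;
# the guide does not state a precedence rule).
ROLE_GROUPS: Dict[str, str] = {
    "Administrator": "cn=fs-admins,ou=groups,dc=example,dc=com",
    "Security Analyst": "cn=fs-analysts,ou=groups,dc=example,dc=com",
    "Discovery Admin": "cn=fs-discovery,ou=groups,dc=example,dc=com",
}

# Default access for users that authenticate but belong to none of the groups
# above (the "default access setting" chosen in the system policy).
DEFAULT_ROLE = "External User"

# Constructed directory contents: user DN -> memberOf values as the LDAP
# server would return them at login time.
DIRECTORY: Dict[str, List[str]] = {
    "uid=alice,ou=people,dc=example,dc=com": [
        "cn=fs-analysts,ou=groups,dc=example,dc=com",
    ],
    "uid=bob,ou=people,dc=example,dc=com": [
        "cn=fs-discovery,ou=groups,dc=example,dc=com",
        "CN=FS-Admins, OU=Groups, DC=example, DC=com",
    ],
    "uid=carol,ou=people,dc=example,dc=com": [],
}


def normalize_dn(dn: str) -> str:
    """Canonical form for comparing DNs: case-folded, no whitespace around commas.

    This is a simplification of RFC 4517 DN matching that is enough for the
    cn/ou/dc attributes used here.
    """
    return ",".join(part.strip().lower() for part in dn.split(","))


def resolve_role(member_of: List[str],
                 role_groups: Dict[str, str] = ROLE_GROUPS,
                 default: str = DEFAULT_ROLE) -> str:
    """Return the access role for a user given the groups the server reports."""
    groups = {normalize_dn(g) for g in member_of}
    for role, group_dn in role_groups.items():
        if normalize_dn(group_dn) in groups:
            return role
    return default


def resolve_all(directory: Dict[str, List[str]] = DIRECTORY) -> Dict[str, str]:
    """Role assignment for every user, as it would be computed at each login."""
    return {dn: resolve_role(groups) for dn, groups in directory.items()}


if __name__ == "__main__":
    for dn, role in resolve_all().items():
        print(f"{dn}: {role}")
```

Because the appliance re-queries the server at login, the role follows the directory: removing a user from a group changes the outcome of `resolve_role` on the next login without any change on the appliance, which is the reason the guide says settings granted through group membership cannot be edited locally.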
Setting up Shell Access
License: Any
You can use the LDAP server to authenticate accounts for shell access on a managed device or Defense
Center. Specify a search filter that retrieves entries for users to whom you want to grant shell access.
Note that you can only configure shell access for the first authentication object in your system policy.
For more information on managing authentication object order, see
With the exception of the admin account, shell access is controlled entirely through the shell access
attribute you set. Shell users are configured as local users on the appliance. The filter you set here
determines which set of users on the LDAP server can log into the shell.
Note that a home directory for each shell user is created on login, and when an LDAP shell access user
account is disabled (by disabling the LDAP connection), the directory remains, but the user shell is set
to /bin/false in /etc/passwd to disable the shell. If the user then is re-enabled, the shell is reset,
using the same home directory.
If all users qualified in the base DN are also qualified for shell access privileges, you can configure the
shell access filter to search more efficiently by making the shell access filter the same as the base filter.
Normally, the LDAP query to retrieve users combines the base filter with the shell access filter. If the
shell access filter was the same as the base filter, the same query runs twice, which is unnecessarily
time-consuming.
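To make the base-filter/shell-filter interaction concrete, here is an added Python example (not code from the FireSIGHT guide or from Cisco; the directory entries, attribute names and filter strings are constructed). It builds the combined filter the way an LDAP client ANDs two filters, short-circuits the case where the shell access filter equals the base filter so the same query is not run twice, and evaluates the result against sample entries with a small RFC 4515 subset parser (equality, presence, and the &, |, ! operators):

```python
# Added example, not part of the FireSIGHT guide: combine a base filter with a
# shell access filter and evaluate it against constructed directory entries.
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]   # attribute name -> values, as an LDAP entry

# Constructed sample directory.  Only alice is both a person and shell-enabled.
DIRECTORY: Dict[str, Entry] = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["alice"], "shellAccess": ["TRUE"]},
    "uid=bob,ou=people,dc=example,dc=com": {
        "objectClass": ["person"], "uid": ["bob"]},
    "uid=svc-backup,ou=services,dc=example,dc=com": {
        "objectClass": ["applicationProcess"], "uid": ["svc-backup"],
        "shellAccess": ["TRUE"]},
}

BASE_FILTER = "(objectClass=person)"      # who may authenticate at all
SHELL_FILTER = "(shellAccess=TRUE)"       # which of those may use the shell


def combine_filters(base_filter: str, shell_filter: str) -> str:
    """Single filter sent to the server for the shell-access lookup.

    The guide's efficiency note: if the shell access filter is identical to the
    base filter, ANDing them would just run the same query twice, so reuse the
    base filter as-is.
    """
    if shell_filter.strip() == base_filter.strip():
        return base_filter
    return f"(&{base_filter}{shell_filter})"


def _parse(text: str, pos: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter at pos; return (node, position after it).

    Supported subset: (attr=value), (attr=*) presence, (&...), (|...), (!...).
    Values containing ')' are not handled (enough for this illustration).
    """
    if text[pos] != "(":
        raise ValueError(f"expected '(' at offset {pos}")
    pos += 1
    op = text[pos]
    if op in "&|!":
        pos += 1
        children = []
        while text[pos] == "(":
            child, pos = _parse(text, pos)
            children.append(child)
        if text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        return (op, children), pos + 1
    end = text.index(")", pos)
    attr, _, value = text[pos:end].partition("=")
    return ("=", attr.strip().lower(), value.strip()), end + 1


def parse_filter(text: str) -> tuple:
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute names and values
    are compared case-insensitively, as for caseIgnore LDAP syntaxes)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        values = [v.lower() for k, vs in entry.items() if k.lower() == attr for v in vs]
        if value == "*":
            return bool(values)                 # presence test
        return value.lower() in values
    children = node[1]
    if op == "&":
        return all(matches(c, entry) for c in children)
    if op == "|":
        return any(matches(c, entry) for c in children)
    return not matches(children[0], entry)      # "!" takes exactly one child


def search(filter_text: str, directory: Dict[str, Entry] = DIRECTORY) -> List[str]:
    """DNs of entries matching the filter, in directory order."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(node, entry)]


if __name__ == "__main__":
    combined = combine_filters(BASE_FILTER, SHELL_FILTER)
    print("shell-access query:", combined)
    print("shell users:", search(combined))
```

Running `search` with the combined filter returns only alice: bob matches the base filter but not the shell filter, and the service account carries the shell attribute but fails the base filter, which is why the shell access query is always the conjunction of the two rather than the shell filter alone.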
Shell users can log in using user names with lowercase, uppercase, or mixed case letters. Login
authentication for the shell is case sensitive.
Caution: On Series 3 Defense Centers, all shell users have sudoers privileges. Make sure that you restrict the list
of users with shell access appropriately. On Series 3 and virtual devices, shell access granted to
externally authenticated users defaults to the Configuration level of command line access, which also
grants sudoers privileges.
Testing the Connection
License: Any
After you configure LDAP server and authentication settings, you can specify user credentials for a user
who should be able to authenticate to test those settings.