User Accounts for Management Access
The Firepower Management Center and managed devices include a default admin account for management access. This chapter discusses how to create custom user accounts for supported models. See Logging into the Firepower System for detailed information about logging into the Firepower Management Center or a managed device with a user account.
This chapter also describes Cisco Security Manager (CSM) single sign-on when you manage an ASA with CSM and the FirePOWER services module with the Firepower Management Center.
• About User Accounts, on page 1
• Requirements and Prerequisites for User Accounts, on page 4
• Guidelines and Limitations for User Accounts, on page 5
• Add an Internal User Account, on page 5
• Configure External Authentication, on page 9
• Customize User Roles for the Web Interface, on page 27
• Configure Cisco Security Manager Single Sign-on, on page 31
• Troubleshooting LDAP Authentication Connections, on page 32
• History for User Accounts, on page 34
About User Accounts
You can add custom user accounts on the Firepower Management Center and on managed devices, either as internal users or, if supported for your model, as external users on an LDAP or RADIUS server. Each Firepower Management Center and each managed device maintains separate user accounts. For example, when you add a user to the Firepower Management Center, that user only has access to the FMC; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.
Internal and External Users
Firepower devices support two types of users:
• Internal user—The device checks a local database for user authentication. For more information about internal users, see Add an Internal User Account, on page 5.
• External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server. For more information about external users, see Configure External Authentication, on page 9.
Web Interface and CLI or Shell Access
When you configure user accounts, you enable web interface access and CLI or shell access separately. Managed devices include an auxiliary CLI that runs on top of Linux. CLI users can also access the Linux shell under TAC supervision. The Firepower Management Center does not have a CLI, and only allows direct shell access. For detailed information about the management UIs, see Firepower System User Interfaces.
Caution
On all devices, users with CLI Config level access or shell access can obtain sudoers privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:
• If you establish external authentication, make sure that you restrict the list of users with CLI/shell access appropriately.
• When granting CLI access privileges, restrict the list of users with Config level access.
• Do not add users directly in the Linux shell; only use the procedures in this chapter.
• Do not access Firepower devices using the Linux shell or CLI expert mode unless directed by Cisco TAC or by explicit instructions in the Firepower user documentation.
Each device type supports different forms of access as detailed
here:
• For FTD, ASA FirePOWER, and NGIPSv, CLI access is available
for direct management of the device.
• You can create internal users on these devices using the
CLI.
• You can establish external users on Firepower Threat Defense
devices.
• Users who log into these devices through the management interface access the CLI. Users with CLI Config level access can access the Linux shell using the CLI expert command.
Caution
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation.
• The FMC has a web interface and Linux shell for direct
management of the device.
• The FMC supports two different internal admin users: one for the web interface, and another with shell access. These two admin users are different accounts and do not share the same password. The system initialization process synchronizes the passwords for these two admin accounts so they start out the same, but they are tracked by different internal mechanisms and may diverge after initial configuration. See the Getting Started Guide for your model for more information on system initialization.
• FMC internal users added in the web interface have web interface access only.
• You can grant shell access to FMC external users.
• On the FMC when any account with shell access logs in to the management interface, it directly accesses the Linux shell.
• 7000 and 8000 Series devices have both a web interface and a
CLI for direct management of the device.
• 7000 and 8000 Series device internal users have web interface
and CLI access.
• You can enable CLI or shell access for 7000 and 8000 Series
device external users.
• Users who log into these devices through the management interface access the CLI. Users with CLI Config level access can access the shell using the shell expert command.
Caution
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the FMC documentation.
User Roles
User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator managing the device. You can also create custom user roles with access privileges tailored to your organization’s needs.
Web Interface User Roles
The 7000 and 8000 Series devices have access to the following user roles: Administrator, Maintenance User, and Security Analyst.
The Firepower Management Center includes the following predefined user roles:
Access Admin
Provides access to access control policy and associated features in the Policies menu. Access Admins cannot deploy policies.
Administrator
Administrators have access to everything in the product; their sessions present a higher security risk if compromised, so you cannot make them exempt from login session timeouts.
You should limit use of the Administrator role for security reasons.
Discovery Admin
Provides access to network discovery, application detection, and correlation features in the Policies menu. Discovery Admins cannot deploy policies.
External Database User
Provides read-only access to the Firepower System database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the Firepower System appliance, you must enable database access in the system settings. On the web interface, External Database Users have access only to online help-related options in the Help menu. Because this role’s function does not involve the web interface, access is provided only for ease of support and password changes.
Intrusion Admin
Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies and Objects menus. Intrusion Admins cannot deploy policies.
Maintenance User
Provides access to monitoring and maintenance features. Maintenance Users have access to maintenance-related options in the Health and System menus.
Network Admin
Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies menu, as well as device configuration features in the Devices menus. Network Admins can deploy configuration changes to devices.
Security Analyst
Provides access to security event analysis features, and read-only access to health events, in the Overview, Analysis, Health, and System menus.
Security Analyst (Read Only)
Provides read-only access to security event analysis features and health event features in the Overview, Analysis, Health, and System menus.
Security Approver
Provides limited access to access control and associated policies and network discovery policies in the Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.
Threat Intelligence Director (TID) User
Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence Director (TID) Users can view and configure TID.
CLI User Roles
On managed devices, user access to commands in the CLI depends on the role you assign.
None
The user cannot log into the device on the command line.
Config
The user can access all commands, including configuration commands. Exercise caution in assigning this level of access to users.
Basic
The user can access non-configuration commands only.
Note
External CLI users on managed devices always have the Config user role.
Requirements and Prerequisites for User Accounts
Model Support
External user authentication is supported for the following models:
• Firepower Management Center
• Firepower Threat Defense
• 7000 and 8000 Series
Guidelines and Limitations for User Accounts
Defaults
All devices include an admin user as a local user account for all forms of access; you cannot delete the admin user. The default initial password is Admin123; the system forces you to change this during the initialization process. See the Getting Started Guide for your model for more information about system initialization.
Add an Internal User Account
Each device maintains separate user accounts. The Firepower Management Center and 7000 and 8000 Series have similar web interfaces. For the Firepower Threat Defense, NGIPSv, and ASA FirePOWER, you must add internal users at the CLI. You cannot add users at the CLI on the Firepower Management Center and 7000 and 8000 Series.
Add an Internal User at the Web Interface
Access: Administrator
Supported Domains: Any
Supported Devices: FMC, 7000 & 8000 Series
Classic License: Any
Smart License: Any
This procedure describes how to add custom internal user accounts at the web interface of a Firepower Management Center or 7000 & 8000 Series device.
The System > Users > Users page shows both internal users that you added manually and external users that were added automatically when a user logged in with LDAP or RADIUS authentication. For external users, you can modify the user role on this screen if you assign a role with higher privileges; you cannot modify the password settings.
In a multidomain deployment on the Firepower Management Center, users are only visible in the domain in which they are created. Note that if you add a user in the Global domain, but then assign a user role for a leaf domain, then that user still shows on the Global Users page where it was added, even though the user "belongs" to a leaf domain.
If you enable security certifications compliance or Lights-Out Management (LOM) on a device, different password restrictions apply. For more information on security certifications compliance, see Security Certifications Compliance.
When you add a user in a leaf domain, that user is not visible
from the global domain.
Procedure
Step 1 Choose System > Users.
Step 2 Click Create User.
Step 3 Enter a User Name.
The username must be Linux-valid:
• Maximum 32 alphanumeric characters, plus hyphen (-) and
underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot
include a period (.), at sign (@), or slash (/)
Step 4 The Use External Authentication Method checkbox is checked for users that were added automatically when they logged in with LDAP or RADIUS. You do not need to pre-configure external users, so you can ignore this field. For an external user, you can revert this user to an internal user by unchecking the checkbox.
Step 5 Enter values in the Password and Confirm Password
fields.
The values must conform to the password options you set for this
user.
Step 6 Set the Maximum Number of Failed Logins.
Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is 5 tries; use 0 to allow an unlimited number of failed logins. The admin account is exempt from being locked out after a maximum number of failed logins unless you enabled security certification compliance.
Step 7 Set the Minimum Password Length.
Enter an integer, without spaces, that determines the minimum required length, in characters, of a user’s password. The default setting is 8. A value of 0 indicates that no minimum length is required.
Step 8 Set the Days Until Password Expiration.
Enter the number of days after which the user’s password expires. The default setting is 0, which indicates that the password never expires. If you change from the default, then the Password Lifetime column of the Users list indicates the days remaining on each user’s password.
Step 9 Set the Days Before Password Expiration Warning.
Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days.
Step 10 Set user Options.
• Force Password Reset on Login—Forces users to change their
passwords the next time they log in.
• Check Password Strength—Requires strong passwords. A strong password must be at least eight alphanumeric characters of mixed case and must include at least 1 numeric character and 1 special character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.
• Exempt from Browser Session Timeout—Exempts a user’s login sessions from termination due to inactivity. Users with the Administrator role cannot be made exempt.
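As an added illustration (not part of the Cisco guide), the following Python function encodes the Check Password Strength criteria listed above so that an administrator can pre-screen a candidate password and see exactly which rule it fails. The guide does not say which dictionary the appliance consults or how it matches words; the small word list and the letters-only, case-insensitive comparison below are assumptions made for this example.

```python
import string

# Constructed stand-in for the appliance's word list (assumption: the real check
# uses a system dictionary; load one here for production use).
DICTIONARY = {"password", "firepower", "security", "welcome", "admin", "letmein"}

MIN_LENGTH = 8  # "at least eight alphanumeric characters" per the guide


def password_strength_findings(password: str, dictionary=DICTIONARY) -> list:
    """Return the list of Check Password Strength rules the password violates.

    An empty list means the password satisfies every rule described in the guide:
    minimum length, mixed case, a digit, a special character, not a dictionary
    word, and no two identical characters in a row.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        findings.append("not mixed case")
    if not any(c.isdigit() for c in password):
        findings.append("no numeric character")
    if not any(c in string.punctuation for c in password):
        findings.append("no special character")
    # Dictionary test (assumed interpretation): strip digits and punctuation so
    # that "Password1!" is still recognised as the word "password".
    letters = "".join(c for c in password if c.isalpha()).lower()
    if letters in dictionary:
        findings.append("based on a dictionary word")
    if any(a == b for a, b in zip(password, password[1:])):
        findings.append("contains consecutive repeating characters")
    return findings


def is_strong(password: str) -> bool:
    """True when the password passes all of the strength rules."""
    return not password_strength_findings(password)


if __name__ == "__main__":
    for candidate in ["Password1!", "Tr0ub4dor&3", "abcdefg"]:
        print(candidate, "->", password_strength_findings(candidate) or "OK")
```

Run stand-alone, the script reports, for each constructed candidate, the rules it fails; "Password1!" is rejected both as a dictionary word and for the repeated "ss".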
Step 11 (7000 or 8000 Series) Assign the appropriate level of Command-Line Interface Access as described in CLI User Roles, on page 4.
Note
Unlike for the 7000 or 8000 Series, you cannot enable shell access for Firepower Management Center internal users. (On the FMC you can enable shell access for external users, but we recommend against doing so for system security reasons.)
Step 12 In the User Role Configuration area, assign user role(s). For more information about user roles, see Customize User Roles for the Web Interface, on page 27.
For external users, if the user role is assigned through group or list membership, you cannot remove the minimum access rights. You can, however, assign additional rights. If the user role is the default user role that you set on the device, then you can modify the role in the user account without limitations. When you modify the user role, the Authentication Method column on the Users tab provides a status of External - Locally Modified.
The options you see depend on whether the device is in a single domain or multidomain (Firepower Management Center only) deployment.
• Single domain—Check the user role(s) you want to assign the user.
• Multidomain (Firepower Management Center only)—In a multidomain deployment, you can create user accounts in any domain in which you have been assigned Administrator access. Users can have different privileges in each domain. You can assign user roles in both ancestor and descendant domains. For example, you can assign read-only privileges to a user in the Global domain, but Administrator privileges in a descendant domain. See the following steps:
a. Click Add Domain.
b. Choose a domain from the Domain drop-down list.
c. Check the user roles you want to assign the user.
d. Click Save.
Step 13 Click Save.
Add an Internal User at the CLI
Access: Config
Supported Domains: Any
Supported Devices: FTD, ASA FirePOWER, NGIPSv
Classic License: Any
Smart License: Any
Use the CLI to create internal users on the FTD, ASA FirePOWER, and NGIPSv devices. These devices do not have a web interface, so internal (and external) users can only access the CLI for management.
Procedure
Step 1 Log into the device CLI using an account with Config
privileges.
The admin user account has the required privileges, but any account with Config privileges will work. You can use an SSH session or the Console port.
For certain FTD models, the Console port puts you into the FXOS CLI. Use the connect ftd command to get to the FTD CLI.
Step 2 Create the user account.
configure user add username {basic | config}
• username—Sets the username. The username must be Linux-valid:
  • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
  • All lowercase
  • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
• basic—Gives the user basic access. This role does not allow the user to enter configuration commands.
• config—Gives the user configuration access. This role gives the user full administrator rights to all commands.
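Both the web-interface procedure (Add an Internal User at the Web Interface, Step 3) and this CLI command impose the same Linux-valid username rules. The following Python validator, added here as an example and not taken from the guide, checks a proposed username against those rules so that a rejected name can be explained before the account is created. The rule wording in the findings is this example's own.

```python
MAX_USERNAME_LEN = 32
# Characters the guide permits: lowercase alphanumerics plus hyphen and underscore.
ALLOWED_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-_")
# Characters the guide calls out explicitly as forbidden.
EXPLICITLY_FORBIDDEN = ".@/"


def username_findings(name: str) -> list:
    """Return the list of rules a proposed username violates (empty list = valid)."""
    findings = []
    if not name:
        return ["username is empty"]
    if len(name) > MAX_USERNAME_LEN:
        findings.append(f"longer than {MAX_USERNAME_LEN} characters")
    if any(c.isupper() for c in name):
        findings.append("contains uppercase characters (must be all lowercase)")
    # Report the characters the guide names first, then anything else outside
    # the allowed set (spaces, other punctuation, non-ASCII).
    forbidden = sorted({c for c in name if c in EXPLICITLY_FORBIDDEN})
    if forbidden:
        findings.append("contains forbidden character(s): "
                        + " ".join(repr(c) for c in forbidden))
    other = sorted({c for c in name
                    if c not in ALLOWED_CHARS
                    and c not in EXPLICITLY_FORBIDDEN
                    and not c.isupper()})
    if other:
        findings.append("contains characters outside a-z, 0-9, hyphen, underscore: "
                        + " ".join(repr(c) for c in other))
    if name.startswith("-"):
        findings.append("starts with a hyphen")
    if name.isdigit():
        findings.append("consists only of digits")
    return findings


def is_valid_username(name: str) -> bool:
    """True when the name satisfies every Linux-valid username rule in the guide."""
    return not username_findings(name)


if __name__ == "__main__":
    for candidate in ["johncrichton", "John.Crichton", "-root", "12345", "jdoe@example.com"]:
        print(candidate, "->", username_findings(candidate) or "valid")
```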
Example:
The following example adds a user account named johncrichton with Config access rights. The password is not shown as you type it.
> configure user add johncrichton config
Enter new password for user johncrichton: newpassword
Confirm new password for user johncrichton: newpassword
> show user
Login        UID  Auth  Access  Enabled  Reset  Exp    Warn  Str  Lock  Max
admin        1000 Local Config  Enabled  No     Never  N/A   Dis  No    N/A
johncrichton 1001 Local Config  Enabled  No     Never  N/A   Dis  No    5
Note
Tell users they can change their own passwords using the configure password command.
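The show user listing is the natural place to check that the CLI recommendations in this chapter are being followed. The following Python snippet, an added example rather than part of the guide, parses that output (re-typed here as constructed sample input) and reports accounts whose settings deviate from the recommendations: Config-level access on non-admin accounts, password strength checking disabled, passwords that never expire, and no failed-login limit. Reading the Str, Exp and Max columns as the strength-check, expiry and maximum-failed-login settings is an assumption drawn from the configure user commands described in the following steps.

```python
# Constructed sample: the "show user" output from the example above, re-typed here
# so the script runs offline. Column meanings (assumption): Str = password strength
# checking, Exp = password expiry, Max = maximum consecutive failed logins.
SAMPLE_SHOW_USER = """\
Login        UID  Auth  Access  Enabled  Reset  Exp    Warn  Str  Lock  Max
admin        1000 Local Config  Enabled  No     Never  N/A   Dis  No    N/A
johncrichton 1001 Local Config  Enabled  No     Never  N/A   Dis  No    5
"""


def parse_show_user(text: str) -> list:
    """Parse 'show user' output into one dict per account, keyed by column header.

    Every value in the listing is a single whitespace-free token (Never, N/A, Dis),
    so splitting on whitespace is sufficient; a row with a different column count
    is reported rather than silently mis-aligned.
    """
    lines = [line for line in text.splitlines() if line.strip()]
    if not lines:
        return []
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        fields = line.split()
        if len(fields) != len(header):
            raise ValueError(f"unexpected column count in line: {line!r}")
        rows.append(dict(zip(header, fields)))
    return rows


def audit_users(rows: list) -> dict:
    """Return {login: [findings]} for accounts that deviate from the chapter's advice."""
    report = {}
    for row in rows:
        findings = []
        # admin always holds Config access and cannot be deleted, so only flag other accounts.
        if row["Access"] == "Config" and row["Login"] != "admin":
            findings.append("Config-level CLI access (can reach the Linux shell; keep this list short)")
        if row["Str"] == "Dis":
            findings.append("password strength checking disabled (configure user strengthcheck)")
        if row["Exp"] == "Never":
            findings.append("password never expires (configure user aging)")
        if row["Max"] == "N/A":
            findings.append("no failed-login lockout limit (configure user maxfailedlogins)")
        if findings:
            report[row["Login"]] = findings
    return report


if __name__ == "__main__":
    for login, findings in audit_users(parse_show_user(SAMPLE_SHOW_USER)).items():
        print(login)
        for item in findings:
            print("  -", item)
```

With the sample input, johncrichton is flagged for Config access, disabled strength checking and a non-expiring password, while admin is flagged for the last two plus the absent lockout limit, which matches the guide's statement that admin is exempt from lockout.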
Step 3 (Optional) Adjust the characteristics of the account to
meet your security requirements.
You can use the following commands to change the default account
behavior.
• configure user aging username max_days warn_days
Sets an expiration date for the user's password. Specify the maximum number of days for the password to be valid followed by the number of days before expiration the user will be warned about the upcoming expiration. Both values are 1 to 9999, but the warning days must be less than the maximum days. When you create the account, there is no expiration date for the password.
• configure user forcereset username
Forces the user to change the password on the next login.
• configure user maxfailedlogins username number
Sets the maximum number of consecutive failed logins you will allow before locking the account, from 1 to 9999. Use the configure user unlock command to unlock accounts. The default for new accounts is 5 consecutive failed logins.
• configure user minpasswdlen username number
Sets a minimum password length, which can be from 1 to 127.
• configure user strengthcheck username {enable | disable}
Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.
Step 4 Manage user accounts as necessary.
Users can get locked out of their accounts, or you might need to remove accounts or fix other issues. Use the following commands to manage the user accounts on the system.
• configure user access username {basic | config}
Changes the privileges for a user account.
• configure user delete username
Deletes the specified account.
• configure user disable username
Disables the specified account without deleting it. The user
cannot log in until you enable the account.
• configure user enable username
Enables the specified account.
• configure user password username
Changes the password for the specified user. Users should normally change their own password using the configure password command.
• configure user unlock username
Unlocks a user account that was locked due to exceeding the maximum number of consecutive failed login attempts.
Configure External Authentication
To enable external authentication, you need to add one or more external authentication objects.
About External Authentication
When you enable external authentication for management and administrative users of your Firepower system, the device verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.
External authentication objects can be used by the Firepower Management Center, 7000 and 8000 Series, and FTD devices. You can share the same object between the different appliance/device types, or create separate objects.
Attention
External authentication is not supported on FTD virtual devices.
For the FMC, enable the external authentication objects directly on the System > Users > External Authentication tab; this setting only affects FMC usage, and it does not need to be enabled on this tab for managed device usage. For the 7000 and 8000 Series and FTD devices, you must enable the external authentication object in the platform settings that you deploy to the devices.
Web interface users are defined separately from CLI/shell users in the external authentication object. For CLI/shell users on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For LDAP, you can specify a filter to match CLI users on the LDAP server.
You cannot use an LDAP object for CLI/shell access that is also
configured for CAC authentication.
Note
Users with Linux shell access can obtain root privileges, which can present a security risk. Make sure that you:
• restrict the list of users with Linux shell access
• do not create Linux shell users
External Authentication for the Firepower Management Center and 7000 and 8000 Series
You can configure multiple external authentication objects for web interface access. For example, if you have 5 external authentication objects, users from any of them can be authenticated to access the web interface.
You can use only one external authentication object for CLI or shell access. If you have more than one external authentication object enabled, then users can authenticate using only the first object in the list. External CLI users on 7000 or 8000 Series devices always have Config privileges; other user roles are not supported.
External Authentication for the Firepower Threat Defense
For the FTD, you can only activate one external authentication object.
Only a subset of fields in the external authentication object are used for FTD SSH access. If you fill in additional fields, they are ignored. If you also use this object for other device types, those fields will be used.
Attention
External authentication is not supported on FTD virtual devices.
External users always have Config privileges; other user roles
are not supported.
About LDAP
The Lightweight Directory Access Protocol (LDAP) allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place.
Microsoft has announced that Active Directory servers will start enforcing LDAP binding and LDAP signing in 2020. Microsoft is making these a requirement because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site (https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows).
If you have not done so already, we recommend you start using TLS/SSL encryption to authenticate with an Active Directory server.
About RADIUS
Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865 (https://tools.ietf.org/html/rfc2865).
Firepower devices support the use of SecurID tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that as their password when they log in. You do not need to configure anything extra on the Firepower device to support SecurID.
Add an LDAP External Authentication Object
Access: Administrator
Supported Domains: Any
Supported Devices: FTD, 7000 and 8000 Series, FMC
Classic License: Any
Smart License: Any
Add an LDAP server to support external users for device management.
For the FTD, only a subset of fields are used for CLI access. See Configure External Authentication for SSH for details about which fields are used.
In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Before you begin
• You must specify DNS server(s) for domain name lookup on your device. Even if you specify an IP address and not a hostname for the LDAP server on this procedure, the LDAP server may return a URI for authentication that can include a hostname. A DNS lookup is required to resolve the hostname. See Modify FMC Management Interfaces or Modify Management Interfaces at the CLI to add DNS servers.
• If you are configuring an LDAP authentication object for use with CAC authentication, do not remove the CAC inserted in your computer. You must have a CAC inserted at all times after enabling user certificates.
Procedure
Step 1 Choose System > Users.
Step 2 Click the External Authentication tab.
Step 3 Click Add External Authentication Object.
Step 4 Set the Authentication Method to LDAP.
Step 5 (Optional) Check the check box for CAC if you plan to use this authentication object for CAC authentication and authorization.
You must also follow the procedure in Configure Common Access Card Authentication with LDAP, on page 25 to fully configure CAC authentication and authorization. You cannot use this object for CLI users.
Step 6 Enter a Name and optional Description.
Step 7 Choose a Server Type from the drop-down list.
Tip
If you click Set Defaults, the device populates the User Name Template, UI Access Attribute, Shell Access Attribute, Group Member Attribute, and Group Member URL Attribute fields with default values for the server type.
Step 8 For the Primary Server, enter a Host Name/IP Address.
If you are using a certificate to connect via TLS or SSL, the
host name in the certificate must match the hostname used in this
field. In addition, IPv6 addresses are not supported for encrypted
connections.
Step 9 (Optional) Change the Port from the default.
Step 10 (Optional) Enter the Backup Server parameters.
Step 11 Enter LDAP-Specific Parameters.
a) Enter the Base DN for the LDAP directory you want to access. In the LDAP directory tree, Base DN is the entry that contains the subtree in which your users exist. For example, to authenticate names in the Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively, click Fetch DNs, and choose the appropriate base distinguished name from the drop-down list.
b) (Optional) Enter the Base Filter. To limit the number of authenticated users, extend the Base DN filter by specifying the attribute and value for the user objects. For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, enter (physicalDeliveryOfficeName=NewYork).
c) Enter a User Name for a user who has sufficient credentials to browse the LDAP server. For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for the administrator in the Security division at your example company has a uid value of NetworkAdmin, you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.
d) Enter the user password in the Password and the Confirm Password fields.
e) (Optional) Click Show Advanced Options to configure the following advanced options.
• Encryption—Click None, TLS, or SSL.
If you change the encryption method after specifying a port, you reset the port to the default value for that method. For None or TLS, the port resets to the default value of 389. If you choose SSL encryption, the port resets to 636.
• SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking Choose File.
If you previously uploaded a certificate and want to replace it, upload the new certificate and redeploy the configuration to your devices to copy over the new certificate.
Note
TLS encryption requires a certificate on all platforms. For SSL, the FTD also requires a certificate. For other platforms, SSL does not require a certificate. However, we recommend that you always upload a certificate for SSL to prevent man-in-the-middle attacks.
• User Name Template—Provide a template that corresponds with your UI Access Attribute. For example, to authenticate all users who work in the Security organization of the Example company by connecting to an OpenLDAP server where the UI access attribute is uid, you might enter uid=%s,ou=security,dc=example,dc=com in the User Name Template field. For a Microsoft Active Directory server, you could enter %s@example.com.
This field is required for CAC authentication.
• Timeout—Enter the number of seconds before rolling over to the backup connection. The default is 30.
Step 12 (Optional) Configure Attribute Matching to retrieve
users based on an attribute.
• Enter a UI Access Attribute, or click Fetch Attrs to retrieve a list of available attributes. For example, on a Microsoft Active Directory Server, you may want to use the UI Access Attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.
This field is required for CAC authentication.
• Set the Shell Access Attribute if you want to use a shell access attribute other than the user distinguished type. For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve CLI/shell access users by typing sAMAccountName.
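To make concrete how the Base DN, Base Filter, User Name Template and UI Access Attribute fields fit together, here is an added Python example (not the appliance's own code; the guide does not describe its internals) that composes an LDAP bind name and a user search from values like the ones in the steps above. It escapes the supplied login name per RFC 4514 (distinguished names) and RFC 4515 (search filters) so that filter metacharacters in a name are matched literally rather than altering the query. Treating a template that contains "=" as a DN and anything else (such as %s@example.com) as a plain UPN is a heuristic assumed for this example.

```python
def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in a distinguished name (RFC 4514, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, c in enumerate(value):
        if c in ',+"\\<>;' or (i == 0 and c in "# ") or (i == last and c == " "):
            out.append("\\" + c)
        elif c == "\x00":
            out.append("\\00")
        else:
            out.append(c)
    return "".join(out)


def expand_user_template(template: str, username: str) -> str:
    """Fill the User Name Template's single %s with the login name.

    Heuristic (assumption for this example): a template containing '=' is a DN such
    as uid=%s,ou=security,dc=example,dc=com and gets DN escaping; otherwise it is a
    UPN-style value such as %s@example.com and the name is inserted as-is.
    """
    if template.count("%s") != 1:
        raise ValueError("User Name Template must contain exactly one %s")
    value = escape_dn_value(username) if "=" in template else username
    return template.replace("%s", value)


def build_user_search(base_dn: str, ui_access_attribute: str, username: str,
                      base_filter: str = "") -> dict:
    """Combine Base DN, optional Base Filter and the UI Access Attribute lookup.

    The Base Filter is AND-ed with the attribute match, mirroring the guide's
    description of the filter as a narrowing of the Base DN subtree.
    """
    user_clause = f"({ui_access_attribute}={escape_filter_value(username)})"
    if base_filter:
        if not (base_filter.startswith("(") and base_filter.endswith(")")):
            base_filter = f"({base_filter})"
        search_filter = f"(&{base_filter}{user_clause})"
    else:
        search_filter = user_clause
    return {"base": base_dn, "scope": "subtree", "filter": search_filter}


if __name__ == "__main__":
    # The guide's OpenLDAP and Active Directory examples.
    print(expand_user_template("uid=%s,ou=security,dc=example,dc=com", "jdoe"))
    print(expand_user_template("%s@example.com", "jdoe"))
    print(build_user_search("ou=security,dc=example,dc=com", "userPrincipalName",
                            "jdoe@example.com", "(physicalDeliveryOfficeName=NewYork)"))
```

Run stand-alone, the script prints the expanded bind DN for the OpenLDAP template, the UPN for the Active Directory template, and the combined search for the New York office example; a name containing "*" or ")" comes out hex-escaped in the filter instead of changing its structure.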
Step 13 (Optional) Configure Group Controlled Access Roles.
Group controlled access roles allow you to grant privileges to the users belonging to the specified groups. If you do not configure a user’s privileges using group-controlled access roles, a user has only the privileges granted by default in the external authentication policy.
Note
Configuring group controlled access roles does not limit the filter criteria on the LDAP server. To extend the user filter beyond the Base DN, use the Base Filter option.
a) (Optional) In the fields that correspond to user roles, enter the distinguished name for the LDAP groups that contain users who should be assigned to those roles.
Any group you reference must exist on the LDAP server. You can reference static LDAP groups or dynamic LDAP groups. Static LDAP groups are groups where membership is determined by group object attributes that point to specific users, and dynamic LDAP groups are groups where membership is determined by creating an LDAP search that retrieves group users based on user object attributes. Group access rights for a role only affect users who are members of the group.
If you use a dynamic group, the LDAP query is used exactly as it is configured on the LDAP server. For this reason, the Firepower device limits the number of recursions of a search to 4 to prevent search syntax errors from causing infinite loops.
Example:
Enter the following in the Administrator field to authenticate names in the information technology organization at the Example company:
cn=itgroup,ou=groups,dc=example,dc=com
b) Choose a Default User Role for users that do not belong to any of the specified groups.
c) If you use static groups, enter a Group Member Attribute.
Example:
If the member attribute is used to indicate membership in the static group for default Security Analyst access, enter member.
d) If you use dynamic groups, enter a Group Member URL Attribute.
Example:
If the memberURL attribute contains the LDAP search that retrieves members for the dynamic group you specified for default Admin access, enter memberURL.
If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 14 (Optional) Set the Shell Access Filter to allow CLI/shell users.
To prevent LDAP authentication of CLI/shell access, leave this field blank. To specify CLI/shell users, choose one of the following methods:
• To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.
• To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses (maximum 450 characters, including the enclosing parentheses). For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).
The usernames must be Linux-valid:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
For the 7000 or 8000 Series and Firepower Management Center, do not create any internal users that have the same user name as users included in the Shell Access Filter. The only internal FMC user should be admin; do not include an admin user in the Shell Access Filter.
For the FTD, if you previously configured the same username for an internal user, the FTD first checks the password against the internal user, and if that fails, it checks the LDAP server. Note that you cannot later add an internal user with the same name as an external user; only pre-existing internal users are supported.
Note
Step 15 (Optional) Click Test to test connectivity to the LDAP server.
The test output lists valid and invalid user names. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations. If the test fails, see Troubleshooting LDAP Authentication Connections, on page 32.
Step 16 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name uid and Password, and then click Test.
If you are connecting to a Microsoft Active Directory Server and supplied a UI access attribute in place of uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name for the user.
If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.
Tip
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.
Step 17 Click Save.
Step 18 Enable use of this server:
• Firepower Management Center—Enable External Authentication for Users on the Firepower Management Center, on page 24
• FTD—Configure External Authentication for SSH
• 7000 and 8000 Series—About External Authentication for 7000/8000 Series Devices
Step 19 If you later add or delete users on the LDAP server, you must refresh the user list and redeploy the Platform Settings on managed devices. This step is not required for the Firepower Management Center.
a) Click the Refresh icon next to each LDAP server.
If the user list changed, you will see a message advising you to deploy configuration changes for your device.
b) For 7000 and 8000 Series devices, make a small configuration change in the Platform Settings so that the settings are marked as Out-of-Date. 7000 and 8000 Series Platform Settings are not automatically marked as Out-of-Date for LDAP shell user list updates.
Note that the Firepower Threat Defense Platform Settings are automatically marked as Out-of-Date, so you do not need to perform this workaround.
c) Deploy configuration changes; see Deploy Configuration Changes.
Examples
Basic Example
The following figures illustrate a basic configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 389 for access. Port 389 is unencrypted LDAP, so the user's password crosses the network in the clear; the Advanced Example below uses port 636 with SSL instead.
This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company.
However, because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Choosing the MS Active Directory server type and clicking Set Defaults sets the UI Access Attribute to sAMAccountName. As a result, the Firepower System checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the Firepower System.
In addition, a Shell Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a shell or CLI account on the appliance.
Note that because no base filter is applied to this server, the Firepower System checks attributes for all objects in the directory indicated by the base distinguished name. Connections to the server time out after the default time period (or the timeout period set on the LDAP server).
Advanced Example
This example illustrates an advanced configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 636 for access.
This example shows a connection using a base distinguished name of OU=security,DC=it,DC=example,DC=com for the security organization in the information technology domain of the Example company. However, note that this server has a base filter of (cn=*smith). The filter restricts the users retrieved from the server to those with a common name ending in smith.
The connection to the server is encrypted using SSL and a certificate named certificate.pem is used for the connection. In addition, connections to the server time out after 60 seconds because of the Timeout setting.
Because this server is a Microsoft Active Directory server, it uses the sAMAccountName attribute to store user names rather than the uid attribute. Note that the configuration includes a UI Access Attribute of sAMAccountName. As a result, the Firepower System checks the sAMAccountName attribute for each object for matching user names when a user attempts to log into the Firepower System.
In addition, a Shell Access Attribute of sAMAccountName causes each sAMAccountName attribute to be checked for all objects in the directory for matches when a user logs into a CLI/shell account on the appliance.
This example also has group settings in place. The Maintenance User role is automatically assigned to all members of the group with a member group attribute and the base domain name of CN=SFmaintenance,DC=it,DC=example,DC=com.
The shell access filter is set to be the same as the base filter, so the same users can access the appliance through the shell or CLI as through the web interface.
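To make the effect of the Base DN, Base Filter, UI Access Attribute, group-controlled roles and Shell Access Filter concrete, the following Python model walks a login through the Advanced Example configuration above. It is an added example, not Cisco code and not how the FMC is implemented: the directory entries, the default role (Security Analyst) and the refusal of usernames containing LDAP filter metacharacters are assumptions made for the example, and dynamic memberURL groups are not modelled.

```python
"""Model of how an LDAP external authentication object resolves a login,
configured like the Advanced Example above.  Added example, not Cisco code;
dynamic memberURL groups are not modelled."""
import fnmatch

# Constructed directory: DN -> attributes (names lower-cased, as LDAP
# attribute names are case-insensitive).  tsmith lies outside the base DN.
SEC = "OU=security,DC=it,DC=example,DC=com"
DIRECTORY = {
    "CN=asmith," + SEC: {"cn": ["asmith"], "samaccountname": ["asmith"]},
    "CN=jsmith," + SEC: {"cn": ["jsmith"], "samaccountname": ["jsmith"]},
    "CN=bjones," + SEC: {"cn": ["bjones"], "samaccountname": ["bjones"]},
    "CN=tsmith,OU=sales,DC=it,DC=example,DC=com":
        {"cn": ["tsmith"], "samaccountname": ["tsmith"]},
    # Static group: the member attribute lists member DNs.
    "CN=SFmaintenance,DC=it,DC=example,DC=com": {"member": ["CN=asmith," + SEC]},
}

# Settings from the Advanced Example; the default role is an assumption.
CONFIG = {
    "base_dn": SEC,
    "base_filter": "(cn=*smith)",
    "ui_access_attribute": "sAMAccountName",
    "shell_access_filter": "(cn=*smith)",          # Same as Base Filter
    "group_member_attribute": "member",
    "group_roles": {"Maintenance User": "CN=SFmaintenance,DC=it,DC=example,DC=com"},
    "default_role": "Security Analyst",
}

def _components(s):
    """Split "(a)(b)" into ["(a)", "(b)"], respecting nesting."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        depth += (ch == "(") - (ch == ")")
        if ch == ")" and depth == 0:
            parts.append(s[start:i + 1])
            start = i + 1
    return parts

def parse_filter(text):
    """Parse the RFC 4515 subset used on this page: (attr=value) with '*'
    wildcards, presence (attr=*), and the &, | and ! operators."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % text)
    body = text[1:-1]
    if body[0] in "&|":
        return (body[0], [parse_filter(p) for p in _components(body[1:])])
    if body[0] == "!":
        return ("!", [parse_filter(body[1:])])
    attr, _, value = body.partition("=")
    return ("=", attr.strip().lower(), value)

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    if node[0] == "&":
        return all(matches(n, attrs) for n in node[1])
    if node[0] == "|":
        return any(matches(n, attrs) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], attrs)
    values = attrs.get(node[1], [])
    if node[2] == "*":
        return bool(values)
    return any(fnmatch.fnmatchcase(v.lower(), node[2].lower()) for v in values)

def search(base_dn, filter_text):
    """Subtree search under base_dn; returns the matching DNs."""
    node, base = parse_filter(filter_text), base_dn.lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if (dn.lower() == base or dn.lower().endswith("," + base))
            and matches(node, attrs)]

def _lookup(username, config, filter_text):
    """The single entry whose UI Access Attribute equals username and that
    also satisfies filter_text (when one is set), else None."""
    if any(ch in username for ch in "*()\\\x00"):
        return None  # added guard: never splice filter metacharacters in
    attr_match = "(%s=%s)" % (config["ui_access_attribute"], username)
    combined = "(&%s%s)" % (filter_text, attr_match) if filter_text else attr_match
    hits = search(config["base_dn"], combined)
    return hits[0] if len(hits) == 1 else None

def resolve_web_role(username, config):
    """(dn, role) for a web interface login, or None if not found.
    Step 13: a group match wins, otherwise the default role applies."""
    dn = _lookup(username, config, config["base_filter"])
    if dn is None:
        return None
    member_attr = config["group_member_attribute"].lower()
    for role, group_dn in config["group_roles"].items():
        members = DIRECTORY.get(group_dn, {}).get(member_attr, [])
        if any(m.lower() == dn.lower() for m in members):
            return dn, role
    return dn, config["default_role"]

def shell_access_allowed(username, config):
    """Step 14: a blank Shell Access Filter disables CLI/shell logins via
    LDAP; otherwise the user must also satisfy that filter."""
    if not config["shell_access_filter"]:
        return False
    return _lookup(username, config, config["shell_access_filter"]) is not None
```

With this configuration asmith resolves to Maintenance User through the SFmaintenance group, jsmith falls back to the default role, bjones is rejected by the (cn=*smith) base filter even though the account exists under the base DN, and tsmith is never a candidate because it lies outside OU=security. Setting shell_access_filter to an empty string reproduces the "leave this field blank" behaviour of step 14.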
Add a RADIUS External Authentication Object

Access: Administrator
Supported Domains: Any
Supported Devices: FTD, 7000 and 8000 Series, FMC
Classic License: Any
Smart License: Any
Add a RADIUS server to support external users for device management.
For the FTD, only a subset of fields are used for CLI access. See Configure External Authentication for SSH for details about which fields are used.
In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Procedure
Step 1 Choose System > Users.
Step 2 Click External Authentication.
Step 3 Click Add External Authentication Object.
Step 4 Set the Authentication Method to RADIUS.
Step 5 Enter a Name and optional Description.
Step 6 For the Primary Server, enter a Host Name/IP Address.
Step 7 (Optional) Change the Port from the default.
Step 8 Enter the RADIUS Secret Key.
Step 9 (Optional) Enter the Backup Server parameters.
Step 10 (Optional) Enter RADIUS-Specific Parameters.
a) Enter the Timeout in seconds before retrying the primary server. The default is 30.
b) Enter the Retries before rolling over to the backup server. The default is 3.
c) In the fields that correspond to user roles, enter the name of each user or identifying attribute-value pair that should be assigned to those roles.
Separate usernames and attribute-value pairs with commas.
Example:
If you know all users who should be Security Analysts have the value Analyst for their User-Category attribute, you can enter User-Category=Analyst in the Security Analyst field to grant that role to those users.
Example:
To grant the Administrator role to the users jsmith and jdoe, enter jsmith, jdoe in the Administrator field.
Example:
To grant the Maintenance User role to all users with a User-Category value of Maintenance, enter User-Category=Maintenance in the Maintenance User field.
d) Select the Default User Role for users that do not belong to any of the specified groups.
If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.
Step 11 (Optional) Define Custom RADIUS Attributes.
If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/, and you plan to use those attributes to set roles for users with those attributes, you need to define those attributes. You can locate the attributes returned for a user by looking at the user's profile on your RADIUS server.
a) Enter an Attribute Name.
The attribute name consists of alphanumeric characters. Words in an attribute name should be separated by dashes rather than spaces.
b) Enter the Attribute ID as an integer.
The attribute ID must not conflict with any existing attribute IDs in the /etc/radiusclient/dictionary file.
c) Choose the Attribute Type from the drop-down list: string, IP address, integer, or date.
d) Click Add to add the custom attribute.
When you create a RADIUS authentication object, a new dictionary file for that object is created on the device in the /var/sf/userauth directory. Any custom attributes you add are added to the dictionary file.
Example:
If a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool.
To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer.
You could then enter Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only security analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.
Step 12 (Optional) In the Shell Access Filter area Administrator Shell Access User List field, enter the user names that should have CLI/shell access, separated by commas.
Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:
• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)
• All lowercase
• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)
To prevent RADIUS authentication of CLI/shell access, leave the field blank.
For the 7000 or 8000 Series and Firepower Management Center, remove any internal users that have the same user name as users included in the shell access filter. For the Firepower Management Center, the only internal CLI/shell user is admin, so do not also create an admin external user.
For the FTD, if you previously configured the same username for an internal user, the FTD first checks the password against the internal user, and if that fails, it checks the RADIUS server. Note that you cannot later add an internal user with the same name as an external user; only pre-existing internal users are supported.
Note
Step 13 (Optional) Click Test to test FMC connectivity to the RADIUS server.
This function can only test FMC connectivity to the RADIUS server; there is no test function for managed device connectivity to the RADIUS server.
Step 14 (Optional) You can also enter Additional Test Parameters to test user credentials for a user who should be able to authenticate: enter a User Name and Password, and then click Test.
If you mistype the name or password of the test user, the test fails even if the server configuration is correct. To verify that the server configuration is correct, click Test without entering user information in the Additional Test Parameters field first. If that succeeds, supply a user name and password to test with the specific user.
Tip
Example:
To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.
Step 15 Click Save.
Step 16 Enable use of this server:
• Firepower Management Center—Enable External Authentication for Users on the Firepower Management Center, on page 24
• FTD—Configure External Authentication for SSH
• 7000 and 8000 Series—About External Authentication for 7000/8000 Series Devices
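The following Python model shows what steps 10c, 11 and 12 of this procedure amount to in practice: splitting a role field into user names and Attribute=Value pairs, flagging attributes that still need a custom attribute entry, producing the radiusclient dictionary line that entry corresponds to, and checking a Shell Access User List against the Linux-valid name rules (which also apply to the LDAP Shell Access Filter earlier on this page). It is an added example, not Cisco code: the set of attributes assumed to be in the stock dictionary, the radiusclient type keywords, and the choice to grant every matching role when a user is matched by more than one field are this example's assumptions, since the page does not say how the FMC resolves that case.

```python
"""Model of how a RADIUS external authentication object turns a RADIUS
reply into web interface roles and CLI/shell access.  Added example, not
Cisco code."""
import re

# Attributes assumed to be in the stock /etc/radiusclient dictionary for
# this example; anything else used in a role field needs a custom entry.
KNOWN_ATTRIBUTES = {"User-Name", "User-Category"}
# radiusclient dictionary type keywords for string, IP address, integer, date.
RADIUS_TYPES = {"string", "ipaddr", "integer", "date"}

def dictionary_line(name, attr_id, attr_type):
    """The dictionary entry a custom attribute (step 11a-c) is written as."""
    if not re.fullmatch(r"[A-Za-z0-9-]+", name):
        raise ValueError("attribute names are alphanumeric words joined by dashes")
    if not isinstance(attr_id, int) or attr_id <= 0:
        raise ValueError("attribute ID must be a positive integer")
    if attr_type not in RADIUS_TYPES:
        raise ValueError("type must be one of %s" % sorted(RADIUS_TYPES))
    return "ATTRIBUTE\t%s\t%d\t%s" % (name, attr_id, attr_type)

def parse_role_field(field):
    """Split a role field into (user names, [(attribute, value), ...])."""
    users, pairs = [], []
    for item in (t.strip() for t in field.split(",")):
        if not item:
            continue
        if "=" in item:
            attr, value = item.split("=", 1)
            pairs.append((attr.strip(), value.strip()))
        else:
            users.append(item)
    return users, pairs

def undeclared_attributes(role_fields, known=KNOWN_ATTRIBUTES):
    """Attributes referenced by role fields but absent from the dictionary."""
    return sorted({attr for field in role_fields.values()
                   for attr, _ in parse_role_field(field)[1] if attr not in known})

def assign_roles(username, reply_attrs, role_fields, default_role):
    """Roles for one login: every role whose field names the user or whose
    attribute-value pair is present in the RADIUS reply; the default role
    only when nothing matched.  Granting all matches is this model's
    assumption."""
    roles = set()
    for role, field in role_fields.items():
        users, pairs = parse_role_field(field)
        if username in users or any(str(reply_attrs.get(a)) == v for a, v in pairs):
            roles.add(role)
    return roles or {default_role}

# Linux-valid name: 1-32 chars of [a-z0-9_-], lower-case, no leading hyphen;
# "all digits" is checked separately because the regex cannot express it.
_LINUX_NAME = re.compile(r"[a-z0-9_][a-z0-9_-]{0,31}")

def invalid_shell_users(field):
    """Names in the Administrator Shell Access User List that break the
    rules in step 12, plus admin, which must never be listed on the FMC."""
    bad = []
    for name in (n.strip() for n in field.split(",")):
        if not name:
            continue
        if _LINUX_NAME.fullmatch(name) is None or name.isdigit() or name == "admin":
            bad.append(name)
    return bad
```

Run undeclared_attributes over the role fields before saving the object: any attribute it returns will silently never match until it has a custom attribute entry, and a user relying on it will land in the default role instead.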
Examples
Simple User Role Assignments
The following figure illustrates a sample RADIUS login authentication object for a server running Cisco Identity Services Engine (ISE) with an IP address of 10.10.10.98 on port 1812. No backup server is defined.
The following example shows RADIUS-specific parameters, including the timeout (30 seconds) and number of failed retries before the Firepower System attempts to contact the backup server, if any.
This example illustrates important aspects of RADIUS user role configuration:
• Users ewharton and gsand are granted web interface Administrative access.
• The user cbronte is granted web interface Maintenance User access.
• The user jausten is granted web interface Security Analyst access.
• The user ewharton can log into the device using a CLI/shell account.
The following graphic depicts the role configuration for the example:
Roles for Users Matching an Attribute-Value Pair
You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute.
The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same ISE server as in the previous example.
In this example, however, the MS-RAS-Version custom attribute is returned for one or more of the users because a Microsoft remote access server is in use. Note the MS-RAS-Version custom attribute is a string. In this example, all users logging in to RADIUS through a Microsoft v. 5.00 remote access server should receive the Security Analyst (Read Only) role, so you enter the attribute-value pair of MS-RAS-Version=MSRASV5.00 in the Security Analyst (Read Only) field.
Enable External Authentication for Users on the Firepower Management Center

Access: Admin
Supported Domains: Any
Supported Devices: FMC
Classic License: Any
Smart License: Any
When you enable external authentication for management users, the Firepower Management Center verifies the user credentials with an LDAP or RADIUS server as specified in an External Authentication object.
Before you begin
Add 1 or more external authentication objects according to Add an LDAP External Authentication Object, on page 11 and Add a RADIUS External Authentication Object, on page 19.
Procedure
Step 1 Choose System > Users.
Step 2 Click External Authentication.
Step 3 Set the default user role for external web interface users.
Users without a role cannot perform any actions. Any user roles defined in the external authentication object override this default user role.
a) Click the Default User Roles value (by default, none selected).
b) In the Default User Role Configuration dialog box, check the role(s) that you want to use.
c) Click Save.
Step 4 Click the slider next to each external authentication object that you want to use. If you enable more than 1 object, then users are compared against servers in the order specified. See the next step to reorder servers.
If you enable shell authentication, you must enable an external authentication object that includes a Shell Access Filter. Also, CLI/shell access users can only authenticate against the server whose authentication object is highest in the list.
Step 5 (Optional) Drag and drop servers to change the order in which they are accessed when an authentication request occurs.
Step 6 Choose Shell Authentication > Enabled if you want to allow CLI/shell access for external users.
The first external authentication object name is shown next to the Enabled option to remind you that only the first object is used for CLI/shell access.
Step 7 Click Save and Apply.
Enable External Authentication for Users on Managed Devices
Enable External Authentication in the device Platform Settings, and then deploy the settings to the managed devices. See the following procedures for your managed device type:
• Firepower Threat Defense—Configure External Authentication for SSH
• 7000 and 8000 Series—About External Authentication for 7000/8000 Series Devices
External authentication is not supported on FTD virtual devices.
Attention
Configure Common Access Card Authentication with LDAP

Access: Administrator, Network Admin
Supported Domains: Any
Supported Devices: FMC, 7000 and 8000 Series
Classic License: Any
Smart License: Any
If your organization uses Common Access Cards (CACs), you can configure LDAP authentication to authenticate FMC or 7000 and 8000 Series users logging into the web interface. With CAC authentication, users have the option to log in directly without providing a separate username and password for the device.
CAC-authenticated users are identified by their electronic data interchange personal identifier (EDIPI) numbers.
After 24 hours of inactivity, the device deletes CAC-authenticated users from the Users tab. The users are re-added after each subsequent login, but you must reconfigure any manual changes to their user roles.
Before you begin
You must have a valid user certificate present in your browser (in this case, a certificate passed to your browser via your CAC) to enable user certificates as part of the CAC configuration process. After you configure CAC authentication and authorization, users on your network must maintain the CAC connection for the duration of their browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.
Procedure
Step 1 Insert a CAC as directed by your organization.
Step 2 Direct your browser to https://ipaddress_or_hostname/, where ipaddress or hostname corresponds to your device.
Step 3 If prompted, enter the PIN associated with the CAC you inserted in step 1.
Step 4 If prompted, choose the appropriate certificate from the drop-down list.
Step 5 On the Login page, in the Username and Password fields, log in as a user with Administrator privileges. You cannot yet log in using your CAC credentials.
Step 6 Choose System > Users > External Authentication.
Step 7 Create an LDAP authentication object exclusively for CAC, following the procedure in Add an LDAP External Authentication Object, on page 11. You must configure the following:
• CAC check box.
• LDAP-Specific Parameters > Show Advanced Options > User Name Template.
• Attribute Mapping > UI Access Attribute.
Step 8 Click Save.
Step 9 Enable external authentication and CAC authentication as described in Enable External Authentication for Users on the Firepower Management Center, on page 24 or Enable External Authentication to 7000/8000 Series Devices.
Step 10 Choose System > Configuration, and click HTTPS Certificate.
Step 11 Import an HTTPS server certificate, if necessary, following the procedure outlined in Importing HTTPS Server Certificates.
The same certificate authority (CA) must issue the HTTPS server certificate and the user certificates on the CACs you plan to use.
Step 12 Under HTTPS User Certificate Settings, choose Enable User Certificates. For more information, see Requiring Valid HTTPS Client Certificates.
Step 13 Log into the device according to Logging Into the Firepower Management Center with CAC Credentials or Logging Into a 7000 or 8000 Series Device with CAC Credentials.
Customize User Roles for the Web Interface
Each user account must be defined with a user role. This section describes how to manage user roles and how to configure a custom user role for web interface access. For default user roles, see Web Interface User Roles, on page 3.
CLI/shell user roles for managed devices are limited to Config and Basic roles. See CLI User Roles, on page 4 for more information.
Note
Create Custom User Roles

Access: Administrator
Supported Domains: Any
Supported Devices: FMC, 7000 & 8000 Series
Classic License: Any
Smart License: Any
Custom user roles can have any set of menu-based and system permissions, and may be completely original, copied from a predefined or another custom user role, or imported from another device.
Users with menu-based User Management permissions have the ability to elevate their own privileges or create new user accounts with extensive privileges, including the Administrator user role. For system security reasons we strongly recommend you restrict the list of users with User Management permissions appropriately.
Caution
Procedure
Step 1 Choose System > Users.
Step 2 Click User Roles.
Step 3 Add a new user role with one of the following methods:
• Click Create User Role.
• Click the Copy icon next to the user role you want to copy.
• Import a custom user role from another device:
a. On the old device, click the Export icon to save the role to your PC.
b. On the new device, choose System > Tools > Import/Export.
c. Click Upload Package, then follow the instructions to import the saved user role to the new device.
Step 4 Enter a Name for the new user role. User role names are case sensitive.
Step 5 (Optional) Add a Description.
Step 6 Choose Menu-Based Permissions for the new role.
When you choose a permission, all of its children are chosen, and the multi-value permissions use the first value. If you clear a high-level permission, all of its children are cleared also. If you choose a permission but not its children, it appears in italic text.
Copying a predefined user role to use as the base for your custom role preselects the permissions associated with that predefined role.
You can apply restrictive searches to a custom user role. These searches constrain the data a user can see in the tables on the pages available under the Analysis menu. You can configure a restrictive search by first creating a private saved search and selecting it from the Restrictive Search drop-down menu under the appropriate menu-based permission.
Step 7 (Optional) Check the External Database Access check box to set database access permissions for the new role.
This option provides read-only access to the database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the device, you must enable database access in the system settings.
Step 8 (Optional) To set escalation permissions for the new user role, see Enable User Role Escalation, on page 29.
Step 9 Click Save.
Example
You can create custom user roles for access control-related features to designate whether users can view and modify access control and associated policies.
The following table lists custom roles that you could create and the user permissions granted for each example. In this example, Policy Approvers can view (but not modify) access control and intrusion policies. They can also deploy configuration changes to devices.
Table 1: Example Access Control Custom Roles

Custom Role Permission          | Example: Access Control Editor | Example: Intrusion & Network Analysis Editor | Example: Policy Approver
Access Control                  | yes                            | no                                           | yes
Access Control Policy           | yes                            | no                                           | yes
Modify Access Control Policy    | yes                            | no                                           | no
Intrusion Policy                | no                             | yes                                          | yes
Modify Intrusion Policy         | no                             | yes                                          | no
Deploy Configuration to Devices | no                             | no                                           | yes
Deactivate User Roles

Access: Administrator
Supported Domains: Any
Supported Devices: FMC, 7000 & 8000 Series
Classic License: Any
Smart License: Any
Deactivating a role removes that role and all associated permissions from any user who is assigned that role. You cannot delete predefined user roles, but you can deactivate them.
In a multidomain deployment, the system displays custom user roles created in the current domain, which you can edit. It also displays custom user roles created in ancestor domains, which you cannot edit. To view and edit custom user roles in a lower domain, switch to that domain.
Procedure
Step 1 Choose System > Users.
Step 2 Click User Roles.
Step 3 Click the slider next to the user role you want to activate or deactivate.
If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.
If you deactivate, then reactivate, a role with Lights-Out Management while a user with that role is logged in, or restore a user or user role from a backup during that user's login session, that user must log back into the web interface to regain access to IPMItool commands.
Enable User Role Escalation
For the Firepower Management Center, you can give custom user roles the permission, with a password, to temporarily gain the privileges of another, targeted user role in addition to those of the base role. This feature allows you to easily substitute one user for another during an absence, or to more closely track the use of advanced user privileges. Default user roles do not support escalation.
For example, a user whose base role has very limited privileges can escalate to the Administrator role to perform administrative actions. You can configure this feature so that users can use their own passwords, or so they use the password of another user that you specify. The second option allows you to easily manage one escalation password for all applicable users.
To configure user role escalation, see the following workflow.
Procedure
Step 1 Set the Escalation Target Role, on page 30. Only one user role at a time can be the escalation target role.
Step 2 Configure a Custom User Role for Escalation, on page 30.
Step 3 (For the logged in user) Escalate Your User Role, on page 31.
Set the Escalation Target Role
AccessSupported DomainsSupported DevicesClassic LicenseSmart
License
AdministratorAnyFMCAnyAny
You can assign any of your user roles, predefined or custom, to act as the system-wide escalation target role. This is the role to which a custom role can escalate, if it has the ability. Only one user role at a time can be the escalation target role. Each escalation lasts for the duration of a login session and is recorded in the audit log.
Procedure
Step 1 Choose System > Users.
Step 2 Click User Roles.
Step 3 Click Configure Permission Escalation.
Step 4 Choose a user role from the Escalation Target drop-down list.
Step 5 Click OK to save your changes.
Changing the escalation target role is effective immediately. Users in escalated sessions now have the permissions of the new escalation target.
Configure a Custom User Role for Escalation
Access: Administrator
Supported Domains: Any
Supported Devices: FMC
Classic License: Any
Smart License: Any
Users for whom you want to enable escalation must belong to a custom user role with escalation enabled. This procedure describes how to enable escalation for a custom user role.
Consider the needs of your organization when you configure the escalation password for a custom role. If you want to easily manage many escalating users, you might want to choose another user whose password serves as the escalation password. If you change that user’s password or deactivate that user, all escalating users who require that password are affected. This action allows you to manage user role escalation more efficiently, especially if you choose an externally-authenticated user that you can manage centrally.
Before you begin
Set a target user role according to Set the Escalation Target Role, on page 30.
Procedure
Step 1 Begin configuring your custom user role as described in Create Custom User Roles, on page 27.
Step 2 In System Permissions, choose the Set this role to escalate to: Maintenance User check box.
The current escalation target role is listed beside the check box.
Step 3 Choose the password that this role uses to escalate. You have two options:
• Choose Authenticate with the assigned user’s password if you want users with this role to use their own passwords when they escalate.
• Choose Authenticate with the specified user’s password and enter that username if you want users with this role to use the password of another user.
Note
When authenticating with another user’s password, you can enter any username, even that of a deactivated or nonexistent user. Deactivating the user whose password is used for escalation makes escalation impossible for users with the role that requires it. You can use this feature to quickly remove escalation powers if necessary.
Step 4 Click Save.
Escalate Your User Role
Access: Any
Supported Domains: Any
Supported Devices: FMC
Classic License: Any
Smart License: Any
When a user has an assigned custom user role with permission to escalate, that user can escalate to the target role’s permissions at any time. Note that escalation has no effect on user preferences.
Procedure
Step 1 From the drop-down list under your user name, choose Escalate Permissions.
If you do not see this option, your administrator did not enable escalation for your user role.
Step 2 Enter the authentication password.
Step 3 Click Escalate.
You now have all permissions of the escalation target role in addition to your current role.
Escalation lasts for the remainder of your login session. To return to the privileges of your base role only, you must log out, then begin a new session.
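The escalation rules spread over the three procedures above (Set the Escalation Target Role, Configure a Custom User Role for Escalation, Escalate Your User Role) can be checked against a small model. The following Python is an added illustration written for this page; it is not Firepower Management Center code, and every class, field and user name in it is an assumption. It shows the effective permission set of a session before and after escalation, the effect of changing the target role on a session that is already escalated, and how deactivating the specified password user removes escalation for everyone with that role.

```python
"""Model of the user-role escalation rules in this section: effective
permissions of a session, the escalation password source, and what a target
change or a deactivated password user does to escalated users.
Constructed illustration, not Firepower Management Center code; all class,
field and user names are assumptions."""
import hmac
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass
class Role:
    name: str
    permissions: FrozenSet[str]
    escalation_enabled: bool = False
    # None: "Authenticate with the assigned user's password";
    # a username: "Authenticate with the specified user's password"
    escalation_password_user: Optional[str] = None


@dataclass
class User:
    name: str
    role: Role
    password: str
    active: bool = True


@dataclass
class Session:
    """A login session; escalation is bound to the session, not to the user."""
    user: User
    escalated: bool = False


class EscalationModel:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.escalation_target: Optional[Role] = None
        self.audit_log: List[str] = []

    def add_user(self, user: User) -> None:
        self.users[user.name] = user

    def set_escalation_target(self, role: Role) -> None:
        # Only one target at a time; the change applies to escalated sessions at once
        self.escalation_target = role
        self.audit_log.append(f"escalation target set to {role.name}")

    def escalation_password(self, session: Session) -> Optional[str]:
        """Password the role must present; None means escalation is impossible."""
        role = session.user.role
        if role.escalation_password_user is None:
            return session.user.password
        source = self.users.get(role.escalation_password_user)
        # Nonexistent or deactivated specified user: nobody with this role can escalate
        if source is None or not source.active:
            return None
        return source.password

    def escalate(self, session: Session, password: str) -> bool:
        role = session.user.role
        if not role.escalation_enabled or self.escalation_target is None:
            return False  # the Escalate Permissions option is not offered
        expected = self.escalation_password(session)
        if expected is None or not hmac.compare_digest(password.encode(), expected.encode()):
            self.audit_log.append(f"{session.user.name}: escalation denied")
            return False
        session.escalated = True
        self.audit_log.append(f"{session.user.name}: escalated to {self.escalation_target.name}")
        return True

    def effective_permissions(self, session: Session) -> FrozenSet[str]:
        perms = set(session.user.role.permissions)
        if session.escalated and self.escalation_target is not None:
            perms |= self.escalation_target.permissions  # target is added to the base role
        return frozenset(perms)


def demo() -> dict:
    """Walks through the cases the section describes; returns them for inspection."""
    admin = Role("Administrator", frozenset({"manage_users", "deploy", "view_events"}))
    maint = Role("Maintenance User", frozenset({"health", "backup"}))
    analyst = Role("Restricted Analyst", frozenset({"view_events"}),
                   escalation_enabled=True, escalation_password_user="escalation-svc")
    m = EscalationModel()
    m.add_user(User("escalation-svc", admin, "shared-escalation-pw"))
    m.add_user(User("alice", analyst, "alice-pw"))
    m.add_user(User("bob", analyst, "bob-pw"))
    m.set_escalation_target(admin)
    alice = Session(m.users["alice"])
    out = {"base": m.effective_permissions(alice)}
    out["own_password_rejected"] = m.escalate(alice, "alice-pw")
    out["escalated"] = m.escalate(alice, "shared-escalation-pw")
    out["with_admin"] = m.effective_permissions(alice)
    m.set_escalation_target(maint)            # effective immediately for alice's session
    out["after_target_change"] = m.effective_permissions(alice)
    m.users["escalation-svc"].active = False  # removes escalation powers for the whole role
    out["bob_after_deactivation"] = m.escalate(Session(m.users["bob"]), "shared-escalation-pw")
    out["new_session"] = m.effective_permissions(Session(m.users["alice"]))  # logout resets
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {sorted(value) if isinstance(value, frozenset) else value}")
```

The model makes the operational consequence explicit: the specified user's password is a single control point, so rotating that password or deactivating that account is also the fastest way to revoke escalation for every role that points at it, which is why the section recommends a centrally managed, externally authenticated account for that purpose.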
Configure Cisco Security Manager Single Sign-on
Access: Administrator
Supported Domains: Any
Supported Devices: ASA FirePOWER
Classic License: Any
Smart License: Any
Single sign-on enables integration between Cisco Security Manager (CSM) Version 4.7 or higher and the Firepower Management Center, which allows you to access the Firepower Management Center from CSM without additional authentication to log in. When managing an ASA with the ASA FirePOWER module, you may want to modify the policies deployed to the module. You can select the managing Firepower Management Center in CSM and launch it in a web browser.
Note
You cannot log in with single sign-on if your organization uses CACs for authentication.
Before you begin
• In NAT environments, the Firepower Management Center and CSM must reside on the same side of the NAT boundary.
Procedure
Step 1 From CSM, generate a single sign-on shared encryption key that identifies the connection. See your CSM documentation for more information.
Step 2 From the Firepower Management Center, choose System > Users.
Step 3 Choose CSM Single Sign-on.
Step 4 Enter the CSM hostname or IP address and the server Port.
Step 5 Enter the Shared key that you generated from CSM.
Step 6 (Optional) Click the Use Proxy For Connection check box if you want to use the Firepower Management Center’s proxy server to communicate with CSM.
Step 7 Click Submit.
Step 8 Click Confirm Certificate to save the Certificate.
Troubleshooting LDAP Authentication Connections
If you create an LDAP authentication object and it either does not succeed in connecting to the server you select, or does not retrieve the list of users you want, you can tune the settings in the object.
If the connection fails when you test it, try the following suggestions to troubleshoot your configuration:
• Use the messages displayed at the top of the web interface screen and in the test output to determine which areas of the object are causing the issue.
• Check that the user name and password you used for the object are valid:
  • Check that the user has the rights to browse to the directory indicated in your base distinguished name by connecting to the LDAP server using a third-party LDAP browser.
  • Check that the user name is unique to the directory information tree for the LDAP server.
  • If you see an LDAP bind error 49 in the test output, the user binding for the user failed. Try authenticating to the server through a third-party application to see if the binding fails through that connection as well.
• Check that you have correctly identified the server:
  • Check that the server IP address or host name is correct.
  • Check that you have TCP/IP access from your local appliance to the authentication server where you want to connect.
  • Check that access to the server is not blocked by a firewall and that the port you have configured in the object is open.
  • If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used for the server.
  • Check that you have not used an IPv6 address for the server connection if you are authenticating shell access.
  • If you used server type defaults, check that you have the correct server type and click Set Defaults again to reset the default values.
• If you typed in your base distinguished name, click Fetch DNs to retrieve all the available base distinguished names on the server, and select the name from the list.
• If you are using any filters, access attributes, or advanced settings, check that each is valid and typed correctly.
• If you are using any filters, access attributes, or advanced settings, try removing each setting and testing the object without it.
• If you are using a base filter or a shell access filter, make sure that the filter is enclosed in parentheses and that you are using a valid comparison operator.
• To test a more restricted base filter, try setting it to the base distinguished name for the user to retrieve just that user.
• If you are using an encrypted connection:
  • Check that the name of the LDAP server in the certificate matches the host name that you use to connect.
  • Check that you have not used an IPv6 address with an encrypted server connection.
• If you are using a test user, make sure that the user name and password are typed correctly.
• If you are using a test user, remove the user credentials and test the object.
• Test the query you are using by connecting to the LDAP server and using this syntax:
ldapsearch -x -b 'base_distinguished_name' -h LDAPserver_ip_address -p port -v -D 'user_distinguished_name' -W 'base_filter'
For example, if you are trying to connect to the security domain on myrtle.example.com using [email protected] user and a base filter of (cn=*), you could test the connection using this statement:
ldapsearch -x -b 'CN=security,DC=myrtle,DC=example,DC=com' -h myrtle.example.com -p 389 -v -D '[email protected]' -W '(cn=*)'
If you can test your connection successfully but authentication does not work after you deploy a platform settings policy, check that authentication and the object you want to use are both enabled in the platform settings policy that is applied to the device.
If you connect successfully but want to adjust the list of users retrieved by your connection, you can add or change a base filter or shell access filter or use a more restrictive or less restrictive base DN.
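Several items in the troubleshooting list above can be checked before the object is ever tested against the server: the filter must be enclosed in parentheses and carry a valid comparison operator, an IPv6 address must not be used for an encrypted connection or for shell access authentication, and the ldapsearch command must receive the DN and filter intact. The following Python is an added example written for this page, not Firepower or OpenLDAP code; the LdapObject field names are assumptions, the sample object values are constructed, and the result-code table holds only the LDAP result codes from RFC 4511 that this section refers to or that commonly appear alongside them. It builds the same ldapsearch invocation the section shows, as an argv list so that a bind DN containing spaces or a filter containing parentheses is passed through unchanged.

```python
"""Pre-flight checks for an LDAP authentication object, built from the
troubleshooting list in this section. Constructed example, not Firepower code;
the LdapObject field names are assumptions, not FMC's own."""
import ipaddress
import re
import shlex
from dataclasses import dataclass
from typing import List

# LDAP result codes (RFC 4511) relevant when testing an object. ldapsearch
# exits with the result code, so "bind error 49" in the test output and
# exit status 49 both mean the bind with the user DN and password was rejected.
RESULT_CODES = {
    0: "success",
    32: "noSuchObject: the base DN was not found on this server",
    34: "invalidDNSyntax: the base DN or user DN is malformed",
    49: "invalidCredentials: bind failed, check the user DN and password",
    50: "insufficientAccessRights: the bound user may not browse the base DN",
}


@dataclass
class LdapObject:
    host: str                   # server IP address or host name
    port: int
    base_dn: str
    user_dn: str                # account the appliance binds as
    base_filter: str = ""
    shell_access_filter: str = ""
    encrypted: bool = False     # TLS/SSL connection with a certificate
    shell_access: bool = False  # object also authenticates shell access


def check_filter(filt: str) -> List[str]:
    """The two filter rules from the list: enclosed in parentheses, and every
    innermost item uses a valid comparison operator (=, >=, <=, ~=, := per RFC 4515)."""
    problems: List[str] = []
    f = filt.strip()
    if not f:
        return problems  # no filter configured, nothing to check
    if not (f.startswith("(") and f.endswith(")")):
        problems.append(f"filter {f!r} is not enclosed in parentheses")
    depth = 0
    for ch in f:
        depth += 1 if ch == "(" else -1 if ch == ")" else 0
        if depth < 0:
            break
    if depth != 0:
        problems.append(f"filter {f!r} has unbalanced parentheses")
    for item in re.findall(r"\(([^()]*)\)", f):
        if not re.search(r"[~<>:]?=", item):
            problems.append(f"filter item '({item})' has no valid comparison operator")
    return problems


def check_host(host: str, encrypted: bool, shell_access: bool) -> List[str]:
    """IPv6 literals are ruled out for encrypted connections and for shell
    access authentication; a host name is returned as-is (the certificate
    name must then match it, which only a live test can confirm)."""
    problems: List[str] = []
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return problems
    if addr.version == 6 and encrypted:
        problems.append("IPv6 address used with an encrypted server connection")
    if addr.version == 6 and shell_access:
        problems.append("IPv6 address used while authenticating shell access")
    return problems


def ldapsearch_argv(obj: LdapObject) -> List[str]:
    """Same invocation as the ldapsearch syntax shown in this section, as an
    argv list so DNs with spaces and filters with parentheses stay intact."""
    argv = ["ldapsearch", "-x", "-b", obj.base_dn, "-h", obj.host,
            "-p", str(obj.port), "-v", "-D", obj.user_dn, "-W"]
    if obj.base_filter:
        argv.append(obj.base_filter)
    return argv


def preflight(obj: LdapObject) -> List[str]:
    """Runs every offline check; an empty list means the object is worth
    testing live (reachability and credentials can only be verified there)."""
    problems = check_host(obj.host, obj.encrypted, obj.shell_access)
    if not 1 <= obj.port <= 65535:
        problems.append(f"port {obj.port} is out of range")
    problems += check_filter(obj.base_filter)
    problems += check_filter(obj.shell_access_filter)
    return problems


def explain_result(code: int) -> str:
    return RESULT_CODES.get(code, f"LDAP result code {code}; see RFC 4511")


if __name__ == "__main__":
    # Constructed sample object; the values are not from any real deployment
    sample = LdapObject(host="myrtle.example.com", port=389,
                        base_dn="CN=security,DC=myrtle,DC=example,DC=com",
                        user_dn="CN=ldap svc,OU=Service Accounts,DC=example,DC=com",
                        base_filter="(cn=*)")
    for problem in preflight(sample):
        print("problem:", problem)
    print(shlex.join(ldapsearch_argv(sample)))
    print("rc 49 ->", explain_result(49))
```

Running the script prints the quoted ldapsearch command line for the constructed object, which can be pasted into a shell on a host that can reach the server; the -W switch prompts for the bind password so it never appears in shell history or process listings.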
History for User Accounts
Feature: External Authentication for FTD SSH Access
Version: 6.2.3
Details: You can now configure external authentication for SSH access to the FTD using LDAP or RADIUS.
New/Modified screens: Devices > Platform Settings > External Authentication
Supported platforms: FTD