About External Authentication for the Threat Defense

When you enable external authentication for threat defense users, the threat defense verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.

External authentication objects can be used by the management center and threat defense devices. You can share the same object between the different appliance/device types or create separate objects. For the threat defense, you can only activate one external authentication object in the platform settings that you deploy to the devices.

Only a subset of the fields in the external authentication object is used for threat defense SSH access. Any additional fields you fill in are ignored by the threat defense; if you also use the object for other device types, those fields are used there.

LDAP users always have Config privileges. RADIUS users can be defined as either Config or Basic users.

For RADIUS, you can either define the users on the RADIUS server (using the Service-Type attribute to assign the Config or Basic level) or pre-define the user list in the external authentication object. For LDAP, you can specify a filter in the object so that only LDAP users matching the filter are granted CLI access.
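As an added illustration (this is not from the original page or Cisco's own configuration), the following is a FreeRADIUS `users` file fragment that returns the two Service-Type values a threat defense maps to the Config and Basic levels. The user names and passwords are constructed, and the mapping of Administrative-User (6) to Config and NAS-Prompt-User (7) to Basic is an assumption here that you should confirm against the RADIUS object documentation for your release.

```conf
# Constructed FreeRADIUS "users" file fragment (added example, not from the page).
# Service-Type values are the standard RFC 2865 names in the FreeRADIUS dictionary.
# Assumed threat defense mapping: Administrative-User (6) -> Config,
#                                 NAS-Prompt-User (7)     -> Basic.

# Config-level CLI user
ftdadmin   Cleartext-Password := "replace-with-a-strong-secret"
           Service-Type = Administrative-User

# Basic-level CLI user
ftdops     Cleartext-Password := "replace-with-a-strong-secret"
           Service-Type = NAS-Prompt-User

# Reject every other account explicitly, so a user who authenticates but has
# no Service-Type assigned does not fall through to some other entry.
DEFAULT    Auth-Type := Reject
```

Cleartext passwords in the `users` file are for a lab only; in production the RADIUS server would authenticate against a directory and still return the Service-Type attribute per user or group. The explicit `DEFAULT` reject is the check worth keeping: without it, everyone the server can authenticate is a candidate for CLI access. The LDAP equivalent is the CLI user filter in the external authentication object, for example `(memberOf=cn=ftd-cli,ou=groups,dc=example,dc=com)` with an illustrative group DN, which limits CLI access to members of one group rather than to every account in the directory.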

Note
Users with CLI access can gain Linux shell access with the expert command, and Linux shell users can obtain root privileges, which presents a security risk. Make sure that you:
  • Restrict the list of users with Linux shell access.

  • Do not create Linux shell users.