Configure an LDAP External Authentication Object

Configure external authentication to allow management users to be authenticated using an LDAP server.

Note

You must have administrator privileges to perform this task.

Procedure


Step 1

In the External Authentication Object page, select LDAP from the Authentication Method drop-down list and enter appropriate values in these fields:

  1. Enter a Name.

  2. (Optional) Enter Description.

Step 2

Choose a Server Type from the drop-down list.

Step 3

For the Primary Server enter these values:

  1. Enter a Host Name/IP Address.

    Note

    If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

  2. (Optional) Change the Port from the default. The default is 389 for unencrypted or TLS connections and 636 for SSL (see the Encryption note under Step 5); change it only if the LDAP server listens on a non-standard port.

Step 4

(Optional) Enter the Backup Server parameters, using the same Host Name/IP Address and Port fields as for the Primary Server. The backup is used after the Timeout configured in Step 5 expires.

Step 5

Enter LDAP-Specific Parameters.

  • Base DN—Enter the base distinguished name for the LDAP directory you want to access. For example, to authenticate names in the Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively click Fetch DNs, and choose the appropriate base distinguished name from the drop-down list.

  • (Optional) Base Filter—Enter an LDAP search filter that limits which entries under the Base DN are considered. For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have the value NewYork for that attribute, enter (physicalDeliveryOfficeName=NewYork) to retrieve only users in the New York office.

  • User Name—Enter the distinguished name of a user who has sufficient rights to browse the LDAP server. Use a dedicated account with read-only rights, because its password is stored in the object. For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.

  • Password and Confirm Password—Enter and confirm the password for the user.

  • (Optional) Show Advanced Options—Configure the following advanced options.

    • Encryption—Click None, TLS, or SSL. With None, the bind password and the credentials of every user who authenticates cross the network in cleartext; use TLS or SSL for anything other than a lab.

      Note

      Changing the encryption method after you specify a port resets the port to the default for that method: 389 for None or TLS, 636 for SSL. Re-enter a custom port after changing the method.

    • SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking Choose File.

    • (Not Used) User Name Template—Not used by the Firewall Threat Defense.

    • Timeout—Enter the number of seconds (1 to 30) to wait for the primary server before rolling over to the backup connection. The default is 30.

      Note

      The timeout range is different for the Firewall Threat Defense and the Cloud-Delivered Firewall Management Center, so if you share an object, be sure not to exceed the Firewall Threat Defense's smaller timeout range (1-30 seconds). If you set the timeout to a higher value, the Firewall Threat Defense external authentication configuration will not work.

Step 6

(Optional) Set the CLI Access Attribute if you want to use a shell access attribute other than the user distinguished name. For example, on a Microsoft Active Directory server, enter sAMAccountName in the CLI Access Attribute field so that shell access users are retrieved by their sAMAccountName value.

Step 7

Set the CLI Access Filter.

Choose one of these methods:

  • To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.

  • To retrieve administrative user entries based on an attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses. For example, if every network administrator has a manager attribute with the value shell, enter the CLI access filter (manager=shell).

The user names retrieved from the LDAP server (the CLI Access Attribute values) must be valid Linux user names:

  • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

  • All lowercase

  • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

Step 8

Click Save.

Step 9

Changes to users on the LDAP server do not reach the device automatically. If you later add or delete users on the LDAP server, you must refresh the user list and redeploy the Platform Settings.

  1. Choose Administration > Users > External Authentication.

  2. Click Refresh (refresh icon) next to the LDAP server.

    If the user list changed, you will see a message advising you to deploy configuration changes for your device. The Firepower Threat Defense Platform Settings will also show "Out-of-Date on x targeted devices."

  3. Deploy configuration changes; see Deploy Configuration Changes.
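The following is an added pre-deployment check for the values entered in Steps 3 through 7; it is example code written for this page, not part of the management center or any Cisco tool. It applies the constraints the procedure states (TLS/SSL needs a certificate and does not accept an IPv6 address, the timeout must be 1 to 30 seconds, the default port depends on the encryption method), builds the CLI access filter with RFC 4515 escaping of the value so that a value such as admin*(ops) cannot change the filter's structure, and checks that the user names the filter returns are valid Linux user names. Combining the Base Filter and the CLI Access Filter with an AND is an assumption for illustration; the page does not state how the management center combines them. The sample directory entries are constructed inline.

```python
import ipaddress
import re

# Default ports per the Encryption note in Step 5: None and TLS use 389, SSL uses 636.
DEFAULT_PORT = {"None": 389, "TLS": 389, "SSL": 636}

# Linux-valid user name rule from Step 7: a-z, 0-9, hyphen and underscore,
# at most 32 characters, not starting with a hyphen.
USERNAME_RE = re.compile(r"[a-z0-9_][a-z0-9_-]{0,31}")


def check_server(host, port, encryption, cert_path, timeout):
    """Return the list of problems with one server block (primary or backup).

    encryption is "None", "TLS" or "SSL"; cert_path is the SSL Certificate
    Upload Path, or None when no certificate was uploaded.
    """
    problems = []
    if encryption not in DEFAULT_PORT:
        return ["unknown encryption method %r" % encryption]
    if encryption != "None":
        if not cert_path:
            problems.append("TLS/SSL selected but no certificate uploaded")
        try:
            if ipaddress.ip_address(host).version == 6:
                problems.append("IPv6 addresses are not supported for encrypted connections")
        except ValueError:
            pass  # a host name, which is what the certificate name check needs
    if not 1 <= port <= 65535:
        problems.append("port %r is not a valid TCP port" % port)
    if not 1 <= timeout <= 30:
        problems.append("timeout %rs is outside the Threat Defense range 1-30" % timeout)
    return problems


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def attribute_filter(attribute, value):
    """Build an equality filter such as (manager=shell) from an attribute and a value."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attribute):
        raise ValueError("invalid attribute name %r" % attribute)
    return "(%s=%s)" % (attribute, escape_filter_value(value))


def cli_access_filter(base_filter, access_filter):
    """Combine the Base Filter with the CLI Access Filter.

    Assumption (not stated on the page): the two filters are ANDed.
    access_filter None stands for "Same as Base Filter".
    """
    if access_filter is None or not base_filter:
        return access_filter or base_filter
    return "(&%s%s)" % (base_filter, access_filter)


def username_problem(name):
    """Return None if name is a valid Linux user name, else the rule it breaks."""
    if not name:
        return "empty"
    if len(name) > 32:
        return "longer than 32 characters"
    if name != name.lower():
        return "contains uppercase characters"
    if name.startswith("-"):
        return "starts with a hyphen"
    if name.isdigit():
        return "all numbers"
    if not USERNAME_RE.fullmatch(name):
        return "contains a character other than a-z, 0-9, hyphen or underscore"
    return None


def invalid_usernames(entries, name_attribute):
    """Return (name, reason) for entries whose login name would be rejected."""
    bad = []
    for entry in entries:
        name = entry.get(name_attribute, "")
        reason = username_problem(name)
        if reason is not None:
            bad.append((name, reason))
    return bad


# Constructed sample entries, as if returned by the search; not real directory data.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "netadmin", "manager": "shell"},
    {"sAMAccountName": "J.Smith", "manager": "shell"},  # uppercase and a period
    {"sAMAccountName": "-ops", "manager": "shell"},     # leading hyphen
    {"sAMAccountName": "12345", "manager": "shell"},    # all numbers
]

if __name__ == "__main__":
    print(check_server("2001:db8::10", 636, "SSL", "/tmp/ldap-ca.pem", 30))
    print(cli_access_filter("(physicalDeliveryOfficeName=NewYork)",
                            attribute_filter("manager", "shell")))
    print(invalid_usernames(SAMPLE_ENTRIES, "sAMAccountName"))
```

Run the checks against the values you intend to type into the object before clicking Save; a name that fails username_problem will not become a usable CLI login even though the directory returns it.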