External Authentication

Note

You must have administrator privileges to perform this task.

When you enable external authentication for management users, the threat defense verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.

Sharing External Authentication Objects

External authentication objects can be used by the management center and threat defense devices. You can share the same object between the management center and devices, or create separate objects. Note that the threat defense supports defining users on the RADIUS server, while the management center requires you to predefine the user list in the external authentication object. You can choose to use the predefined list method for the threat defense, but if you want to define users on the RADIUS server, you must create separate objects for the threat defense and the management center.

Note

The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value, the threat defense external authentication configuration will not work.

Assigning External Authentication Objects to Devices

For the management center, enable the external authentication objects directly on System > Users > External Authentication; this setting only affects management center usage, and it does not need to be enabled for managed device usage. For threat defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices, and you can only activate one external authentication object per policy. An LDAP object with CAC authentication enabled cannot also be used for CLI access. Be sure that both the threat defense and the management center can reach the LDAP server, even if you are not sharing the object. The management center is essential to retrieving the user list and downloading it to the device.

Threat Defense Supported Fields

Only a subset of fields in the external authentication object are used for threat defense SSH access. If you fill in additional fields, they are ignored. If you also use this object for the management center, those fields will be used. This procedure only covers the supported fields for the threat defense. For other fields, see Configure External Authentication for the Management Center in the Cisco Secure Firewall Management Center Administration Guide.

Usernames

Usernames must be Linux-valid usernames and be lower-case only, using alphanumeric characters plus period (.) or hyphen (-). Other special characters such as at sign (@) and slash (/) are not supported. You cannot add the admin user for external authentication. You can only add external users (as part of the External Authentication object) in the management center; you cannot add them at the CLI. Note that internal users can only be added at the CLI, not in the management center.

If you previously configured the same username for an internal user using the configure user add command, the threat defense first checks the password against the internal user, and if that fails, it checks the AAA server. Note that you cannot later add an internal user with the same name as an external user; only pre-existing internal users are supported. For users defined on the RADIUS server, be sure to set the privilege level to be the same as any internal users; otherwise you cannot log in using the external user password.

Privilege Level

LDAP users always have Config privileges. RADIUS users can be defined as either Config or Basic users.

Before you begin

  • SSH access is enabled by default on the management interface. To enable SSH access on data interfaces, see SSH Access.

  • Inform RADIUS users of the following behavior to set their expectations appropriately:

    • The first time an external user logs in, threat defense creates the required structures but cannot simultaneously create the user session. The user simply needs to authenticate again to start the session. The user will see a message similar to the following: "New external username identified. Please log in again to start a session."

    • If the user's Service-Type attribute is not defined or incorrectly configured in the RADIUS server, and when using the RADIUS-defined users for authentication, the user will see a message similar to the following: "Your username is not defined with a service type that is valid for this system. You are not authorized to access the system."

      In some cases, the SSH clients close the CLI window on an unsuccessful SSH connection, even before displaying the failure message. Hence, ensure that the user's Service-Type attribute is correctly defined in the RADIUS server.

    • Similarly, if the user’s Service-Type authorization was changed since the last login, the user will need to re-authenticate. The user will see a message similar to the following: "Your authorization privilege has changed. Please log in again to start a session."

Procedure

Step 1

Choose Devices > Platform Settings and create or edit the threat defense policy.

Step 2

Click External Authentication.

Step 3

Click the Manage External Authentication Server link.

You can also open the External Authentication screen by clicking System > Users > External Authentication.

Step 4

Configure an LDAP Authentication Object.

  1. Click Add External Authentication Object.

  2. Set the Authentication Method to LDAP.

  3. Enter a Name and optional Description.

  4. Choose a Server Type from the drop-down list.

  5. For the Primary Server, enter a Host Name/IP Address.

    Note

    If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

  6. (Optional) Change the Port from the default.

  7. (Optional) Enter the Backup Server parameters.

  8. Enter LDAP-Specific Parameters.

    • Base DN—Enter the base distinguished name for the LDAP directory you want to access. For example, to authenticate names in the Security organization at the Example company, enter ou=security,dc=example,dc=com. Alternatively click Fetch DNs, and choose the appropriate base distinguished name from the drop-down list.

    • (Optional) Base Filter—For example, if the user objects in a directory tree have a physicalDeliveryOfficeName attribute and users in the New York office have an attribute value of NewYork for that attribute, to retrieve only users in the New York office, enter (physicalDeliveryOfficeName=NewYork).

    • User Name—Enter a distinguished name for a user who has sufficient credentials to browse the LDAP server. For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute, and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you might enter uid=NetworkAdmin,ou=security,dc=example,dc=com.

    • Password and Confirm Password—Enter and confirm the password for the user.

    • (Optional) Show Advanced Options—Configure the following advanced options.

      • Encryption—Click None, TLS, or SSL.

        Note

        If you change the encryption method after specifying a port, you reset the port to the default value for that method. For None or TLS, the port resets to the default value of 389. If you choose SSL encryption, the port resets to 636.

      • SSL Certificate Upload Path—For SSL or TLS encryption, you must choose a certificate by clicking Choose File.

      • (Not Used) User Name Template—Not used by the threat defense.

      • Timeout—Enter the number of seconds before rolling over to the backup connection between 1 and 30. The default is 30.

        Note

        The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds). If you set the timeout to a higher value, the threat defense external authentication configuration will not work.

  9. (Optional) Set the CLI Access Attribute if you want to use a shell access attribute other than the user distinguished type. For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve shell access users by typing sAMAccountName in the CLI Access Attribute field.

  10. Set the CLI Access Filter.

    Choose one of the following methods:

    • To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.

    • To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses. For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).

    The names on the LDAP server must be Linux-valid usernames:

    • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

    • All lowercase

    • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

  11. Click Save.

Step 5

For LDAP, if you later add or delete users on the LDAP server, you must refresh the user list and redeploy the Platform Settings.

  1. Choose System > Users > External Authentication.

  2. Click Refresh (refresh icon) next to the LDAP server.

    If the user list changed, you will see a message advising you to deploy configuration changes for your device. The Firepower Threat Defense Platform Settings will also show that it is "Out-of-Date on x targeted devices."

  3. Deploy configuration changes; see Deploy Configuration Changes.

Step 6

Configure a RADIUS Authentication Object.

  1. Define users on the RADIUS server using the Service-Type attribute.

    The following are supported values for the Service-Type attribute:

    • Administrator (6)—Provides Config access authorization to the CLI. These users can use all commands in the CLI.

    • NAS Prompt (7) or any level other than 6—Provides Basic access authorization to the CLI. These users can use read-only commands, such as show commands, for monitoring and troubleshooting purposes.

    The names must be Linux-valid usernames:

    • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

    • All lowercase

    • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

    Alternatively, you can predefine users in the external authentication object (see Step 6.j). To use the same RADIUS server for the threat defense and management center while using the Service-Type attribute method for the threat defense, create two external authentication objects that identify the same RADIUS server: one object includes the predefined CLI Access Filter users (for use with the management center), and the other object leaves the CLI Access Filter empty (for use with threat defenses).

  2. In management center, click Add External Authentication Object.

  3. Set the Authentication Method to RADIUS.

  4. Enter a Name and optional Description.

  5. For the Primary Server, enter a Host Name/IP Address.

    Note

    If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

  6. (Optional) Change the Port from the default.

  7. Enter a RADIUS Secret Key.

  8. (Optional) Enter the Backup Server parameters.

  9. Enter RADIUS-Specific Parameters.

    • Timeout (Seconds)—Enter the number of seconds before rolling over to the backup connection. The default is 30.

    • Retries—Enter the number of times the primary server connection should be tried before rolling over to the backup connection. The default is 3.

  10. (Optional) Instead of using RADIUS-defined users, under CLI Access Filter, enter a comma-separated list of usernames in the Administrator CLI Access User List field. For example, enter jchrichton, aerynsun, rygel.

    You may want to use the CLI Access Filter method for threat defense so you can use the same external authentication object with threat defense and other platform types. Note that if you want to use RADIUS-defined users, you must leave the CLI Access Filter empty.

    Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:

    • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

    • All lowercase

    • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

    Note

    If you want to only define users on the RADIUS server, you must leave this section empty.

  11. Click Save.
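As an added example (not code from the Cisco guide), the username rules repeated in Steps 4.j, 6.a and 6.j, the Service-Type to privilege mapping from Step 6.a, and the shared-object timeout caveat from the note above, written as pre-deployment checks in Python. The sample user list and the function names are constructed for the illustration.

```python
import re

# Threat defense timeout ranges that a shared external authentication object must respect.
FTD_TIMEOUT_RANGE = {"LDAP": (1, 30), "RADIUS": (1, 300)}

def timeout_ok_for_ftd(method: str, seconds: int) -> bool:
    """True if a shared object's timeout stays inside the threat defense range for that method."""
    low, high = FTD_TIMEOUT_RANGE[method]
    return low <= seconds <= high

def username_problems(name: str) -> list:
    """Return every rule the name violates (an empty list means it is a Linux-valid username)."""
    problems = []
    if name == "admin":
        problems.append("admin cannot be added as an external user")
    if not 1 <= len(name) <= 32:
        problems.append("must be 1 to 32 characters")
    if name != name.lower():
        problems.append("must be all lowercase")
    if re.search(r"[.@/]", name):
        problems.append("cannot include period (.), at sign (@), or slash (/)")
    if name.startswith("-"):
        problems.append("cannot start with hyphen (-)")
    if re.fullmatch(r"[0-9]+", name):
        problems.append("cannot be all numbers")
    if not re.fullmatch(r"[a-z0-9_-]*", name.lower()):
        problems.append("only alphanumeric characters, hyphen (-) and underscore (_) are allowed")
    return problems

def parse_cli_access_user_list(field: str) -> dict:
    """Split the comma-separated Administrator CLI Access User List and validate each entry."""
    names = [part.strip() for part in field.split(",")]
    return {name: username_problems(name) for name in names if name}

def cli_privilege(service_type) -> str:
    """Map a RADIUS Service-Type value (int, or None if undefined) to the CLI access level."""
    if service_type is None:          # attribute missing or undefined: login is refused
        return "Not authorized"
    if service_type == 6:             # Administrator (6)
        return "Config"
    return "Basic"                    # NAS Prompt (7) or any level other than 6

if __name__ == "__main__":
    # Constructed sample field: the page's example names plus deliberately bad entries.
    field = "jchrichton, aerynsun, rygel, J.Crichton, -rygel, 12345, admin, moya@example.com"
    for name, problems in parse_cli_access_user_list(field).items():
        print(f"{name:>18}: {'OK' if not problems else '; '.join(problems)}")
    for st in (6, 7, 1, None):
        print(f"Service-Type {st}: {cli_privilege(st)}")
    print("LDAP timeout 60 s OK for a shared object?", timeout_ok_for_ftd("LDAP", 60))
```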

Step 7

Return to Devices > Platform Settings > External Authentication.

Step 8

Click Refresh (refresh icon) to view any newly-added objects.

For LDAP, when you specify SSL or TLS encryption, you must upload a certificate for the connection; otherwise, the server will not be listed on this window.

Step 9

Click Slider enabled (slider enabled) next to the External Authentication object you want to use. You can only enable one object.

Step 10

Click Save.

Step 11

Deploy configuration changes; see Deploy Configuration Changes.