Authentication Objects are server profiles for external authentication servers, containing the connection settings and authentication filter settings for those servers. You can create, manage, and delete Authentication Objects on a FireSIGHT Management Center. This document describes how to configure an LDAP Authentication Object on a FireSIGHT System so that web interface and shell users are authenticated against an Active Directory Domain Controller.
1. Log in to the web user interface of the FireSIGHT Management Center.
2. Navigate to System > Local > User Management, select the Login Authentication tab, and click Create Authentication Object.
3. Select LDAP as the Authentication Method and the Server Type that matches your directory. The remaining steps assume Microsoft Active Directory.
4. Specify the Host Name or IP Address of the Primary Server and, optionally, of a Backup Server. Any Domain Controller in the same domain can serve as the backup server.
5. Specify the LDAP-Specific Parameters: the Base DN, the Base Filter, and the user name (DN) and password of the account the appliance binds with. Use a dedicated, read-only account for the bind, because its password is stored in the Authentication Object.
Advanced Options:
In the Active Directory Domain Security Policy (Security Options), if Domain controller: LDAP server signing requirements is set to Require signing, the Domain Controller rejects unsigned simple binds over cleartext LDAP, so the Encryption setting of the Authentication Object must be SSL or TLS. Use SSL or TLS even when signing is not required: with Encryption set to None, the bind account password and every user password the appliance verifies travel to the Domain Controller in cleartext.
6. Specify the Attribute Mapping. For Active Directory, set the UI Access Attribute and the Shell Access Attribute to sAMAccountName so that users log in with their Windows account names.
7. Configure Group Controlled Access Roles
In ldp.exe, browse to each Active Directory group you want to map to a role and copy its distinguished name (DN) into the field for that role in the Authentication Object.
Example:
In the ldp.exe view of an AD security group, the member attribute lists the DNs of the group's direct members. The number preceding member is the count of those values, that is, the number of direct members.
8. For the Shell Access Filter, either select Same as Base Filter or specify a memberOf filter as in step 5. Shell access grants command-line access to the appliance, so restrict it to a small, dedicated group. Note that memberOf matches direct members of the group only; users who belong through a nested group do not match.
Shell Access Filter: (memberOf=<group DN>)
For example:
Shell Access Filter: (memberOf=CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local)
9. Save the Authentication Object and run the test. A successful test confirms that the appliance can bind to the LDAP server and that the filters match the expected users. Do not proceed until the test succeeds.
10. Once the Authentication Object passes the test, enable it in the System Policy and reapply the policy to the appliance.
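The group DNs in steps 7 and 8 are pasted by hand from ldp.exe, and a DN that contains characters such as parentheses breaks a filter unless it is escaped per RFC 4515. The following Python script is an added example for this note, not Cisco code or any part of the FireSIGHT System. It runs entirely offline: the ldp.exe-style dump, the domain VirtualLab.local, the groups and the users alice, bob, carol and dave are all constructed for the example. It parses the group DN and member count out of the dump, builds the Shell Access Filter from the DN with correct escaping, and evaluates that filter against the sample users the way Active Directory does, which makes the direct-membership-only behaviour of memberOf visible.

```python
"""Offline checks for the group DNs and memberOf filters used in a FireSIGHT
LDAP Authentication Object. Constructed example; not Cisco code."""
import re

# Constructed text in the layout ldp.exe uses when a group is expanded. The
# domain, group and member DNs are invented for this example.
LDP_GROUP_DUMP = """\
Expanding base 'CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local'...
Getting 1 entries:
Dn: CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local
cn: Shell users;
distinguishedName: CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local;
3> member: CN=Alice Admin,CN=Users,DC=VirtualLab,DC=local; CN=Bob Ops,CN=Users,DC=VirtualLab,DC=local; CN=NOC (Tier 1),CN=Security Groups,DC=VirtualLab,DC=local;
name: Shell users;
objectClass (2): top; group;
"""

# Constructed user entries as AD would return them. carol is only in the nested
# "NOC (Tier 1)" group, so her memberOf does not list "Shell users" at all.
USERS = {
    "alice": {"memberOf": ["CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local"]},
    "bob":   {"memberOf": ["cn=shell users,cn=security groups,dc=virtuallab,dc=local"]},
    "carol": {"memberOf": ["CN=NOC (Tier 1),CN=Security Groups,DC=VirtualLab,DC=local"]},
    "dave":  {"memberOf": []},
}

# RFC 4515: these characters must be escaped when a value is embedded in a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse_ldp_group(dump: str) -> dict:
    """Pull the group DN and its direct members out of an ldp.exe dump.

    ldp.exe prefixes a multi-valued attribute with its value count ("3> member:")
    and separates the values with "; ". The count is cross-checked against the
    number of values actually parsed.
    """
    dn, members, declared = None, [], None
    for line in dump.splitlines():
        if line.startswith("Dn: "):
            dn = line[len("Dn: "):].strip()
            continue
        m = re.match(r"(\d+)> member: (.*)$", line)
        if m:
            declared = int(m.group(1))
            # Attribute values in a DN carry no unescaped ';', so splitting is safe here.
            members = [v.strip() for v in m.group(2).split(";") if v.strip()]
    if dn is None:
        raise ValueError("no 'Dn:' line found in ldp.exe dump")
    if declared is None or declared != len(members):
        raise ValueError(f"member count {declared} does not match {len(members)} parsed values")
    return {"dn": dn, "members": members, "member_count": declared}


def shell_access_filter(group_dn: str) -> str:
    """Build the Shell Access Filter for a group DN copied from ldp.exe."""
    return f"(memberOf={escape_filter_value(group_dn)})"


def matches_memberof_filter(filt: str, entry: dict) -> bool:
    """Evaluate a (memberOf=<dn>) filter the way AD does: the DN is compared
    case-insensitively against the user's direct memberOf values only."""
    m = re.fullmatch(r"\(memberOf=(.*)\)", filt)
    if not m:
        raise ValueError("only a single (memberOf=...) filter is handled here")
    wanted = unescape_filter_value(m.group(1)).lower()
    return any(v.lower() == wanted for v in entry.get("memberOf", []))


def users_granted_shell_access(users: dict, group_dn: str) -> list:
    """Names of the users that would pass the Shell Access Filter for group_dn."""
    filt = shell_access_filter(group_dn)
    return sorted(name for name, entry in users.items() if matches_memberof_filter(filt, entry))


if __name__ == "__main__":
    group = parse_ldp_group(LDP_GROUP_DUMP)
    print("group DN       :", group["dn"])
    print("direct members :", group["member_count"])
    print("filter         :", shell_access_filter(group["dn"]))
    print("escaped filter :", shell_access_filter(group["members"][2]))
    print("shell access   :", users_granted_shell_access(USERS, group["dn"]))
```

Only alice and bob pass the filter built from the "Shell users" DN; carol, who is a member through the nested "NOC (Tier 1)" group, does not, because Active Directory populates memberOf with direct memberships only. AD does offer a chained match (the matching rule `1.2.840.113556.1.4.1941`, written `(memberOf:1.2.840.113556.1.4.1941:=<group DN>)`) that walks nested groups, but whether to rely on it in a FireSIGHT filter is something to confirm with the test in step 9 rather than assume. To check the same filter against a live Domain Controller from a host with the OpenLDAP tools, a command of the form `ldapsearch -H ldaps://dc1.virtuallab.local -D "<bind DN>" -W -b "DC=VirtualLab,DC=local" "(memberOf=CN=Shell users,CN=Security Groups,DC=VirtualLab,DC=local)" sAMAccountName` reproduces the bind and search the appliance performs; the host name dc1.virtuallab.local is an assumption.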
Revision | Publish Date | Comments
---|---|---
1.0 | 05-Jan-2015 | Initial Release