External Authentication

LDAP

Cisco Cyber Vision can delegate user authentication to external services using LDAP (Lightweight Directory Access Protocol), and in particular to Microsoft Active Directory services.

You can enable LDAP authentication in the LDAP Settings administration page.

Configuring LDAP:

LDAP integration can use either a normal connection or a secure connection (LDAP over TLS/SSL) with certificates, depending on what the installation supports.

Mapping Cisco Cyber Vision roles with Microsoft Active Directory groups:

User groups available in the external directory can be mapped to Cisco Cyber Vision Product, Operator and Auditor user roles or custom roles. Refer to Role Management to create custom roles.

Because the Admin user role is exclusively reserved for Cisco Cyber Vision internal usage, it cannot be mapped to any external users and thus is not proposed in LDAP settings.

Testing LDAP connection:

After setting up LDAP, the connection between the Cisco Cyber Vision Center and the external directory should be tested. In the LDAP test connection window, you enter the login and password of a user that exists in the external directory. The Center attempts to authenticate against the directory server with these credentials. The result is either a successful authentication or a failed one with an error message.

Login in Cisco Cyber Vision:

When logging into Cisco Cyber Vision, the format of the login determines which user base (internal or external) is queried:

  • If you use an email, the Cisco Cyber Vision database is queried.

  • If you use the Active Directory format <domain_name>\<user_name> (e.g. cisco\john_doe), then the external directory is used to authenticate users.
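The routing rule above can be expressed as a small classifier. This is an added example written for this page, not Cisco Cyber Vision code: it assumes only the two formats the page describes (an email address for the internal database, `<domain_name>\<user_name>` for the external directory) and rejects anything else.

```python
import re
from dataclasses import dataclass
from typing import Literal, Optional

# Constructed rules that follow the page: an email-style login is checked against the
# internal Cyber Vision database; a "<domain>\<user>" login is sent to the external
# directory (Active Directory via LDAP). Any other shape is rejected up front.
EMAIL_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")
SAM_RE = re.compile(r"^(?P<domain>[A-Za-z0-9][A-Za-z0-9.-]*)\\(?P<user>[^\\\s]+)$")


@dataclass(frozen=True)
class LoginTarget:
    backend: Literal["internal", "external"]
    domain: Optional[str]  # NetBIOS/DNS domain for external logins, None for internal
    user: str              # the email address (internal) or the user name (external)


def classify_login(login: str) -> LoginTarget:
    """Decide which credential store a login identifier is checked against.

    Note that a UPN-style login such as "john_doe@cisco.com" is syntactically an
    email address, so under the page's rule it is looked up internally, not in AD.
    """
    login = login.strip()
    if EMAIL_RE.match(login):
        return LoginTarget("internal", None, login)
    m = SAM_RE.match(login)
    if m:
        return LoginTarget("external", m.group("domain"), m.group("user"))
    # Neither format: fail closed rather than guessing a backend.
    raise ValueError(f"unrecognised login format: {login!r}")


if __name__ == "__main__":
    for sample in ("cisco\\john_doe", "john.doe@example.com", "john_doe"):
        try:
            print(sample, "->", classify_login(sample))
        except ValueError as exc:
            print(sample, "->", exc)
```

The classifier fails closed on malformed input (a bare user name, a missing user part after the backslash, or more than one backslash) so that an ambiguous login never falls through to a default backend.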

Configure LDAP

This section explains how to configure LDAP in Cisco Cyber Vision using a normal connection or a secure connection.

Procedure


Step 1

In Cisco Cyber Vision, navigate to Admin > External Authentication > LDAP.

Step 2

Click New Settings.

The New LDAP Settings window pops up.


What to do next

Configure LDAP using a normal connection or a secure connection.

LDAP normal connection

After clicking the New Settings button, the following New LDAP Settings window pops up.

Procedure

Step 1

Fill in the LDAP settings.

Step 2

Click the Role Mapping tab.

Step 3

Fill in the following fields:

  1. Map one or more Cisco Cyber Vision default roles with an Active Directory group.

    Note 

    At least one default role must be mapped.

    Note 

    Because the Admin user role is exclusively reserved for Cisco Cyber Vision internal usage, it cannot be mapped to any external users and thus is not proposed in LDAP settings.

  2. Map Cisco Cyber Vision custom roles with Active Directory groups.

    You must type the group names exactly as they are configured in the remote directory so that they can be retrieved and mapped to user roles.
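The two constraints in Step 3 (at least one default role must be mapped, the Admin role can never be mapped) and the exact-name requirement can be checked before a mapping is saved. The following is an added example for this page, not Cisco Cyber Vision code; it assumes that the "group name" being matched is the CN of the group returned in a user's `memberOf` attribute, and that matching is case-sensitive, which is the strict reading of "exact group names".

```python
from typing import Dict, FrozenSet, List

# Role names taken from the page. "Admin" is reserved for internal use and must never
# appear in a mapping; the three default roles are the ones LDAP settings offer.
DEFAULT_ROLES = frozenset({"Product", "Operator", "Auditor"})
RESERVED_ROLES = frozenset({"Admin"})


def validate_role_mapping(mapping: Dict[str, str],
                          custom_roles: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the problems found in an {AD group name: Cyber Vision role} mapping.

    An empty list means the mapping is acceptable.
    """
    problems: List[str] = []
    if not set(mapping.values()) & DEFAULT_ROLES:
        problems.append("at least one default role (Product, Operator, Auditor) must be mapped")
    for group, role in mapping.items():
        if role in RESERVED_ROLES:
            problems.append(f"{group!r}: role {role!r} is reserved for internal use and cannot be mapped")
        elif role not in DEFAULT_ROLES | custom_roles:
            problems.append(f"{group!r}: unknown role {role!r}")
        if not group or group != group.strip():
            problems.append(f"{group!r}: group name must match the directory entry exactly")
    return problems


def group_name(value: str) -> str:
    """Reduce a memberOf value to a bare group name.

    Directories usually return DNs ("CN=CV-Operators,OU=Groups,DC=cisco,DC=com");
    a plain name is returned unchanged. Assumption of this example: the mapped name
    is the CN. RFC 4514 escapes (e.g. an escaped comma) are not handled here.
    """
    attr, sep, val = value.split(",", 1)[0].partition("=")
    if sep and attr.strip().upper() == "CN":
        return val
    return value


def resolve_roles(member_of: List[str], mapping: Dict[str, str]) -> FrozenSet[str]:
    """Roles granted to a directory user: exact, case-sensitive match on the group name."""
    return frozenset(mapping[g] for g in map(group_name, member_of) if g in mapping)


if __name__ == "__main__":
    # Constructed sample mapping and a constructed memberOf list; not from a real directory.
    mapping = {"CV-Operators": "Operator", "CV-Auditors": "Auditor", "CV-Maint": "Maintenance"}
    print(validate_role_mapping(mapping, frozenset({"Maintenance"})))
    member_of = ["CN=CV-Operators,OU=Groups,DC=cisco,DC=com",
                 "CN=cv-auditors,OU=Groups,DC=cisco,DC=com"]
    print(resolve_roles(member_of, mapping))
```

With the sample above the user receives only Operator: `cv-auditors` differs in case from the configured `CV-Auditors` and therefore does not match, which is the kind of silent privilege gap the "exact group names" note is warning about. Run the validator on every mapping change and the resolver on a test user before relying on the mapping in production.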

Step 4

Click OK.

Step 5

Click the Test connection button.

The Test Connection window pops up.

Step 6

Enter the credentials of a directory user to test the connection between Cisco Cyber Vision and Active Directory.

Note 

The Username format is domain\user.

A message Successful LDAP bind should appear.

Step 7

Click OK.

Step 8

Test the connection by logging out of Cisco Cyber Vision and logging in with the mapped user credentials.


Menus are displayed according to the rights granted to the user.


LDAP secure connection

After clicking the New Settings button, the following New LDAP Settings window pops up.

Procedure

Step 1

Fill in the following fields:

  1. Tick LDAP over TLS/SSL.

  2. Fill in the LDAP settings.

  3. Upload a .pem root certificate or a chain certificate, or tick Use a self-signed certificate.

    If you upload a certificate, a message indicating that the certificate has been uploaded successfully appears.

    The certificate appears at the bottom of the New LDAP Settings window.

Step 2

Click OK.

Step 3

Click the Role Mapping tab.

Step 4

Fill in the following fields:

  1. Map one or more Cisco Cyber Vision default roles with an Active Directory group.

    Note 

    At least one default role must be mapped.

    Note 

    Because the Admin user role is exclusively reserved for Cisco Cyber Vision internal usage, it cannot be mapped to any external users and thus is not proposed in LDAP settings.

  2. Map Cisco Cyber Vision custom roles with Active Directory groups.

    You must type the group names exactly as they are configured in the remote directory so that they can be retrieved and mapped to user roles.

Step 5

Click OK.

Step 6

Click the Test connection button.

The Test Connection window pops up.

Step 7

Enter the credentials of a directory user to test the connection between Cisco Cyber Vision and Active Directory.

Note 

The Username format is <domain_name>\<user_name> (e.g. cisco\john_doe).

A message Successful LDAP bind should appear.

Step 8

Click OK.

Step 9

Test the connection by logging out of Cisco Cyber Vision and logging in with the mapped user credentials.


Menus are displayed according to the rights granted to the user.