Connecting to an LDAP Server for User Awareness and Control
License: FireSIGHT or Control
Connections between ASA FirePOWER modules and your organization’s LDAP servers can:
- specify the access-controlled users and groups whose activity you want to use as criteria when limiting traffic with access control rules
- allow you to query the server for metadata on access-controlled users
These connections, or user awareness objects, specify connection settings and authentication filter settings for the LDAP server.
To perform user control, you must connect to a Microsoft Active Directory LDAP server. If you simply want to retrieve LDAP user metadata, the system supports connections to other types of LDAP server; see Table 9-1.
When the system detects user activity, it can add a record of that user to the ASA FirePOWER module's users database. The ASA FirePOWER module regularly queries the LDAP server to obtain metadata for new and updated users whose activity was detected since the last query. If a user already exists in the database, the system updates the metadata only if it has not been updated in the last 12 hours. It may take several minutes for the ASA FirePOWER module to update with user metadata after the system detects a new user login.
Note If you remove a user that has been detected by the system from your LDAP servers, the ASA FirePOWER module does not remove that user; you must manually delete it. However, your LDAP changes are reflected in access control rules when the ASA FirePOWER module next updates its list of access-controlled users.
The following table lists the LDAP metadata you can associate with monitored users. Note that to successfully retrieve user metadata from an LDAP server, the server must use the LDAP field names listed in the table. If you rename the field on the LDAP server, the ASA FirePOWER module cannot populate its list of users with the information in that field.
Table 9-2 Mapping LDAP Fields to Cisco Fields
| Metadata | Cisco Field | LDAP Field |
| LDAP user name | Username | samaccountname |
| first name | First Name | givenname |
| last name | Last Name | sn |
| email address | Email | mail; userprincipalname (if mail has no value) |
| department | Department | department; distinguishedname (if department has no value) |
| telephone number | Phone | telephonenumber |
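The mapping in Table 9-2, including the two fallbacks (userprincipalname when mail is empty, distinguishedname when department is empty) and the effect of a renamed attribute, worked through in code. This is an added example, not Cisco code; the sample entries are constructed, in the attribute-name-to-value-list shape that python-ldap and ldap3 return, and the case-insensitive attribute lookup reflects LDAP attribute naming rules rather than anything the page states about the module's internals.

```python
"""Map raw LDAP search results to the user fields the ASA FirePOWER module
populates, applying the fallbacks from Table 9-2.

Added example, not Cisco code. SAMPLE_ENTRIES is constructed data; the
attribute names are the Active Directory names the table requires.
"""

# Cisco field -> (primary LDAP attribute, fallback attribute or None).
FIELD_MAP = {
    "Username":   ("samaccountname", None),
    "First Name": ("givenname", None),
    "Last Name":  ("sn", None),
    "Email":      ("mail", "userprincipalname"),
    "Department": ("department", "distinguishedname"),
    "Phone":      ("telephonenumber", None),
}


def _first_value(entry, attr):
    """Return the first non-empty value of attr, matching the attribute name
    case-insensitively (LDAP attribute names are), or None if absent/empty."""
    for name, values in entry.items():
        if name.lower() == attr:
            if isinstance(values, (list, tuple)):
                values = [v for v in values if v not in (None, "")]
                return values[0] if values else None
            return values or None
    return None


def map_entry(entry):
    """Build the Cisco user record for one LDAP entry.

    Returns (record, missing): record maps Cisco field names to values;
    missing lists the Cisco fields that neither the primary attribute nor its
    fallback could populate. Raises ValueError when samaccountname is absent,
    because without a username there is nothing to key the user on.
    """
    record, missing = {}, []
    for cisco_field, (primary, fallback) in FIELD_MAP.items():
        value = _first_value(entry, primary)
        if value is None and fallback:
            value = _first_value(entry, fallback)
        if value is None:
            missing.append(cisco_field)
        else:
            record[cisco_field] = value
    if "Username" not in record:
        raise ValueError("entry has no samaccountname; cannot map to a user")
    return record, missing


# Constructed sample entries. bsmith has an empty mail and no department, so
# both fallbacks apply. rlee's server stores the phone under a renamed
# attribute (workPhone), which the module cannot map: Phone stays empty.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["jdoe"], "givenName": ["Jane"], "sn": ["Doe"],
     "mail": ["jdoe@example.com"], "department": ["Security"],
     "telephoneNumber": ["+1 555 0100"],
     "distinguishedName": ["CN=Jane Doe,OU=Security,DC=example,DC=com"]},
    {"sAMAccountName": ["bsmith"], "givenName": ["Bob"], "sn": ["Smith"],
     "mail": [], "userPrincipalName": ["bsmith@example.com"],
     "telephoneNumber": ["+1 555 0101"],
     "distinguishedName": ["CN=Bob Smith,OU=Security,DC=example,DC=com"]},
    {"sAMAccountName": ["rlee"], "givenName": ["Rae"], "sn": ["Lee"],
     "mail": ["rlee@example.com"], "department": ["IT"],
     "workPhone": ["+1 555 0199"],  # renamed attribute: not mapped
     "distinguishedName": ["CN=Rae Lee,OU=IT,DC=example,DC=com"]},
]


def map_all(entries=SAMPLE_ENTRIES):
    """Map every entry; return {username: (record, missing_fields)}."""
    out = {}
    for entry in entries:
        record, missing = map_entry(entry)
        out[record["Username"]] = (record, missing)
    return out


if __name__ == "__main__":
    for user, (rec, miss) in map_all().items():
        print(user, rec, "missing:", miss)
```

Running this against an export of your own directory (for example the output of an ldapsearch over the base DN) is a quick way to find users whose Department will silently become a DN, or whose Phone will never populate, before the module's scheduled query does.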
Work closely with your LDAP administrators to ensure your LDAP servers are correctly configured and that you can connect to them, and to obtain the information you must provide when creating an LDAP connection.
Server Type, IP Address, and Port
You must specify the IP address or hostname, and port for a primary, and optionally a backup, LDAP server. You must use a Microsoft Active Directory server.
LDAP-Specific Parameters
When the ASA FirePOWER module searches the LDAP server to retrieve user information on the authentication server, it needs a starting point for that search. You can specify the namespace, or directory tree, to search by providing a base distinguished name, or base DN. Typically, the base DN has a basic structure indicating the company domain and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com. Note that after you identify a primary server, you can automatically retrieve a list of available base DNs from the server and select the appropriate base DN.
You must supply user credentials for a user with appropriate rights to the user information you want to retrieve. Remember that the distinguished name for the user you specify must be unique to the directory information tree for the directory server.
You can also specify an encryption method for the LDAP connection. Note that if you are using a certificate to authenticate, the name of the LDAP server in the certificate must match the host name that you specified in the ASA FirePOWER module interface. For example, if you use 10.10.10.250 when configuring the LDAP connection but computer1.example.com in the certificate, the connection fails.
Finally, you must specify the timeout period after which attempts to contact an unresponsive LDAP server roll over to the backup connection.
User and Group Access Control Parameters
To perform user control, specify the groups you want to use as criteria in access control rules.
Including a group automatically includes all of that group’s members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. You can also exclude groups and individual users. Excluding a group excludes all the members of that group, even if the users are members of an included group.
If your access control parameters are too broad, the ASA FirePOWER module obtains information on as many users as it can and reports the number of users it failed to retrieve in the task queue.
Note If you do not specify any groups to include, the system retrieves user data for all the groups that match the LDAP parameters you provided. For performance reasons, Cisco recommends that you explicitly include only the groups that represent the users you want to use in access control. Note that you cannot include the Users or Domain Users groups.
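The include/exclude precedence described above, and the User Exclusions wildcard field in the procedure that follows, worked through as an added example (not Cisco code). The directory is constructed; the rules implemented are the ones the text states: an included group contributes its direct members and the members of its nested sub-groups, an excluded group removes its members even when an included group also contains them, and an empty include list means every group the LDAP parameters match. Glob-style matching for the asterisk is an assumption; the page only says that an asterisk is a wildcard.

```python
"""Resolve which directory users become access-controlled users under the
include/exclude rules for LDAP connections.

Added example, not Cisco code. GROUPS is a constructed directory:
group DN -> (direct user members, nested group DNs).
"""
from fnmatch import fnmatchcase

GROUPS = {
    "CN=Engineering,OU=Groups,DC=example,DC=com": (
        ["jdoe", "bsmith"],
        ["CN=Security,OU=Groups,DC=example,DC=com"],
    ),
    "CN=Security,OU=Groups,DC=example,DC=com": (
        ["rlee", "svc-scan"],
        ["CN=Red Team,OU=Groups,DC=example,DC=com"],
    ),
    "CN=Red Team,OU=Groups,DC=example,DC=com": (["mchen"], []),
    "CN=Contractors,OU=Groups,DC=example,DC=com": (["bsmith", "tvo"], []),
}


def members_recursive(group, groups=GROUPS, _seen=None):
    """All users in group, following nested sub-groups. The _seen set guards
    against membership cycles, which Active Directory permits."""
    _seen = _seen if _seen is not None else set()
    if group in _seen:
        return set()
    _seen.add(group)
    users, subgroups = groups.get(group, ([], []))
    found = set(users)
    for sub in subgroups:
        found |= members_recursive(sub, groups, _seen)
    return found


def resolve_users(include, exclude_groups=(), exclude_users=(), groups=GROUPS):
    """Return the sorted usernames available as access control rule criteria.

    Precedence: excluded groups beat included groups; user exclusions beat
    everything. An empty include list means 'all groups', the costly default
    the note above warns about. Note that only the groups listed in include
    are themselves usable as rule conditions: a nested sub-group contributes
    its members here but must be included explicitly to appear in a rule.
    """
    if not include:
        include = list(groups)
    allowed = set()
    for g in include:
        allowed |= members_recursive(g, groups)
    for g in exclude_groups:
        allowed -= members_recursive(g, groups)
    # User Exclusions field: comma-separated, '*' as wildcard (glob matching
    # is an assumption of this example).
    patterns = [p.strip() for p in exclude_users if p.strip()]
    allowed = {u for u in allowed
               if not any(fnmatchcase(u, p) for p in patterns)}
    return sorted(allowed)


def parse_user_exclusions(field):
    """Split the comma-separated User Exclusions field into patterns."""
    return [p.strip() for p in field.split(",") if p.strip()]


if __name__ == "__main__":
    eng = "CN=Engineering,OU=Groups,DC=example,DC=com"
    contractors = "CN=Contractors,OU=Groups,DC=example,DC=com"
    # Include Engineering (pulls in Security and Red Team members), exclude
    # Contractors, and drop every service account via the wildcard.
    print(resolve_users([eng], [contractors],
                        parse_user_exclusions("svc-*, tvo")))
```

The interesting case is bsmith: a direct member of the included Engineering group, yet removed because Contractors is excluded. If a rule written against Engineering unexpectedly stops matching a user, check the excluded groups and the User Exclusions patterns before suspecting the LDAP query.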
You must also specify how often the ASA FirePOWER module queries the LDAP server to obtain new users to use in access control.
After you create an LDAP connection, you can delete it by clicking the delete icon and confirming your choice. To modify an LDAP connection, click the edit icon. If the connection is enabled, your saved changes take effect when the ASA FirePOWER module next queries the LDAP server.
To create an LDAP connection for user awareness or user control:
Step 1 Select Configuration > ASA FirePOWER Configuration > Policies > Users.
The Users Policy page appears.
Step 2 Click Add LDAP Connection.
The Create User Awareness Authentication Object page appears.
Step 3 Type a Name and Description for the object.
Step 4 Select Microsoft Active Directory as the Server Type.
Step 5 Specify an IP Address or Host Name for a primary and, optionally, a backup LDAP server.
Step 6 Specify the Port that your LDAP servers use for authentication traffic.
Step 7 Specify the Base DN for the LDAP directory you want to access.
For example, to authenticate names in the Security organization at the Example company, type ou=security,dc=example,dc=com.
Tip To fetch a list of the base DNs available on the primary server, click Fetch DNs and select the appropriate base distinguished name from the drop-down list.
Step 8 Specify the distinguished User Name and Password that you want to use to validate access to the LDAP directory. Confirm the password.
Step 9 Choose an Encryption method. If you are using encryption, you can add an SSL Certificate.
The host name in the certificate must match the host name of the LDAP server you specified in step 5.
Step 10 Specify the Timeout period (in seconds) after which attempts to contact an unresponsive primary LDAP server roll over to the backup connection.
Step 11 Optionally, before you specify user awareness settings for the object, test the connection by clicking Test.
Step 12 Optionally, enable User/Group Access Control Parameters to specify users to use in access control.
Step 13 Click Fetch Groups to populate the available groups list using the LDAP parameters you provided.
Step 14 Specify the users you want to use in access control by using the right and left arrow buttons to include and exclude groups.
Including a group automatically includes all of that group’s members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. Excluding a group excludes all the members of that group, even if the users are members of an included group.
Step 15 Specify any particular User Exclusions.
Excluding a user prevents you from writing an access control rule using that user as a condition. Separate multiple users with commas. You can also use an asterisk (*) as a wildcard character in this field.
Step 16 Specify how often you want to query the LDAP server to obtain new user and group information.
By default, the ASA FirePOWER module queries the server once a day at midnight:
- Use the Start At drop-down list to specify when you want the query to occur. 0 represents midnight, 1 represents 1:00 AM, and so on.
- Use the Update Interval drop-down list to specify how often, in hours, you want to query the server.
Step 17 Click Save.
If you added or made changes to user and group access control parameters, confirm that you want to implement your changes. The object is saved and the Users Policy page appears again.
Step 18 Enable the connection by clicking the slider next to the connection you just created.
If you are enabling the connection and your connection has user and group access control parameters, choose whether you want to immediately query the LDAP server to obtain user and group information. Note that if you do not immediately query the LDAP server, the query occurs at the scheduled time. You can monitor any query’s progress in the task queue ( Monitoring > ASA FirePOWER Monitoring > Task Status).