Note
|
You must have administrator privileges to perform this task.
|
When you enable external authentication for management users, the threat
defense verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.
Sharing External Authentication Objects
External authentication objects can be used by the management center and threat
defense devices. You can share the same object between the management center and devices, or create separate objects. Note that the threat
defense supports defining users on the RADIUS server, while the management center requires you to predefine the user list in the external authentication object. You can choose to use the predefined list
method for the threat
defense, but if you want to define users on the RADIUS server, you must create separate objects for the threat
defense and the management center.
Note
|
The timeout range is different for the threat
defense and the management center, so if you share an object, be sure not to exceed the threat
defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value,
the threat
defense external authentication configuration will not work.
|
Assigning External Authentication Objects to Devices
For the management center, enable the external authentication objects directly on ; this setting only affects management center usage, and it does not need to be enabled for managed device usage. For threat
defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices, and
you can only activate one external authentication object per policy. An LDAP object with CAC authentication enabled cannot
also be used for CLI access.
Threat Defense Supported Fields
Only a subset of fields in the external authentication object are used for threat
defense SSH access. If you fill in additional fields, they are ignored. If you also use this object for the management center, those fields will be used. This procedure only covers the supported fields for the threat
defense. For other fields, see Configure External Authentication for the Management
Center in the Cisco Secure Firewall Management
Center Administration Guide.
Usernames
Usernames must be Linux-valid usernames and be lower-case only, using alphanumeric characters plus period (.) or hyphen (-).
Other special characters such as at sign (@) and slash (/) are not supported. You cannot add the admin user for external authentication. You can only add external users (as part of the External Authentication object) in the
management center; you cannot add them at the CLI. Note that internal users can only be added at the CLI, not in the management center.
If you previously configured the same username for an internal user using the configure user add command, the threat
defense first checks the password against the internal user, and if that fails, it checks the AAA server. Note that you cannot later
add an internal user with the same name as an external user; only pre-existing internal users are supported. For users defined on the RADIUS server, be sure to set the privilege level to be the same as any internal users; otherwise
you cannot log in using the external user password.
Privilege Level
LDAP users always have Config privileges. RADIUS users can be defined as either Config or Basic users.