Note
|
You must have administrator privileges to perform this task.
|
When you enable external authentication for management users,
the threat
defense verifies the user credentials with an LDAP or RADIUS server as specified in an
external authentication object.
Sharing External Authentication Objects
External
authentication objects can be used by the management center and threat
defense devices. You can share the same object between the management center and devices, or create separate objects. Note that the threat
defense supports defining users on the RADIUS server, while the
management center requires you to predefine the user list in the external authentication
object. You can choose to use the predefined list method for the threat
defense, but if you want to define users on the RADIUS server,
you must create separate objects for the threat
defense and the management center.
Note
|
The timeout range is different for the threat
defense and the management center, so if you share an object, be sure not to exceed the threat
defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for
RADIUS). If you set the timeout to a higher value, the threat
defense external authentication configuration will not work.
|
Assigning External Authentication Objects to Devices
For the management center, enable the external authentication objects directly on ; this setting only affects management center usage, and it does not need to be enabled for managed device usage. For threat
defense devices, you must enable the external authentication object
in the platform settings that you deploy to the devices, and you can only activate
one external authentication object per policy. An LDAP object with CAC
authentication enabled cannot also be used for CLI access. Be sure
that both the threat
defense and the management center can reach the LDAP server, even if you are not sharing the object. The management center is essential to retrieving the user list and downloading it to the device.
Threat Defense Supported Fields
Only a subset of fields in the external authentication object are used for threat
defense SSH access. If you fill in additional fields, they are
ignored. If you also use this object for the management center, those fields will be used. This procedure only covers the supported fields for
the threat
defense. For other
fields, see Configure External Authentication for the Management
Center in the Cisco Secure Firewall Management
Center Administration Guide.
Usernames
Usernames must be Linux-valid usernames and be lower-case only, using alphanumeric
characters plus period (.) or hyphen (-). Other special characters such as at sign
(@) and slash (/) are not supported. You cannot add the admin user for
external authentication. You can only add external users (as part of the External
Authentication object) in the management center; you cannot add them at the CLI. Note that internal users can only be added at
the CLI, not in the management center.
If you previously configured the same username for an internal user using the
configure user add command, the threat
defense first checks the password against the internal user, and if that fails, it checks
the AAA server. Note that you cannot later add an internal user with the same name
as an external user; only pre-existing internal users are supported. For users
defined on the RADIUS server, be sure to set the privilege level to be the same
as any internal users; otherwise you cannot log in using the external user
password.
Privilege Level
LDAP users always have Config privileges. RADIUS users can be defined as either
Config or Basic users.