Configure FMC and FTD with LDAP for External Authentication

Available Languages

Download Options

  • PDF     (2.5 MB)
    View with Adobe Reader on a variety of devices
  • ePub     (2.9 MB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (1.7 MB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 15, 2024
Document ID:215538

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes how to enable Microsoft Lightweight Directory Access Protocol (LDAP) External Authentication with Cisco FMC and FTD.

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Cisco Firepower Threat Defense (FTD)
    • Cisco Firepower Management Center (FMC)
    • Microsoft LDAP

    Components Used

    The information in this document is based on these software and hardware versions:

    • FTD 6.5.0-123
    • FMC 6.5.0-115
    • Microsoft Server 2012

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information

    The FMC and managed devices include a default admin account for management access. You can add custom user accounts on the FMC and on managed devices, either as internal users or, if supported for your model, as external users on an LDAP or RADIUS server. External user authentication is supported for FMC and FTD.

    • Internal user - The FMC/FTD device checks a local database for user authentication.

    • External user - If the user is not present in the local database, the system information from an external LDAP or RADIUS authentication server populates its user database.

    Network Diagram

    Basic Topology

    Configure

    Basic LDAP Configuration in FMC GUI

    Step 1. Navigate to System > Users > External Authentication:

    Access External Authentication Settings in Cisco FMC and FTD

    Step 2. Choose Add External Authentication Object:

    Add an External Authentication Object in Cisco FMC and FTD

    Step 3. Complete the required fields:

    Complete Required Fields for External Authentication Configuration in Cisco FMC and FTD

    Complete Required Fields for External Authentication Configuration in Cisco FMC and FTD

    Step 4. Enable the External AuthenticationObject and Save:

    Enable and Save the External Authentication Object in Cisco FMC and FTD

    Shell Access for External Users

    The FMC supports two different internal admin users: one for the web interface, and another with CLI access. This means there is a clear distinction between who can access the GUI and who can also access CLI. At the time of installation, the password for the default admin user is synchronized in order to be the same on both GUI and CLI, however, they are tracked by different internal mechanisms, and can eventually be different.

    LDAP External users must also be granted shell access.

    Step 1. Navigate to System > Users > External Authentication and click Shell Authentication drop-down box as seen in the image and save:

    Access Shell Authentication Settings in Cisco FMC and FTD

    Step 2. Deploy changes in FMC.

    Once shell access for external users is configured, log in via SSH is enabled as seen in the image:

    Deploy Configuration Changes in Cisco FMC for Shell Access and Enable SSH Log In

    External Authentication to FTD

    External authentication can be enabled on FTD.

    Step 1. Navigate to Devices > Platform Settings > External Authentication. Click Enabled and save:

    Add LDAP to FTD

    User Roles

    User privileges are based on the assigned user role. You can also create custom user roles with access privileges tailored to the needs of your organization or you can use predefined roles such as Security Analyst and Discovery Admin.

    There are two types of user roles:

    1. Web Interface User Roles
    2. CLI User Roles

    For a full list of predefined roles and more information, refer to: User Roles.

    In order to configure a default user role for all External Authentication Objects, navigate to System > Users > External Authentication > Default User Role. Choose the default user role you like to assign and click Save.

    Default User Role for All External Authentication Objects

    In order to choose a default user role or assign specific roles to specific users in a particular object group, you can choose the object and navigate to Group Controlled Access Roles as seen in the image:

    Assign User Roles in Object Groups for Controlled Access in Cisco FMC

    SSL or TLS

    DNS must be configured in the FMC. This is because the Subject value of the Certificate must match the Authentication Object Primary Server Hostname. Once Secure LDAP is configured, packet captures no longer show clear text bind requests.

    SSL changes the default port to 636, and TLS keeps it as 389.

    Note: TLS encryption requires a certificate on all platforms. For SSL, the FTD also requires a certificate. For other platforms, SSL does not require a certificate. However, it is recommended that you always upload a certificate for SSL in order to prevent man-in-the-middle attacks.

    Step 1. Navigate to Devices > Platform Settings > External Authentication > External Authentication Object and enter the Advanced Options SSL/TLS information:

    Configure SSL/TLS Advanced Options for External Authentication Objects in Cisco FMC

    Step 2. Upload the certificate of the CA who signed the certificate of the server. The certificate must be in PEM format.

    Upload CA Certificate for Server Certificate Verification in Cisco FMC

    Step 3. Save the configuration.

    Verify

    Test Search Base

    Open a Windows command prompt or PowerShell where LDAP is configured and type the command: dsquery user -name <known username>.

    For example:

    PS C:\Users\Administrator> dsquery user -name harry* 
    PS C:\Users\Administrator> dsquery user -name *

    Use Command Prompt or PowerShell to Search for a Known User in LDAP Configuration

    Test LDAP Integration

    Navigate to System > Users > External Authentication > External Authentication Object. At the bottom of the page, there is an Additional Test Parameters section as seen in the image:

    Access Additional Test Parameters in External Authentication Object Configuration in Cisco FMC

    Choose Test in order to see the results.

    Perform Test for External Authentication Object Configuration in Cisco FMC

    Test Results Capture

    Troubleshoot

    How Do FMC/FTD and LDAP Interact to Download Users

    In order for FMC to be able to pull users from a Microsoft LDAP server, the FMC must first send a bind request on port 389 or 636 (SSL) with the LDAP administrator credentials. Once the LDAP server is able to authenticate FMC, it responds with a success message. Finally, FMC is able to make a request with the search Request message as described in the diagram:

    << ---  FMC sends: bindRequest(1) "Administrator@SEC-LAB0" simple LDAP must respond with: bindResponse(1) success --- >> << --- FMC sends: searchRequest(2) "DC=SEC-LAB,DC=NET" wholeSubtree

    Notice that the authentication sends passwords in the clear by default:

    Enable Secure Password Transmission in External Authentication Configuration in Cisco FMC

    How Do FMC/FTD and LDAP Interact to Authenticate a User Log In Request

    In order for a user to be able to log in to FMC or FTD while LDAP authentication is enabled, the initial log in request is sent to Firepower, however, the username and password are forwarded to LDAP for a success/deny response. This means that FMC and FTD do not keep password information locally in the database and instead await confirmation from LDAP on how to proceed.

    Log In Request Flow

    FMC GUI Log In

    Successful User Log In Entry in Web GUI After LDAP Authentication in Cisco FMC and FTD

    If the username and password are accepted, an entry is added in the web GUI as seen in the image:

    User Added to GUI

    Run the command show user in FMC CLISH in order to verify user information: > show user <username>

    The command displays detailed configuration information for the specified user(s). These values are displayed:

    Log in — the log in name

    UID — the numeric user ID
    Auth (Local or Remote) — how the user is authenticated
    Access (Basic or Config) — the privilege level of the user
    Enabled (Enabled or Disabled) — whether the user is active
    Reset (Yes or No) — whether the user must change the password at the next log in
    Exp (Never or a number) — the number of days until the password of the user must be changed
    Warn (N/A or a number) — the number of days a user is given in order to change their password before it expires
    Str (Yes or No) — whether the password of the user must meet the criteria to check the strength
    Lock (Yes or No) — whether the account of the user has been locked due to too manylog in failures
    Max (N/A or a number) — the maximum number of failed log ins before the account of the user is locked

    SSL or TLS does not Work as Expected

    If you do not enable DNS on the FTDs, you can see errors in the pigtail log that suggest that LDAP is unreachable:

    root@SEC-FMC:/$ sudo cd /var/common
    root@SEC-FMC:/var/common$ sudo pigtail
    MSGS: 03-05 14:35:31 SEC-FTD sshd[10174]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.15  user=h.potter
    MSGS: 03-05 14:35:31 SEC-FTD sshd[10174]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
    MSGS: 03-05 14:35:33 SEC-FTD sshd[10138]: error: PAM: Authentication failure for h.potter from 192.0.2.15
    MSGS: 03-05 14:35:33 SEC-FTD sshd[10138]: Failed keyboard-interactive/pam for h.potter from 192.0.2.15 port 61491 ssh2
    MSGS: 03-05 14:35:33 SEC-FTD sshd[10138]: error: maximum authentication attempts exceeded for h.potter from 192.0.2.15 port 61491 ssh2 [preauth]
    MSGS: 03-05 14:35:33 SEC-FTD sshd[10138]: Disconnecting authenticating user h.potter 192.0.2.15 port 61491: Too many authentication failures [preauth]

    Ensure that Firepower is able to resolve the LDAP Servers Fully Qualified Domain Name (FQDN). If not, add the correct DNS as seen in the image.

    FTD: Access the FTD CLISH and run the command: > configure network dns servers <IP Address>.

    Resolve FQDN

    FMC: Choose System > Configuration, and then choose Management Interfaces as seen in the image:

    Access Management Interfaces Configuration in Cisco FMC

    Ensure the certificate uploaded to FMC is the certificate of the CA who signed the server certificate of the LDAP, as illustrated in the image:

    Verify CA Certificate for LDAP Server in Cisco FMC

    Use packet captures in order to confirm LDAP server sends the correct information:

    SSL Packet Capture

    Related Information

    Revision History

    Revision Publish Date Comments
    3.0
    15-Jul-2024
    Updated Title, Introduction, Alt Text, and Formatting.
    1.0
    20-May-2020
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Luis Jose Esquivel Blanco
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products