Connecting to an LDAP Server for User Awareness and Control
License:
FireSIGHT or Control
Supported Devices:
feature dependent
Supported Defense Centers:
feature dependent
Connections between Defense Centers and your organization’s LDAP servers can:
- specify the access-controlled users and groups whose activity you want to monitor with User Agents, and who you can use as criteria when limiting traffic with access control rules
- allow you to query the server for metadata on access-controlled users, as well as some non-access-controlled users: POP3 and IMAP users detected by user discovery and LDAP users whose activity is detected by either user discovery or a User Agent.
These connections, or user awareness objects, specify connection settings and authentication filter settings for the LDAP server. They are similar to the authentication objects you configure to manage external authentication to the FireSIGHT System’s web interface; see Managing Authentication Objects.
To perform user control, you must connect to a Microsoft Active Directory LDAP server. If you simply want to retrieve LDAP user metadata, the system supports connections to other types of LDAP server; see Table 17-1.
When the system detects user activity, it can add a record of that user to the Defense Center users database, also called the user identity database. The Defense Center regularly queries the LDAP server to obtain metadata for new and updated users whose activity was detected since the last query. If a user already exists in the database, the system updates the metadata if it has not been updated in the last 12 hours. It may take several minutes for the Defense Center to update with user metadata after the system detects a new user login.
The system uses the email addresses in POP3 and IMAP logins to correlate with users on the LDAP server. For example, if a managed device detects a POP3 login for a user with the same email address as an LDAP user, the system associates the LDAP user’s metadata with that user.
Note If you remove a user that has been detected by the system from your LDAP servers, the Defense Center does not remove that user from its users database; you must manually delete it. However, your LDAP changes are reflected in access control rules when the Defense Center next updates its list of access-controlled users.
The following table lists the LDAP metadata you can associate with monitored users. Note that to successfully retrieve user metadata from an LDAP server, the server must use the LDAP field names listed in the table. If you rename the field on the LDAP server, the Defense Center cannot populate its database with the information in that field.
Table 17-2 Mapping LDAP Fields to Cisco Fields

| Metadata | Defense Center attribute | Active Directory | OpenLDAP | Oracle Directory Server |
| --- | --- | --- | --- | --- |
| LDAP user name | Username | samaccountname | cn, uid | cn, uid |
| first name | First Name | givenname | givenname | givenname |
| last name | Last Name | sn | sn | sn |
| email address | Email | mail (userprincipalname if mail has no value) | mail | mail |
| department | Department | department (distinguishedname if department has no value) | department | ou |
| telephone number | Phone | telephonenumber | n/a | telephonenumber |
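The following Python script is an added example and is not part of the Cisco documentation or the FireSIGHT product. It applies the Table 17-2 mapping to constructed sample directory records, including the Active Directory fallbacks (userprincipalname when mail is empty, distinguishedname when department is empty), correlates a detected POP3 or IMAP login with a mapped user by email address as described above, and applies the 12-hour metadata refresh rule. The server-type labels, the preference order between cn and uid, the case-insensitive attribute lookup, and the sample records are assumptions.

```python
"""Map raw LDAP attributes to the Defense Center user fields of Table 17-2.

Added example, not Cisco code. The entries below are constructed sample
records; attribute names follow the table, the preference order between
cn and uid is assumed, and attribute-name lookup folds case because LDAP
attribute names are case-insensitive.
"""
from datetime import datetime, timedelta

# Per server type: Defense Center field -> LDAP attributes tried in order.
# The second entry in a list is the "if X has no value" fallback.
FIELD_MAP = {
    "active_directory": {
        "Username":   ["samaccountname"],
        "First Name": ["givenname"],
        "Last Name":  ["sn"],
        "Email":      ["mail", "userprincipalname"],
        "Department": ["department", "distinguishedname"],
        "Phone":      ["telephonenumber"],
    },
    "openldap": {
        "Username":   ["cn", "uid"],
        "First Name": ["givenname"],
        "Last Name":  ["sn"],
        "Email":      ["mail"],
        "Department": ["department"],
        "Phone":      [],                     # n/a in the table
    },
    "oracle_directory": {
        "Username":   ["cn", "uid"],
        "First Name": ["givenname"],
        "Last Name":  ["sn"],
        "Email":      ["mail"],
        "Department": ["ou"],
        "Phone":      ["telephonenumber"],
    },
}

REFRESH_AFTER = timedelta(hours=12)   # existing users are refreshed at most every 12 h

# Constructed sample records, shaped like the attribute dicts an LDAP search returns.
AD_ENTRY = {
    "sAMAccountName": ["jdoe"],
    "givenName": ["Jane"],
    "sn": ["Doe"],
    "mail": [],                                   # empty -> fall back to UPN
    "userPrincipalName": ["jdoe@example.com"],
    "department": [],                             # empty -> fall back to DN
    "distinguishedName": ["CN=Jane Doe,OU=Security,DC=example,DC=com"],
    "telephoneNumber": ["+1 555 0100"],
}
OPENLDAP_ENTRY = {
    "uid": ["netadmin"],                          # no cn -> uid is used
    "givenName": ["Network"],
    "sn": ["Admin"],
    "mail": ["netadmin@example.com"],
    "ou": ["security"],                           # only Oracle maps ou -> Department
}


def _first_value(entry, attr):
    """First non-empty value of attr, matching the attribute name case-insensitively."""
    for name, values in entry.items():
        if name.lower() == attr:
            if isinstance(values, str):
                values = [values]
            for v in values:
                if v:
                    return v
    return None


def map_entry(server_type, entry):
    """Return {Defense Center field: value or None}, applying the fallbacks."""
    mapped = {}
    for field, attrs in FIELD_MAP[server_type].items():
        value = None
        for attr in attrs:
            value = _first_value(entry, attr)
            if value is not None:
                break
        mapped[field] = value
    return mapped


def correlate_mail_login(login_email, mapped_users):
    """Match a POP3/IMAP login to directory users by email (case-insensitive)."""
    needle = login_email.lower()
    return [u for u in mapped_users if (u["Email"] or "").lower() == needle]


def needs_refresh(last_updated, now):
    """True when an existing user's metadata is older than the 12-hour window."""
    return now - last_updated >= REFRESH_AFTER


if __name__ == "__main__":
    users = [map_entry("active_directory", AD_ENTRY), map_entry("openldap", OPENLDAP_ENTRY)]
    for u in users:
        print(u)
    print(correlate_mail_login("JDoe@Example.com", users))
```

The case-insensitive lookup matters in practice: Active Directory returns `sAMAccountName` and `userPrincipalName` in mixed case, while Table 17-2 lists the names in lower case.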
Work closely with your LDAP administrators to ensure your LDAP servers are correctly configured and that you can connect to them, and to obtain the information you must provide when creating an LDAP connection.
Server Type, IP Address, and Port
You must specify the server type, IP address or hostname, and port for a primary, and optionally a backup, LDAP server. To perform user control, you must use a Microsoft Active Directory server.
LDAP-Specific Parameters
When the Defense Center searches the LDAP server to retrieve user information on the authentication server, it needs a starting point for that search. You can specify the namespace, or directory tree, to search by providing a base distinguished name, or base DN. Typically, the base DN has a basic structure indicating the company domain and operational unit. For example, the Security organization of the Example company might have a base DN of ou=security,dc=example,dc=com. Note that after you identify a primary server, you can automatically retrieve a list of available base DNs from the server and select the appropriate base DN.
You must supply user credentials for a user with appropriate rights to the user information you want to retrieve. Remember that the distinguished name for the user you specify must be unique to the directory information tree for the directory server.
You can also specify an encryption method for the LDAP connection. Note that if you are using a certificate to authenticate, the name of the LDAP server in the certificate must match the host name that you specified in the Defense Center web interface. For example, if you use 10.10.10.250 when configuring the LDAP connection but computer1.example.com in the certificate, the connection fails.
Finally, you must specify the timeout period after which attempts to contact an unresponsive LDAP server roll over to the backup connection.
User and Group Access Control Parameters
To perform user control, specify the groups you want to use as criteria in access control rules.
Including a group automatically includes all of that group’s members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. You can also exclude groups and individual users. Excluding a group excludes all the members of that group, even if the users are members of an included group.
The maximum number of users you can use in access control depends on your FireSIGHT license. When choosing which users and groups to include, make sure the total number of users is less than your FireSIGHT user license. If your access control parameters are too broad, the Defense Center obtains information on as many users as it can and reports the number of users it failed to retrieve in the task queue.
Note If you do not specify any groups to include, the system retrieves user data for all the groups that match the LDAP parameters you provided. For performance reasons, Cisco recommends that you explicitly include only the groups that represent the users you want to use in access control. Note that you cannot include the Users or Domain Users groups.
You must also specify how often the Defense Center queries the LDAP server to obtain new users to use in access control.
After you create an LDAP connection, you can delete it by clicking the delete icon and confirming your choice. To modify an LDAP connection, click the edit icon. If the connection is enabled, your saved changes take effect when the Defense Center next queries the LDAP server.
To create an LDAP connection for user awareness or user control:
Access:
Admin/Discovery Admin
Step 1 Select Policies > Users.
The Users Policy page appears.
Step 2 Click Add LDAP Connection.
The Create User Awareness Authentication Object page appears.
Step 3 Type a Name and Description for the object.
Step 4 Select the LDAP Server Type.
If you want to perform user control, you must use a Microsoft Active Directory server.
Note User Agents cannot transmit Active Directory user names ending with the $ character to the Defense Center. You must remove the final $ character if you want to monitor these users.
Step 5 Specify an IP Address or Host Name for a primary and, optionally, a backup LDAP server.
Step 6 Specify the Port that your LDAP servers use for authentication traffic.
Step 7 Specify the Base DN for the LDAP directory you want to access.
For example, to authenticate names in the Security organization at the Example company, type ou=security,dc=example,dc=com.
Tip To fetch a list of all available base DNs from the primary server, click Fetch DNs and select the appropriate base distinguished name from the drop-down list.
Step 8 Specify the distinguished User Name and Password that you want to use to validate access to the LDAP directory. Confirm the password.
For example, if you are connecting to an OpenLDAP server where user objects have a uid attribute and the object for the administrator in the Security division at our example company has a uid value of NetworkAdmin, you would type uid=NetworkAdmin,ou=security,dc=example,dc=com.
Step 9 Choose an Encryption method. If you are using encryption, you can add an SSL Certificate.
The host name in the certificate must match the host name of the LDAP server you specified in step 5.
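The following Python script is an added example (not Cisco code) covering steps 7 through 9 and the LDAP-Specific Parameters discussion above. It builds a bind DN such as uid=NetworkAdmin,ou=security,dc=example,dc=com with the value escaping that RFC 4514 requires, so a uid containing a comma or other DN metacharacter cannot alter the DN, and it checks whether the name you configured in step 5 appears in the server certificate the way a TLS client would, so that the 10.10.10.250 versus computer1.example.com mismatch is caught before you click Test. The certificate dictionaries are constructed samples in the shape Python's ssl.getpeercert() returns; the wildcard rule and the subject-CN fallback are standard TLS name-matching behavior, not something the FireSIGHT documentation states.

```python
"""Pre-flight checks for the LDAP-specific connection parameters.

Added example, not Cisco code. SERVER_CERT and the other certificate dicts
are constructed samples shaped like ssl.getpeercert() output; the matching
rules are ordinary TLS hostname verification, assumed rather than taken
from the FireSIGHT documentation.
"""
import ipaddress

# RFC 4514 section 2.4: characters that must be escaped inside an attribute value.
_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value):
    """Escape one attribute value for use in a DN (RFC 4514, hex form)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or ch == "\0":
            out.append("\\%02x" % ord(ch))        # \2c for ',', \00 for NUL, ...
        elif ch == "#" and i == 0:
            out.append("\\#")                     # leading '#' is special
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")                     # leading/trailing space
        else:
            out.append(ch)
    return "".join(out)


def bind_dn(attr, value, base_dn):
    """Build the distinguished user name for step 8, e.g.
    uid=NetworkAdmin,ou=security,dc=example,dc=com."""
    return "%s=%s,%s" % (attr, escape_rdn_value(value), base_dn)


def _dns_match(pattern, host):
    """Match a certificate DNS name against host; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) < 3 or p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert, configured_host):
    """True if the name configured in step 5 (hostname or IP) is covered by the
    certificate's subjectAltName, or by its subject CN when there is no SAN."""
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None                                  # configured value is a hostname
    san = cert.get("subjectAltName", ())
    if san:
        for kind, name in san:
            if ip is not None and kind == "IP Address":
                try:
                    if ipaddress.ip_address(name) == ip:
                        return True
                except ValueError:
                    pass
            elif ip is None and kind == "DNS" and _dns_match(name, configured_host):
                return True
        return False
    if ip is not None:
        return False                               # an IP never matches a bare CN
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, configured_host):
                return True
    return False


# Constructed sample: the certificate from the documentation's example server.
SERVER_CERT = {
    "subject": ((("commonName", "computer1.example.com"),),),
    "subjectAltName": (("DNS", "computer1.example.com"),),
}

if __name__ == "__main__":
    print(bind_dn("uid", "NetworkAdmin", "ou=security,dc=example,dc=com"))
    print(cert_matches_host(SERVER_CERT, "computer1.example.com"))   # True
    print(cert_matches_host(SERVER_CERT, "10.10.10.250"))            # False: IP vs DNS name
```

If you must configure the server by IP address, the certificate needs an IP Address entry in its subjectAltName; otherwise configure the host name that the certificate actually carries.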
Step 10 Specify the Timeout period (in seconds) after which attempts to contact an unresponsive primary LDAP server roll over to the backup connection.
Step 11 Optionally, before you specify user awareness settings for the object, test the connection by clicking Test.
Step 12 You have two options, depending on the type of LDAP server you selected in step 4:
- If you are connecting to an Active Directory server, you can enable User/Group Access Control Parameters to specify users to use in access control. Continue with the next step.
- If you are connecting to any other kind of server, or do not want to perform user control, skip to step 17.
Step 13 Click Fetch Groups to populate the available groups list using the LDAP parameters you provided.
Step 14 Specify the users you want to use in access control by using the right and left arrow buttons to include and exclude groups.
Including a group automatically includes all of that group’s members, including members of any sub-groups. However, if you want to use the sub-group in access control rules, you must explicitly include the sub-group. Excluding a group excludes all the members of that group, even if the users are members of an included group.
Step 15 Specify any particular User Exclusions.
Excluding a user prevents you from writing an access control rule using that user as a condition. Separate multiple users with commas. You can also use an asterisk (*) as a wildcard character in this field.
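The following Python script is an added example (not Cisco code) that works out which directory users a connection's access control parameters cover, using the rules stated under User and Group Access Control Parameters and in steps 13 through 15: nested group membership, explicit inclusion of sub-groups, group exclusions overriding group inclusions, comma-separated User Exclusions with * wildcards, the restriction on including Users or Domain Users, and the license limit. The directory and group names are constructed; the "retrieve all groups when nothing is included" behavior is modeled as the union of every group in the sample directory, which is an assumption about what the Defense Center's LDAP query returns.

```python
"""Resolve the effective access-controlled user set for an LDAP connection.

Added example, not Cisco code. DIRECTORY is a constructed sample; in a real
deployment the group membership comes from the LDAP query the Defense Center
runs with the connection's parameters.
"""
from fnmatch import fnmatchcase

# Constructed sample directory: group -> (direct user members, direct sub-groups).
DIRECTORY = {
    "Security":         ({"alice", "bob"}, {"Security-Ops", "Security-Interns"}),
    "Security-Ops":     ({"carol", "svc-scan"}, set()),
    "Security-Interns": ({"dave"}, set()),
    "Engineering":      ({"erin", "bob"}, set()),
    "Domain Users":     ({"alice", "bob", "carol", "dave", "erin", "frank", "svc-scan"}, set()),
}

# Groups the documentation says cannot be included.
FORBIDDEN_INCLUDES = {"Users", "Domain Users"}


def group_members(group, directory, _seen=None):
    """All users in group, recursing through sub-groups; tolerates membership cycles."""
    _seen = set() if _seen is None else _seen
    if group in _seen:
        return set()
    _seen.add(group)
    users, subgroups = directory.get(group, (set(), set()))
    result = set(users)
    for sub in subgroups:
        result |= group_members(sub, directory, _seen)
    return result


def parse_user_exclusions(text):
    """Split the comma-separated User Exclusions field into patterns."""
    return [p.strip() for p in text.split(",") if p.strip()]


def resolve_access_control(directory, include_groups, exclude_groups,
                           user_exclusions, license_limit):
    """Return the groups usable as rule criteria, the users the Defense Center
    would retrieve, and how many of them exceed the user license."""
    bad = FORBIDDEN_INCLUDES & set(include_groups)
    if bad:
        raise ValueError("cannot include group(s): %s" % ", ".join(sorted(bad)))

    # No included groups -> everything the LDAP parameters return; assumed here
    # to be every group in the sample directory.
    selected = list(include_groups) or list(directory)

    users = set()
    for g in selected:
        users |= group_members(g, directory)        # members and nested sub-group members

    # A group exclusion wins even when the user is also in an included group.
    for g in exclude_groups:
        users -= group_members(g, directory)

    # User Exclusions: comma-separated, '*' is a wildcard.
    patterns = parse_user_exclusions(user_exclusions)
    users = {u for u in users if not any(fnmatchcase(u, p) for p in patterns)}

    # Only explicitly included groups can be rule criteria: a sub-group's members
    # are covered through the parent, but the sub-group itself is not selectable.
    usable_groups = sorted(set(include_groups) - set(exclude_groups))

    return {
        "groups": usable_groups,
        "users": users,
        "over_limit": max(0, len(users) - license_limit),
    }


if __name__ == "__main__":
    result = resolve_access_control(DIRECTORY, ["Security"], ["Security-Interns"], "svc-*", 10)
    print(result)
```

With Security included and Security-Interns excluded, dave drops out even though he is reachable through Security, and the svc-* exclusion removes the scanner service account; Security-Ops members are covered, but Security-Ops itself is not usable in a rule until you include it explicitly.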
Step 16 Specify how often you want to query the LDAP server to obtain new user and group information.
By default, the Defense Center queries the server once a day at midnight:
- Use the Start At drop-down list to specify when you want the query to occur. 0 represents midnight, 1 represents 1:00 AM, and so on.
- Use the Update Interval drop-down list to specify how often, in hours, you want to query the server.
Step 17 Click Save.
If you added or made changes to user and group access control parameters, confirm that you want to implement your changes. The object is saved and the Users Policy page appears again.
Step 18 Enable the connection by clicking the slider next to the connection you just created.
If you are enabling the connection and your connection has user and group access control parameters, choose whether you want to immediately query the LDAP server to obtain user and group information. Note that if you do not immediately query the LDAP server, the query occurs at the scheduled time. You can monitor any query’s progress in the task queue (System > Monitoring > Task Status).