
Note
|
You must have administrator privileges to perform this task.
|
When you enable external authentication for management users,
the FTD verifies the user credentials with an LDAP or RADIUS server as specified in an
external authentication object.
Sharing External Authentication Objects
External
authentication objects can be used by the FMC and FTD devices. You can share the same object between the FMC and devices, or create separate objects. Note that the FTD supports defining users on the RADIUS server, while the
FMC requires you to predefine the user list in the external authentication
object. You can choose to use the predefined list method for the FTD, but if you want to define users on the RADIUS server,
you must create separate objects for the FTD and the FMC.

Note
|
The timeout range is different for the FTD and the FMC, so if you share an object, be sure not to exceed the FTD's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for
RADIUS). If you set the timeout to a higher value, the FTD external authentication configuration will not work.
|
Assigning External Authentication Objects to Devices
For the FMC, enable the external authentication objects directly on ; this setting only affects FMC usage, and it does not need to be enabled for managed device usage. For FTD devices, you must enable the external authentication object
in the platform settings that you deploy to the devices, and you can only activate
one external authentication object per policy. An LDAP object with CAC
authentication enabled cannot also be used for CLI access. Be sure
that both the FTD and the FMC can reach the LDAP server, even if you are not sharing the object. The FMC is essential to retrieving the user list and downloading it to the device.
FTD Supported Fields
Only a subset of fields in the external authentication object are used for FTD SSH access. If you fill in additional fields, they are
ignored. If you also use this object for the FMC, those fields will be used. This procedure only covers the supported fields for
the FTD. For other
fields, see Configure External Authentication for the FMC in the Firepower Management Center
Administration Guide.
Usernames
Usernames must be Linux-valid usernames and be lower-case only, using alphanumeric
characters plus period (.) or hyphen (-). Other special characters such as at sign
(@) and slash (/) are not supported. You cannot add the admin user for
external authentication. You can only add external users (as part of the External
Authentication object) in the FMC; you cannot add them at the CLI. Note that internal users can only be added at
the CLI, not in the FMC.
If you previously configured the same username for an internal user using the
configure user add command, the FTD first checks the password against the internal user, and if that fails, it checks
the AAA server. Note that you cannot later add an internal user with the same name
as an external user; only pre-existing internal users are supported. For users
defined on the RADIUS server, be sure to set the privilege level to be the same
as any internal users; otherwise you cannot log in using the external user
password.
Privilege Level
LDAP users always have Config privileges. RADIUS users can be defined as either
Config or Basic users.