
Note: You must have administrator privileges to perform this task.

When you enable external authentication for management users, the Firewall Threat Defense verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.
Sharing External Authentication Objects
External authentication objects can be used by the Firewall Management Center and Firewall Threat Defense devices. You can share the same object between the Firewall Management Center and devices, or create separate objects. Note that the Firewall Threat Defense supports defining users on the RADIUS server, while the Firewall Management Center requires you to predefine the user list in the external authentication object. You can choose to use the predefined list method for the Firewall Threat Defense, but if you want to define users on the RADIUS server, you must create separate objects for the Firewall Threat Defense and the Firewall Management Center.

Note: The timeout range is different for the Firewall Threat Defense and the Firewall Management Center, so if you share an object, be sure not to exceed the Firewall Threat Defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value, the Firewall Threat Defense external authentication configuration will not work.
Assigning External Authentication Objects to Devices
For the Firewall Management Center, enable the external authentication objects directly on ; this setting only affects Firewall Management Center usage, and it does not need to be enabled for managed device usage. For Firewall Threat Defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices, and you can only activate one external authentication object per policy. An LDAP object with CAC authentication enabled cannot also be used for CLI access. Be sure that both the Firewall Threat Defense and the Firewall Management Center can reach the LDAP server, even if you are not sharing the object. The Firewall Management Center is essential to retrieving the user list and downloading it to the device.
Firewall Threat Defense Supported Fields
Only a subset of the fields in the external authentication object is used for Firewall Threat Defense SSH access. If you fill in additional fields, they are ignored for the Firewall Threat Defense. If you also use this object for the Firewall Management Center, those fields will be used there. This procedure only covers the fields supported by the Firewall Threat Defense. For the other fields, see Configure External Authentication for the Firewall Management Center in the Cisco Secure Firewall Management Center Administration Guide.
Usernames
Usernames must be valid Linux usernames, in lower case only, using alphanumeric characters plus period (.) or hyphen (-). Other special characters such as the at sign (@) and slash (/) are not supported. You cannot add the admin user for external authentication. You can only add external users (as part of the External Authentication object) in the Firewall Management Center; you cannot add them at the CLI. Note that internal users can only be added at the CLI, not in the Firewall Management Center.
If you previously configured the same username for an internal user using the configure user add command, the Firewall Threat Defense first checks the password against the internal user, and if that fails, it checks the AAA server. Note that you cannot later add an internal user with the same name as an external user; only pre-existing internal users are supported. For users defined on the RADIUS server, be sure to set the privilege level to be the same as any internal users; otherwise you cannot log in using the external user password.
Privilege Level
LDAP users always have Config privileges. RADIUS users can be defined as either Config or Basic users.