External Authentication
Note | You must have administrator privileges to perform this task. |
When you enable external authentication for management users, the threat defense verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.
Sharing External Authentication Objects
External authentication objects can be used by the management center and threat defense devices. You can share the same object between the management center and devices, or create separate objects. Note that the threat defense supports defining users on the RADIUS server, while the management center requires you to predefine the user list in the external authentication object. You can choose to use the predefined list method for the threat defense, but if you want to define users on the RADIUS server, you must create separate objects for the threat defense and the management center.
Note | The timeout range is different for the threat defense and the management center, so if you share an object, be sure not to exceed the threat defense's smaller timeout range (1-30 seconds for LDAP, and 1-300 seconds for RADIUS). If you set the timeout to a higher value, the threat defense external authentication configuration will not work. |
Assigning External Authentication Objects to Devices
For the management center, enable the external authentication objects directly on ; this setting only affects management center usage, and it does not need to be enabled for managed device usage. For threat defense devices, you must enable the external authentication object in the platform settings that you deploy to the devices, and you can only activate one external authentication object per policy. An LDAP object with CAC authentication enabled cannot also be used for CLI access. Be sure that both the threat defense and the management center can reach the LDAP server, even if you are not sharing the object. The management center is essential to retrieving the user list and downloading it to the device.
Threat Defense Supported Fields
Only a subset of fields in the external authentication object are used for threat defense SSH access. If you fill in additional fields, they are ignored. If you also use this object for the management center, those fields will be used. This procedure only covers the supported fields for the threat defense.
Usernames
Usernames must be Linux-valid usernames and be lower-case only, using alphanumeric characters plus period (.) or hyphen (-). Other special characters such as at sign (@) and slash (/) are not supported. You cannot add the admin user for external authentication. You can only add external users (as part of the External Authentication object) in the management center; you cannot add them at the CLI. Note that internal users can only be added at the CLI, not in the management center.
If you previously configured the same username for an internal user using the configure user add command, the threat defense first checks the password against the internal user, and if that fails, it checks the AAA server. Note that you cannot later add an internal user with the same name as an external user; only pre-existing internal users are supported. For users defined on the RADIUS server, be sure to set the privilege level to be the same as any internal users; otherwise you cannot log in using the external user password.
Privilege Level
LDAP users always have Config privileges. RADIUS users can be defined as either Config or Basic users.
Before you begin
-
SSH access is enabled by default on the management interface. To enable SSH access on data interfaces, see SSH Access.
-
Inform RADIUS users of the following behavior to set their expectations appropriately:
-
The first time an external user logs in, threat defense creates the required structures but cannot simultaneously create the user session. The user simply needs to authenticate again to start the session. The user will see a message similar to the following: "New external username identified. Please log in again to start a session."
-
If the user's Service-Type attribute is not defined or incorrectly configured in the RADIUS server, and when using the RADIUS-defined users for authentication, the user will see a message similar to the following: "Your username is not defined with a service type that is valid for this system. You are not authorized to access the system?.
In some cases, the SSH clients close the CLI window on an unsuccessful SSH connection, even before displaying the failure message. Hence, ensure that the user's Service-Type attribute is correctly defined in the RADIUS server.
-
Similarly, if the user’s Service-Type authorization was changed since the last login, the user will need to re-authenticate. The user will see a message similar to the following: "Your authorization privilege has changed. Please log in again to start a session."
-
Procedure
Step 1 | Choose threat defense policy. and create or edit the |
Step 2 | Click External Authentication. |
Step 3 | Click the Manage External Authentication Server link. You can also open the External Authentication screen by clicking . |
Step 4 | Configure an LDAP Authentication Object. |
Step 5 | For LDAP, if you later add or delete users on the LDAP server, you must refresh the user list and redeploy the Platform Settings. |
Step 6 | Configure a RADIUS Authentication Object. |
Step 7 | Return to . |
Step 8 | Click Refresh () to view any newly-added objects. For LDAP when you specify SSL or TLS encryption, you must upload a certificate for the connection; otherwise, the server will not be listed on this window. |
Step 9 | Click Slider enabled () next to the External Authentication object you want to use. You can only enable one object. |
Step 10 | Click Save. |
Step 11 | Deploy configuration changes; see Deploy Configuration Changes. |