
Cisco Firepower 4110 User Manual

Cisco Firepower 4110
72 pages
Cisco Preparative Procedures & Operational User Guide
© 2016 Cisco Systems, Inc. All rights reserved.
The AAA server is a network server that is used for access control. Authentication identifies the user.
Authorization implements policies that determine which resources and services an authenticated user may
access. Accounting keeps track of time and data resources that are used for billing and analysis. The
Firepower chassis maintains a local database that you can populate with user profiles. You can use a local
database instead of AAA servers to provide user authentication, authorization, and accounting.
4.4.3 Configure LDAP via CLI
1) Enter security mode:
Firepower-chassis# scope security
2) Enter security LDAP mode:
Firepower-chassis /security # scope ldap
3) Create an LDAP server instance and enter security LDAP server mode:
Firepower-chassis /security/ldap # create server server-name
If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common
Name (CN) in the LDAP server's security certificate. Unless an IP address is specified, a DNS server
must be configured.
4) (Optional) Set an LDAP attribute that stores the values for the user roles and locales:
Firepower-chassis /security/ldap/server # set attribute attr-name
This property is always a name-value pair. The system queries the user record for the value that
matches this attribute name.
This value is required unless a default attribute has been set for LDAP providers.
5) (Optional) Set the specific distinguished name in the LDAP hierarchy where the server should begin a
search when a remote user logs in and the system attempts to get the user's DN based on their
username:
Firepower-chassis /security/ldap/server # set basedn basedn-name
The length of the base DN can be set to a maximum of 255 characters minus the length of
CN=username, where username identifies the remote user attempting to access Firepower Chassis
Manager or the FXOS CLI using LDAP authentication.
This value is required unless a default base DN has been set for LDAP providers.
6) (Optional) Set the distinguished name (DN) for an LDAP database account that has read and search
permissions for all objects under the base DN:
Firepower-chassis /security/ldap/server # set binddn binddn-name
The maximum supported string length is 255 ASCII characters.
7) (Optional) Restrict the LDAP search to user names that match the defined filter.
Firepower-chassis /security/ldap/server # set filter filter-value
This value is required unless a default filter has been set for LDAP providers.
8) Specify the password for the LDAP database account specified for Bind DN:
Firepower-chassis /security/ldap/server # set password
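The limits stated in steps 3, 5 and 6 can be checked before the values are typed into the CLI. The following is an added example, not part of the Cisco guide: the function names, the subject-string input format and the sample values are assumptions, and "exactly match" is treated as a case-sensitive string comparison.

```python
import re

MAX_LEN = 255  # limit stated in steps 5 and 6

def subject_cns(subject):
    """Return the CN values in a certificate subject string like 'CN=a,OU=b'."""
    cns = set()
    for part in re.split(r"(?<!\\),", subject):  # split on unescaped commas
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            cns.add(value.strip())
    return cns

def check_ldap_settings(server_name, cert_subject, basedn, binddn, usernames, ssl=True):
    """Return a list of problems; an empty list means the values pass."""
    problems = []
    # Step 3: with SSL enabled, server-name must exactly match a certificate CN.
    # Assumption: "exactly" is taken as a case-sensitive string comparison.
    if ssl and server_name not in subject_cns(cert_subject):
        problems.append(f"server-name {server_name!r} matches no CN in {cert_subject!r}")
    # Step 5: base DN may use at most 255 characters minus len("CN=username").
    for user in usernames:
        budget = MAX_LEN - len(f"CN={user}")
        if len(basedn) > budget:
            problems.append(f"basedn is {len(basedn)} chars; limit for {user!r} is {budget}")
    # Step 6: bind DN is at most 255 ASCII characters.
    if not binddn.isascii():
        problems.append("binddn contains non-ASCII characters")
    if len(binddn) > MAX_LEN:
        problems.append(f"binddn is {len(binddn)} chars; limit is {MAX_LEN}")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not taken from the guide.
    planned = dict(
        server_name="10.0.0.5",
        cert_subject="CN=ldap01.example.com,OU=IT,O=Example",
        basedn="OU=Users,DC=example,DC=com",
        binddn="CN=svc-fxos,OU=Service,DC=example,DC=com",
        usernames=["jsmith"],
    )
    for problem in check_ldap_settings(**planned) or ["all checks passed"]:
        print(problem)
```

With the sample values, the check reports that the IP address used as server-name does not match the certificate's CN, which is the mismatch step 3 describes for SSL-enabled providers.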
