Cisco: Security - FMC 6.5 Integration with Active Directory (AD) for user authentication

Captions
[Applause] Alright guys, welcome to CiscoNate. So this video today is about how to integrate your Firepower Management Center (FMC) into Active Directory using LDAP. Now the FMC has multiple ways you can integrate for user identities, and in this case it's Active Directory. This is your typical management scenario where you already have all this infrastructure stood up, you have roles and permissions and groups, and you just want to leverage that to allow people to log in and view certain things within Firepower. So we'll get to that configuration here in a minute. Just don't forget about, in the description, there are bookmarks to help you jump around; there's also links to any resources if they were used in this video. Please like, comment, subscribe if you find this content useful. Thanks, we'll get to here in a minute.

Alright, so the requirements for this video are pretty simple today, relative compared to other videos I've made. You'll need a web browser so you can log in to your device, your FMC in this case, and manipulate the configuration. You'll need an FMC that's installed; it doesn't really matter which version. I'm using 6.5 in this video; whichever one you use, it should not matter, integration has been relatively stable across all of the versions. You'll need an Active Directory server and a way to reach it, so it doesn't matter if you RDP into it or console or remote terminal into it. I'm using VMware, so I like using VMware as a web console; it just works great. That's what you'll need for this video. We'll see you guys in a few.

Alright guys, welcome back to CiscoNate. So I'm gonna show you everything I normally do. I'm going to start off with logging into the resources that I need first. There's no software to download this time, so this should be a little easier than normal. I'm gonna log in here, and while I log in to vSphere for my Active Directory server and the FMC, we'll just talk about some of the nuances or gotchas here to fill up the time. So the reason I wanted to publish this video was: integrating with Active Directory seems like a relatively easy task, and indeed in general it is. However, there is one real big gotcha for engineers who have to kind of test and integrate all of these things and don't necessarily deal with every single component every day, and that is, on Firepower, to integrate Active Directory for user authentication for the screen I just showed you (I just logged in using an Active Directory user), you have to very specifically integrate using the user name, not the user ID. I'll get more specifically into what that is in a minute here, and you'll see it'll click and make sense, but it will hang you up most likely if it's your first time doing this. So you can see here that cisconate exists; that's the username I just logged in with using an external authentication mechanism, and that was the LDAP Active Directory integration with my Active Directory server. Now these usernames do not have to be created here or pre-placed here for this to work. If I create a new user in Active Directory with the right permissions and then log in, it will appear here; it is seeded once you use the username and it queries and pulls back the information from Active Directory.

Alright, so onto the "how do I get my FMC integrated". You go under System > Users > External Authentication. Now I already have one created here and I'm going to use that as a template, just to kind of speed up how long it takes me to do this. So I'm going to copy this link, I'm going to duplicate it in another tab here (should just click duplicate tab, duh), and I'm gonna open this one as kind of a base template so I can cut and paste some of the longer parts of this configuration. Then I'm gonna come over here to my vSphere and log in to my Active Directory server using the remote console or the web console from VMware. That's my preferred way; whatever infrastructure you have running your AD is how you do it. You can RDP in, you can console in, it doesn't matter. And I'm gonna show you from the ground up how you do this. I'm closing everything out just to do it again. But if you run Server Manager, and you're running a typical (this is a Windows 2016 server), then I should be able to, from Server Manager, go to Tools > Active Directory Users and Computers. Now this is where it kind of gets hairy. Active Directory is structured in what's called domains and then OUs, objects and other things, and they have a special naming scheme and hierarchy. I don't know all the specifics to it, but I will tell you what you do need to know, and that is you need to know your domain. This is important because it helps limit how much of the Active Directory tree the FMC or anything else has to query or search through to find your users, find the groups and find the proper membership. Typically best practice for servers or services is to create what's called a managed service account under a folder called Managed Service Accounts, and that's because these service accounts typically either have more strict or more relaxed requirements on them depending on the organization you're in: you have to change passwords every 30 days, every 60 days, whatever it is, versus a normal user who typically has an every-six-month password change policy. They may also have a policy where their passwords don't change or they're fixed, or you want to disable the change at first logon. All of these things matter. The real gotcha, though, is when it comes to actually creating your service account. So I'm going to create a new service account under here. I'm going to right-click on Managed Service Accounts, click New and click User. Yes, it is a new user that goes under the Managed Service Accounts for your service accounts, i.e. FMC or ISE or whatever else you have running. So I'm gonna call this "Firepower Management"; oops, we're gonna take that out of there and put it in the correct box here: Management. And I'm gonna call this FMC-A3.

Alright, and the reason I'm doing this is because in my naming scheme I labeled my devices FMC-A, in this case for the FMC. I have multiples, so there's a B, there's a C; it doesn't really matter. But what's relevant here is, because this is for the primary FMC and it's my third user name I'm creating, that's why I'm naming it this. Now this user name is what you would intuitively think you use to integrate with Active Directory: "hey, I need a username to log in to Active Directory, authenticate myself." And that is not the case; that is what will stump you guys here if it's the first time you're an engineer trying to do this integration. What you need is the username that shows up on the next screen. So I'm going to go ahead and set this real quick. The password must be whatever you want for your typical service account. What you need is the full name, this name that shows up here, not the user ID. Now when it comes to actually logging in to the Firepower, you'll use the user ID or the username, but for now you need this here.

Alright, so let's get back to the FMC and start building this new external authentication. I'm gonna hit Add External Authentication Object, and we're gonna be stealing a lot of configuration from my old one just to make it easy. This is LDAP; you can also do RADIUS. I will publish a video on how to integrate with RADIUS later on. And later on down here, I'm just showing you the simplest way to integrate: this is no SSL or TLS authentication with certificates, this is just basic Active Directory integration. So I'm gonna call this "CiscoNate AD", and then we're gonna go to ad.cisconate.local, and then we're gonna go fill in our base filter, or the base DN, sorry, not the filter. And the base DN is essentially your domain. Now you could set it for the whole tree, but in my case I am going to make it specific to my domain, so that's DC=cisconate,DC=local. You might wonder how you build this. Well, when you look at your tree here, the domain, each component, everything on either side of the periods is, in this case for a domain, DC. Now if you get further down the managed tree object here, you'll see that in this case later on we'll be referencing the managed service account, and that falls under CN. I'm not gonna go into the specifics of the hierarchy here; I'm just going to tell you how it is and how you can configure it yourself. If it's a folder under the domain it's CN, and if it's a user it's CN; if it's a domain it's DC. So you can see I've built this tree kind of backwards here. I stole this for my username, and in this case my username (not my username, my user ID) is "Firepower Management". I have to put it within quotes because there's a space; that space was induced just by the name that I typed there. So that's another gotcha: if you have spaces, put it within the quotes. So "Firepower Management" as the user name, as the name shows, not the user name right here: Firepower Management. Now my Firepower Management is not a member of anything, so I'm gonna go ahead and add him to my Firepower Administrators group; need to make sure he's in the proper group. So Firepower Administrators is tied to my Firepower admins, and then I'm gonna type in the password here.

Now the UI access attribute: this is the attribute that it uses to figure out what the usernames are, and in this case, in 99% of your cases, it's going to be the sAMAccountName. This is the user ID that shows up under the Account tab here; this is what people actually use to log in. This is known as the sAMAccountName under the attributes, so that's what you want to look for when you're trying to map permissions. Now I'm going to do group controlled access. For people that I want to have administrator access on this device, I'm going to look up their sAMAccountName and I'm going to make sure they're part of the Firepower Administrators, which is why I put that administrator group membership on that user ID. So Firepower Administrators, and then the group member attribute tells you, well, I'm looking for a group Firepower Administrators and I need it to be a member. So that's what I've done here; you can see "member" on my old template. I'm going to make my shell access filter the same. So shell access is when you CLI into FTD versus the FMC, and into the FMC itself as well. And then we're going to test this and make sure everything we configured works. Now if you test and it works, it will give you nice green blocks up the top; it'll say success, it'll say I found all these users. The other thing you can do, in addition to just testing basic functionality, is you can add a user name specifically to look up in here. So I'm gonna search for my other name, nstapp, with its password, and it's going to simulate a login, or a quick "somebody logged in with nstapp", and now the FMC is checking Active Directory to validate it. So now you should see, there you go, true membership for nstapp was administrator. So it's successfully validated a lookup as well as integrating, so I can hit save at this point. I know this worked, and now name is... oh, because I... okay, "CiscoNate AD", sorry. I can save this now that it's a properly named configuration, and we can actually switch over to using this new user account, this new LDAP integration. So I'm going to disable the old one and enable the new one, and I'm gonna hit Save and Apply. Now this is just to show you that the integration did indeed successfully work. I'm using a new username to integrate with LDAP, and what I should be able to do, to verify everything worked properly, is I should be able to show you that the only users that exist currently are admin and cisconate. I should be able to log out and then log back in using a new username that does not exist in the current users, and what you'll see is, on the back end, it's going to reach out to Active Directory, validate I have the ability to log in as an administrator, and then it's going to add my user ID locally to the system and tell you that it's performing external authentication for me. So let's go back to the Users pane, and there I am: nstapp, external. Everything has worked properly; this is exactly as you want. So this is great. I look forward to showing you guys another video. We're gonna publish another one later that shows you how to secure this using SSL or TLS and certificates, and I'll probably also be publishing a video on how to integrate with RADIUS instead, and another video that goes into more detail about shell access and filtering commands that people are able to execute on your devices. Alright, I hope this was useful for you guys. Have a good one.
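Added example (not code from the video or from Cisco): a small in-memory Python model of the lookups an LDAP external authentication object performs, built with the field values the video enters: a bind as the service account, a search below the base DN on the UI access attribute, and a group check through the member attribute. The directory entries, the jdoe user and every password are constructed, and the quotes the FMC UI wants around a name with spaces are represented here as RFC 4514 DN escaping.

```python
import hashlib
_h = lambda pw: hashlib.sha256(pw.encode()).hexdigest()  # the constructed directory keeps digests only

# Constructed sample directory: DN -> attributes. The CN is AD's "Full name".
DIRECTORY = {
    "CN=Firepower Management,CN=Managed Service Accounts,DC=cisconate,DC=local":
        {"sAMAccountName": "FMC-A3", "pw": _h("svc-secret")},
    "CN=Jane Doe,CN=Users,DC=cisconate,DC=local":
        {"sAMAccountName": "jdoe", "pw": _h("jdoe-secret")},
    "CN=Firepower Administrators,CN=Users,DC=cisconate,DC=local":
        {"member": ["CN=Jane Doe,CN=Users,DC=cisconate,DC=local"]},
}
FMC_OBJECT = {  # the external authentication object fields as the video fills them in
    "base_dn": "DC=cisconate,DC=local",
    "user_name": "Firepower Management",  # the account's Full name, not FMC-A3
    "user_container": "CN=Managed Service Accounts,DC=cisconate,DC=local",
    "ui_access_attribute": "sAMAccountName",
    "admin_group_dn": "CN=Firepower Administrators,CN=Users,DC=cisconate,DC=local",
    "group_member_attribute": "member",
}

def escape_rdn(value):
    """RFC 4514 escaping of one RDN value; spaces inside the value stay as-is."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    out = "\\" + out if out[:1] in ("#", " ") else out
    return out[:-1] + "\\ " if out.endswith(" ") else out

def bind_dn(cfg):
    # The gotcha from the video: the bind DN is built from the CN (Full name).
    return f"CN={escape_rdn(cfg['user_name'])},{cfg['user_container']}"

def simple_bind(dn, password):
    return (e := DIRECTORY.get(dn)) is not None and e.get("pw") == _h(password)

def find_user(cfg, login):
    # Search below the base DN for the entry whose UI access attribute matches.
    attr, base = cfg["ui_access_attribute"], cfg["base_dn"].lower()
    for dn, e in DIRECTORY.items():
        if dn.lower().endswith(base) and str(e.get(attr, "")).lower() == login.lower():
            return dn
    return None

def authenticate(cfg, login, password, svc_password):
    """Mirror the FMC test button: service bind, user lookup, user bind, group check."""
    if not simple_bind(bind_dn(cfg), svc_password):
        return "bind-failed"
    user_dn = find_user(cfg, login)
    if user_dn is None or not simple_bind(user_dn, password):
        return "denied"
    members = DIRECTORY[cfg["admin_group_dn"]].get(cfg["group_member_attribute"], [])
    return "administrator" if user_dn in members else "no-access"
```

Binding with the sAMAccountName in the CN position (FMC-A3) fails against this directory exactly as it does against AD, while the Full name succeeds; a user found by sAMAccountName but absent from the group's member list gets no access.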
Info
Channel: Nathan Stapp
Views: 3,971
Keywords: cisco, cisconate, security, Firepower Management Center, FMC, Active directory, AD
Id: 19ofiCBZHeU
Length: 12min 47sec (767 seconds)
Published: Tue May 12 2020