Firepower Management Center Active Directory Authentication

AD Authenticated Firepower Management Center

The goal of this article is to quickly show you how to configure your Firepower Management Center (FMC) to authenticate against Active Directory.

1. First, log in to the FMC as a local admin.


2. Hover over System, then select Users

3. Select External Authentication


4. Select Add External Authentication Object

5.1 Set the Authentication Method to LDAP, give the object a name (it can be anything), and set the Server Type to MS Active Directory.

5.2 Set your Primary and Backup AD servers (ideally your environment has at least two Domain Controllers, on separate hardware and disks, so that losing one does not lock you out of the FMC).


5.3 Here we set the base DN for the domain, then an LDAP base filter that only admits members of Domain Admins. Finally, we set up a Firepower service account in AD that the FMC binds with (it does not need to be an admin; it only needs to be able to read directory objects). Note that memberOf matches only direct members of the group, so an account that is a Domain Admin only through a nested group will not pass this filter.

Base DN = dc=domain,dc=local

Base Filter = (memberOf=CN=Domain Admins,CN=Users,dc=domain,dc=local)

Username = CN=fire power,CN=Users,DC=domain,DC=local

Note: In production, make sure the Domain Controller has a certificate (ideally issued by your internal CA rather than self-signed, so the FMC can verify it) and enable TLS/SSL on the external authentication object so that the LDAP session is encrypted. With encryption off, the simple bind sends the service account's password, and every admin's password at login, across the network in cleartext, so a man in the middle could grab your AD credentials and wreak havoc.

5.4 Now we need to set our attribute mapping in the FMC. The UI Access Attribute is what the FMC matches against the name the admin types at login; I chose sAMAccountName for consistency. UPN did not work well for me, so I used sAMAccountName instead.

5.5 The group-controlled access roles are for when we want to get granular and map AD groups to different FMC roles. In my setup only Domain Admins need to access the FMC, and only as admins, so I did not need to set this up. I left all of these blank, even the default user role.

5.6 The Shell Access Filter (Linux shell) is set to the same value as the base filter; you do not have to set it if you do not need shell access. Once that is done, go ahead and save the object.


5.7 After clicking Save, you should be taken back to the FMC External Authentication page. We now need to save and apply our settings to the FMC.


5.8 Click Apply here too.

5.9 Now log out and test it!


6. Woohoo, that worked!

Head back to the external authentication page where we set all of this up to view your new user profile.

The FMC creates a local user mapping for every user who logs in externally.

Troubleshooting:

The most common problem I foresee with an AD-authenticated FMC is mistyped DNs, so please double-check those in section 5.3.

Back in the external authentication object, click Edit and you can use the Test button.


Scroll all the way to the bottom of the page and enter Domain Admin credentials to test with.


The page refreshes and shows the result of the test.


If we scroll all the way to the bottom, we can check the verbose test log.
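Before pasting the values from section 5.3 into the FMC, and again when the test above fails, it helps to check the DNs and the filter outside the FMC. The following Python script is an added example; it is not code from the original article or from Cisco. It parses the three DNs from section 5.3 (catching the typos this section warns about), confirms the group DN and the service-account DN sit under the base DN, escapes values correctly when building the filter, shows the nested-group variant of the memberOf filter, and prints an ldapsearch command that reproduces the bind and search over LDAPS. The host name dc01.domain.local, the user jdoe, and the shape of the login search (the UI access attribute ANDed with the base filter) are assumptions made for illustration.

```python
"""Pre-flight checks for an FMC external authentication object.

Added example, not from the original article or from Cisco. The DNs are the
section 5.3 values; dc01.domain.local, jdoe and the login search shape
(UI access attribute ANDed with the base filter) are assumptions.
"""
from __future__ import annotations
import re
import shlex

BASE_DN = "dc=domain,dc=local"
GROUP_DN = "CN=Domain Admins,CN=Users,dc=domain,dc=local"
BIND_DN = "CN=fire power,CN=Users,DC=domain,DC=local"
IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN (nested groups)

# RFC 4515: hex-escape these inside a filter value, or a name such as
# "R&D (ops)" breaks the filter and a "*" widens it to every account.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
_ATTR_TYPE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)+)$")


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (type, value) pairs, honouring RFC 4514 escapes; a
    ValueError names the typo instead of the FMC's bare bind/search failure."""
    rdns: list[tuple[str, str]] = []
    buf: list[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else None
        if ch == "\\":  # escaped character, or a \XX hex pair
            if i + 1 >= len(dn):
                raise ValueError(f"dangling escape at end of {dn!r}")
            if re.fullmatch(r"[0-9A-Fa-f]{2}", dn[i + 1:i + 3]):
                buf.append(chr(int(dn[i + 1:i + 3], 16)))
                i += 3
            else:
                buf.append(dn[i + 1])
                i += 2
            continue
        if ch is None or ch == ",":  # end of an RDN
            rdn = "".join(buf)
            if "=" not in rdn:
                raise ValueError(f"RDN {rdn!r} has no '=' in {dn!r}")
            attr, value = (part.strip() for part in rdn.split("=", 1))
            if not _ATTR_TYPE.match(attr):
                raise ValueError(f"bad attribute type {attr!r} in {dn!r}")
            if not value:
                raise ValueError(f"empty value for {attr} in {dn!r}")
            rdns.append((attr.upper(), value))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return rdns


def is_under(dn: str, base: str) -> bool:
    """True if dn lies below base; DN values compare case-insensitively."""
    d = [(a, v.lower()) for a, v in parse_dn(dn)]
    b = [(a, v.lower()) for a, v in parse_dn(base)]
    return len(d) > len(b) and d[-len(b):] == b


def check_config(base_dn: str, group_dn: str, bind_dn: str) -> list[str]:
    """Return the problems found; an empty list means the three DNs agree."""
    labelled = (("base DN", base_dn), ("group DN", group_dn), ("bind DN", bind_dn))
    problems = []
    for label, dn in labelled:
        try:
            parse_dn(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
    if problems:  # do not compare DNs that did not even parse
        return problems
    for label, dn in labelled[1:]:
        if not is_under(dn, base_dn):
            problems.append(f"{label} {dn!r} is not under base DN {base_dn!r}")
    return problems


def member_filter(group_dn: str, nested: bool = False) -> str:
    """The base filter from 5.3. Plain memberOf matches direct members only;
    nested=True uses the in-chain rule so admins via nested groups pass too."""
    attr = f"memberOf:{IN_CHAIN}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def login_filter(login: str, group_dn: str, ui_attr: str = "sAMAccountName", nested: bool = False) -> str:
    """Assumed login check: UI access attribute ANDed with the base filter.
    Escaping the typed name stops "j*" from matching every admin."""
    return f"(&({ui_attr}={escape_filter_value(login)}){member_filter(group_dn, nested)})"


def ldapsearch_cmd(host: str, bind_dn: str, base_dn: str, ldap_filter: str, port: int = 636) -> str:
    """OpenLDAP client command: bind as the service account over LDAPS (-W prompts
    for its password) and run the filter. Bind error: service account is wrong;
    empty result: that admin would be refused by the FMC."""
    argv = ["ldapsearch", "-H", f"ldaps://{host}:{port}", "-D", bind_dn, "-W",
            "-b", base_dn, "-s", "sub", ldap_filter, "dn", "sAMAccountName"]
    return shlex.join(argv)
```

Call check_config(BASE_DN, GROUP_DN, BIND_DN) with your own values first; an empty list means the three DNs parse and sit under the same base. Then paste the string from ldapsearch_cmd("dc01.domain.local", BIND_DN, BASE_DN, login_filter("jdoe", GROUP_DN)) into a shell on a host that has the OpenLDAP client and trusts the DC's certificate: if the bind succeeds and the entry comes back, the same values will work in the FMC, and a failure here is far easier to read than the FMC's verbose test log. Switch to member_filter(GROUP_DN, nested=True) if admins belong to Domain Admins only through nested groups.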
