AD Authenticated Firepower Management Center
The goal of this article is to quickly show you how you can configure your Firepower Management Center (FMC) to authenticate against Active Directory.
- First login to FMC as a local admin
2. Hover over System, then select Users
3. Select External Authentication
4. Select Add External Authentication Object
5.1 Set the Authentication Method to LDAP, give the object a name (can be anything), set the server type as MS Active Directory
5.2 Set your Primary and Backup AD server (ideally your environment should have two Domain Controllers at a minimum that are on different hardware and disks)
5.3 Here we will set our base DN for the domain, then an LDAP filter to only allow domain admins. Finally we will finish it off by setting up a Firepower service account in AD (does not need to be an ADMIN, just needs to be able to read objects)
Base DN = dc=domain,dc=local
Base Filter = (memberOf=CN=Domain Admins,CN=Users,dc=domain,dc=local)
Username = CN=fire power,CN=Users,DC=domain,DC=local
Note: In production you should make sure to set up a self signed cert on the DC so that the LDAP session is encrypted. If you were to leave encryption off, a man in the middle attack could grab your AD account and wreck havoc.
5.4 Now we need to set our attribute mapping in FMC. This will be what the the admin types in to login, I chose sAMAccountName for consistency. UPN did not work well for me so I used this.
5.5 The group controlled access roles are if we want to get granular and assign FMC membership of tiers. In my setup I only need domain admins to be able to access FMC as admins, so I did not need to set this up. I left all of these blank, even the default user role.
The Shell access filter (linux shell) is set to the same as the base filter, you don’t have to do this if you don’t need shell access.
5.6 Go ahead and save this.
5.7 After clicking save it should have taken you one page back into the FMC external authentication page. We now need to save and apply our settings to the FMC.
5.8 Click apply here too
5.9 Now log out and test it!
6 Wohoo that worked!
Head back into the external authentication page where we set all of this up to view your new user profile.
The FMC creates a mapping for every user that logs in externally.
The most common problem I foresee with AD authenticated FMC is people mistyping their DN’s so please double check those in section 5.3
Back in the external authentication object, if we edit we can go back in and use the test button.
Scroll all the way to the bottom of the page and input some domain admin credentials to test with.
The page refreshes and we see this:
If we scroll all the way to the bottom we can check the verbose test log.