topic Re: FMC External Authentication in Network Security

FMC External Authentication

Imm — Tue, 11 Oct 2022 11:13:52 GMT

Hello,

We have Cisco FMC, version is 7.0.1

I would like to configure access to the FMC based on AD Groups, integration done thought LDAP. At this moment we have 2 AD groups:

First - Full Access (Grant-FMC-Admin), Second - Read Only Security Analyst (Grant-FMC-ReadOnly)

You can see configuration on the screenshot.

There is test result:

As I have discovered, some users can login, some no. What is the problem?

Re: FMC External Authentication

balaji.bandi — Tue, 11 Oct 2022 11:47:59 GMT

This looks for me more of AD side users need to verify they are in correct Group

compare working vs not working so you see the different in user profiles in AD ?

Re: FMC External Authentication

Aref Alsouqi — Tue, 11 Oct 2022 13:08:06 GMT

The issue seems to be related to hitting the maximum limit of query size limit as stated on the error. I would try to use a more specific base DN instead of the root one, and also a base filter that would match all the queried users.

Re: FMC External Authentication

Imm — Tue, 11 Oct 2022 14:05:58 GMT

For example, User1 can be member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user will have correct assigned role. But User2 can be member of Grant-FMC-Admin\Grant-FMC-ReadOnly and this user can't login at all.

Re: FMC External Authentication

Imm — Tue, 11 Oct 2022 15:12:01 GMT

I tried to be more specific, but situation is the same.

Re: FMC External Authentication

Imm — Tue, 11 Oct 2022 15:14:14 GMT

How and what do I need to check regarding these 67 users? These users are created in such way as another 550...

Re: FMC External Authentication

Aref Alsouqi — Tue, 11 Oct 2022 15:45:05 GMT

I don't personally think the issue is related to the users' attributes, I think it is just the size limit that is getting hits. Did you also try the base filter?

Re: FMC External Authentication

Imm — Wed, 12 Oct 2022 12:53:21 GMT

You was right, I done more specific Base DN and now works. Thanks.

Re: FMC External Authentication

Aref Alsouqi — Wed, 12 Oct 2022 12:57:00 GMT

Glad to hear this has been fixed now and you're welcome.

Re: FMC External Authentication

northsidecenter — Thu, 06 Jun 2024 14:35:45 GMT

Hi,

I was able to find the method for the limitation to a specific group, but the result is still an error with found 0 users.

Opening connection to LDAP server - serverip:389 - CN="firepower management",CN="Managed Service Accounts",dc=domain,dc=com
Current TLS Require Cert: 0
binding
bind success
The directory server is up serverip:389
LDAP Server Primary Available
Search Filter Test...
Opening connection to LDAP server - serverip:389 - CN="firepower management",CN="Managed Service Accounts",dc=domain,dc=com
Current TLS Require Cert: 0
binding
bind success
starting search...
base :DC=domain,DC=com
filter :(memberof=CN="Managed Service Accounts",dc=domain,dc=com)
user :fmc-1
attrib :sAMAccountName
ldap_result: 0 -Success
found 0 entries...

Re: FMC External Authentication

s_SiD_s — Mon, 03 Nov 2025 14:34:06 GMT

same thing on 7.6 FMC