Regarding role based access control and Active Directory integration with FireEye back in FEOS versions 7.0.x (webmps), 6.3.2 (emailmps) and 6.4.1 (CMS), we only had the ability to map a single Active Directory group to a single FireEye “role”. And most enterprises would probably have mapped that single group to the Admin role. Well…..
Fast >> Forward >> to FEOS 7.1 “Shasta” where FireEye has merged the various code revisions for web/email/CMS into one single version, and we are finally provided with the tools under the hood to map multiple Active Directory groups to their respective roles (Admin, Monitor, Analyst, Audit, etc…). Huzzah, and thank you to FireEye for finally providing this, FINALLY. Moving on…
So from previous integrations, we were using the below FireEye/AD configs:
FEOS 7.0.x LDAP / AAA Config

FireEye-WebMPS-1(config) # ldap base-dn DC=ACME,DC=com
FireEye-WebMPS-1(config) # ldap bind-dn "CN=FireEye-Auth-User,OU=Service Acct,OU=Admin Service,DC=ACME,DC=com"
FireEye-WebMPS-1(config) # ldap bind-password ***************
FireEye-WebMPS-1(config) # ldap group-attribute member
FireEye-WebMPS-1(config) # ldap group-dn "CN=FireEye-Admin-Group,OU=Global,OU=Domains,DC=ACME,DC=com"
FireEye-WebMPS-1(config) # ldap host ACME.com
FireEye-WebMPS-1(config) # ldap login-attribute sAMAccountName
FireEye-WebMPS-1(config) # ldap port 389
FireEye-WebMPS-1(config) # ldap referrals
FireEye-WebMPS-1(config) # ldap scope subtree
FireEye-WebMPS-1(config) # aaa authentication login default local ldap
FireEye-WebMPS-1(config) # aaa authorization map default-user admin
FireEye-WebMPS-1(config) # wr mem
Saving configuration file ... Done!
In FEOS 7.0.x, without RBAC (Role Based Access Control), the FireEye devices relied on the LDAP configs we set to force the group required for access. In FEOS 7.1 “Shasta”, using AAA rules is the preferred method for mapping AD groups to roles, with the AAA service using the LDAP service to do the look-ups. At this point I am assuming that you have created all the necessary AD/LDAP groups that you plan to use on your FireEye – here is a snippet from the FireEye Operators Guide for 7.1:
Admin: The system administrator is a "super user" who has all capabilities except those that allow access to the FireEye Web services API. The primary function of this role is to configure the system. NOTE: You must be logged in with the admin role to view and access the FireEye appliance settings.
Monitor: The system monitor has read-only access to some things the admin role can change or configure.
Operator: The system operator has a subset of the capabilities associated with the admin role. Its primary function is configuring and monitoring the system.
Analyst: The system analyst focuses on the detection of malware and taking appropriate action, including setting up alerts and reports.
Auditor: The system auditor reviews audit logs and performs forensic analysis to trace how events occurred.
Let's start configuring our AAA settings, shall we? We will start by building the AAA mapping rules on the FireEye. One thing to note here is that the rules are read from the lowest number to the highest, so you will want the rules providing the least access at the top (from least access to most access: Audit –> Analyst –> Operator –> Monitor –> Admin).
aaa authorization rules rule set 1 match-ldap-group "CN=FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user audit
aaa authorization rules rule set 2 match-ldap-group "CN=FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user analyst
aaa authorization rules rule set 3 match-ldap-group "CN=FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user operator
aaa authorization rules rule set 4 match-ldap-group "CN=FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user monitor
aaa authorization rules rule set 5 match-ldap-group "CN=FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com" map-local-user admin

FireEye-WebMPS-1 (config) # sh aaa authorization rules
------------------------------------------------
# AAA Authorization Rules : Enabled
------------------------------------------------
# Rule Statements
------------------------------------------------
# 1 Match LDAP Group : CN=GG-FireEye-Audit,OU=Global,OU=Domains,DC=ACME,DC=com -->Action Map Local User : audit
# 2 Match LDAP Group : CN=GG-FireEye-Analyst,OU=Global,OU=Domains,DC=ACME,DC=com -->Action Map Local User : analyst
# 3 Match LDAP Group : CN=GG-FireEye-Operator,OU=Global,OU=Domains,DC=ACME,DC=com -->Action Map Local User : operator
# 4 Match LDAP Group : CN=GG-FireEye-Monitor,OU=Global,OU=Domains,DC=ACME,DC=com -->Action Map Local User : monitor
# 5 Match LDAP Group : CN=GG-FireEye-Admin,OU=Global,OU=Domains,DC=ACME,DC=com -->Action Map Local User : admin
# 6 Match Auth Methods : remote -->Action Map Local User : deny-access
FireEye-WebMPS-1 (config) #
UPDATE:
FireEye does not have a ‘deny all’ authentication policy, so you must explicitly put the deny in!!!
Rule #6 above is required to ensure that you are denying access to anyone that is NOT in the specified groups!!!
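Added example, not from this post or from FireEye: a small Python model of how the six rules above are evaluated, assuming (as the post states) that rules are read lowest number first and the first match wins, and assuming that a login matching no rule falls back to the `aaa authorization map default-user admin` setting from the 7.0.x config, which is exactly why Rule #6 matters. The group DNs and role accounts are the ones in this post; `norm_dn`, `map_user` and `login_allowed` are hypothetical names.

```python
"""Added example (not FireEye code): model of the ordered AAA rules above.
Assumptions: rules are checked lowest number first and the first match wins;
a login matching no rule falls back to the 7.0.x `default-user admin` value."""
from dataclasses import dataclass
from typing import Iterable, List, Optional

BASE = "OU=Global,OU=Domains,DC=ACME,DC=com"
LOCAL_USERS = {"admin", "monitor", "operator", "analyst", "audit"}  # enabled role accounts

@dataclass
class Rule:
    number: int
    map_local_user: str
    match_ldap_group: Optional[str] = None   # match-ldap-group "<DN>"
    match_auth_method: Optional[str] = None  # match-auth-method remote

RULES: List[Rule] = [
    Rule(1, "audit", match_ldap_group=f"CN=FireEye-Audit,{BASE}"),
    Rule(2, "analyst", match_ldap_group=f"CN=FireEye-Analyst,{BASE}"),
    Rule(3, "operator", match_ldap_group=f"CN=FireEye-Operator,{BASE}"),
    Rule(4, "monitor", match_ldap_group=f"CN=FireEye-Monitor,{BASE}"),
    Rule(5, "admin", match_ldap_group=f"CN=FireEye-Admin,{BASE}"),
    Rule(6, "deny-access", match_auth_method="remote"),  # catch-all deny (Rule #6)
]

def norm_dn(dn: str) -> str:
    """AD DNs compare case-insensitively; also drop spaces after commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def map_user(groups: Iterable[str], rules: List[Rule], auth_method: str = "remote",
             default_user: str = "admin") -> str:
    """Return the local user a login is mapped to; the first matching rule wins."""
    member_of = {norm_dn(g) for g in groups}
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.match_ldap_group is not None:
            if norm_dn(rule.match_ldap_group) in member_of:
                return rule.map_local_user
        elif rule.match_auth_method == auth_method:
            return rule.map_local_user
    return default_user  # no rule matched: assumed default-user fallback

def login_allowed(mapped_user: str) -> bool:
    """deny-access is not an enabled local account, so the login is blackholed."""
    return mapped_user in LOCAL_USERS

if __name__ == "__main__":
    for groups in (["CN=FireEye-Admin," + BASE, "CN=FireEye-Audit," + BASE],
                   ["CN=Domain Users,CN=Users,DC=ACME,DC=com"]):
        user = map_user(groups, RULES)
        print(groups, "->", user, "login allowed:", login_allowed(user))
```

Running `map_user` with `RULES[:5]` (Rule #6 omitted) shows the fallback case: a domain user in none of the FireEye groups lands on the default user instead of being denied.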
Now you will need to enable each local user that you plan to use and assign it a password (please use secure passwords guys…). Once you have the AAA mappings and the local role users are enabled with secure passwords, the last thing you need to do is to remove the FireEye LDAP configuration line for the group-dn, so that the LDAP service is no longer the service controlling the mapping.
Here is what things look like before the group-dn is removed:
FireEye-WebMPS-1> ena
FireEye-WebMPS-1 # sh ldap
User base DN : DC=ACME,DC=com
User search scope : subtree
Login attribute : sAMAccountName
Bind DN : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
Bind password : ********
Group base DN : CN=FireEye-Admin-Group,OU=Global,DC=ACME,DC=com
Group attribute : member
LDAP version : 3
Referrals : yes
Server port : 389
Search Timeout : 5
Bind Timeout : 5
SSL mode : none
Server SSL port : 636 (not active)
SSL cert verify : yes
SSL ca-list : default-ca-list
LDAP servers:
1: ACME.com
FireEye-WebMPS-1 #
Here is what things look like after the group-dn is removed:
FireEye-WebMPS-1> ena
FireEye-WebMPS-1 # sh ldap
User base DN : DC=ACME,DC=com
User search scope : subtree
Login attribute : sAMAccountName
Bind DN : CN=FireEye-Auth-User,OU=Service account,DC=ACME,DC=com
Bind password : ********
Group base DN :
Group attribute : member
LDAP version : 3
Referrals : yes
Server port : 389
Search Timeout : 5
Bind Timeout : 5
SSL mode : none
Server SSL port : 636 (not active)
SSL cert verify : yes
SSL ca-list : default-ca-list
LDAP servers:
1: ACME.com
FireEye-WebMPS-1 #
DONE – WOOHOO!
If you followed this guide you should now have FireEye RBAC functioning, with users from each AD group mapped to their respective FireEye role and receiving that role's specified access level.
If you had issues, please drop me a line and I will see what I can do to help.
Thanks for stopping by!
Hello,
I just would like to know if FireEye has the in-built integration capability to integrate Active Directory with it? All of them: HX, NX, MPS, AX, etc.?
Meaning, if my AD name is Subhash, can I log in to the FireEye console with my AD username (if integration is done) and RBAC is enabled?
Hello Subhash,
Yes, FireEye has native LDAP integration capability, and can be enabled by following the instructions in this post.
You can also find some LDAP integration information on the FireEye customer portal at the link below, which actually references unattributed information from my website:
https://community.fireeye.com/message/2096#2096
Here is another link if you need more information (you shouldn’t need anything more than this blog post really)
https://community.fireeye.com/servlet/JiveServlet/download/2109-5567/FireEye%20Active%20Directory%20Authentication%20Setup.docx
Hope that helps,
Ryan
Can you add multiple Group base DN attributes?
I know you can utilize multiple groups in the same base DN, but I have not had a need to use multiple base DN’s. You may need to dig into the FireEye documentation as well as looking at the online community to see what others have done.
/ryan
What's the command to add Rule #6?
Hi Dan,
The command I used for the above config was:
aaa authorization rules rule set 6 match-auth-method remote map-local-user deny-access
This will act as a catch-all rule that will map the unprivileged LDAP user to a non-existent account named deny-access, basically blackholing the user.
Hope that helps!
Ryan