Six Orbits, Inc.

Enterprise Consulting Services

Six Orbits, a technology consulting solutions provider, offers design and implementation services for today's expanding enterprises. We believe that cloud computing is more than a buzzword: it is an approach to building scalable applications and infrastructure. Our mission is to enable businesses to meet their growing IT needs through the proper application of architecture and technology.

Configuring a Cisco FMC (Firepower Management Center) to authenticate users against LDAP is straightforward once you know which fields matter. Hopefully this page gives you what you need to get over the hurdle.

  1. Define the External Authentication Object (navigate to System | Users | External Authentication)
  2. Choose the following options:
    1. Authentication Method: LDAP
    2. Name: <you pick the name; I usually use the Active Directory domain name>
    3. Host Name / IP address: <a domain controller IP, or the AD domain name if it resolves to the domain controllers… if you use the domain name, DNS already gives you failover across controllers, so you likely don't need to specify a backup server>
    4. Port: 389 (This is unencrypted LDAP: the bind password and every user password the FMC verifies cross the network in cleartext. If the domain controllers offer LDAPS, use port 636, select SSL/TLS encryption in the object and upload the CA certificate that issued the domain controller's certificate so the FMC can validate it.)
    5. Base DN: <the DN under which the user accounts live, such as DC=domain,DC=com or OU=Users,DC=domain,DC=com; the narrower the base, the fewer objects the FMC has to retrieve>
    6. Base Filter: <see notes below>
      1. The FMC does not cope with large result sets (900+ entries). If there are more than about 900 users under the Base DN, restrict the search to the groups that should be allowed to log in to the FMC, like this:
      2. (|(memberOf=CN=GROUP1,DC=domain,DC=com)(memberOf=CN=GROUP2,DC=domain,DC=com))
      3. Use each group's full distinguished name exactly as it appears in the directory; in most domains the group sits under an OU or under CN=Users rather than directly below the domain root.
    7. User Name: <the LDAP bind account… a dedicated, non-expiring service account with read-only directory access. The FMC uses it for every lookup, so avoid a personal account and do not use a domain admin>
    8. Password: <the password for the account above>
    9. UI Access Attribute: sAMAccountName <for Active Directory; other directories typically use uid>
    10. Group Controlled Access Roles (Optional)
      1. If more than one group is listed in the Base Filter, you will likely want to map each group to a different FMC role. Enter each group's full DN next to the role it should receive, using the same syntax as in the filter: CN=GROUP1,DC=domain,DC=com. Users who match the Base Filter but none of the mapped groups receive the Default User Role, so keep that role minimal.
    11. Shell Access Attribute: <same attribute as above>
    12. Shell Access Filter: [check] Same as Base Filter <or use a narrower filter if some groups should get the web UI but not CLI access; shell access to the FMC and the managed FTD devices is far more powerful than UI access and should be limited to administrators>
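The following script is an added example, not code from the original page or from Cisco: it builds the Base Filter above from a list of group DNs, escaping the characters that RFC 4515 gives special meaning inside a filter, and wraps an ldapsearch invocation that checks the bind account and the filter against the directory before you save the object in the FMC. The host, bind DN and group names are placeholders; it assumes OpenLDAP's ldapsearch is installed and that the domain controllers offer LDAPS on port 636.

```shell
#!/bin/sh
# Added example, not part of the original page. Builds the FMC Base Filter from
# group DNs and checks the bind account and filter with ldapsearch (OpenLDAP).

# Escape the characters RFC 4515 treats specially inside a filter assertion
# value (backslash first, so the escapes it produces are not escaped again).
ldap_filter_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# build_memberof_filter <groupDN> [<groupDN> ...]
# Emits "(|(memberOf=DN1)(memberOf=DN2)...)", the form used as Base Filter above.
build_memberof_filter() {
    filter=''
    for dn in "$@"; do
        filter="${filter}(memberOf=$(ldap_filter_escape "$dn"))"
    done
    printf '(|%s)' "$filter"
}

# check_fmc_ldap <dc-host> <bind-dn> <base-dn> <filter>
# Binds as the FMC service account over LDAPS (assumes port 636 is offered),
# returns the matching accounts with the attributes the FMC reads, and prints
# how many entries matched so you know whether the 900+ entry problem applies.
# Paged results keep the query under AD's default 1000-entry server limit.
check_fmc_ldap() {
    host="$1"; bind_dn="$2"; base_dn="$3"; filter="$4"
    # Set LDAPTLS_CACERT to the CA that issued the DC certificate if it is not already trusted.
    ldapsearch -LLL -H "ldaps://$host:636" -D "$bind_dn" -W -b "$base_dn" \
        -E pr=500/noprompt "$filter" sAMAccountName memberOf \
        | awk '/^dn:/ { n++ } { print } END { printf "%d matching entries\n", n }'
}

# Usage with constructed placeholder DNs: print the filter to paste into the FMC.
build_memberof_filter 'CN=GROUP1,DC=domain,DC=com' 'CN=GROUP2,DC=domain,DC=com'
echo
# To test against a real directory (prompts for the bind password), uncomment:
# check_fmc_ldap dc1.domain.com 'CN=svc-fmc,OU=Service Accounts,DC=domain,DC=com' \
#     'DC=domain,DC=com' "$(build_memberof_filter 'CN=GROUP1,OU=Groups,DC=domain,DC=com')"
```

If the check returns the accounts you expect but the FMC still rejects logins, the usual culprits are a group DN that does not match the directory exactly (the filter only matches direct membership, not nested groups) or a bind account whose password has expired.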

With the release of macOS Sierra, Apple updated the bundled SSH client to a newer OpenSSH (7.0 or later). As a result, a number of network devices that were previously administered via SSH from the command line can no longer be reached. OpenSSH 7.0 and later disable the 1024-bit, SHA-1-based diffie-hellman-group1-sha1 key exchange in the client by default, and many older devices offer nothing else, so you may see the following error when attempting to establish an SSH session:

Unable to negotiate with 10.0.0.1 port 22: no matching key exchange method found. Their offer: diffie-hellman-group1-sha1

To keep managing devices that offer only this legacy key exchange, the quick fix is to alias the ssh command in your Bash shell. To do so, add the following line to your Bash profile (~/.bash_profile):

alias ssh='ssh -oKexAlgorithms=+diffie-hellman-group1-sha1'

Two caveats: the alias re-enables the weak group for every host you connect to, not just the legacy devices, and it applies only to interactive Bash sessions (scripts, scp and sftp do not pick it up). Scoping the setting to specific hosts in ~/.ssh/config with a KexAlgorithms directive is the safer option, and the devices themselves should be upgraded or reconfigured to offer a modern key exchange wherever possible.
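The script below is an added example, not code from the original page: instead of the global alias, it appends a per-host stanza to an ssh_config file so that diffie-hellman-group1-sha1 is offered only to the device that needs it, and it uses ssh -G to confirm which key-exchange list the client would actually send to that host. The alias name legacy-switch and the scratch config file are assumptions for the demonstration; 10.0.0.1 is the address from the error message above.

```shell
#!/bin/sh
# Added example, not part of the original page: re-enable the legacy key
# exchange only for the devices that need it, via a Host stanza in ssh_config,
# rather than a global alias that weakens every connection.

# add_legacy_kex_host <alias> <hostname-or-ip> [config-file]
# Appends a Host block (default file: ~/.ssh/config) that adds
# diffie-hellman-group1-sha1 to the client's key-exchange list for that host only.
# Idempotent: a second call for the same alias leaves the file untouched.
add_legacy_kex_host() {
    alias_name="$1"; target="$2"; cfg="${3:-$HOME/.ssh/config}"
    if [ -f "$cfg" ] && grep -q "^Host $alias_name\$" "$cfg"; then
        echo "stanza for $alias_name already present in $cfg" >&2
        return 0
    fi
    umask 077   # ssh refuses a config file that is writable by other users
    mkdir -p "$(dirname "$cfg")"
    cat >> "$cfg" <<EOF

# Legacy device: OpenSSH 7.0+ disables this 1024-bit DH group by default.
Host $alias_name
    HostName $target
    KexAlgorithms +diffie-hellman-group1-sha1
EOF
}

# effective_kex <alias> [config-file]
# Prints the key-exchange list the client would offer to that alias
# (ssh -G, OpenSSH 6.8+) so you can confirm the stanza applies only where intended.
effective_kex() {
    ssh -G -F "${2:-$HOME/.ssh/config}" "$1" | awk '$1 == "kexalgorithms" { print $2 }'
}

# Usage with a constructed scratch config so this file does not touch ~/.ssh:
demo_cfg=$(mktemp)
add_legacy_kex_host legacy-switch 10.0.0.1 "$demo_cfg"
cat "$demo_cfg"
if command -v ssh >/dev/null 2>&1; then
    effective_kex legacy-switch "$demo_cfg"
fi
rm -f "$demo_cfg"
```

Because the stanza only adds the algorithm (the leading +), the client still prefers its modern defaults and falls back to group1-sha1 only when the device offers nothing better; hosts not matched by the stanza are unaffected.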

Using the VMware Client Integration Plugin on macOS Sierra

Many system and network administrators use Macs as their laptop of choice. Unfortunately, there are still a few instances where Windows is required, and when that happens an engineer may resort to a locally installed Windows virtual machine. The VMware Client Integration Plugin (CIP) used to be one of those cases, because its installer does not complete on macOS while System Integrity Protection (SIP) is enabled. By following the process below, which temporarily disables SIP, you can get the CIP installed and working on macOS.

  1. Download the VMware Client Integration Plugin
  2. Restart macOS in Recovery Mode: restart your Mac and hold down ⌘R until the Apple logo appears
  3. Once Recovery Mode has loaded, select “Terminal” from the “Utilities” menu.
  4. Type the following in the terminal: csrutil disable
  5. Restart your Mac normally and install the VMware Client Integration Plugin
  6. Reboot your Mac into Recovery Mode again (steps 2 and 3) and type the following in the terminal: csrutil enable
  7. After the final reboot, confirm that protection is back on: csrutil status should report “System Integrity Protection status: enabled.” Do not leave SIP disabled any longer than the installation takes.

You can now use the CIP to deploy VMs from OVF templates and for the other vSphere Web Client features that require it.

(Note: tested with the Chrome browser. Additional note: I’ve found it works better to push the OVF to a web server and give vCenter the URL rather than try to deploy it from a local file.)