About User Accounts
You can add custom user accounts on the Firepower Management Center and on managed devices, either as internal users or, if supported for your model, as external users on a LDAP or RADIUS server. Each Firepower Management Center and each managed device maintains separate user accounts. For example, when you add a user to the Firepower Management Center, that user only has access to the FMC; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.
Internal and External Users
Firepower devices support two types of users:
- Internal user—The device checks a local database for user authentication. For more information about internal users, see Add an Internal User Account.
- External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server. For more information about external users, see Configure External Authentication.
Web Interface and CLI or Shell Access
When you configure user accounts, you enable web interface access and CLI or shell access separately. Firepower devices include a Firepower CLI that runs on top of Linux. CLI users can also access the Linux shell under TAC supervision or when explicitly instructed by Firepower user documentation. For detailed information about the management UIs, see Firepower System User Interfaces.
Caution: On all devices, users with CLI Config level access or shell access can obtain
Each device type supports different forms of access as detailed here:
- For Firepower Threat Defense, ASA FirePOWER, and NGIPSv, CLI access is available for direct management of the device.
  - You can create internal users on these devices using the CLI.
  - You can establish external users on Firepower Threat Defense devices.
  - Users who log into these devices through the management interface access the CLI. Users with CLI Config level access can access the Linux shell using the CLI expert command.
    Caution: We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation.
- The FMC has a web interface, a CLI, and a Linux shell for direct management of the device.
  - The FMC supports two different internal admin users: one for the web interface, and another with CLI or shell access. These two admin users are different accounts and do not share the same password. The system initialization process synchronizes the passwords for these two admin accounts so they start out the same, but they are tracked by different internal mechanisms and may diverge after initial configuration. See the Getting Started Guide for your model for more information on system initialization. (To change the password for the web interface admin, use > Users. To change the password for the CLI/shell admin, use the FMC CLI command configure password.)
  - FMC internal users added in the web interface have web interface access only.
  - You can grant CLI or shell access to FMC external users.
  - On the FMC by default, when any account with shell or CLI access logs in to the management interface, it directly accesses the Linux shell. When you enable the FMC CLI, these users first gain access to the CLI on logging in and may gain access to the shell with the expert command. See Firepower Management Center Command Line Reference.
- 7000 and 8000 Series devices have both a web interface and a CLI for direct management of the device.
  - 7000 and 8000 Series device internal users have web interface and CLI access.
  - You can enable CLI or shell access for 7000 and 8000 Series device external users.
  - Users who log into these devices through the management interface access the CLI. Users with CLI Config level access can access the Linux shell using the CLI expert command.
    Caution: We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the FMC documentation.
User Roles
User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator managing the device. You can also create custom user roles with access privileges tailored to your organization’s needs.
Web Interface User Roles
The 7000 and 8000 Series devices have access to the following user roles: Administrator, Maintenance User, and Security Analyst.
The Firepower Management Center includes the following predefined user roles:
- Access Admin: Provides access to access control policy and associated features in the Policies menu. Access Admins cannot deploy policies.
- Administrator: Administrators have access to everything in the product; their sessions present a higher security risk if compromised, so you cannot make them exempt from login session timeouts. You should limit use of the Administrator role for security reasons.
- Discovery Admin: Provides access to network discovery, application detection, and correlation features in the Policies menu. Discovery Admins cannot deploy policies.
- External Database User: Provides read-only access to the Firepower System database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the Firepower System appliance, you must enable database access in the system settings. On the web interface, External Database Users have access only to online help-related options in the Help menu. Because this role’s function does not involve the web interface, access is provided only for ease of support and password changes.
- Intrusion Admin: Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies and Objects menus. Intrusion Admins cannot deploy policies.
- Maintenance User: Provides access to monitoring and maintenance features. Maintenance Users have access to maintenance-related options in the Health and System menus.
- Network Admin: Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies menu, as well as device configuration features in the Devices menus. Network Admins can deploy configuration changes to devices.
- Security Analyst: Provides access to security event analysis features, and read-only access to health events, in the Overview, Analysis, Health, and System menus.
- Security Analyst (Read Only): Provides read-only access to security event analysis features and health event features in the Overview, Analysis, Health, and System menus.
- Security Approver: Provides limited access to access control and associated policies and network discovery policies in the Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.
- Threat Intelligence Director (TID) User: Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence Director (TID) Users can view and configure TID.
CLI User Roles
On managed devices, user access to commands in the CLI depends on the role you assign.
Note: CLI external users on the FMC do not have a user role; they can use all available commands.
- None: The user cannot log into the device on the command line.
- Config: The user can access all commands, including configuration commands. Exercise caution in assigning this level of access to users.
- Basic: The user can access non-configuration commands only.
Note: External CLI users on managed devices always have the Config user role. For the Firepower Threat Defense when using RADIUS, you can specify either Config or Basic.