Firepower System User Accounts
You must provide a username and password to obtain local access
to the web interface or CLI on an
FMC or managed device. On managed devices, CLI users with Config level access can use
the expert
command to access the Linux shell. On the FMC, all CLI users can use the expert
command. The FTD and FMC can be configured to use external authentication, storing user credentials on an
external LDAP or RADIUS server; you can withhold or provide CLI access rights to external
users. The FMC can be configured to support Single Sign-On (SSO) using any SSO provider
conforming to the Security Assertion Markup Language (SAML) 2.0 open standard
for authentication and authorization.
The FMC CLI provides a single admin user who has access to all commands. The features FMC web interface users can access are controlled by the privileges an administrator grants to the user account. On managed devices, the features that users can access for both the CLI and the web interface are controlled by the privileges an administrator grants to the user account.
Note |
The system audits user activity based on user accounts; make sure that users log into the system with the correct account. |
Caution |
All FMC CLI users and, on managed devices, users with Config level CLI access can obtain root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:
|
Caution |
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation. |
Different appliances support different types of user accounts, each with different capabilities.
Firepower Management Centers
Firepower Management Centers support the following user account types:
-
A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.
-
Custom user accounts, which provide web interface access and which admin users and users with administrator privileges can create and manage.
-
A pre-defined admin account for CLI access. Users logging in with this account can use the
expert
command to gain access to the Linux shell.During initial configuration, the passwords for the CLI admin account and the web interface admin account are synchronized but, optionally, thereafter you can configure separate passwords for the two admin accounts.
Caution |
For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users on any appliance. |
NGIPSv Devices
NGIPSv devices support the following user account types:
-
A pre-defined admin account which can be used for all forms of access to the device.
-
Custom user accounts, which admin users and users with Config access can create and manage.
The NGIPSv does not support external authentication for users.
Firepower Threat Defense and Firepower Threat Defense Virtual Devices
Firepower Threat Defense and Firepower Threat Defense Virtual devices support the following user account types:
-
A pre-defined adminaccount which can be used for all forms of access to the device.
-
Custom user accounts, which admin users and users with Config access can create and manage.
The Firepower Threat Defense supports external authentication for SSH users.
ASA FirePOWER Devices
The ASA FirePOWER module supports the following user account types:
-
A pre-defined admin account.
-
Custom user accounts, which admin users and users with Config access can create and manage.
The ASA FirePOWER module does not support external authentication for users. Accessing ASA devices via the ASA CLI and ASDM is described in the Cisco ASA Series General Operations CLI Configuration Guide and the Cisco ASA Series General Operations ASDM Configuration Guide.