CLI users
A CLI user is a user account that
-
can be added as internal users or as external users on a LDAP or RADIUS server
-
is maintained separately on each managed device, and
-
requires separate configuration for access to the Cloud-Delivered Firewall Management Center versus managed devices.
User account separation
When you add a user to the Cloud-Delivered Firewall Management Center, that user only has access to the Cloud-Delivered Firewall Management Center; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.
Internal and external users
Internal and external users are authentication categories that managed devices support for user access control.
-
Internal users authenticate through a local database on the device
-
External users authenticate through external LDAP or RADIUS authentication servers when not present in the local database, and
-
both user types enable secure access management to network devices.
User authentication types
Managed devices support these user authentication methods:
-
Internal user—The device checks a local database for user authentication.
-
External user—If the user is not present in the local database, the system queries an external LDAP or RADIUS authentication server.
CLI access
CLI access is a command-line interface capability that
-
provides a Firepower CLI running on top of Linux for device administration
-
enables creation of internal users on devices using the CLI, and
-
supports establishment of external users on Firewall Threat Defense devices using the Cloud-Delivered Firewall Management Center.
Security considerations for CLI access
Users with CLI Config level access can access the Linux shell using the expert command, and obtain sudoers privileges in the Linux shell, which can present a security risk.
![]() Caution |
Users with CLI Config level access can access the Linux shell using the expert command, and obtain
|
CLI user roles
A CLI user role is an access control mechanism that
-
determines the level of command access a user has on managed devices,
-
controls whether users can execute configuration or non-configuration commands, and
-
provides security by restricting unauthorized access to critical system functions.
Role types and permissions
On managed devices, user access to commands in the CLI depends on the role you assign.
-
None: The user cannot log into the device on the command line.
-
Config: The user can access all commands, including configuration commands. Exercise caution in assigning this level of access to users.
-
Basic: The user can access non-configuration commands only. Allowed commands are dig, ping, and traceroute. Only internal users and Firewall Threat Defense external RADIUS users support the Basic role.

Feedback