Firepower System User Accounts
You must provide a username and password to obtain local access to the web interface, shell, or CLI on an FMC or managed device. On managed devices, CLI users with Config level access can use the expert command to access the Linux shell. On the FMC, all CLI users can use the expert command. The FTD and FMC can be configured to use external authentication, storing user credentials on an external LDAP or RADIUS server; you can withhold or provide CLI/shell access rights to external users.
The FMC CLI provides a single admin user who has access to all commands. The features FMC web interface users can access are controlled by the privileges an administrator grants to the user account. On managed devices, the features that users can access for both the CLI and the web interface are controlled by the privileges an administrator grants to the user account.
Note: The system audits user activity based on user accounts; make sure that users log into the system with the correct account.
Caution: All FMC CLI users and, on managed devices, users with Config level CLI access can obtain root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:
Caution: We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Firepower user documentation.
Different appliances support different types of user accounts, each with different capabilities.
Firepower Management Centers
Firepower Management Centers support the following user account types:
- A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.
- Custom user accounts, which provide web interface access and which admin users and users with administrator privileges can create and manage.
- A pre-defined admin account for CLI or shell access, which can obtain root privileges. By default, when this admin account logs into the device, it has direct access to the shell. But when the Firepower Management Center CLI is enabled, users logging in with this account must use the expert command to gain access to the shell.
Caution: For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users on any appliance.
7000 & 8000 Series Devices
7000 & 8000 Series devices support the following user account types:
- A pre-defined admin account which can be used for all forms of access to the device.
- Custom user accounts, which admin users and users with the administrator role can create and manage.
The 7000 & 8000 Series supports external authentication for users.
NGIPSv Devices
NGIPSv devices support the following user account types:
- A pre-defined admin account which can be used for all forms of access to the device.
- Custom user accounts, which admin users and users with Config access can create and manage.
The NGIPSv does not support external authentication for users.
Firepower Threat Defense and Firepower Threat Defense Virtual Devices
Firepower Threat Defense and Firepower Threat Defense Virtual devices support the following user account types:
- A pre-defined admin account which can be used for all forms of access to the device.
- Custom user accounts, which admin users and users with Config access can create and manage.
The Firepower Threat Defense supports external authentication for SSH users.
ASA FirePOWER Devices
The ASA FirePOWER module supports the following user account types:
- A pre-defined admin account.
- Custom user accounts, which admin users and users with Config access can create and manage.
The ASA FirePOWER module does not support external authentication for users. Accessing ASA devices via the ASA CLI and ASDM is described in the Cisco ASA Series General Operations CLI Configuration Guide and the Cisco ASA Series General Operations ASDM Configuration Guide.