topic Re: Local admin and user account on cisco FTD disabled in Network Security

Local admin and user account on cisco FTD disabled

systems100 — Wed, 28 Sep 2022 08:30:42 GMT

Dears,

Kindly assist, i noticed that local admin and user account i created was disabled, though i had not used those two accounts for a while i use one other account to access the FTD via cli.

Please what do you think could cause this?.

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 08:34:28 GMT

Normally admin account can not be disable. unless you forget the password? Is your FTD is using the LDAP/Radius authentication?

Re: Local admin and user account on cisco FTD disabled

systems100 — Wed, 28 Sep 2022 08:42:24 GMT

It is not using ldap or radius.

I observed that both account became enabled suddenly afterwards.

Am thinking this is just a setup mechanism on ftd to prevent unauthorized access.

What do you think?

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 08:53:28 GMT

What is the FTD version and what the FXOS version you on? Is your FTD running the FTD code or running the ASA code?

this should not happened. Not doubting you but could be you put in the wrong password earlier?

Found this on cisco documentation.

Failed Authentication—The user was prompted to authenticate, but failed to enter a valid
username/password pair within the maximum number of allowed attempts.

Re: Local admin and user account on cisco FTD disabled

Aref Alsouqi — Wed, 28 Sep 2022 08:53:15 GMT

AFAIK the local admin account is exempted from being locked out, the only exception for this would be if you are using a restrict security standards such as the US DoD. How did you notice those users were in disabled state?

Re: Local admin and user account on cisco FTD disabled

systems100 — Wed, 28 Sep 2022 09:03:38 GMT

I noticed this by doing "show users" on the cisco FTD in the clish mode.

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 09:14:26 GMT

show users in clish mode will show you all the username are configured in your FTD. (This include the username who have access the FMC) they will also showed in show users in clish.

Re: Local admin and user account on cisco FTD disabled

Aref Alsouqi — Wed, 28 Sep 2022 09:20:26 GMT

Did you notice if it was showing "Yes" in the lock column while they were disabled?

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 09:38:46 GMT

I just check mine. it showed Lock No. but in your case in first attempt you could not login and suddenly later on it let you in the CLI.

show user
Login UID Auth Access Enabled Reset Exp Warn Str Lock Max
abc 1084 Remote Config Enabled N/A Never N/A Dis No N/A
xyz 1018 Remote Config Enabled N/A Never N/A Dis No N/A
admin 101 Local Config Enabled No Never N/A Ena No N/A

Re: Local admin and user account on cisco FTD disabled

systems100 — Wed, 28 Sep 2022 09:56:07 GMT

It is currently showing no:

Login UID Auth Access Enabled Reset Exp Warn Grace MinL Str Lock Max
admin 101 Local Config Enabled No Never Disabled Disabled 0 Dis No N/A
abc 1001 Local Config Enabled Yes Never Disabled Disabled 1 Dis No 5
dof 1000 Local Config Enabled No Never Disabled Disabled 12 Dis No 5

also do you know a command to set the password policy on the FTD?

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 10:03:46 GMT

You can use these blow feature. for example to set the minim password length. if you use Managed the FTD from FMC in that case you can look at the FMC Gui.

how you managed your FTD standalone or via fmc?

> configure user access Set user access level add Add user aging Set user password aging delete Delete user disable Disable user enable Enable user forcereset Force user password reset maxfailedlogins Set maximum failed logins minpasswdlen Set minimum password length password Set user password strengthcheck Set strength requirement on user password unlock Unlock user account

have a look on tihs document

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

Re: Local admin and user account on cisco FTD disabled

Aref Alsouqi — Wed, 28 Sep 2022 11:38:33 GMT

Would really be interesting to check the lock column if this should happen again. If you see the disabled users marked as locked out, including the admin account and you are not using any strict security model, then I would raise this with Cisco. I don't think you can configure the password policy on the FTD from the UI, I think you can only use the "configure user ..." command as already mentioned.

Re: Local admin and user account on cisco FTD disabled

Sheraz.Salim — Wed, 28 Sep 2022 11:58:48 GMT

@Aref Alsouqi just to confirm i have tested

> configure user strengthcheck apiuser enable

you can check the strengthcheck if the password is strong.

Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

however you can add,enable and disable

Re: Local admin and user account on cisco FTD disabled

Aref Alsouqi — Wed, 28 Sep 2022 13:04:33 GMT

that is possible from the CLI, but I don't think you have equivalent configuration section on the UI.