topic Re: new user on Cisco Firepower 1120 unable to https in Network Security

new user on Cisco Firepower 1120 unable to https

network_geek1979 — Tue, 16 Apr 2024 08:45:53 GMT

Team,
We have a new Cisco Firepower 1120 just configured with basic configuration.

After the admin user I added another user with the "configure user add" command.
This new user can SSH to the device but cannot SSL.

Further, I want to ensure that this new user has all admin rights and for the same I have provided the "config" rights.
Will that suffice?

Regards,

Re: new user on Cisco Firepower 1120 unable to https

MHM Cisco World — Tue, 16 Apr 2024 08:52:19 GMT

Can you access http using admin user ?

MHM

Re: new user on Cisco Firepower 1120 unable to https

network_geek1979 — Tue, 16 Apr 2024 08:53:25 GMT

Hi, yes https works using "admin" user

Thanks,

Re: new user on Cisco Firepower 1120 unable to https

Rob Ingram — Tue, 16 Apr 2024 10:44:28 GMT

@network_geek1979 that's because the configure user add command creates a user account with CLI access only, they cannot log into the device manager web interface.

"You can create local user accounts that can log into the CLI using the configure user add command. However, these users can log into the CLI only. They cannot log into the device manager web interface." reference - https://www.cisco.com/c/en/us/td/docs/security/firepower/740/fdm/fptd-fdm-config-guide-740/fptd-fdm-get-started.html

Re: new user on Cisco Firepower 1120 unable to https

network_geek1979 — Tue, 16 Apr 2024 09:03:28 GMT

Hi Rob, where can I configure that? I see I can go to Objects and then create a new user.
However, it does not allow me to provide "MGMT" as the service types.

Re: new user on Cisco Firepower 1120 unable to https

Rob Ingram — Tue, 16 Apr 2024 09:09:45 GMT

@network_geek1979 actually you cannot create additional local admin user accounts, you'd have to use an external AAA.

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-mgmt.html#id_73790

Managing Device Manager and Threat Defense User Access

"You can configure an external authentication and authorization source for users to log into threat defense (HTTPS access). You can use an external server in addition to, or instead of, the local user database and the system-defined admin user. Note that you cannot create additional local user accounts for device manager access."

Re: new user on Cisco Firepower 1120 unable to https

MHM Cisco World — Tue, 16 Apr 2024 10:02:24 GMT

The new user use same subnet of admin' and admin can access http

Then this limitation of fpr.

To be more sure

Debug http 255

Abd try access

MHM

Re: new user on Cisco Firepower 1120 unable to https

Aref Alsouqi — Tue, 16 Apr 2024 11:17:08 GMT

@Rob Ingram is right, if you are managing this FTD via FDM then creating multiple admin users for the GUI accesses is not supported. In that case you would need to rely on an external authentication server such as ISE or Microsoft NPS for example. Here is a post of mine I had created to show you how to do it:

Creating Multiple Admin Accounts for FDM GUI Accesses (bluenetsec.com)