topic Create a second local admin user on FTD FDM in Network Security

Create a second local admin user on FTD FDM

rwills — Wed, 20 Nov 2024 19:07:15 GMT

I am trying to create a second local admin user on a Cisco FTD device. It is a standalone device, running version 7.2.8-25, using FDM. I have no FMC.

I have tried creating a second admin user in the cli using

configure user add jsmith password config

I have tried creating it in expert mode

sudo su

usertool.pl -p 'jsmith password'

The new user does show up in CLI when I run the command 'show user'

> show user

admin 100 Local Config Enabled No 10000 7 Disabled 8 Ena No N/A

jsmith 1000 Local Config Enabled No 10000 7 Disabled 0 Dis No 5

And it shows up in expert mode when I run 'usertool.pl -d'

root@FTD01:/home/admin# usertool.pl -d

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

*********************************************************

User:jsmith UserID:10 Real Name:none

Contact:none Email:none

User is active

The user is human

Password strength checking off

Number of failed login attempts: 0

Max number of failed login attempts: 5

Last Login: Thu Jan 1 00:00:00 1970

Last Failed Login: Thu Jan 1 00:00:00 1970

Last Validate: Thu Jan 1 00:00:00 1970

Last Changed Password:

Hard Expires: ~ 0 days, 0sec

Soft Expires: ~ 0 days, 0sec

*********************************************************

But I cannot log into the GUI with this new account. It just says "Unable to authorize access. If you continue to have difficulty accessing this device, please contact the system administrator"

How do I activate this user for admin GUI access?

Re: Create a second local admin user on FTD FDM

Rob Ingram — Wed, 20 Nov 2024 19:12:14 GMT

@rwills with FDM as of 7.6 you cannot create additional user accounts for FDM management access. You'd have to use external authentication (i.e. RADIUS)

Re: Create a second local admin user on FTD FDM

Jonatan Jonasson — Thu, 21 Nov 2024 00:31:13 GMT

As Rob mentioned, you can only use the "admin" user when using locally authenticated users to FDM, as of 7.6

But for reference this is stated in the System Administration -> System Management section of the FDM Config guide:
"You can configure an external authentication and authorization source for users to log into threat defense (HTTPS access). You can use an external server in addition to, or instead of, the local user database and the system-defined admin user. Note that you cannot create additional local user accounts for device manager access."

https://www.cisco.com/c/en/us/td/docs/security/firepower/720/fdm/fptd-fdm-config-guide-720/fptd-fdm-mgmt.html#id_73790

Re: Create a second local admin user on FTD FDM

ahollifield — Fri, 22 Nov 2024 00:58:45 GMT

What is the use-case for FDM? Why not FMC/cdFMC?

Re: Create a second local admin user on FTD FDM

Jonatan Jonasson — Sat, 23 Nov 2024 00:03:02 GMT

@ahollifield this topic can be highly religious and probably deserves it's own thread 😛

Jokes aside, and while I can't speak for OP, there are a number of use cases from costs/logistics/operational and competitive standpoints to use FDM and not FMC.
Personally I would use FDM in more places if it had close to feature parity with FMC for single-box or single-pair environments.