Firepower 2120: 'configure user delete' causes 'Invalid target user'

swscco001
Level 3

Hello everybody,

A customer has a Firepower 2120 running release 7.4.1.1, and we lost the password
of a certain user ('acp-admin').

 

> show user
Login              UID   Auth Access  Enabled Reset   Exp     Warn    Grace MinL Str Lock Max
acp-admin         1000  Local Config  Enabled   Yes Never Disabled Disabled    1 Dis   No   5
admin              101  Local Config  Enabled    No Never Disabled Disabled    1 Dis   No N/A
qemu               994 Remote  Basic  Enabled   N/A Never Disabled Disabled    0 Dis   No N/A

 

We are logged in as the user 'admin' and want to delete the user 'acp-admin':

 

> configure user delete acp-admin
Invalid target user.

 

I found bug CSCwf89641 for this misbehaviour.

I have two questions:

Is it possible to delete the user anyway?

Is it possible to simply change the password of the user 'acp-admin' while I am logged in as the user 'admin'
(or can I only change my own password)?

Please let me know!

Every hint is welcome.

Thanks a lot!




Bye
R.
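As an added example (not code from the thread or from Cisco), here is a small parser for the 'show user' output quoted above that flags enabled local accounts with Config access other than the built-in admin, i.e. accounts like 'acp-admin' that deserve a review before their credentials get lost; the sample table is constructed from the post.

```python
"""Parse FTD 'show user' output and flag local Config-access accounts.
The sample output below is constructed to match the post; it is not a
capture from a real device."""

SHOW_USER = """\
Login              UID   Auth Access  Enabled Reset   Exp     Warn    Grace MinL Str Lock Max
acp-admin         1000  Local Config  Enabled   Yes Never Disabled Disabled    1 Dis   No   5
admin              101  Local Config  Enabled    No Never Disabled Disabled    1 Dis   No N/A
qemu               994 Remote  Basic  Enabled   N/A Never Disabled Disabled    0 Dis   No N/A
"""

# Column names in the order 'show user' prints them.
COLUMNS = ["login", "uid", "auth", "access", "enabled", "reset", "exp",
           "warn", "grace", "minl", "str", "lock", "max"]


def parse_show_user(text):
    """Return one dict per account row; the header and blank lines are skipped.
    Every value is a single token, so whitespace splitting is enough."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != len(COLUMNS) or fields[0] == "Login":
            continue
        rows.append(dict(zip(COLUMNS, fields)))
    return rows


def flag_local_config_accounts(rows, expected=("admin",)):
    """Enabled, locally authenticated accounts with Config access that are
    not on the expected list: candidates for review, rotation or removal."""
    return [r["login"] for r in rows
            if r["auth"] == "Local" and r["access"] == "Config"
            and r["enabled"] == "Enabled" and r["login"] not in expected]


if __name__ == "__main__":
    for login in flag_local_config_accounts(parse_show_user(SHOW_USER)):
        print(f"review local Config-access account: {login}")
```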



Marvin Rhoads
Hall of Fame

According to the bug you mentioned, the workaround is to delete the user from the FXOS CLI.

https://www.cisco.com/c/en/us/td/docs/security/firepower/fxos/fxos271/cli-guide/b_CLI_ConfigGuide_FXOS_271/user_management.html#task_018DF73D741D4E7CB9A6E8A5F9D25CF9

I would first check to make sure it is not an externally authenticated user defined in FMC. If that is the case, then the user account should be deleted from FMC.

Hi Marvin,

thanks for the useful information!

In the FMC this user does not exist. So we will try to solve the issue on the FX-OS CLI.

Thanks a lot!



Bye
R.

Hi Marvin,

I followed the guide you linked:

Step 1

Enter security mode:

Firepower-chassis# scope security

Step 2

Delete the local-user account:

Firepower-chassis /security # delete local-user local-user-name

Step 3

Commit the transaction to the system configuration:

Firepower-chassis /security # commit-buffer


When I enter the command 'commit-buffer'

FTD /Security* commit-buffer

I get the error message:

Error: Change not allowed. use: 'connect ftd' to make changes.

But with 'connect ftd' I just switch to FTD mode, and the "*" stays
in the FX-OS mode CLI.

Do you have any idea what's going wrong?

Please let me know.

Thanks a lot!




Bye
R.



Try using the command "sysopt sam 1001 on" first. Afterwards set it back to "off".

Hi Marvin,

the command 'sysopt' is available neither in FTD mode nor in FX-OS mode. We don't have ASA mode in this configuration:

030-420-0001# show version
  Version: 2.14(1.131)
  Startup-Vers: 2.14(1.131)
030-420-0001# ?
  acknowledge     Acknowledge
  backup          Backup
  commit-buffer   Commit transaction buffer
  connect         Connect to Another CLI
  create          Create managed objects
  discard-buffer  Discard transaction buffer
  end             Go to exec mode
  exit            Exit from command interpreter
  scope           Changes the current mode
  set             Set property values
  show            Show system information
  terminal        Terminal
  top             Go to the top mode
  up              Go up one mode
  where           Show information about the current mode

030-420-0001# connect ftd
> show version
------------------[ 030-420-0001 ]------------------
Model                     : Cisco Firepower 2130 Threat Defense (77) Version 7.4.1.1 (Build 12)
UUID                      : 5dfa0ba6-c6fc-11ea-b23d-a09591deb9b4
LSP version               : lsp-rel-20240715-2005
VDB version               : 377
----------------------------------------------------

> ?
  aaa-server                     Specify a AAA server
  activate-tunnel-group-scripts  Reload ASDM generated scripts for username-from-certificate
  app-agent                      Configure appagent features
  asp                            Configure ASP parameters
  attribute                      Modify a monitored attribute
  blocks                         Set block diagnostic parameters
  capture                        Capture inbound and outbound packets on one or more interfaces
  capture-traffic                Display traffic or save to specified file
  clear                          Reset functions
  cluster                        Cluster exec mode commands
  configure                      Change to Configuration mode
  conn                           Connection
  connect                        Connect to another component.
  copy                           Copy from one file to another
  cpu                            general CPU stats collection tools
  crypto                         Execute crypto Commands
  debug                          Debugging functions (see also 'undebug')
  delete                         Delete a file
  dig                            Look up an IP address or host name with the DNS servers
  dir                            List files on a filesystem
  dns                            List files on a filesystem
  dynamic-access-policy-config   Activates the DAP selection configuration file.
  eotool                         Change to Enterprise Object Tool Mode
  exit                           Exit this CLI session
  expert                         Invoke a shell
  failover                       Perform failover operation in Exec mode
  file                           Change to File Mode
  fips                           Execute FIPS tests
  fsck                           Filesystem check
  help                           Interactive help for commands
  history                        Display the current session's command line history
  ldapsearch                     Test LDAP configuration
  logging                        Configure flash file name to save logging buffer
  logout                         Logout of the current CLI session
  memory                         Memory tools
  more                           Display the contents of a file
  no                             Negate a command or set its defaults
  packet-tracer                  trace packets in F1 data path
  perfmon                        Change or view performance monitoring options
  pigtail                        Tail log files for debugging (pigtail)
  ping                           Test connectivity from specified interface to an IP address
  pmtool                         Change to PMTool Mode
  reboot                         Reboot the sensor
  redundant-interface            Redundant interface
  restore                        This command is used to restore FTD from sfr prompt
  sftunnel-status                Show sftunnel status
  sftunnel-status-brief          Show sftunnel status brief
  show                           Show running system information
  shun                           Manages the filtering of packets from undesired hosts
  shutdown                       Shutdown the sensor
  sync-from-peer                 Sync from peer FTD
  system                         Change to System Mode
  tail-logs                      Tails the logs selected by the user
  test                           Test subsystems, memory, interfaces, and configurations
  traceroute                     Find route to remote network
  undebug                        Disable debugging functions (see also 'debug')
  upgrade                        Install Upgrade Package
  verify                         Verify a file
  vpn-sessiondb                  Configure the VPN Session Manager
  webvpn-cache                   Remove cached object

Is there something else that we could try?

Thanks a lot!


Bye
R.



The sysopt command is undocumented/hidden from the help command, but should be available in fxos mode.

3110-fw-1# 
  acknowledge     Acknowledge 
  backup          Backup 
  commit-buffer   Commit transaction buffer 
  connect         Connect to Another CLI 
  discard-buffer  Discard transaction buffer 
  end             Go to exec mode 
  exit            Exit from command interpreter 
  scope           Changes the current mode 
  set             Set property values 
  show            Show system information 
  terminal        Terminal 
  top             Go to the top mode 
  up              Go up one mode 
  where           Show information about the current mode 

3110-fw-1# sysopt sam 1001 on
WARNING: FXOS configuration changes are experimental and are NOT supported.
WARNING: All FXOS changes can be overwritten on next policy deployment.
FXOS option 1001 was enabled.
3110-fw-1# sysopt sam 1001 off
FXOS option 1001 was disabled.
3110-fw-1#

Hi Marvin,

the hidden sysopt command solved the issue, even though the warning
Warning: Changes not supported. use: 'connect ftd' to make changes.
appeared.

011-415-0001# sysopt sam 1001 on
WARNING: FXOS configuration changes are experimental and are NOT supported.
WARNING: All FXOS changes can be overwritten on next policy deployment.
FXOS option 1001 was enabled.
011-415-0001# scope security
011-415-0001 /security # delete local-user acp-admin
011-415-0001 /security* # commit-buffer
Warning: Changes not supported. use: 'connect ftd' to make changes.
011-415-0001 /security # up
011-415-0001# sysopt sam 1001 off
FXOS option 1001 was disabled.

Thanks a lot and have a nice weekend!



Bye
R.



