How to Add Additional User Accounts to FMC Command Line

dewey89
Level 1

Hello all, I'm trying to get our Firepower suite scanned using Tenable SC and have been successful in getting the hosts scanned. The next step is to scan the FMC appliance. We are using the FMC 6.4 virtual appliance hosted on VMware and the CLI is different from the hardware.

There's an admin account on the FMC, but I can't see how to add a second user name for admin. Can this even be done? I attempted this a year ago when the systems were installed, but the documentation was/is scarce and I've had other priorities.

Everything I've researched either branches out to adding users to the FTD hosts or it references the FMC GUI instead of the command line.

12 Replies

toddlammle
Level 1

Dewey, you cannot add users, or much even, to the FMC CLI. Users can only be created and managed from the System>Users GUI. There is troubleshooting available from the CLI, download of troubleshooting files, and verification of files and logs, but it's limited to admins on what we can accomplish on the FMC CLI.

Todd, thanks for answering.

As I said, I'm trying to conduct vulnerability and audit scans on the FMC. Just yesterday I fixed the issues with the FTD2110's, which were scanning the CLI using SSH.

I didn't think the FMC CLI would be the answer. I'm reviewing the Tenable website and other resources to find out if it's even possible.

Thanks for all of the content you provide!


Hi Dewey, you’re welcome! Good luck with your audit scans.

Although it is not recommended to use the CLI to make changes, or in this case add users, it can be done. Have a look at the following guide for the steps.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/user_accounts_for_management_access.html#id_63528

--
Please remember to select a correct answer and rate helpful posts

The guide is talking about devices, not the FMC, and says this explicitly:

For the Firepower Threat Defense, NGIPSv, and ASA FirePOWER, you must add internal users at the CLI.
You cannot add users at the CLI on the Firepower Management Center and 7000 and 8000 Series.

That's what I've been reading today. The Cyber team wants to be able to scan all devices and the vFMC appliance is on their list to get working.

I may have to tell them that it can't be done, but I'm still looking.

Hi,

We have a Nessus scanner used for vulnerability scans in the environment. And now we are trying to confirm whether an authenticated scan is possible or not for the Cisco FMC 2000 device.

It seems we cannot create a CLI user in Cisco FMC 2000. Can we confirm this, please?

You cannot create a new local cli user with local authentication, but you can create a local user who is externally authenticated. You do this from the FMC GUI.

As long as you have enabled shell authentication, those users can log into the shell (cli). I am using ISE (RADIUS method) with AD as the backend identity source as my authentication server for FMC and it works fine.

Here's my setup:

[Images: FMC External Authentication.PNG, FMC Users.PNG]


[C:\~]$ ssh adm-marvin@172.31.1.10


Connecting to 172.31.1.10:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING: The use of this system is restricted to authorized users only.

Unauthorized access, use, or modification of the computer system or of the data contained herein or in transit to/from this system may subject you to criminal prosecution.

These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures.

Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in the system by a user.

If monitoring reveals possible evidence of criminal activity, such evidence may be provided to law enforcement personnel.


Last login: Tue Apr 28 05:51:09 UTC 2020 from dcprime.ccielab.mrneteng.com on pts/1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower Management Center for VMWare v6.6.0 (build 90)

>

[Image: FMC ISE Authentication]
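The session transcript above is the evidence a scanning team actually needs to keep: which account reached the appliance, what version it reports, and whether the login landed in the restricted `>` CLI (where an authenticated scan will still need an escalation step) rather than a root shell. The following parser is an added example, not code from the original post or from Cisco; it works on a constructed copy of the transcript quoted above, and the record fields and helper names (`FmcLoginRecord`, `parse_fmc_login`, `scan_needs_escalation`) are my own assumptions about how one might store that evidence.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the tail of the SSH session quoted in the post above.
SAMPLE_SESSION = """\
Last login: Tue Apr 28 05:51:09 UTC 2020 from dcprime.ccielab.mrneteng.com on pts/1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower Management Center for VMWare v6.6.0 (build 90)

>
"""


@dataclass
class FmcLoginRecord:
    """Hypothetical evidence record for one FMC CLI login (assumed structure)."""
    os_version: Optional[str] = None
    os_build: Optional[int] = None
    product: Optional[str] = None
    product_version: Optional[str] = None
    product_build: Optional[int] = None
    last_login_from: Optional[str] = None
    reached_restricted_cli: bool = False  # True once the bare '>' prompt appears


# The underlying OS line and the product line both start with "Cisco Fire..."
# so each pattern anchors on its own full prefix to avoid cross-matching.
OS_RE = re.compile(r"^Cisco Fire Linux OS v(\S+) \(build (\d+)\)")
PRODUCT_RE = re.compile(r"^Cisco (Firepower Management Center.*?) v(\S+) \(build (\d+)\)")
LAST_LOGIN_RE = re.compile(r"^Last login: .* from (\S+) on ")


def parse_fmc_login(transcript: str) -> FmcLoginRecord:
    """Extract version, last-login origin and prompt level from a captured session."""
    rec = FmcLoginRecord()
    for raw in transcript.splitlines():
        line = raw.rstrip()
        m = OS_RE.match(line)
        if m:
            rec.os_version, rec.os_build = m.group(1), int(m.group(2))
            continue
        m = PRODUCT_RE.match(line)
        if m:
            rec.product = m.group(1)
            rec.product_version, rec.product_build = m.group(2), int(m.group(3))
            continue
        m = LAST_LOGIN_RE.match(line)
        if m:
            rec.last_login_from = m.group(1)
            continue
        # The restricted FMC CLI presents a bare '>' prompt; a root shell would not.
        if line == ">":
            rec.reached_restricted_cli = True
    return rec


def scan_needs_escalation(rec: FmcLoginRecord) -> bool:
    """A credential that only reaches the '>' CLI cannot run a root-level
    authenticated scan by itself, so the scanner must be configured to escalate."""
    return rec.reached_restricted_cli


if __name__ == "__main__":
    record = parse_fmc_login(SAMPLE_SESSION)
    print(record)
    print("escalation required for authenticated scan:", scan_needs_escalation(record))
```

Run it against a saved `ssh` transcript instead of the constructed sample to confirm, before handing credentials to the scanner, that the externally authenticated account really lands on the appliance and which version the scan results should be correlated with.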

Thanks for the update.

We do not have RADIUS or TACACS integrated; the authentication is via AD and the default profile is "Administrator". Shell authentication is enabled with this AD server, but there is no authorization externally defined for shell access. So with this setup we cannot have access to the CLI via any other user, right? Or is there anything that can be achieved with external AD authentication?

AD or LDAP external authentication methods only apply to GUI users.

To allow shell users other than admin, you need to use RADIUS.

TACACS is not currently supported for any AAA service in Firepower.

Even if the Nessus scanner had shell access, it would only log into the limited CLI, not the expert root user access that's required to do a proper scan. It would need to log in, then change to expert mode, and then sudo to root to do that.

So FMC external CLI users must be pre-created in the GUI, while FTD external CLI users need not be, as they are created automatically in the GUI after first login. Is that correct?

P.S.: s/FMC/CSFTDM/g

What I've researched on the Tenable Website is they can scan the FTD physical devices, but as for FMC there are issues.
