04-01-2020 09:00 AM
Hello all, I'm trying to get our Firepower suite scanned using Tenable SC and have been successful in getting the hosts scanned. The next step is to scan the FMC appliance. We are using the FMC 6.4 virtual appliance hosted on VMware and the CLI is different from the hardware.
There's an admin account on the FMC, but I can't see how to add a second user name for admin. Can this even be done? I attempted this a year ago when the systems were installed, but the documentation was/is scarce and I've had other priorities.
Everything I've researched either branches out to adding users to the FTD hosts or it references the FMC GUI instead of the command line.
04-01-2020 09:36 AM
Dewey, you cannot add users, or much even, to the FMC CLI. Users can only be created and managed from the System>Users GUI. There is troubleshooting available from the CLI, download of troubleshooting files, and verification of files and logs, but it's limited to admins on what we can accomplish on the FMC CLI.
04-01-2020 10:50 AM
Todd, thanks for answering.
As I said, I'm trying to conduct vulnerability and audit scans on the FMC. Just yesterday I fixed the issues with the FTD 2110s, which were scanning the CLI using SSH.
I didn't think the FMC CLI would be the answer. I'm reviewing the Tenable website and other resources to find out if it's even possible.
Thanks for all of the content you provide!
04-01-2020 11:25 AM
04-01-2020 12:37 PM
Although it is not recommended to use the CLI to make changes, or in this case add users, it can be done. Have a look at the following guide for the steps.
04-01-2020 12:41 PM
04-01-2020 01:19 PM
That's what I've been reading today. The Cyber team wants to be able to scan all devices and the vFMC appliance is on their list to get working.
I may have to tell them that it can't be done, but I'm still looking.
04-27-2020 08:58 AM
Hi,
We have a Nessus scanner used for vulnerability scans in the environment, and now we are trying to confirm whether an authenticated scan is possible for the Cisco FMC 2000 device.
It seems we cannot create a CLI user in Cisco FMC 2000. Can we confirm this, please?
04-27-2020 11:04 PM
You cannot create a new local cli user with local authentication, but you can create a local user who is externally authenticated. You do this from the FMC GUI.
As long as you have enabled shell authentication, those users can log into the shell (cli). I am using ISE (RADIUS method) with AD as the backend identity source as my authentication server for FMC and it works fine.
Here's my setup:
[C:\~]$ ssh adm-marvin@172.31.1.10
Connecting to 172.31.1.10:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING: The use of this system is restricted to authorized users only. Unauthorized access, use, or modification of the computer system or of the data contained herein or in transit to/from this system may subject you to criminal prosecution. These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in the system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to law enforcement personnel.

Last login: Tue Apr 28 05:51:09 UTC 2020 from dcprime.ccielab.mrneteng.com on pts/1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved.
Cisco is a registered trademark of Cisco Systems, Inc.
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower Management Center for VMWare v6.6.0 (build 90)

>
04-28-2020 02:21 AM
Thanks for the update.
We do not have RADIUS or TACACS integrated; the authentication is via AD and the default profile is "Administrator". Shell authentication is enabled with this AD server, but there is no authorization externally defined for shell access. So with this setup we cannot have access to the CLI via any other user, right? Or is there anything that can be achieved with external AD authentication?
04-28-2020 09:40 PM
AD or LDAP external authentication methods only apply to GUI users.
To allow shell users other than admin, you need to use RADIUS.
TACACS is not currently supported for any AAA service in Firepower.
Even if the Nessus scanner had shell access, it would only log into the limited CLI, not the expert root user access that's required to do a proper scan. It would need to log in, then change to expert mode, and then sudo to root to do that.
02-16-2021 01:45 AM
So FMC external CLI users must be pre-created on GUI while FTD external CLI users need not be as they are created automatically on GUI after first login. Is that correct?
P.S.: s/FMC/CSFTDM/g
04-29-2020 06:44 AM
What I've researched on the Tenable Website is they can scan the FTD physical devices, but as for FMC there are issues.