cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
16099
Views
21
Helpful
12
Replies

How to Add Additional User Accounts to FMC Command Line

dewey89
Level 1
Level 1

Hello all, I'm trying to get our Firepower suite scanned using Tenable SC and have been successful in getting the hosts scanned.  The next step is to scan the FMC appliance.  We are using the FMC 6.4 virtual appliance hosted on VMware and the CLI is different from the hardware.

  There's an admin account on the FMC, but I can't see how to add a second user name for admin.  Can this even be done?  I attempted this a year ago when the systems were installed, but the documentation was/is scarce and I've had other priorities.

  Everything I've researched either branches out to adding users to to the FTD hosts or it references the FMC gui instead of the command line.

12 Replies 12

toddlammle
Level 1
Level 1

Dewey, you cannot add users, or much even, to the FMC CLI. Users can only be created and managed from the System>Users GUI. There is troubleshooting available from the CLI, download of troubleshooting files, and verification of files and logs, but it's limited to admins on what we can accomplish on the FMC CLI.

Todd, thanks for answering.

  As I said I'm trying to conduct vulnerability and audit scans on the FMC.  Just yesterday I fixed the issues with the FTD2110's which were scanning the CLI using ssh.

  I didn't think the FMC CLI would be the answer.  I'm reviewing the Tenable website and other resources to find out if it's even possible.

 

 

Thanks for all of the content you provide!

 

Hi Dewey, you’re welcome! Good luck with your audit scans.

Although it is not recommended to use the CLI to make changes, or in this case add users, it can be done.  Have a look at the following guide for the steps.

 

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/user_accounts_for_management_access.html#id_63528

--
Please remember to select a correct answer and rate helpful posts

The guide is talking about devices, not the FMC, and says this explicitly:

For the Firepower Threat Defense, NGIPSv, and ASA FirePOWER, you must add internal users at the CLI.
You cannot add users at the CLI on the Firepower Management Center and 7000 and 8000 Series.

That's what I've been reading today.  The Cyber team wants to be able to scan all devices and the vFMC appliance is on their list to get working.

  I may have to tell them that it can't be done, but I'm still looking.

Hi,

 

We have nessus scanner used for vulnerability scans in the environment. And now we are trying to confirm whether the authenticated scan is possible or not for Cisco FMC 2000 device.

 

It seems we cannot create CLI user in Cisco FMC 2000. Can we confirm this please.

You cannot create a new local cli user with local authentication, but you can create a local user who is externally authenticated. You do this from the FMC GUI.

As long as you have enabled shell authentication, those users can log into the shell (cli). I am using ISE (RADIUS method) with AD as the backend identity source as my authentication server for FMC and it works fine.

Here's my setup:

FMC External Authentication.PNGFMC Users.PNG

 

[C:\~]$ ssh adm-marvin@172.31.1.10


Connecting to 172.31.1.10:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.

WARNING: The use of this system is restricted to authorized users only.

Unauthorized access, use, or modification of the computer system or of the data contained herein or in transit to/from this system may subject you to criminal prosecution.

These systems and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures.

Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in the system by a user.

If monitoring reveals possible evidence of criminal activity, such evidence may be provided to law enforcement personnel.


Last login: Tue Apr 28 05:51:09 UTC 2020 from dcprime.ccielab.mrneteng.com on pts/1

Copyright 2004-2020, Cisco and/or its affiliates. All rights reserved. 
Cisco is a registered trademark of Cisco Systems, Inc. 
All other trademarks are property of their respective owners.

Cisco Fire Linux OS v6.6.0 (build 37)
Cisco Firepower Management Center for VMWare v6.6.0 (build 90)

>

FMC ISE AuthenticationFMC ISE Authentication

Thanks for the update.

 

We do not have Radius or Tacacs integrated, the authentication is via AD and the default profile is "Administrator". And shell authentication is enabled with this AD server but there is no authorization externally defined for shell access. So with this setup we cannot have access to CLI via any other user right? Or do we have anything can be achieved with External AD authentication.

AD or LDAP external authentication methods only apply to GUI users.

To allow shell users other than admin, you need to use RADIUS.

TACACS is not currently supported for any AAA service in Firepower.

Even is the Nessus scanner had shell access, it would only log into the limited cli - not expert root user access that's required to do a proper scan. It would need to login and then change to expert mode and then sudo to root to do that.

So FMC external CLI users must be pre-created on GUI while FTD external CLI users need not be as they are created automatically on GUI after first login. Is that correct?

 

P.S.: s/FMC/CSFTDM/g 

What I've researched on the Tenable Website is they can scan the FTD physical devices, but as for FMC there are issues.

Review Cisco Networking for a $25 gift card