Local admin and user account on cisco FTD disabled

systems100 (Level 1)

Dears,

Kindly assist. I noticed that the local admin and user accounts I created were disabled, though I had not used those two accounts for a while; I use one other account to access the FTD via the CLI.

Please, what do you think could cause this?

13 Replies

Normally the admin account cannot be disabled, unless you forget the password? Is your FTD using LDAP/RADIUS authentication?

please do not forget to rate.

It is not using LDAP or RADIUS.

I observed that both accounts became enabled suddenly afterwards.

I'm thinking this is just a setup mechanism on FTD to prevent unauthorized access.

What do you think?

What is the FTD version and what FXOS version are you on? Is your FTD running the FTD code or the ASA code?

This should not have happened. Not doubting you, but could you have put in the wrong password earlier?

Found this in the Cisco documentation:

Failed Authentication—The user was prompted to authenticate, but failed to enter a valid username/password pair within the maximum number of allowed attempts.

please do not forget to rate.

AFAIK the local admin account is exempted from being locked out; the only exception to this would be if you are using strict security standards such as the US DoD. How did you notice those users were in the disabled state?

I noticed this by doing "show users" on the Cisco FTD in clish mode.

"show users" in clish mode will show you all the usernames that are configured in your FTD (this includes the usernames that have access to the FMC; they will also show in "show users" in clish).

please do not forget to rate.

Did you notice if it was showing "Yes" in the lock column while they were disabled?

I just checked mine. It showed Lock No. But in your case, on the first attempt you could not log in, and suddenly later on it let you into the CLI.

show user
Login UID  Auth   Access Enabled Reset Exp   Warn Str Lock Max
abc   1084 Remote Config Enabled N/A   Never N/A  Dis No   N/A
xyz   1018 Remote Config Enabled N/A   Never N/A  Dis No   N/A
admin 101  Local  Config Enabled No    Never N/A  Ena No   N/A

please do not forget to rate.

It is currently showing No:

Login UID  Auth  Access Enabled Reset Exp   Warn     Grace    MinL Str Lock Max
admin 101  Local Config Enabled No    Never Disabled Disabled 0    Dis No   N/A
abc   1001 Local Config Enabled Yes   Never Disabled Disabled 1    Dis No   5
dof   1000 Local Config Enabled No    Never Disabled Disabled 12   Dis No   5

Also, do you know a command to set the password policy on the FTD?

You can use the features below, for example to set the minimum password length. If you manage the FTD from FMC, in that case you can look at the FMC GUI.

How do you manage your FTD, standalone or via FMC?

> configure user
  access           Set user access level
  add              Add user
  aging            Set user password aging
  delete           Delete user
  disable          Disable user
  enable           Enable user
  forcereset       Force user password reset
  maxfailedlogins  Set maximum failed logins
  minpasswdlen     Set minimum password length
  password         Set user password
  strengthcheck    Set strength requirement on user password
  unlock           Unlock user account

Have a look at this document:

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/hardening/ftd/FTD_Hardening_Guide_v64.html

please do not forget to rate.

Would really be interesting to check the lock column if this should happen again. If you see the disabled users marked as locked out, including the admin account and you are not using any strict security model, then I would raise this with Cisco. I don't think you can configure the password policy on the FTD from the UI, I think you can only use the "configure user ..." command as already mentioned.
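The check suggested in this thread (look at the Lock and Enabled columns of "show users" whenever the accounts go missing again, and compare the local-account policy columns against what "configure user minpasswdlen/maxfailedlogins/strengthcheck" would set) can be scripted over the pasted CLI output. The following is an added example, not code from the thread or from Cisco: it parses the whitespace-separated "show users" table as pasted above (keying on the header line, since the column set differs between the two outputs in the thread), and the policy thresholds in POLICY are assumed review values, not Cisco defaults.

```python
"""Parse Cisco FTD 'show users' CLI output and flag accounts that need attention.

SAMPLE_SHOW_USERS is constructed from the second table posted in the thread.
The parser keys on the header line rather than fixed positions, because the
column set differs between the two outputs shown in the thread.
"""
from typing import Dict, List

# Constructed sample (local accounts only), copied from the thread's output.
SAMPLE_SHOW_USERS = """\
Login UID  Auth  Access Enabled Reset Exp   Warn     Grace    MinL Str Lock Max
admin 101  Local Config Enabled No    Never Disabled Disabled 0    Dis No   N/A
abc   1001 Local Config Enabled Yes   Never Disabled Disabled 1    Dis No   5
dof   1000 Local Config Enabled No    Never Disabled Disabled 12   Dis No   5
"""

# Assumed review thresholds for local accounts (hypothetical, not Cisco defaults).
POLICY = {"min_passwd_len": 15, "max_failed_logins": 5}


def parse_show_users(text: str) -> List[Dict[str, str]]:
    """Return one dict per account row, keyed by the column names in the header."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Locate the header (first line beginning with 'Login'); an echoed
    # 'show user' command line before it is ignored.
    try:
        start = next(i for i, ln in enumerate(lines) if ln.startswith("Login"))
    except StopIteration:
        raise ValueError("no 'Login ...' header found in show users output")
    columns = lines[start].split()
    rows = []
    for ln in lines[start + 1:]:
        fields = ln.split()
        if len(fields) != len(columns):
            raise ValueError(f"column count mismatch on row: {ln!r}")
        rows.append(dict(zip(columns, fields)))
    return rows


def review_accounts(rows: List[Dict[str, str]], policy=POLICY) -> Dict[str, List[str]]:
    """Return {login: [finding, ...]} for accounts that are locked, not enabled,
    or (for Local auth) configured more weakly than the assumed policy."""
    findings: Dict[str, List[str]] = {}
    for r in rows:
        issues = []
        if r.get("Lock", "No") == "Yes":
            issues.append("account is locked out (check failed-login history; configure user unlock)")
        if r.get("Enabled") != "Enabled":
            issues.append(f"account state is {r.get('Enabled')}")
        if r.get("Auth") == "Local":
            if r.get("Str") != "Ena":
                issues.append("password strength check disabled (configure user strengthcheck)")
            minl = r.get("MinL")
            if minl is not None and minl.isdigit() and int(minl) < policy["min_passwd_len"]:
                issues.append(f"minimum password length {minl} < {policy['min_passwd_len']}"
                              " (configure user minpasswdlen)")
            mx = r.get("Max")
            # 'N/A' is skipped: the thread shows it for the admin account.
            if mx is not None and mx.isdigit() and int(mx) > policy["max_failed_logins"]:
                issues.append(f"max failed logins {mx} > {policy['max_failed_logins']}"
                              " (configure user maxfailedlogins)")
        if issues:
            findings[r["Login"]] = issues
    return findings


if __name__ == "__main__":
    for login, issues in review_accounts(parse_show_users(SAMPLE_SHOW_USERS)).items():
        print(login)
        for issue in issues:
            print("  -", issue)
```

Paste the "show users" output into SAMPLE_SHOW_USERS (or read it from a file) and run the script; a "Yes" in the Lock column, or anything other than "Enabled" in the Enabled column, is reported per account, which is exactly the evidence the reply above asks for before raising a case.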

@Aref Alsouqi just to confirm, I have tested:

 > configure user strengthcheck apiuser enable

You can use strengthcheck to check whether the password is strong.

Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

However, you can add, enable and disable.

please do not forget to rate.

That is possible from the CLI, but I don't think you have an equivalent configuration section on the UI.
