REVISIT How to Add Additional SSH User Accounts to FMC/FTD

dewey89
Level 1

Time to bring up this subject again.  We've been running a Cisco FMC/FTD suite for a while now and have been trying to do security scans to no avail.

Previously I found out that it was because of the version of Tenable Security Center we were using, so I stopped pursuing the older post from the link below.  We now have the newer version, but still can't scan the devices.

We've just upgraded our Firepower suite to 6.6 code and hope to be able to provide successful scans.  The caveat to all of this is having a separate user/service account to be able to conduct the scans with.

There's a lot of success in other discussions, but that deals with the ASA code for the devices (FTD 2110s) and not the Firepower code that we use.  From the ASA side there's no problem creating accounts.

For twenty years I've been taught that when you get a new device, network or other, the first thing you do is change the default username and passwords.  If that's best practice then I don't know why Cisco restricts that ability.

The second issue we have is having SSH open long enough to conduct a scan.  As we know, we can override the SSH lockout, but the security practices say to lock it down to 10 minutes.

Is there a service or other account that can be created so that SSH doesn't have to be enabled and disabled?

Any help would be appreciated.

 

https://community.cisco.com/t5/network-security/how-to-add-additional-user-accounts-to-fmc-command-line/td-p/4056936

1 Reply

Marvin Rhoads
Hall of Fame

If you set up your FMC to be able to use external authentication (RADIUS or LDAP) then you can also let those externally-authenticated users log in to the CLI via SSH. You do have to create a shadow account in the FMC GUI but the actual authentication happens via the defined external identity source. Make sure you include "shell authentication" when you add the external identity source.

[Screenshot: FMC External Identity Source]
[Screenshot: FMC Shadow user and login example]
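A pre-flight check for the setup described in the reply above, added here as an example and not part of the original thread or any Cisco tooling. It is meant to run from the scanner host just before the credentialed scan starts, while the FMC's SSH window is open, and tells you whether the externally-authenticated shadow account can actually log in. The hostname and account name are placeholders; it assumes the scanner's key or password is already accepted for that account, and it assumes `show version` is a harmless command the FMC CLI accepts (any read-only command would do, since the point is to prove authentication, and a rejected command is reported separately from a rejected login).

```shell
# Pre-flight SSH check for a credentialed scan of an FMC.
# Added example, not from the thread. Assumptions are marked below.

FMC_HOST="${FMC_HOST:-fmc.example.internal}"   # placeholder FMC address
SCAN_USER="${SCAN_USER:-svc-tenable}"           # placeholder shadow account (external RADIUS/LDAP user)

# classify_ssh_result EXIT_CODE STDERR_TEXT
# Maps an ssh exit status plus its captured stderr to one of:
#   ok           authentication and the remote command both succeeded
#   auth-failed  SSH answered but the account was rejected (shadow user missing,
#                external source added without shell authentication, bad credentials)
#   unreachable  no SSH session at all (SSH disabled on the FMC, the timed SSH
#                window already closed, access list or firewall in the way)
#   cmd-failed   login worked but the remote command returned non-zero
classify_ssh_result() {
    code="$1"
    err="$2"
    if [ "$code" -eq 0 ]; then
        echo ok
        return 0
    fi
    case "$err" in
        *"Permission denied"*|*"Authentication failed"*)
            echo auth-failed ;;
        *"Connection refused"*|*"Connection timed out"*|*"No route to host"*|*"Could not resolve"*|*"Operation timed out"*)
            echo unreachable ;;
        *)
            # 255 is ssh's own failure status; anything else came from the remote command
            if [ "$code" -eq 255 ]; then
                echo unreachable
            else
                echo cmd-failed
            fi ;;
    esac
}

# check_fmc_ssh HOST USER
# One non-interactive login attempt. BatchMode stops the check hanging on a
# password prompt, and the short connect timeout keeps it well inside a
# 10-minute SSH window. "show version" is assumed to be accepted by the FMC CLI.
check_fmc_ssh() {
    host="$1"
    user="$2"
    errfile=$(mktemp)
    ssh -o BatchMode=yes -o ConnectTimeout=5 -o StrictHostKeyChecking=yes \
        "$user@$host" 'show version' >/dev/null 2>"$errfile"
    rc=$?
    result=$(classify_ssh_result "$rc" "$(cat "$errfile")")
    rm -f "$errfile"
    echo "$result"
}

# Usage: set RUN_CHECK=1 to run the live check and abort the scan job on anything but "ok".
if [ "${RUN_CHECK:-0}" = "1" ]; then
    status=$(check_fmc_ssh "$FMC_HOST" "$SCAN_USER")
    echo "ssh pre-flight against $FMC_HOST as $SCAN_USER: $status"
    [ "$status" = "ok" ] || exit 1
fi
```

The useful part is the distinction between `auth-failed` and `unreachable`: the first points at the FMC side of the reply (shadow user, shell authentication on the identity source, or the RADIUS/LDAP server), while the second usually means the SSH enable window described in the question has already closed, so re-enabling SSH and rerunning the check is the right next step rather than touching the account.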

 
