Define a user group, which serves as another set of users for whom we specify access rights.

On all devices, users with CLI Config level access or shell access can obtain sudoers privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:

• If you establish external authentication, make sure that you restrict the list of users with CLI/shell access appropriately.

• When granting CLI access privileges, restrict the list of users with Config level access.

• Do not add users directly in the Linux shell; only use the procedures in this chapter.

• Do not access Firepower devices using the Linux shell or CLI expert mode unless directed by Cisco TAC or by explicit instructions in the Firepower user documentation.

The username must comply with the following restrictions:

• Maximum 32 alphanumeric characters, plus hyphen (-), underscore (_) and period (.).

• Letters may be upper or lower case.

• Cannot include any punctuation or special characters other than hyphen (-), underscore (_) and period (.).

The values must conform to the password options you set for this user.

Enter an integer, without spaces, that determines the maximum number of times each user can try to log in after a failed login attempt before the account is locked. The default setting is 5 tries; use 0 to allow an unlimited number of failed logins. The admin account is exempt from being locked out after a maximum number of failed logins unless you enabled security certification compliance.

Enter an integer, without spaces, that determines the minimum required length, in characters, of a user’s password. The default setting is 8. A value of 0 indicates that no minimum length is required.

Enter the number of days after which the user’s password expires. The default setting is 0, which indicates that the password never expires. If you change from the default, then the Password Lifetime column of the Users list indicates the days remaining on each user’s password.

Enter the number of warning days users have to change their password before their password actually expires. The default setting is 0 days.

• Force Password Reset on Login—Forces users to change their passwords the next time they log in.

• Check Password Strength—Requires strong passwords. A strong password must be at least eight alphanumeric characters of mixed case and must include at least 1 numeric character and 1 special character. It cannot be a word that appears in a dictionary or include consecutive repeating characters.

• Exempt from Browser Session Timeout—Exempts a user’s login sessions from termination due to inactivity. Users with the Administrator role cannot be made exempt.

For external users, if the user role is assigned through group membership (LDAP) or based on a user attribute (RADIUS), you cannot remove the minimum access rights. You can, however, assign additional rights. If the user role is the default user role that you set on the device, then you can modify the role in the user account without limitations. When you modify the user role, the Authentication Method column on the Users tab provides a status of External - Locally Modified.

The options you see depend on whether the device is in a single domain or multidomain (Firepower Management Center only) deployment.

• Single domain—Check the user role(s) you want to assign the user.

• Multidomain (Firepower Management Center only)—In a multidomain deployment, you can create user accounts in any domain in which you have been assigned Administrator access. Users can have different privileges in each domain. You can assign user roles in both ancestor and descendant domains. For example, you can assign read-only privileges to a user in the Global domain, but Administrator privileges in a descendant domain. See the following steps:

  1. Click Add Domain.

  2. Choose a domain from the Domain drop-down list.

  3. Check the user roles you want to assign the user.

  4. Click Save.

The admin user account has the required privileges, but any account with Config privileges will work. You can use an SSH session or the Console port.

For certain FTD models, the Console port puts you into the FXOS CLI. Use the connect ftd command to get to the FTD CLI.

configure user add username {basic | config}

• username—Sets the username. The username must be Linux-valid:

  • Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

  • All lowercase

  • Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

• basic—Gives the user basic access. This role does not allow the user to enter configuration commands.

• config—Gives the user configuration access. This role gives the user full administrator rights to all commands.

The following example adds a user account named johncrichton with Config access rights. The password is not shown as you type it.

> configure user add johncrichton config
Enter new password for user johncrichton: newpassword
Confirm new password for user johncrichton: newpassword
> show user
Login              UID   Auth Access  Enabled Reset    Exp Warn  Str Lock Max
admin             1000  Local Config  Enabled    No  Never  N/A  Dis   No N/A
johncrichton      1001  Local Config  Enabled    No  Never  N/A  Dis   No   5

You can use the following commands to change the default account behavior.

• configure user agingusername max_days warn_days

  Sets an expiration date for the user's password. Specify the maximum number of days for the password to be valid followed by the number of days before expiration the user will be warned about the upcoming expiration. Both values are 1 to 9999, but the warning days must be less than the maximum days. When you create the account, there is no expiration date for the password.

• configure user forceresetusername

  Forces the user to change the password on the next login.

• configure user maxfailedloginsusername number

  Sets the maximum number of consecutive failed logins you will allow before locking the account, from 1 to 9999. Use the configure user unlock command to unlock accounts. The default for new accounts is 5 consecutive failed logins.

• configure user minpasswdlenusername number

  Sets a minimum password length, which can be from 1 to 127.

• configure user strengthcheckusername { enable | disable}

  Enables or disables password strength checking, which requires a user to meet specific password criteria when changing their password. When a user’s password expires or if the configure user forcereset command is used, this requirement is automatically enabled the next time the user logs in.

Users can get locked out of their accounts, or you might need to remove accounts or fix other issues. Use the following commands to manage the user accounts on the system.

• configure user access username { basic | config}

  Changes the privileges for a user account.

• configure user deleteusername

  Deletes the specified account.

• configure user disableusername

  Disables the specified account without deleting it. The user cannot log in until you enable the account.

• configure user enableusername

  Enables the specified account.

• configure user passwordusername

  Changes the password for the specified user. Users should normally change their own password using the configure password command.

• configure user unlockusername

  Unlocks a user account that was locked due to exceeding the maximum number of consecutive failed login attempts.

External authentication is not supported on FTD virtual devices.

• restrict the list of users with Linux shell access

• do not create Linux shell users

You must also follow the procedure in Configure Common Access Card Authentication with LDAP to fully configure CAC authentication and authorization. You cannot use this object for CLI users.

If you are using a certificate to connect via TLS or SSL, the host name in the certificate must match the host name used in this field. In addition, IPv6 addresses are not supported for encrypted connections.

• Enter a UI Access Attribute, or click Fetch Attrs to retrieve a list of available attributes. For example, on a Microsoft Active Directory Server, you may want to use the UI Access Attribute to retrieve users, because there may not be a uid attribute on Active Directory Server user objects. Instead, you can search the userPrincipalName attribute by typing userPrincipalName in the UI Access Attribute field.

  This field is required for CAC authentication.

• Set the Shell Access Attribute if you want to use a shell access attribute other than the user distinguished type. For example, on a Microsoft Active Directory Server, use the sAMAccountName shell access attribute to retrieve CLI/shell access users by typing sAMAccountName.

Group controlled access roles allows you to grant privileges to the users belonging to the specified groups. If you do not configure a user’s privileges using group-controlled access roles, a user has only the privileges granted by default in the external authentication policy.

If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.

To prevent LDAP authentication of CLI/shell access, leave this field blank. To specify CLI/shell users, choose one of the following methods:

• To use the same filter you specified when configuring authentication settings, choose Same as Base Filter.

• To retrieve administrative user entries based on attribute value, enter the attribute name, a comparison operator, and the attribute value you want to use as a filter, enclosed in parentheses (maximum 450 characters, including the enclosing parentheses). For example, if all network administrators have a manager attribute which has an attribute value of shell, you can set a base filter of (manager=shell).

The usernames must be Linux-valid:

• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

• All lowercase

• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

The test output lists valid and invalid user names. Valid user names are unique, and can include underscores (_), periods (.), hyphens (-), and alphanumeric characters. Note that testing the connection to servers with more than 1000 users only returns 1000 users because of UI page size limitations. If the test fails, see Troubleshooting LDAP Authentication Connections.

If you are connecting to a Microsoft Active Directory Server and supplied a UI access attribute in place of uid, use the value for that attribute as the user name. You can also specify a fully qualified distinguished name for the user.

To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.

• Firepower Management Center—Enable External Authentication for Users on the Firepower Management Center

• FTD—Configure External Authentication for SSH

• 7000 and 8000 Series—About External Authentication for 7000/8000 Series Devices

If you change a user's role, you must save/deploy the changed external authentication object and also remove the user from the Users screen. The user will be re-added automatically the next time they log in.

If your RADIUS server returns values for attributes not included in the dictionary file in /etc/radiusclient/, and you plan to use those attributes to set roles for users with those attributes, you need to define those attributes. You can locate the attributes returned for a user by looking at the user’s profile on your RADIUS server.

When you create a RADIUS authentication object, a new dictionary file for that object is created on the device in the /var/sf/userauth directory. Any custom attributes you add are added to the dictionary file.

If a RADIUS server is used on a network with a Cisco router, you might want to use the Ascend-Assign-IP-Pool attribute to grant a specific role to all users logging in from a specific IP address pool. Ascend-Assign-IP-Pool is an integer attribute that defines the address pool where the user is allowed to log in, with the integer indicating the number of the assigned IP address pool.

To declare that custom attribute, you create a custom attribute with an attribute name of Ascend-IP-Pool-Definition, an attribute ID of 218, and an attribute type of integer.

You could then enter Ascend-Assign-IP-Pool=2 in the Security Analyst (Read Only) field to grant read-only security analyst rights to all users with an Ascend-IP-Pool-Definition attribute value of 2.

Make sure that these usernames match usernames on the RADIUS server. The names must be Linux-valid usernames:

• Maximum 32 alphanumeric characters, plus hyphen (-) and underscore (_)

• All lowercase

• Cannot start with hyphen (-); cannot be all numbers; cannot include a period (.), at sign (@), or slash (/)

To prevent RADIUS authentication of CLI/shell access for , leave the field blank.

This function can only test FMC connectivity to the RADIUS server; there is no test function for managed device connectivity to the RADIUS server.

To test if you can retrieve the JSmith user credentials at the Example company, enter JSmith and the correct password.

• Firepower Management Center—Enable External Authentication for Users on the Firepower Management Center

• FTD—Configure External Authentication for SSH

• 7000 and 8000 Series—About External Authentication for 7000/8000 Series Devices

Users without a role cannot perform any actions. Any user roles defined in the external authentication object overrides this default user role.

If you enable shell authentication, you must enable an external authentication object that includes a Shell Access Filter. Also, CLI/shell access users can only authenticate against the server whose authentication object is highest in the list.

The first external authentication object name is shown next to the Enabled option to remind you that only the first object is used for CLI/shell

External authentication is not supported on FTD virtual devices.

• CAC check box.

• .

• .

The same certificate authority (CA) must issue the HTTPS server certificate and the user certificates on the CACs you plan to use.

• Click Create User Role.

• Click the Copy (

  
  ) next to the user role you want to copy.

• Import a custom user role from another device:

  1. On the old device, click the Export (

     
     ) to save the role to your PC.

  2. On the new device, choose .

  3. Click Upload Package, then follow the instructions to import the saved user role to the new device.

When you choose a permission, all of its children are chosen, and the multi-value permissions use the first value. If you clear a high-level permission, all of its children are cleared also. If you choose a permission but not its children, it appears in italic text.

Copying a predefined user role to use as the base for your custom role preselects the permissions associated with that predefined role.

You can apply restrictive searches to a custom user role. These searches constrain the data a user can see in the tables on the pages available under the Analysis menu. You can configure a restrictive search by first creating a private saved search and selecting it from the Restrictive Search drop-down menu under the appropriate menu-based permission.

This option provides read-only access to the database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the device, you must enable database access in the system settings.

If the controls are dimmed, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

If you deactivate, then reactivate, a role with Lights-Out Management while a user with that role is logged in, or restore a user or user role from a backup during that user’s login session, that user must log back into the web interface to regain access to IPMItool commands.