User Accounts for Management Access
The Firepower Management Center and managed devices include a default admin account for management access. This chapter discusses how to create custom user accounts for supported models. See Logging into the Firepower System for detailed information about logging into the Firepower Management Center or a managed device with a user account.
This chapter also describes Cisco Security Manager (CSM) single sign-on when you manage an ASA with CSM and the FirePOWER services module with the Firepower Management Center.
About User Accounts
You can add custom user accounts on the Firepower Management Center and on managed devices, either as internal users or, if supported for your model, as external users on an LDAP or RADIUS server. Each Firepower Management Center and each managed device maintains separate user accounts. For example, when you add a user to the Firepower Management Center, that user only has access to the FMC; you cannot then use that username to log directly into a managed device. You must separately add a user on the managed device.
Internal and External Users
Firepower devices support two types of users:
Web Interface and CLI or Shell Access
When you configure user accounts, you enable web interface access and CLI or shell access separately. Firepower devices include a Firepower CLI that runs on top of Linux. CLI users can also access the Linux shell under TAC supervision or when explicitly instructed by Firepower user documentation. For detailed information about the management UIs, see Firepower System User Interfaces.
Each device type supports different forms of access as detailed here:
User Roles
User privileges are based on the assigned user role. For example, you can grant analysts predefined roles such as Security Analyst and Discovery Admin and reserve the Administrator role for the security administrator managing the device. You can also create custom user roles with access privileges tailored to your organization’s needs.
Web Interface User Roles
The 7000 and 8000 Series devices have access to the following user roles: Administrator, Maintenance User, and Security Analyst. The Firepower Management Center includes the following predefined user roles:
Access Admin
Provides access to access control policy and associated features in the Policies menu. Access Admins cannot deploy policies.
Administrator
Administrators have access to everything in the product; their sessions present a higher security risk if compromised, so you cannot make them exempt from login session timeouts. You should limit use of the Administrator role for security reasons.
Discovery Admin
Provides access to network discovery, application detection, and correlation features in the Policies menu. Discovery Admins cannot deploy policies.
External Database User
Provides read-only access to the Firepower System database using an application that supports JDBC SSL connections. For the third-party application to authenticate to the Firepower System appliance, you must enable database access in the system settings. On the web interface, External Database Users have access only to online help-related options in the Help menu. Because this role’s function does not involve the web interface, access is provided only for ease of support and password changes.
Intrusion Admin
Provides access to all intrusion policy, intrusion rule, and network analysis policy features in the Policies and Objects menus. Intrusion Admins cannot deploy policies.
Maintenance User
Provides access to monitoring and maintenance features. Maintenance Users have access to maintenance-related options in the Health and System menus.
Network Admin
Provides access to access control, SSL inspection, DNS policy, and identity policy features in the Policies menu, as well as device configuration features in the Devices menus. Network Admins can deploy configuration changes to devices.
Security Analyst
Provides access to security event analysis features, and read-only access to health events, in the Overview, Analysis, Health, and System menus.
Security Analyst (Read Only)
Provides read-only access to security event analysis features and health event features in the Overview, Analysis, Health, and System menus.
Security Approver
Provides limited access to access control and associated policies and network discovery policies in the Policies menu. Security Approvers can view and deploy these policies, but cannot make policy changes.
Threat Intelligence Director (TID) User
Provides access to Threat Intelligence Director configurations in the Intelligence menu. Threat Intelligence Director (TID) Users can view and configure TID.
CLI User Roles
On managed devices, user access to commands in the CLI depends on the role you assign.
The user cannot log into the device on the command line.
Config
The user can access all commands, including configuration commands. Exercise caution in assigning this level of access to users.
Basic
The user can access non-configuration commands only.
Requirements and Prerequisites for User Accounts
Model Support
External user authentication is supported for the following models:
Guidelines and Limitations for User Accounts
Defaults
All devices include an admin user as a local user account for all forms of access; you cannot delete the admin user. The default initial password is Admin123; the system forces you to change this during the initialization process. See the Getting Started Guide for your model for more information about system initialization.
Global Settings
By default the following settings apply to all user accounts on the Firepower Management Center:
You can change these settings for all users as a system configuration. See Global User Configuration Settings.
Add an Internal User Account
Each device maintains separate user accounts. The Firepower Management Center and 7000 and 8000 Series have similar web interfaces. For the Firepower Threat Defense, NGIPSv, and ASA FirePOWER, you must add internal users at the CLI. You cannot add users at the CLI on the Firepower Management Center and 7000 and 8000 Series.
Add an Internal User at the Web Interface
This procedure describes how to add custom internal user accounts at the web interface of a Firepower Management Center or 7000 & 8000 Series device. The Users page shows both internal users that you added manually and external users that were added automatically when a user logged in with LDAP or RADIUS authentication. For external users, you can modify the user role on this screen if you assign a role with higher privileges; you cannot modify the password settings. In a multidomain deployment on the Firepower Management Center, users are only visible in the domain in which they are created. Note that if you add a user in the Global domain, but then assign a user role for a leaf domain, then that user still shows on the Global Users page where it was added, even though the user "belongs" to a leaf domain. If you enable security certifications compliance or Lights-Out Management (LOM) on a device, different password restrictions apply. For more information on security certifications compliance, see Security Certifications Compliance. When you add a user in a leaf domain, that user is not visible from the global domain.
Procedure
Add an Internal User at the CLI
Use the CLI to create internal users on the FTD, ASA FirePOWER, and NGIPSv devices. These devices do not have a web interface, so internal (and external) users can only access the CLI for management.
Procedure
Configure External Authentication
To enable external authentication, you need to add one or more external authentication objects.
About External Authentication
When you enable external authentication for management and administrative users of your Firepower system, the device verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object. External authentication objects can be used by the Firepower Management Center, 7000 and 8000 Series, and FTD devices. You can share the same object between the different appliance/device types, or create separate objects.
For the FMC, enable the external authentication objects directly on the tab; this setting only affects FMC usage, and it does not need to be enabled on this tab for managed device usage. For the 7000 and 8000 Series and FTD devices, you must enable the external authentication object in the platform settings that you deploy to the devices. Web interface users are defined separately from CLI/shell users in the external authentication object. For CLI/shell users on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For LDAP, you can specify a filter to match CLI users on the LDAP server. You cannot use an LDAP object for CLI/shell access that is also configured for CAC authentication.
External Authentication for the Firepower Management Center and 7000 and 8000 Series
You can configure multiple external authentication objects for web interface access. For example, if you have 5 external authentication objects, users from any of them can be authenticated to access the web interface. You can use only one external authentication object for CLI or shell access. If you have more than one external authentication object enabled, then users can authenticate using only the first object in the list. External CLI users on 7000 or 8000 Series devices always have Config privileges; other user roles are not supported.
External Authentication for the Firepower Threat Defense
For the FTD, you can only activate one external authentication object. Only a subset of fields in the external authentication object are used for FTD SSH access. If you fill in additional fields, they are ignored. If you also use this object for other device types, those fields will be used.
External users always have Config privileges; other user roles are not supported.
About LDAP
The Lightweight Directory Access Protocol (LDAP) allows you to set up a directory on your network that organizes objects, such as user credentials, in a centralized location. Multiple applications can then access those credentials and the information used to describe them. If you ever need to change a user's credentials, you can change them in one place. Microsoft has announced that Active Directory servers will start enforcing LDAP binding and LDAP signing in 2020. Microsoft is making these a requirement because when using default settings, an elevation of privilege vulnerability exists in Microsoft Windows that could allow a man-in-the-middle attacker to successfully forward an authentication request to a Windows LDAP server. For more information, see 2020 LDAP channel binding and LDAP signing requirement for Windows on the Microsoft support site. If you have not done so already, we recommend you start using TLS/SSL encryption to authenticate with an Active Directory server.
About RADIUS
Remote Authentication Dial In User Service (RADIUS) is an authentication protocol used to authenticate, authorize, and account for user access to network resources. You can create an authentication object for any RADIUS server that conforms to RFC 2865. Firepower devices support the use of SecurID tokens. When you configure authentication by a server using SecurID, users authenticated against that server append the SecurID token to the end of their SecurID PIN and use that as their password when they log in. You do not need to configure anything extra on the Firepower device to support SecurID.
Add an LDAP External Authentication Object
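The following is an added illustration, not code from Cisco or this guide: it models how the LDAP external authentication object selects web interface users under the base DN and base filter, maps group membership to a role, and gates CLI access with the shell access filter, as in this section's examples. The directory, DNs, group names and the two rules marked "assumption" are constructed.

```python
# Model of how the LDAP external authentication object selects web interface users under the base
# DN and base filter, maps group membership to a role and gates CLI access with the shell access
# filter, as in this section's examples. Added illustration, not Cisco code; directory, DNs, groups
# and the two rules marked "assumption" are constructed.
from typing import Dict, List, Optional, Tuple
def parse_filter(s: str):
    """Parse the RFC 4515 subset used here: (attr=value), (&...), (|...), (!...)."""
    def parse(i):
        assert s[i] == "(", "filter must start with '('"
        i += 1
        if s[i] in "&|!":
            op, kids, i = s[i], [], i + 1
            while s[i] == "(":
                node, i = parse(i)
                kids.append(node)
            assert s[i] == ")", "unbalanced filter"
            return (op, kids), i + 1
        j = s.index(")", i)
        attr, _, value = s[i:j].partition("=")  # split at the first '='; DN values contain more
        return ("=", attr.lower(), value), j + 1
    node, end = parse(0)
    assert end == len(s), "trailing characters after filter"
    return node

def matches(node, entry: Dict[str, List[str]]) -> bool:
    """Evaluate a parsed filter against one entry (attribute names lower-cased, values case-folded)."""
    op = node[0]
    if op == "=":
        values = [v.lower() for v in entry.get(node[1], [])]
        return bool(values) if node[2] == "*" else node[2].lower() in values
    if op == "&":
        return all(matches(k, entry) for k in node[1])
    if op == "|":
        return any(matches(k, entry) for k in node[1])
    return not matches(node[1][0], entry)

def resolve(directory: Dict[str, Dict[str, List[str]]], base_dn: str, default_role: str,
            base_filter: Optional[str] = None, shell_access_filter: Optional[str] = None,
            group_roles: Optional[Dict[str, str]] = None) -> Dict[str, Tuple[Optional[str], bool]]:
    """Return {sAMAccountName: (web interface role or None, cli_allowed)} for objects under base_dn.
    No base filter means every object under base_dn is a candidate. Assumptions: an empty shell
    access filter grants no CLI access, and the first listed group a user belongs to sets the role."""
    base = parse_filter(base_filter) if base_filter else None
    shell = parse_filter(shell_access_filter) if shell_access_filter else None
    result = {}
    for dn, entry in directory.items():
        if not dn.lower().endswith(base_dn.lower()):
            continue  # outside the searched subtree
        web = None
        if base is None or matches(base, entry):
            groups = [g.lower() for g in entry.get("memberof", [])]
            web = next((r for g, r in (group_roles or {}).items() if g.lower() in groups), default_role)
        cli = shell is not None and matches(shell, entry)
        result[entry["samaccountname"][0]] = (web, cli)
    return result

# Constructed directory mirroring the advanced example: base filter on one group, a second group
# mapped to Maintenance User, shell access filter the same as the base filter.
USERS = "CN=FMC-Users,OU=Groups,DC=example,DC=com"
MAINT = "CN=FMC-Maint,OU=Groups,DC=example,DC=com"
DIRECTORY = {
    "CN=alice,OU=Staff,DC=example,DC=com": {"samaccountname": ["alice"], "memberof": [USERS, MAINT]},
    "CN=bob,OU=Staff,DC=example,DC=com": {"samaccountname": ["bob"], "memberof": [USERS]},
    "CN=dave,OU=Staff,DC=example,DC=com": {"samaccountname": ["dave"]},
    "CN=carol,OU=Staff,DC=other,DC=com": {"samaccountname": ["carol"], "memberof": [USERS]},
}
def advanced_example() -> Dict[str, Tuple[Optional[str], bool]]:
    return resolve(DIRECTORY, "DC=example,DC=com", "Security Analyst (Read Only)",
                   base_filter=f"(memberOf={USERS})", shell_access_filter=f"(memberOf={USERS})",
                   group_roles={MAINT: "Maintenance User"})
```

Calling `resolve` with no filters reproduces the basic example, where every object under the base DN is checked and, with no shell access filter, nobody gets CLI access.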
Add an LDAP server to support external users for device management. For the FTD, only a subset of fields are used for CLI access. See Configure External Authentication for SSH for details about which fields are used. In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Before you begin
Procedure
Examples
Basic Example
The following figures illustrate a basic configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 389 for access. This example shows a connection using a base distinguished name of However, because this server is a Microsoft Active Directory server, it uses the In addition, a Shell Access Attribute of Note that because no base filter is applied to this server, the Firepower System checks attributes for all objects in the directory indicated by the base distinguished name. Connections to the server time out after the default time period (or the timeout period set on the LDAP server).
Advanced Example
This example illustrates an advanced configuration of an LDAP login authentication object for a Microsoft Active Directory Server. The LDAP server in this example has an IP address of 10.11.3.4. The connection uses port 636 for access. This example shows a connection using a base distinguished name of The connection to the server is encrypted using SSL and a certificate named Because this server is a Microsoft Active Directory server, it uses the In addition, a Shell Access Attribute of This example also has group settings in place. The Maintenance User role is automatically assigned to all members of the group with a The shell access filter is set to be the same as the base filter, so the same users can access the appliance through the shell or CLI as through the web interface.
Add a RADIUS External Authentication Object
Add a RADIUS server to support external users for device management. For the FTD, only a subset of fields are used for CLI access. See Configure External Authentication for SSH for details about which fields are used. In a multidomain deployment, external authentication objects are only available in the domain in which they are created.
Procedure
Examples
Simple User Role Assignments
The following figure illustrates a sample RADIUS login authentication object for a server running Cisco Identity Services Engine (ISE) with an IP address of 10.10.10.98 on port 1812. No backup server is defined. The following example shows RADIUS-specific parameters, including the timeout (30 seconds) and number of failed retries before the Firepower System attempts to contact the backup server, if any. This example illustrates important aspects of RADIUS user role configuration: Users The user The user The user The following graphic depicts the role configuration for the example:
Roles for Users Matching an Attribute-Value Pair
You can use an attribute-value pair to identify users who should receive a particular user role. If the attribute you use is a custom attribute, you must define the custom attribute. The following figure illustrates the role configuration and custom attribute definition in a sample RADIUS login authentication object for the same ISE server as in the previous example. In this example, however, the
Enable External Authentication for Users on the Firepower Management Center
When you enable external authentication for management users, the Firepower Management Center verifies the user credentials with an LDAP or RADIUS server as specified in an External Authentication object.
Before you begin
Add one or more external authentication objects according to Add an LDAP External Authentication Object and Add a RADIUS External Authentication Object.
Procedure
Enable External Authentication for Users on Managed Devices
Enable External Authentication in the device Platform Settings, and then deploy the settings to the managed devices. See the following procedures for your managed device type:
Configure Common Access Card Authentication with LDAP
If your organization uses Common Access Cards (CACs), you can configure LDAP authentication to authenticate FMC or 7000 and 8000 Series users logging into the web interface. With CAC authentication, users have the option to log in directly without providing a separate username and password for the device. CAC-authenticated users are identified by their electronic data interchange personal identifier (EDIPI) numbers. After 24 hours of inactivity, the device deletes CAC-authenticated users from the Users tab. The users are re-added after each subsequent login, but you must reconfigure any manual changes to their user roles.
Before you begin
You must have a valid user certificate present in your browser (in this case, a certificate passed to your browser via your CAC) to enable user certificates as part of the CAC configuration process. After you configure CAC authentication and authorization, users on your network must maintain the CAC connection for the duration of their browsing session. If you remove or replace a CAC during a session, your web browser terminates the session and the system logs you out of the web interface.
Procedure
Customize User Roles for the Web Interface
Each user account must be defined with a user role. This section describes how to manage user roles and how to configure a custom user role for web interface access. For default user roles, see Web Interface User Roles.
Create Custom User Roles
Custom user roles can have any set of menu-based and system permissions, and may be completely original, copied from a predefined or another custom user role, or imported from another device.
Procedure
Example
You can create custom user roles for access control-related features to designate whether users can view and modify access control and associated policies. The following table lists custom roles that you could create and user permissions granted for each example. The table lists the privileges required for each custom role. In this example, Policy Approvers can view (but not modify) access control and intrusion policies. They can also deploy configuration changes to devices.
Table 1. Example Access Control Custom Roles
Deactivate User Roles
Deactivating a role removes that role and all associated permissions from any user who is assigned that role. You cannot delete predefined user roles, but you can deactivate them. In a multidomain deployment, the system displays custom user roles created in the current domain, which you can edit. It also displays custom user roles created in ancestor domains, which you cannot edit. To view and edit custom user roles in a lower domain, switch to that domain.
Procedure
Enable User Role Escalation
For the Firepower Management Center, you can give custom user roles the permission, with a password, to temporarily gain the privileges of another, targeted user role in addition to those of the base role. This feature allows you to easily substitute one user for another during an absence, or to more closely track the use of advanced user privileges. Default user roles do not support escalation. For example, a user whose base role has very limited privileges can escalate to the Administrator role to perform administrative actions. You can configure this feature so that users can use their own passwords, or so they use the password of another user that you specify. The second option allows you to easily manage one escalation password for all applicable users. To configure user role escalation, see the following workflow.
Procedure
Set the Escalation Target Role
You can assign any of your user roles, predefined or custom, to act as the system-wide escalation target role. This is the role to which a custom role can escalate, if it has the ability. Only one user role at a time can be the escalation target role. Each escalation lasts for the duration of a login session and is recorded in the audit log.
Procedure
Configure a Custom User Role for Escalation
Users for whom you want to enable escalation must belong to a custom user role with escalation enabled. This procedure describes how to enable escalation for a custom user role. Consider the needs of your organization when you configure the escalation password for a custom role. If you want to easily manage many escalating users, you might want to choose another user whose password serves as the escalation password. If you change that user’s password or deactivate that user, all escalating users who require that password are affected. This action allows you to manage user role escalation more efficiently, especially if you choose an externally-authenticated user that you can manage centrally.
Before you begin
Set a target user role according to Set the Escalation Target Role.
Procedure
Escalate Your User Role
When a user has an assigned custom user role with permission to escalate, that user can escalate to the target role’s permissions at any time. Note that escalation has no effect on user preferences.
Procedure
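The escalation workflow above (one target role, escalation only from custom roles that carry the permission, the password being the user's own or a designated user's, each escalation session-scoped and audit-logged), modelled as an added example that is not Cisco's code; the users, roles, permission names and passwords are constructed.

```python
# Model of the role escalation workflow described above: one system-wide target role, escalation
# only from custom roles that carry the permission, an escalation password that is either the
# user's own or a designated user's, and every escalation scoped to the login session and written
# to the audit log. Added illustration, not Cisco code; users, roles and passwords are constructed.
import hashlib, hmac, os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class User:
    name: str
    role: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    digest: bytes = b""
    def set_password(self, password: str) -> None:
        self.digest = _hash(password, self.salt)
    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.digest, _hash(password, self.salt))

@dataclass
class CustomRole:
    permissions: Set[str]
    can_escalate: bool = False
    escalation_password_user: Optional[str] = None  # None: the escalating user's own password

@dataclass
class Session:
    user: User
    escalated: bool = False  # lives only as long as the login session

class Fmc:
    def __init__(self, predefined: Dict[str, Set[str]], custom: Dict[str, CustomRole]):
        self.predefined, self.custom = predefined, custom
        self.users: Dict[str, User] = {}
        self.target_role: Optional[str] = None  # only one escalation target role at a time
        self.audit_log: List[Tuple[str, str, str]] = []
    def permissions_of(self, role: str) -> Set[str]:
        return self.predefined[role] if role in self.predefined else self.custom[role].permissions
    def escalate(self, session: Session, password: str) -> bool:
        role = self.custom.get(session.user.role)
        if role is None or not role.can_escalate or self.target_role is None:
            return False  # predefined roles, and custom roles without the permission, cannot escalate
        holder = session.user if role.escalation_password_user is None \
            else self.users[role.escalation_password_user]
        ok = holder.check_password(password)
        self.audit_log.append(("escalate" if ok else "escalate-denied", session.user.name, self.target_role))
        session.escalated = ok
        return ok
    def effective_permissions(self, session: Session) -> Set[str]:
        perms = set(self.permissions_of(session.user.role))
        if session.escalated:
            perms |= self.permissions_of(self.target_role)  # target privileges add to the base role
        return perms

def build_demo() -> Fmc:
    """Constructed deployment: 'ops' may escalate to Administrator using esc-admin's password."""
    fmc = Fmc(predefined={"Administrator": {"deploy", "manage-users", "view-events"},
                          "Security Analyst": {"view-events"}},
              custom={"Ops Escalator": CustomRole({"view-events"}, True, "esc-admin")})
    for name, role, pw in [("ops", "Ops Escalator", "Ops-Pass-1"), ("ana", "Security Analyst", "Ana-Pass-1"),
                           ("esc-admin", "Administrator", "Esc-Pass-1")]:
        fmc.users[name] = User(name, role)
        fmc.users[name].set_password(pw)
    fmc.target_role = "Administrator"
    return fmc
```

Changing esc-admin's password immediately changes the escalation password for every user of the Ops Escalator role, which is the management effect the text describes for a designated escalation user.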
Configure Cisco Security Manager Single Sign-on
Single sign-on enables integration between Cisco Security Manager (CSM) Version 4.7 or higher and the Firepower Management Center, which allows you to access the Firepower Management Center from CSM without additional authentication to log in. When managing an ASA with the ASA FirePOWER module, you may want to modify the policies deployed to the module. You can select the managing Firepower Management Center in CSM and launch it in a web browser.
Before you begin
Procedure
Troubleshooting LDAP Authentication Connections
If you create an LDAP authentication object and it either does not succeed in connecting to the server you select, or does not retrieve the list of users you want, you can tune the settings in the object. If the connection fails when you test it, try the following suggestions to troubleshoot your configuration:
If you can test your connection successfully but authentication does not work after you deploy a platform settings policy, check that authentication and the object you want to use are both enabled in the platform settings policy that is applied to the device. If you connect successfully but want to adjust the list of users retrieved by your connection, you can add or change a base filter or shell access filter or use a more restrictive or less restrictive base DN.
History for User Accounts