User Accounts
You must provide a username and password to obtain local access
to the web interface or CLI on management center or a managed device. On managed devices, CLI users with Config level access can use
the expert
command to access the Linux shell. On the management center, all CLI users can use the expert
command. The threat
defense and management center can be configured to use external authentication, storing user credentials on an
external LDAP or RADIUS server; you can withhold or provide CLI access rights to
external users. The management center can be configured to support Single Sign-On (SSO) using any SSO provider
conforming to the Security Assertion Markup Language (SAML) 2.0 open standard
for authentication and authorization.
The management center CLI provides a single admin user who has access to all commands. The features management center web interface users can access are controlled by the privileges an administrator grants to the user account. On managed devices, the features that users can access for both the CLI and the web interface are controlled by the privileges an administrator grants to the user account.
Note |
The system audits user activity based on user accounts; make sure that users log into the system with the correct account. |
Caution |
All management center CLI users and, on managed devices, users with Config level CLI access can obtain root privileges in the Linux shell, which can present a security risk. For system security reasons, we strongly recommend:
|
Caution |
We strongly recommend that you do not use the Linux shell unless directed by Cisco TAC or explicit instructions in the Secure Firewall user documentation. |
Different appliances support different types of user accounts, each with different capabilities.
Secure Firewall Management Centers
Secure Firewall Management Centers support the following user account types:
-
A pre-defined admin account for web interface access, which has the administrator role and can be managed through the web interface.
-
Custom user accounts, which provide web interface access and which admin users and users with administrator privileges can create and manage.
-
A pre-defined admin account for CLI access. Users logging in with this account can use the
expert
command to gain access to the Linux shell.During initial configuration, the passwords for the CLI admin account and the web interface admin account are synchronized but, optionally, thereafter you can configure separate passwords for the two admin accounts.
Caution |
For system security reasons, Cisco strongly recommends that you not establish additional Linux shell users on any appliance. |
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual Devices
Secure Firewall Threat Defense and Secure Firewall Threat Defense Virtual devices support the following user account types:
-
A pre-defined admin account which can be used for all forms of access to the device.
-
Custom user accounts, which admin users and users with Config access can create and manage.
The Secure Firewall Threat Defense supports external authentication for SSH users.