FireSIGHT System User Guide (Cisco Firepower Management Center 4000), page 48-34
Chapter 48  Managing Users
Managing Authentication Objects
Configuring Administrative Shell Access
License: Any
You can also use the RADIUS server to authenticate accounts for shell access on your local appliance (managed device or Defense Center). Specify the user names of the users to whom you want to grant shell access. Note that you can only configure shell access for the first authentication object in your system policy. For more information on managing authentication object order, see 
Note: IPv6 addresses are not supported for shell authentication. If you configure a primary RADIUS server with an IPv6 address and also configure administrative shell access, the shell access settings are ignored. To allow shell authentication when using an IPv6 address for your primary RADIUS server, set up another authentication object using an IPv4 address for the server and use that object as the first authentication object in your system policy.
With the exception of the admin account, the shell access list you set on the RADIUS authentication object entirely controls shell access on the appliance. Shell users are configured as local users on the appliance when the system policy is applied. Note that when a user authenticated on a RADIUS server using attribute matching attempts to log in for the first time, the login is rejected while the local user account is created. The user must log in a second time.
A home directory for each shell user is created on login. When a RADIUS shell access user account is disabled (by disabling the RADIUS connection), the directory remains, but the user's login shell is set to /bin/false in /etc/passwd to disable the shell. If the user is then re-enabled, the shell is reset, using the same home directory.
Shell users can log in using user names with lowercase, uppercase, or mixed case letters, but login authentication for the shell is case sensitive: the user name must be typed with the same case it was configured with.
Caution: On Series 3 Defense Centers, all shell users have sudoers privileges. Make sure that you restrict the list of users with shell access appropriately. On Series 3 and virtual devices, shell access granted to externally authenticated users defaults to the Configuration level of command line access, which also grants sudoers privileges.
To configure shell account authentication:
Access: Admin
Step 1  Type the user names, separated by commas, in the Administrator Shell Access User List field.
Note: If you choose not to specify a shell access filter, a warning displays when you save the authentication object to confirm that you meant to leave the filter blank.
Step 2  Continue with .
Defining Custom RADIUS Attributes
License: Any