The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter includes the following sections:
Cisco UCS supports two methods to authenticate user logins:
If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Manager can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:
User accounts can exist locally in Cisco UCS Manager or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Manager GUI or Cisco UCS Manager CLI.
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Manager and that the names of those roles match the names used in Cisco UCS Manager. Depending on the role policy, a user may not be allowed to log in or will be granted only read-only privileges.
For RADIUS and TACACS+ configurations, you must configure a user attribute for Cisco UCS in each remote authentication provider through which users log in to Cisco UCS Manager. This user attribute holds the roles and locales assigned to each user.
Note |
This step is not required for LDAP configurations that use LDAP Group Mapping to assign roles and locales. |
When a user logs in, Cisco UCS Manager does the following:
The following is a sample OID for a custom CiscoAVPair attribute:
CN=CiscoAVPair,CN=Schema, CN=Configuration,CN=X objectClass: top objectClass: attributeSchema cn: CiscoAVPair distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X instanceType: 0x4 uSNCreated: 26318654 attributeID: 1.3.6.1.4.1.9.287247.1 attributeSyntax: 2.5.5.12 isSingleValued: TRUE showInAdvancedViewOnly: TRUE adminDisplayName: CiscoAVPair adminDescription: UCS User Authorization Field oMSyntax: 64 lDAPDisplayName: CiscoAVPair name: CiscoAVPair objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user.
Configuring LDAP Providers
The properties that you configure in this task apply to all LDAP provider connections.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
The following example sets the LDAP attribute to CiscoAvPair, the base distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com", the filter to sAMAccountName=$userid, and the timeout interval to 5 seconds, and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # set attribute CiscoAvPair UCS-A /security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com" UCS-A /security/ldap* # set filter sAMAccountName=$userid UCS-A /security/ldap* # set timeout 5 UCS-A /security/ldap* # commit-buffer UCS-A /security/ldap #
Create an LDAP provider.
Cisco UCS Manager supports a maximum of 16 LDAP providers.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
The following example creates an LDAP server instance named 10.193.169.246, configures the binddn, password, order, port, and SSL settings, and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap* # create server 10.193.169.246 UCS-A /security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com" UCS-A /security/ldap/server* # set password Enter the password: Confirm the password: UCS-A /security/ldap/server* # set order 2 UCS-A /security/ldap/server* # set port 389 UCS-A /security/ldap/server* # set ssl yes UCS-A /security/ldap/server* # set timeout 30 UCS-A /security/ldap/server* # commit-buffer UCS-A /security/ldap/server #
For implementations involving a single LDAP database, select LDAP as the authentication service.
For implementations involving multiple LDAP databases, configure an LDAP provider group.
The following example sets the LDAP group rule to enable authorization, sets the member of attribute to ldapdb1, sets the traversal to non-recursive, and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # scope server ldapprovider UCS-A /security/ldap/server # scope ldap-group-rule UCS-A /security/ldap/server/ldap-group-rule # set authorization enable UCS-A /security/ldap/server/ldap-group-rule* # set member-of-attribute ldapdb1 UCS-A /security/ldap/server/ldap-group-rule* # set traversal non-recursive UCS-A /security/ldap/server/ldap-group-rule* # commit-buffer UCS-A /security/ldap/server/ldap-group-rule #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode |
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode |
Step 3 | UCS-A /security/ldap # delete server serv-name | Deletes the specified server. |
Step 4 | UCS-A /security/ldap # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the LDAP server called ldap1 and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # delete server ldap1 UCS-A /security/ldap* # commit-buffer UCS-A /security/ldap #
For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by UCSM to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Manager is deployed.
When a user logs in to Cisco UCS Manager, information about the user's role and locale are pulled from the LDAP group map. If the role and locale criteria match the information in the policy, access is granted.
Role and locale definitions are configured locally in UCSM and do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it is important that you update your Cisco UCS Manager instance with the change.
Note |
Cisco UCS Manager includes many out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale. |
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode. |
Step 3 | UCS-A /security/ldap # create ldap-group group-dn | Creates an LDAP group map for the specified DN. |
Step 4 | UCS-A /security/ldap/ldap-group # create locale locale-name | Maps the LDAP group to the specified locale. |
Step 5 | UCS-A /security/ldap/ldap-group # create role role-name | Maps the LDAP group to the specified role. |
Step 6 | UCS-A /security/ldap/ldap-group # commit-buffer | Commits the transaction to the system configuration. |
The following example maps the LDAP group mapped to a DN, sets the locale to pacific, sets the role to admin, and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com UCS-A /security/ldap/ldap-group* # create locale pacific UCS-A /security/ldap/ldap-group* # create role admin UCS-A /security/ldap/ldap-group* # commit-buffer UCS-A /security/ldap/ldap-group #
Set the LDAP group rule.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode. |
Step 3 | UCS-A /security/ldap # delete ldap-group group-dn | Deletes the LDAP group map for the specified DN. |
Step 4 | UCS-A /security/ldap # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes an LDAP group map and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com UCS-A /security/ldap* # commit-buffer UCS-A /security/ldap #
Configuring RADIUS Providers
The properties that you configure in this task apply to all RADIUS provider connections.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope radius | Enters security RADIUS mode. |
Step 3 | UCS-A /security/radius # set retries retry-num | (Optional) Sets the number of times to retry communicating with the RADIUS server before noting the server as down. |
Step 4 | UCS-A /security/radius # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down. |
Step 5 | UCS-A /security/radius # commit-buffer | Commits the transaction to the system configuration. |
The following example sets the RADIUS retries to 4, sets the timeout interval to 30 seconds, and commits the transaction:
UCS-A# scope security UCS-A /security # scope radius UCS-A /security/radius # set retries 4 UCS-A /security/radius* # set timeout 30 UCS-A /security/radius* # commit-buffer UCS-A /security/radius #
Create a RADIUS provider.
Cisco UCS Manager supports a maximum of 16 RADIUS providers.
Perform the following configuration in the RADIUS server:
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope radius | Enters security RADIUS mode. |
Step 3 | UCS-A /security/radius # create server server-name | Creates a RADIUS server instance and enters security RADIUS server mode |
Step 4 | UCS-A /security/radius/server # set authport authport-num | (Optional) Specifies the port used to communicate with the RADIUS server. |
Step 5 | UCS-A /security/radius/server # set key | Sets the RADIUS server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt. |
Step 6 | UCS-A /security/radius/server # set order order-num | (Optional) Specifies when in the order this server will be tried. |
Step 7 | UCS-A /security/radius # set retries retry-num | (Optional) Sets the number of times to retry communicating with the RADIUS server before noting the server as down. |
Step 8 | UCS-A /security/radius # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down. |
Step 9 | UCS-A /security/radius/server # commit-buffer | Commits the transaction to the system configuration. |
The following example creates a server instance named radiusserv7, sets the authentication port to 5858, sets the key to radiuskey321, sets the order to 2, sets the retries to 4, sets the timeout to 30, and commits the transaction:
UCS-A# scope security UCS-A /security # scope radius UCS-A /security/radius # create server radiusserv7 UCS-A /security/radius/server* # set authport 5858 UCS-A /security/radius/server* # set key Enter the key: radiuskey321 Confirm the key: radiuskey321 UCS-A /security/radius/server* # set order 2 UCS-A /security/radius/server* # set retries 4 UCS-A /security/radius/server* # set timeout 30 UCS-A /security/radius/server* # commit-buffer UCS-A /security/radius/server #
For implementations involving a single RADIUS database, select RADIUS as the primary authentication service.
For implementations involving multiple RADIUS databases, configure a RADIUS provider group.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope RADIUS | Enters security RADIUS mode. |
Step 3 | UCS-A /security/radius # delete server serv-name | Deletes the specified server. |
Step 4 | UCS-A /security/radius # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the RADIUS server called radius1 and commits the transaction:
UCS-A# scope security UCS-A /security # scope radius UCS-A /security/radius # delete server radius1 UCS-A /security/radius* # commit-buffer UCS-A /security/radius #
Configuring TACACS+ Providers
The properties that you configure in this task apply to all TACACS+ provider connections.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope tacacs | Enters security TACACS+ mode. |
Step 3 | UCS-A /security/tacacs # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down. |
Step 4 | UCS-A /security/tacacs # commit-buffer | Commits the transaction to the system configuration. |
The following example sets the TACACS+ timeout interval to 45 seconds and commits the transaction:
UCS-A# scope security UCS-A /security # scope tacacs UCS-A /security/tacacs # set timeout 45 UCS-A /security/tacacs* # commit-buffer UCS-A /security/tacacs #
Create a TACACS+ provider.
Cisco UCS Manager supports a maximum of 16 TACACS+ providers.
Perform the following configuration in the TACACS+ server:
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope tacacs | Enters security TACACS+ mode. |
Step 3 | UCS-A /security/tacacs # create server server-name | Creates an TACACS+ server instance and enters security TACACS+ server mode |
Step 4 | UCS-A /security/tacacs/server # set key | (Optional) Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt. |
Step 5 | UCS-A /security/tacacs/server # set order order-num | (Optional) Specifies when in the order this server will be tried. |
Step 6 | UCS-A /security/tacacs/server # set port port-num | Specifies the port used to communicate with the TACACS+ server. |
Step 7 | UCS-A /security/tacacs/server # commit-buffer | Commits the transaction to the system configuration. |
The following example creates a server instance named tacacsserv680, sets the key to tacacskey321, sets the order to 4, sets the authentication port to 5859, and commits the transaction:
UCS-A# scope security UCS-A /security # scope tacacs UCS-A /security/tacacs # create server tacacsserv680 UCS-A /security/tacacs/server* # set key Enter the key: tacacskey321 Confirm the key: tacacskey321 UCS-A /security/tacacs/server* # set order 4 UCS-A /security/tacacs/server* # set port 5859 UCS-A /security/tacacs/server* # commit-buffer UCS-A /security/tacacs/server #
For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication service.
For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope tacacs | Enters security TACACS mode. |
Step 3 | UCS-A /security/tacacs # delete server serv-name | Deletes the specified server. |
Step 4 | UCS-A /security/tacacs # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes the TACACS server called tacacs1 and commits the transaction:
UCS-A# scope security UCS-A /security # scope tacacs UCS-A /security/tacacs # delete server TACACS1 UCS-A /security/tacacs* # commit-buffer UCS-A /security/tacacs #
Configuring Multiple Authentication Systems
You can configure Cisco UCS to use multiple authentication systems by configuring the following features:
Once provider groups and authentication domains have been configured in Cisco UCS Manager, the following syntax can be used to log in to the system using Cisco UCS Manager CLI: ucs: auth-domain \ user-name
When multiple authentication domains and native authentication are configured with a remote authentication service, use one of the following syntax examples to log in with SSH or Putty:
From a Linux terminal:
From a Putty client:
A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Manager allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.
During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Manager automatically falls back to the local authentication method using the local username and password.
Note |
Authenticating with a single LDAP database does not require you to set up an LDAP provider group. |
Create one or more LDAP providers.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode. |
Step 3 | UCS-A /security/ldap # create auth-server-group auth-server-group-name | Creates an LDAP provider group and enters authentication server group security LDAP mode. |
Step 4 | UCS-A /security/ldap/auth-server-group # create server-ref ldap-provider-name | Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode. |
Step 5 | UCS-A /security/ldap/auth-server-group/server-ref # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority. |
Step 6 | UCS-A /security/ldap/auth-server-group/server-ref # commit-buffer | Commits the transaction to the system configuration. |
The following example creates an LDAP provider group called ldapgroup, adds two previously configured providers called ldap1 and ldap2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # create auth-server-group ldapgroup UCS-A /security/ldap/auth-server-group* # create server-ref ldap1 UCS-A /security/ldap/auth-server-group/server-ref* # set order 1 UCS-A /security/ldap/auth-server-group/server-ref* # up UCS-A /security/ldap/auth-server-group* # create server-ref ldap2 UCS-A /security/ldap/auth-server-group/server-ref* # set order 2 UCS-A /security/ldap/auth-server-group/server-ref* # commit-buffer UCS-A /security/ldap/auth-server-group/server-ref #
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope ldap | Enters security LDAP mode. |
Step 3 | UCS-A /security/ldap # delete auth-server-group auth-server-group-name | Deletes the LDAP provider group. |
Step 4 | UCS-A /security/ldap # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes an LDAP provider group called ldapgroup and commits the transaction:
UCS-A# scope security UCS-A /security # scope ldap UCS-A /security/ldap # delete auth-server-group ldapgroup UCS-A /security/ldap* # commit-buffer UCS-A /security/ldap #
Note |
Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group. |
Create one or more RADIUS providers.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope radius | Enters security RADIUS mode. |
Step 3 | UCS-A /security/radius # create auth-server-group auth-server-group-name | Creates a RADIUS provider group and enters authentication server group security RADIUS mode. |
Step 4 | UCS-A /security/RADIUS/auth-server-group # create server-ref radius-provider-name | Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode. |
Step 5 | UCS-A /security/radius/auth-server-group/server-ref # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority. |
Step 6 | UCS-A /security/radius/auth-server-group/server-ref # commit-buffer | Commits the transaction to the system configuration. |
The following example creates a RADIUS provider group called radiusgroup, adds two previously configured providers called radius1 and radius2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security UCS-A /security # scope radius UCS-A /security/radius # create auth-server-group radiusgroup UCS-A /security/radius/auth-server-group* # create server-ref radius1 UCS-A /security/radius/auth-server-group/server-ref* # set order 1 UCS-A /security/radius/auth-server-group/server-ref* # up UCS-A /security/radius/auth-server-group* # create server-ref radius2 UCS-A /security/radius/auth-server-group/server-ref* # set order 2 UCS-A /security/radius/auth-server-group/server-ref* # commit-buffer UCS-A /security/radius/auth-server-group/server-ref #
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope radius | Enters security RADIUS mode. |
Step 3 | UCS-A /security/radius # delete auth-server-group auth-server-group-name | Deletes the RADIUS provider group. |
Step 4 | UCS-A /security/radius # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes a RADIUS provider group called radiusgroup and commits the transaction:
UCS-A# scope security UCS-A /security # scope radius UCS-A /security/radius # delete auth-server-group radiusgroup UCS-A /security/radius* # commit-buffer UCS-A /security/radius #
Note |
Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider group. |
Create a TACACS provider.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope tacacs | Enters security TACACS mode. |
Step 3 | UCS-A /security/tacacs # create auth-server-group auth-server-group-name | Creates a TACACS provider group and enters authentication server group security TACACS mode. |
Step 4 | UCS-A /security/tacacs/auth-server-group # create server-ref tacacs-provider-name | Adds the specified TACACS provider to the TACACS provider group and enters server reference authentication server group security TACACS mode. |
Step 5 | UCS-A /security/tacacs/auth-server-group/server-ref # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority. |
Step 6 | UCS-A /security/tacacs/auth-server-group/server-ref # commit-buffer | Commits the transaction to the system configuration. |
The following example creates a TACACS provider group called tacacsgroup, adds two previously configured providers called tacacs1 and tacacs2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security UCS-A /security # scope tacacs UCS-A /security/tacacs # create auth-server-group tacacsgroup UCS-A /security/tacacs/auth-server-group* # create server-ref tacacs1 UCS-A /security/tacacs/auth-server-group/server-ref* # set order 1 UCS-A /security/tacacs/auth-server-group/server-ref* # up UCS-A /security/tacacs/auth-server-group* # create server-ref tacacs2 UCS-A /security/tacacs/auth-server-group/server-ref* # set order 2 UCS-A /security/tacacs/auth-server-group/server-ref* # commit-buffer UCS-A /security/tacacs/auth-server-group/server-ref #
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope tacacs | Enters security TACACS mode. |
Step 3 | UCS-A /security/tacacs # delete auth-server-group auth-server-group-name | Deletes the TACACS provider group. |
Step 4 | UCS-A /security/tacacs # commit-buffer | Commits the transaction to the system configuration. |
The following example deletes a TACACS provider group called tacacsgroup and commits the transaction:
UCS-A# scope security UCS-A /security # scope tacacs UCS-A /security/tacacs # delete auth-server-group tacacsgroup UCS-A /security/tacacs* # commit-buffer UCS-A /security/tacacs #
Authentication domains are used by Cisco UCS Manager to leverage multiple authentication systems. Each authentication domain is specified and configured during login. If no authentication domain is specified, the default authentication service configuration is used.
You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Manager. If no provider group is specified, all servers within the realm are used.
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
||
Step 2 | UCS-A /security # create auth-domain domain-name | Creates an authentication domain and enters authentication domain mode.
|
||
Step 3 | UCS-A /security/auth-domain # create default-auth | Creates a default authentication for the specified authentication domain. |
||
Step 4 | UCS-A /security/auth-domain/default-auth # set auth-server-group auth-serv-group-name | (Optional) Specifies the provider group for the specified authentication domain. |
||
Step 5 | UCS-A /security/auth-domain/default-auth # set realm {ldap | local | radius | tacacs} | Specifies the realm for the specified authentication domain. |
||
Step 6 | UCS-A /security/auth-domain/default-auth # commit-buffer | Commits the transaction to the system configuration. |
UCS-A# scope security UCS-A /security # create auth-domain domain1 UCS-A /security/auth-domain* # create default-auth UCS-A /security/auth-domain/auth-domain* # set auth-server-group ldapgroup1 UCS-A /security/auth-domain/auth-domain* # set realm ldap UCS-A /security/auth-domain/auth-domain* # commit-buffer UCS-A /security/auth-domain/auth-domain #
Selecting an Authentication Service
If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope console-auth | Enters console authorization security mode. |
Step 3 | UCS-A /security/console-auth # set realm auth-type | Specifies the console authentication, where the auth-type argument is one of the following keywords: |
Step 4 | UCS-A /security/console-auth # set auth-server-group auth-serv-group-name | (Optional) The associated provider group, if any. |
Step 5 | UCS-A /security/console-auth # commit-buffer | Commits the transaction to the system configuration. |
The following example sets the authentication to LDAP, sets the console authentication provider group to provider1, and commits the transaction:
UCS-A# scope security UCS-A /security # scope console-auth UCS-A /security/console-auth # set realm local UCS-A /security/console-auth # set auth-server-group provider1 UCS-A /security/console-auth* # commit-buffer UCS-A /security/console-auth #
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # scope default-auth | Enters default authorization security mode. |
Step 3 | UCS-A /security/default-auth # set realm auth-type | Specifies the default authentication, where the auth-type argument is one of the following keywords: |
Step 4 | UCS-A /security/default-auth # set auth-server-group auth-serv-group-name | (Optional) The associated provider group, if any. |
Step 5 | UCS-A /security/default-auth # commit-buffer | Commits the transaction to the system configuration. |
The following example sets the default authentication to LDAP, sets the default authentication provider group to provider1, and commits the transaction:
UCS-A# scope security UCS-A /security # scope default-auth UCS-A /security/default-auth # set realm ldap UCS-A /security/default-auth # set auth-server-group provider1 UCS-A /security/default-auth* # commit-buffer UCS-A /security/default-auth #
By default, if user roles are not configured in Cisco UCS Manager read-only access is granted to all users logging in to Cisco UCS Manager from a remote server using the LDAP, RADIUS, or TACACS protocols. For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Manager.
Does not restrict user access to Cisco UCS Manager based on user roles. Read-only access is granted to all users unless other user roles have been defined in Cisco UCS Manager.
This is the default behavior.
Restricts user access to Cisco UCS Manager based on user roles. If user roles have not been assigned for the remote authentication system, access is denied.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCS-A# scope security | Enters security mode. |
Step 2 | UCS-A /security # set remote-user default-role {assign-default-role | no-login} | Specifies whether user access to Cisco UCS Manager is restricted based on user roles. |
Step 3 | UCS-A /security # commit-buffer | Commits the transaction to the system configuration. |
UCS-A# scope security UCS-A /security # set remote-user default-role assign-default-role UCS-A /security* # commit-buffer UCS-A /security #