Cisco UCS supports two methods to authenticate user logins: local user accounts stored in Cisco UCS Manager, or a remote authentication service (LDAP, RADIUS, or TACACS+).

Note: You can only use one authentication method. For example, if you select LDAP as your authentication provider, you cannot use local, RADIUS, or TACACS+ for authentication.
If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Manager can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:
You can create user accounts in Cisco UCS Manager or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Manager GUI or Cisco UCS Manager CLI.
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Manager and that the names of those roles match the names used in Cisco UCS Manager. If an account does not have the required roles, the user is granted only read-only privileges.
The following table lists, for each remote authentication protocol, the attribute whose value carries the user's roles. Cisco UCS Manager checks the value of this attribute when it queries the remote authentication service during login.

Note: You cannot use any other attribute in the remote authentication service for the Cisco UCS roles. You must create the attribute required for that specific remote authentication service.

| Remote Authentication Protocol | Attribute Name |
|---|---|
| LDAP | CiscoAVPair |
| RADIUS | cisco-av-pair |
| TACACS+ | cisco-av-pair |
For LDAP, the following is the full definition for the CiscoAVPair OID:

```
CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
```
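An added example (not Cisco's code) that audits an LDAP export for the CiscoAVPair attribute the way Cisco UCS Manager evaluates it: the attribute must be present and single-valued, and only role names that match roles defined in UCS Manager are granted, otherwise the user falls back to read-only. The value format `shell:roles="r1,r2"`, the `UCS_ROLES` set and the sample entries are assumptions constructed for the example.

```python
"""Audit LDAP user entries for the CiscoAVPair attribute that Cisco UCS
Manager reads at login (added example, not Cisco's code; format assumed)."""
import re

ATTR = "CiscoAVPair"                       # attribute name used for LDAP
UCS_ROLES = {"admin", "aaa", "network", "storage", "read-only"}  # assumed
ROLES_RE = re.compile(r'shell:roles="([^"]*)"')

# Constructed sample directory export (not real data).
SAMPLE_LDIF = """\
dn: CN=alice,OU=Users,DC=example,DC=com
CiscoAVPair: shell:roles="admin,aaa"

dn: CN=bob,OU=Users,DC=example,DC=com
CiscoAVPair: shell:roles="operator"

dn: CN=carol,OU=Users,DC=example,DC=com
sAMAccountName: carol
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            entry.setdefault(key.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def effective_roles(entry):
    """Roles UCS Manager would grant: matching names, else read-only only."""
    values, problems, roles = entry.get(ATTR, []), [], set()
    if not values:
        problems.append("missing " + ATTR)
    if len(values) > 1:                    # schema marks it isSingleValued
        problems.append("multiple " + ATTR + " values")
    for v in values:
        m = ROLES_RE.search(v)
        if m:
            roles.update(r.strip() for r in m.group(1).split(",") if r.strip())
        else:
            problems.append("unparsable value: " + v)
    if roles - UCS_ROLES:                  # names must match UCS Manager roles
        problems.append("undefined roles: " + ", ".join(sorted(roles - UCS_ROLES)))
    return (roles & UCS_ROLES) or {"read-only"}, problems
```

Run `effective_roles` over each entry from `parse_ldif(SAMPLE_LDIF)` to list accounts that will silently land in read-only because their role names do not match.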
Creating a Remote Authentication Provider
Perform the following configuration in the LDAP server:
Create a CiscoAVPair attribute with an attribute ID of 1.3.6.1.4.1.9.287247.1. You cannot use an existing LDAP attribute.
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All log-in requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Manager.
Select LDAP as the primary authentication service. For more information, see Selecting a Primary Authentication Service.
Perform the following configuration in the RADIUS server:
Create the cisco-av-pairs attribute. You cannot use an existing RADIUS attribute.
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All log-in requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Manager.
Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. Complete the following fields in the Properties area:
Step 4. In the Actions area of the General tab, click Create RADIUS Provider.
Step 5. In the Create RADIUS Provider dialog box:
Step 6. Click Save Changes.
Select RADIUS as the primary authentication service. For more information, see Selecting a Primary Authentication Service.
Perform the following configuration in the TACACS+ server:
Create the cisco-av-pairs attribute. You cannot use an existing TACACS+ attribute.
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All log-in requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Manager.
Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. Complete the following field in the Properties area:
Step 4. In the Actions area of the General tab, click Create TACACS Provider.
Step 5. In the Create TACACS+ Provider dialog box:
Step 6. Click Save Changes.
Select TACACS as the primary authentication service. For more information, see Selecting a Primary Authentication Service.
Deleting a Remote Authentication Provider
Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. Right-click the LDAP provider you want to delete and choose Delete.
Step 4. If Cisco UCS Manager displays a confirmation dialog box, click Yes.

Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. Right-click the RADIUS provider you want to delete and choose Delete.
Step 4. If Cisco UCS Manager displays a confirmation dialog box, click Yes.

Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. Right-click the TACACS+ provider you want to delete and choose Delete.
Step 4. If Cisco UCS Manager displays a confirmation dialog box, click Yes.
If the system uses a remote authentication service, create a provider for that authentication service. If you chose console, you do not need to create a provider first.
Step 1. In the Navigation pane, click the Admin tab.
Step 2. In the Admin tab, expand .
Step 3. On the General tab, click the radio button for the primary authentication method you want to use.
Step 4. Click Save Changes.