Cisco UCS Central supports the following methods for authenticating user logins:
Each locally authenticated user account requires a password. Cisco recommends that each user have a strong password. A user with admin, aaa, or domain-group-management privileges can configure Cisco UCS Central to perform a password strength check on user passwords. If you enable the password strength check, each user must use a strong password.
Cisco UCS Central rejects any password that does not meet the following requirements:
Must contain a minimum of 8 characters and a maximum of 80 characters.
Must contain at least three of the following:
Must not contain a character that is repeated more than 3 times consecutively, such as aaabbb.
Must not be identical to the username or the reverse of the username.
Must pass a password dictionary check; that is, the password must not be based on a standard dictionary word.
Must not contain the following symbols: $ (dollar sign), ? (question mark), and = (equals sign).
Should not be blank for local user and admin accounts.
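The rules above expressed as a pre-check that can be run on candidate passwords, as an added example that is not Cisco's code. The four character classes and the small word list are assumptions, because the page's list under "at least three of the following" and the product's dictionary are not shown here.

```python
import re

# Constructed stand-in for the product's dictionary, which the page does not describe.
SAMPLE_WORDS = {"password", "welcome", "administrator", "cisco"}
FORBIDDEN = set("$?=")   # symbols the page lists as not allowed
MAX_RUN = 3              # literal reading of "more than 3 times consecutively"


def check_password(password, username, words=SAMPLE_WORDS):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if not 8 <= len(password) <= 80:
        problems.append("length")
    # Assumed character classes: the page's own list of classes is missing.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if sum(classes) < 3:
        problems.append("character-classes")
    # A run longer than MAX_RUN identical characters, e.g. "aaaa".
    if re.search(r"(.)\1{%d,}" % MAX_RUN, password):
        problems.append("repeated-character")
    if password in (username, username[::-1]):
        problems.append("username")
    # Simplified dictionary test: keep letters only, lower-case, exact word match.
    if re.sub(r"[^a-z]", "", password.lower()) in words:
        problems.append("dictionary")
    if FORBIDDEN & set(password):
        problems.append("forbidden-symbol")
    return problems
```

Running candidate passwords through `check_password` before submitting them shows which rule a rejected password would trip; the product's own check remains authoritative.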
The password profile contains the password history and the password change interval properties for all locally authenticated users of Cisco UCS Central. You cannot specify a different password profile for locally authenticated users.
Note: You must have admin, aaa, or domain-group-management privileges to change the password profile properties. Except for the password history, these properties do not apply to users with these administrative privileges.
The password history count prevents locally authenticated users from reusing the same password. When you configure the password history count, Cisco UCS Central stores up to a maximum of 15 previously used passwords. The password history count stores the passwords in reverse chronological order with the most recent password first. This ensures that the user can only reuse the oldest password when the history count reaches its threshold.
A user can create and use the number of passwords configured in the password history count before reusing a password. For example, if you set the password history count to 8, a user cannot reuse the first password until the ninth password expires.
By default, the password history is set to 0. This value disables the history count and allows users to reuse previously used passwords at any time.
You can clear the password history count for a locally authenticated user and enable reuse of previous passwords.
The password change interval restricts the number of password changes that a locally authenticated user can make within a specific number of hours. The following table describes the two interval configuration options for the password change interval.
Interval Configuration | Description | Example |
---|---|---|
No password change allowed | Does not allow changing passwords for a locally authenticated user within a specified number of hours after a password change. You can specify a no change interval between 1 and 745 hours. By default, the no change interval is 24 hours. | To prevent the user from changing passwords within 48 hours after a password change: |
Password changes allowed within change interval | Specifies the maximum number of times that a locally authenticated user password change can occur within a pre-defined interval. You can specify a change interval between 1 and 745 hours and a maximum number of password changes between 0 and 10. By default, a locally authenticated user is permitted a maximum of two password changes within a 48-hour interval. | To allow a password change for a maximum of one time within 24 hours after a password change: |
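A small model of the password profile described above (the history count and both change-interval modes), added here as an illustration and not Cisco's implementation. It assumes a sliding window measured in hours, counts the initial password as a change, and uses hypothetical names (`Profile`, `LocalUser`, `try_change`).

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

@dataclass
class Profile:                    # defaults are the ones the page states
    history_count: int = 0        # 0 disables the history check
    allow_changes: bool = True    # False selects "No password change allowed"
    no_change_hours: int = 24     # range 1-745
    interval_hours: int = 48      # range 1-745
    max_changes: int = 2          # range 0-10

@dataclass
class LocalUser:
    history: list = field(default_factory=list)  # (salt, digest), most recent first
    changes: list = field(default_factory=list)  # hour stamps of accepted changes

def _digest(password, salt):
    # History entries are kept as salted digests, never as plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def try_change(profile, user, new_password, now_hour):
    """Apply the profile to one change request; return (accepted, reason)."""
    if user.changes:
        if not profile.allow_changes:
            if now_hour - user.changes[-1] < profile.no_change_hours:
                return False, "no-change interval"
        else:
            recent = [t for t in user.changes if now_hour - t < profile.interval_hours]
            if len(recent) >= profile.max_changes:
                return False, "change limit"
    # Only the newest history_count entries block reuse.
    for salt, digest in user.history[:profile.history_count]:
        if hmac.compare_digest(digest, _digest(new_password, salt)):
            return False, "password history"
    salt = os.urandom(16)
    user.history.insert(0, (salt, _digest(new_password, salt)))
    del user.history[15:]         # the page's maximum of 15 stored passwords
    user.changes.append(now_hour)
    return True, "ok"
```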
Cisco UCS Central release 2.0 uses Windows passthrough authentication for remote user logins to add a level of security to account logins. Windows passthrough authentication provides a streamlined method to sign in to Cisco UCS Central without entering user credentials again after you log on to a computer residing on a domain.
A check box present at the login prompt enables Windows passthrough authentication. However, you cannot click the check box initially to sign on using the Windows credentials. Cisco UCS Central prompts you to download an external plugin. After you download, install, and enable the plugin, you can sign on using the Windows passthrough authentication.
Windows Passthrough authentication on Cisco UCS Central 2.0 has the following prerequisites:
Your Windows client system must be connected to an Active Directory domain, and you must be logged in with Active Directory credentials.
Active Directory deployment must support Active Directory Federation Services.
Your environment must have a minimum .NET Framework Version 4.0.30319.
Windows Passthrough authentication has the following limitations:
Cisco UCS Central supports Windows passthrough authentication only on Microsoft Internet Explorer version 11.
You must download and install a Cisco plugin.
Windows passthrough authentication is currently supported only when the authentication realm is set to LDAP, not RADIUS or TACACS+. The LDAP realm name must match the domain name. For example, if an LDAP realm name is CISCO/username, the LDAP realm would be CISCO as well.