Cisco UCS Central CLI Configuration Guide, Release 1.0
Configuring Authentication

Authentication Services

Cisco UCS Central supports LDAP for remote authentication; RADIUS and TACACS+ cannot be used to authenticate to Cisco UCS Central itself in this release. RADIUS, TACACS+ and LDAP authentication are all supported in locally managed Cisco UCS domains, and Cisco UCS Central can define the provider policies that those domains consume.

Guidelines and Recommendations for Remote Authentication Providers

If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Central can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:

User Accounts in Remote Authentication Services

User accounts can exist locally in Cisco UCS Central or in the remote authentication server. The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Central GUI or Cisco UCS Central CLI.

User Roles in Remote Authentication Services

If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Central and that the names of those roles exactly match the names used in Cisco UCS Central. A remote user whose roles do not match any Cisco UCS Central role is handled according to the role policy: the user is either denied login or granted only read-only privileges.

User Attributes in Remote Authentication Providers

When a user logs in, Cisco UCS Central does the following:

  1. Queries the remote authentication service.
  2. Validates the user.
  3. If the user is validated, checks for the roles and locales assigned to that user.

The following table contains a comparison of the user attribute requirements for the remote authentication providers supported by Cisco UCS Central. Only LDAP is listed because it is the only remote provider Cisco UCS Central can authenticate against in this release.

Table 1 Comparison of User Attributes by Remote Authentication Provider

Authentication Provider: LDAP

Custom Attribute: Optional

Schema Extension: Optional. You can choose to do either of the following:

  • Do not extend the LDAP schema and configure an existing, unused attribute that meets the requirements.
  • Extend the LDAP schema and create a custom attribute with a unique name, such as CiscoAVPair.

Attribute ID Requirements: The Cisco LDAP implementation requires a unicode type attribute. If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1

A sample schema definition that uses this OID is provided in the following section.

Sample OID for LDAP User Attribute

The following is a sample Active Directory schema definition for a custom CiscoAVPair attribute. The attributeID line carries the OID given above; attributeSyntax 2.5.5.12 together with oMSyntax 64 is the Unicode string syntax that the Cisco LDAP implementation requires. CN=X is a placeholder for the rest of your forest's DN:

dn: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X

LDAP Group Rule

The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user.

Configuring LDAP Providers

Configuring Properties for LDAP Providers

The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.

If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.

Procedure
      Command or Action Purpose
    Step 1 UCSC# connect policy-mgr  

    Enters policy manager mode.

     
    Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

     
    Step 3 UCSC(policy-mgr) /domain-group # scope security  

    Enters security mode.

     
    Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

    Enters security LDAP mode.

     
    Step 5 UCSC(policy-mgr) /domain-group/security/ldap # set attribute attribute  

    Sets the default LDAP attribute that holds the user's roles and locales (for example, CiscoAVPair). After a user is validated, the system reads this attribute from the user's record.

     
    Step 6 UCSC(policy-mgr) /domain-group/security/ldap* # set basedn distinguished-name  

    Sets the default base distinguished name: the point in the LDAP hierarchy where the search for the user's DN begins when a remote user logs in.

     
    Step 7 UCSC(policy-mgr) /domain-group/security/ldap* # set filter filter  

    Sets the default search filter. The $userid placeholder is replaced with the login name, so sAMAccountName=$userid finds the Active Directory record for that user.

     
    Step 8 UCSC(policy-mgr) /domain-group/security/ldap* # set timeout seconds  

    Sets the time interval the system waits for a response from the LDAP server before noting the server as down.

     
    Step 9 UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer  

    Commits the transaction to the system configuration.

     

    The following example shows how to set the LDAP attribute to CiscoAvPair, the base distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com", the filter to sAMAccountName=$userid, and the timeout interval to 5 seconds, and commit the transaction:

    UCSC # connect policy-mgr
    UCSC(policy-mgr)# scope domain-group
    UCSC(policy-mgr) /domain-group # scope security
    UCSC(policy-mgr) /domain-group/security # scope ldap
    UCSC(policy-mgr) /domain-group/security/ldap # set attribute CiscoAvPair
    UCSC(policy-mgr) /domain-group/security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
    UCSC(policy-mgr) /domain-group/security/ldap* # set filter sAMAccountName=$userid
    UCSC(policy-mgr) /domain-group/security/ldap* # set timeout 5
    UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
    UCSC(policy-mgr) /domain-group/security/ldap # 
    
    What to Do Next

    Create an LDAP provider.

    Creating an LDAP Provider

    Cisco UCS Central supports a maximum of 16 LDAP providers.

    Before You Begin

    If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password. The bind account needs only read and search permission for objects under the base DN; do not reuse a domain administrator account, because the password is stored in the provider configuration and, if SSL is disabled, crosses the network in clear text.

    • In the LDAP server, perform one of the following configurations:
      • Configure LDAP groups. LDAP groups contain user role and locale information.
      • Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose whether to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute. The Cisco LDAP implementation requires a unicode type attribute. If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
    • For a cluster configuration, add the management port IP addresses of both fabric interconnects in the LDAP server (this applies to the Cisco UCS domains that use the provider). This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests from the domain are sourced from these IP addresses, not from the virtual IP address.
    • If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Central.
    Procedure
        Command or Action Purpose
      Step 1 UCSC# connect policy-mgr  

      Enters policy manager mode.

       
      Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

      Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

       
      Step 3 UCSC(policy-mgr) /domain-group # scope security  

      Enters security mode.

       
      Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

      Enters security LDAP mode.

       
      Step 5 UCSC(policy-mgr) /domain-group/security/ldap # create server server-name  

      Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's certificate. If you use a hostname rather than an IP address, you must configure a DNS server: in Cisco UCS Manager if the Cisco UCS domain is not registered with Cisco UCS Central or DNS management is set to local, or in Cisco UCS Central if the domain is registered and DNS management is set to global.

       
      Step 6 UCSC(policy-mgr) /domain-group/security/ldap/server* # set attribute attribute   (Optional)

      An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

      If you do not want to extend your LDAP schema, you can configure an existing, unused LDAP attribute with the Cisco UCS roles and locales. Alternatively, you can create an attribute named CiscoAVPair in the remote authentication service with the following attribute ID: 1.3.6.1.4.1.9.287247.1

      This value is required unless a default attribute has been set with set attribute in security LDAP mode (the LDAP General tab in the GUI).

       
      Step 7 UCSC(policy-mgr) /domain-group/security/ldap/server* # set basedn basedn-name   (Optional)

      The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user's DN based on their username. The length of the base DN plus the remote username cannot exceed 255 characters.

      This value is required unless a default base DN has been set with set basedn in security LDAP mode (the LDAP General tab in the GUI).

       
      Step 8 UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn binddn-name   (Optional)

      The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN.

      The maximum supported string length is 255 ASCII characters.

       
      Step 9 UCSC(policy-mgr) /domain-group/security/ldap/server* # set filter filter-value   (Optional)

      The LDAP search is restricted to those usernames that match the defined filter.

      This value is required unless a default filter has been set with set filter in security LDAP mode (the LDAP General tab in the GUI).

       
      Step 10 UCSC(policy-mgr) /domain-group/security/ldap/server* # set password  

      The password for the LDAP database account specified in the Bind DN field. You can enter any standard ASCII characters except for space, § (section sign), ? (question mark), or = (equal sign).

      To set the password, press Enter after typing the set password command and enter the key value at the prompt.

       
      Step 11 UCSC(policy-mgr) /domain-group/security/ldap/server* # set order order-num   (Optional)

      The order in which Cisco UCS uses this provider to authenticate users.

       
      Step 12 UCSC(policy-mgr) /domain-group/security/ldap/server* # set port port-num   (Optional)

      The port through which Cisco UCS communicates with the LDAP database. The standard port number is 389.

       
      Step 13 UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl {yes | no}  

      Enables or disables the use of encryption when communicating with the LDAP server. The options are as follows:

      • yes: Encryption is required. If encryption cannot be negotiated, the connection fails. The server-name must match a CN in the server's certificate, and the root CA of the LDAP server must be present in a trusted point (see Before You Begin).
      • no: Encryption is disabled. Authentication information, including the bind DN password and each user's login password, is sent as clear text.

      Cisco UCS uses STARTTLS: the session starts on the standard LDAP port, 389, and is upgraded to TLS on that same port, so no separate LDAPS port is needed.

       
      Step 14 UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout timeout-num  

      The length of time in seconds the system should spend trying to contact the LDAP database before it times out.

      Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value set with set timeout in security LDAP mode (the LDAP General tab in the GUI). The default is 30 seconds.

       
      Step 15 UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer  

      Commits the transaction to the system configuration.

       

      The following example shows how to create an LDAP server instance named 10.193.169.246, configure the bind DN, password, order, port, SSL and timeout settings, and commit the transaction:

      UCSC # connect policy-mgr
      UCSC(policy-mgr)# scope domain-group
      UCSC(policy-mgr) /domain-group # scope security
      UCSC(policy-mgr) /domain-group/security # scope ldap
      UCSC(policy-mgr) /domain-group/security/ldap # create server 10.193.169.246
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set password
      Enter the password:
      Confirm the password:
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set order 2
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set port 389
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl yes
      UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout 30
      UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer
      UCSC(policy-mgr) /domain-group/security/ldap/server # 
      
      What to Do Next

      • For implementations involving a single LDAP database, select LDAP as the authentication service.
      • For implementations involving multiple LDAP databases, configure an LDAP provider group.
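
      Before committing a provider it is worth checking the definition against the limits this procedure states and replaying the bind and search it will perform. The following is an added example, not Cisco UCS Central code: it validates the settings (base DN plus username within 255 characters, bind DN within 255 ASCII characters, no space, ? or = in the password, timeout 0 or 1 to 60, STARTTLS with a trusted point) and builds the OpenLDAP ldapsearch command that exercises the same STARTTLS bind and subtree search. The server, base DN and bind DN are the ones from the example above; the password, the longest-username assumption, the RFC 4515 escaping of the substituted username and the use of ldapsearch are assumptions.

```python
"""Pre-commit checks for an LDAP provider definition.

Added example, not Cisco UCS Central code: it replays the limits this chapter
states (255-character DN limits, disallowed password characters, 0..60 second
timeout, STARTTLS on the LDAP port) and builds the ldapsearch command that
exercises the same bind and search before you commit the provider.
"""
from __future__ import annotations

from dataclasses import dataclass

# Characters the chapter excludes from the bind password; the section sign is
# non-ASCII, so the isascii() check below covers it.
FORBIDDEN_PASSWORD_CHARS = set(" ?=")

# RFC 4515 escaping for values substituted into a search filter (assumption:
# the provider does the substitution itself; this matters when you replay it).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


@dataclass
class LdapProvider:
    server: str                      # IP or FQDN; must match a CN in the certificate when ssl is on
    basedn: str
    binddn: str
    password: str
    filter: str = "sAMAccountName=$userid"
    attribute: str = "CiscoAVPair"   # attribute holding the user's roles and locales
    port: int = 389
    ssl: bool = True
    timeout: int = 0                 # 0 = use the global value, otherwise 1..60 seconds
    has_trusted_point: bool = False  # root CA of the LDAP server imported as a trusted point


def validate_provider(p: LdapProvider, sample_username: str = "x" * 64) -> list[str]:
    """Return the problems found; an empty list means the settings respect the chapter's limits.

    sample_username stands in for the longest login name you expect, because the
    255-character limit applies to base DN plus username, not the base DN alone."""
    problems = []
    if len(p.basedn) + len(sample_username) > 255:
        problems.append("base DN plus remote username exceeds 255 characters")
    if len(p.binddn) > 255 or not p.binddn.isascii():
        problems.append("bind DN must be at most 255 ASCII characters")
    bad = FORBIDDEN_PASSWORD_CHARS & set(p.password)
    if bad or not p.password.isascii():
        problems.append("bind password contains disallowed or non-ASCII characters: %s" % sorted(bad))
    if "$userid" not in p.filter:
        problems.append("filter has no $userid placeholder; every login would match the same record")
    if not 0 <= p.timeout <= 60:
        problems.append("timeout must be 0 (use the global value) or 1 to 60 seconds")
    if not p.ssl:
        problems.append("ssl is off: the bind password and user passwords cross the network in clear text")
    elif not p.has_trusted_point:
        problems.append("ssl is on but no trusted point holds the LDAP server's root CA")
    return problems


def escape_filter_value(value: str) -> str:
    """Escape a username before it is substituted into the filter template."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, username: str) -> str:
    """Substitute $userid as the provider does, with the value escaped so a login
    name such as j*)(cn=* cannot widen the search when replayed with ldapsearch."""
    rendered = template.replace("$userid", escape_filter_value(username))
    return rendered if rendered.startswith("(") else "(%s)" % rendered


def ldapsearch_argv(p: LdapProvider, username: str) -> list[str]:
    """Build the OpenLDAP ldapsearch invocation that reproduces the provider's behaviour:
    STARTTLS on the LDAP port (-ZZ makes the command fail if TLS cannot be negotiated),
    a simple bind as the bind DN (-W prompts for the password), then a subtree search
    from the base DN for the user's record, returning the authorization attribute and memberOf."""
    argv = ["ldapsearch"]
    if p.ssl:
        argv.append("-ZZ")
    argv += ["-H", "ldap://%s:%d" % (p.server, p.port),
             "-D", p.binddn, "-W",
             "-b", p.basedn, "-s", "sub",
             "-o", "nettimeout=%d" % (p.timeout or 30),
             render_filter(p.filter, username), p.attribute, "memberOf"]
    return argv


# Server, base DN and bind DN from the chapter's example; password and trusted point are constructed.
EXAMPLE = LdapProvider(
    server="10.193.169.246",
    basedn="DC=cisco-ucsm-aaa3,DC=qalab,DC=com",
    binddn="cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com",
    password="correct-horse-battery",
    ssl=True,
    timeout=30,
    has_trusted_point=True,
)

if __name__ == "__main__":
    import shlex
    for problem in validate_provider(EXAMPLE):
        print("problem:", problem)
    print(shlex.join(ldapsearch_argv(EXAMPLE, "jdoe")))
```

      Run the printed ldapsearch command from a host that can reach the LDAP server: a TLS failure with -ZZ points at the certificate CN or the missing root CA, a bind failure at the bind DN or password, and an empty result at the base DN or filter. Note that the chapter's example binds as cn=Administrator; the validator does not flag that, but a dedicated read-only bind account is the better choice.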

      Changing the LDAP Group Rule for an LDAP Provider

      Procedure
          Command or Action Purpose
        Step 1 UCSC# connect policy-mgr  

        Enters policy manager mode.

         
        Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

         
        Step 3 UCSC(policy-mgr) /domain-group # scope security  

        Enters security mode.

         
        Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

        Enters security LDAP mode.

         
        Step 5 UCSC(policy-mgr) /domain-group/security/ldap # scope server ldap-provider  

        Enters security LDAP provider mode.

         
        Step 6 UCSC(policy-mgr) /domain-group/security/ldap/server # scope ldap-group-rule  

        Enters LDAP group rule mode.

         
        Step 7 UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule # set authorization {enable | disable}  

        Specifies whether Cisco UCS searches LDAP groups when assigning user roles and locales to a remote user.

        • disable: Cisco UCS does not access any LDAP groups.
        • enable: Cisco UCS searches the LDAP provider groups mapped in this Cisco UCS domain. If the remote user is found, Cisco UCS assigns the user roles and locales defined for that LDAP group in the associated LDAP group map.
        Note   

        Role and locale assignment is cumulative. If a user is included in multiple groups, or has a role or locale specified in the LDAP attribute, Cisco UCS assigns that user all the roles and locales mapped to any of those groups or attributes.

         
        Step 8 UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set member-of-attribute attr-name  

        The attribute Cisco UCS uses to determine group membership in the LDAP database.

        The supported string length is 63 characters. The default string is memberOf.

         
        Step 9 UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set traversal {non-recursive | recursive}  

        Specifies whether Cisco UCS takes the settings for a group member's parent group, if necessary. This can be:

        • non-recursive: Cisco UCS only searches those groups that the user belongs to directly.
        • recursive: Cisco UCS also searches all the ancestor groups of the groups the user belongs to.
         
        Step 10 UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # commit-buffer  

        Commits the transaction to the system configuration.

         

        The following example shows how to set the LDAP group rule to enable authorization, set the member of attribute to memberOf, set the traversal to non-recursive, and commit the transaction:

        UCSC # connect policy-mgr
        UCSC(policy-mgr)# scope domain-group
        UCSC(policy-mgr) /domain-group # scope security
        UCSC(policy-mgr) /domain-group/security # scope ldap
        UCSC(policy-mgr) /domain-group/security/ldap # scope server ldapprovider
        UCSC(policy-mgr) /domain-group/security/ldap/server # scope ldap-group-rule
        UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule # set authorization enable
        UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set member-of-attribute memberOf
        UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set traversal non-recursive
        UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # commit-buffer
        UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule #

        Deleting an LDAP Provider

        Procedure
            Command or Action Purpose
          Step 1 UCSC# connect policy-mgr  

          Enters policy manager mode.

           
          Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

           
          Step 3 UCSC(policy-mgr) /domain-group # scope security  

          Enters security mode.

           
          Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

          Enters security LDAP mode.

           
          Step 5 UCSC(policy-mgr) /domain-group/security/ldap # delete server serv-name  

          Deletes the specified server.

           
          Step 6 UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer  

          Commits the transaction to the system configuration.

           

          The following example shows how to delete the LDAP server called ldap1 and commit the transaction:

          UCSC # connect policy-mgr
          UCSC(policy-mgr)# scope domain-group
          UCSC(policy-mgr) /domain-group # scope security
          UCSC(policy-mgr) /domain-group/security # scope ldap
          UCSC(policy-mgr) /domain-group/security/ldap # delete server ldap1
          UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
          UCSC(policy-mgr) /domain-group/security/ldap #

          LDAP Group Mapping

          For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by Cisco UCS domains to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Central is deployed.


          Note


          LDAP group mapping is not supported for Cisco UCS Central for this release. However, LDAP group maps are supported for locally managed Cisco UCS domains from the Cisco UCS Central Domain Group root.


          When a user logs in to a Cisco UCS domain that uses the group map, the user's roles and locales are pulled from the LDAP group map. If the role and locale criteria match the information in the policy, access is granted.

          Role and locale definitions are configured locally in Cisco UCS Central and do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it is important that you update Cisco UCS Central with the change.

          An LDAP group map can be configured to include any of the following combinations of roles and locales:
          • Roles only
          • Locales only
          • Both roles and locales
          For example, consider an LDAP group representing a group of server administrators at a specific location. The LDAP group map might be configured to include user roles like server-profile and server-equipment. To restrict access to server administrators at a specific location, the locale could be set to a particular site name.

          Note


          Cisco UCS Central includes many out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale.
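
          The following is an added example, not Cisco UCS Central code, that works through the group rule and group map behaviour described above and in Changing the LDAP Group Rule: which groups are consulted with authorization enabled or disabled, what recursive traversal adds over non-recursive, and how roles and locales accumulate from every mapped group and from the user's authorization attribute. The user objects, group hierarchy and group map are constructed; the attribute value format (shell:roles="..." shell:locales="...") is assumed to be the one this chapter gives for the RADIUS cisco-avpair attribute, and DN comparison is case-folded as an assumption.

```python
"""Resolve a remote user's Cisco UCS roles and locales from an LDAP group map.

Added example, not Cisco UCS Central code. It models the group rule settings
(authorization enable/disable, member-of attribute, recursive or non-recursive
traversal) and the cumulative merge with the roles and locales carried in the
user's authorization attribute. Directory contents and the group map are
constructed; the attribute value syntax is assumed to match the chapter's
RADIUS cisco-avpair example.
"""
from __future__ import annotations

import re


def normalize_dn(dn: str) -> str:
    """Case-fold and trim a DN so map lookups do not depend on how the directory renders it."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


# Constructed user objects: memberOf values and the CiscoAVPair attribute as the
# provider would read them from each user record.
USERS = {
    "jdoe": {
        "memberOf": ["CN=site-ops,CN=Users,DC=lab,DC=com"],
        "CiscoAVPair": 'shell:roles="read-only" shell:locales="pacific"',
    },
    "asmith": {"memberOf": ["CN=security,CN=Users,DC=lab,DC=com"], "CiscoAVPair": ""},
    "guest": {"memberOf": [], "CiscoAVPair": ""},
}

# Constructed group objects: each group's own memberOf lists its parent groups.
GROUP_PARENTS = {
    normalize_dn(k): [normalize_dn(p) for p in v] for k, v in {
        "CN=site-ops,CN=Users,DC=lab,DC=com": ["CN=server-admins,CN=Users,DC=lab,DC=com"],
        "CN=server-admins,CN=Users,DC=lab,DC=com": ["CN=security,CN=Users,DC=lab,DC=com"],
        "CN=security,CN=Users,DC=lab,DC=com": [],
    }.items()
}

# The LDAP group map as built with create ldap-group / create role / create locale.
GROUP_MAP = {
    "cn=security,cn=users,dc=lab,dc=com": {"roles": {"admin"}, "locales": {"pacific"}},
    "cn=server-admins,cn=users,dc=lab,dc=com": {
        "roles": {"server-profile", "server-equipment"}, "locales": set()},
}


def parse_avpair(value: str) -> tuple[set[str], set[str]]:
    """Extract comma-delimited roles and locales from a shell:roles/shell:locales value."""
    def values(key: str) -> set[str]:
        m = re.search(r'shell:%s="([^"]*)"' % key, value)
        return {x.strip() for x in m.group(1).split(",") if x.strip()} if m else set()
    return values("roles"), values("locales")


def user_groups(user: dict, member_of_attribute: str = "memberOf",
                traversal: str = "non-recursive") -> set[str]:
    """Groups the rule consults: direct groups only, or every ancestor when recursive.
    The visited set makes the walk terminate even if group membership forms a cycle."""
    direct = {normalize_dn(g) for g in user.get(member_of_attribute, [])}
    if traversal == "non-recursive":
        return direct
    seen, stack = set(), list(direct)
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(GROUP_PARENTS.get(group, []))
    return seen


def resolve(username: str, authorization: str = "enable", traversal: str = "non-recursive",
            attribute: str = "CiscoAVPair") -> tuple[set[str], set[str]]:
    """Cumulative assignment: the union of what the attribute carries and what every
    mapped group carries. Empty roles means the user has no usable role, and the role
    policy decides between denying the login and granting read-only access."""
    user = USERS[username]
    roles, locales = parse_avpair(user.get(attribute, ""))
    if authorization == "enable":
        for group in user_groups(user, traversal=traversal):
            entry = GROUP_MAP.get(group)
            if entry:
                roles |= entry["roles"]
                locales |= entry["locales"]
    return roles, locales


if __name__ == "__main__":
    for name in USERS:
        for mode in ("non-recursive", "recursive"):
            print(name, mode, resolve(name, traversal=mode))
```

          The jdoe case is the one to watch: with non-recursive traversal the user gets only what the attribute says (read-only in locale pacific), but switching the rule to recursive walks up through server-admins to security and adds admin, because assignment is cumulative. Turning recursion on is therefore a privilege decision, not just a lookup setting, and the group map must be updated whenever groups are renamed or re-parented in the directory.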


          Creating an LDAP Group Map

          Before You Begin
          • Create an LDAP group in the LDAP server.
          • Configure the distinguished name for the LDAP group in the LDAP server.
          • Create locales in Cisco UCS Central (optional).
          • Create custom roles in Cisco UCS Central (optional).
          Procedure
              Command or Action Purpose
            Step 1 UCSC# connect policy-mgr  

            Enters policy manager mode.

             
            Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

            Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

             
            Step 3 UCSC(policy-mgr) /domain-group # scope security  

            Enters security mode.

             
            Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

            Enters security LDAP mode.

             
            Step 5 UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group group-dn  

            Creates an LDAP group map for the specified DN.

             
            Step 6 UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale locale-name  

            Maps the LDAP group to the specified locale.

             
            Step 7 UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role role-name  

            Maps the LDAP group to the specified role.

             
            Step 8 UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer  

            Commits the transaction to the system configuration.

             

            The following example shows how to create an LDAP group map for the DN cn=security,cn=users,dc=lab,dc=com, map it to the locale pacific and the role admin, and commit the transaction:

            UCSC # connect policy-mgr
            UCSC(policy-mgr)# scope domain-group
            UCSC(policy-mgr) /domain-group # scope security
            UCSC(policy-mgr) /domain-group/security # scope ldap
            UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com
            UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale pacific
            UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role admin
            UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer
            UCSC(policy-mgr) /domain-group/security/ldap/ldap-group #
            What to Do Next

            Set the LDAP group rule.

            Deleting an LDAP Group Map

            Procedure
                Command or Action Purpose
              Step 1 UCSC# connect policy-mgr  

              Enters policy manager mode.

               
              Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

              Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

               
              Step 3 UCSC(policy-mgr) /domain-group # scope security  

              Enters security mode.

               
              Step 4 UCSC(policy-mgr) /domain-group/security # scope ldap  

              Enters security LDAP mode.

               
              Step 5 UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group group-dn  

              Deletes the LDAP group map for the specified DN.

               
              Step 6 UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer  

              Commits the transaction to the system configuration.

               

              The following example shows how to delete an LDAP group map and commit the transaction:

              UCSC # connect policy-mgr
              UCSC(policy-mgr)# scope domain-group
              UCSC(policy-mgr) /domain-group # scope security
              UCSC(policy-mgr) /domain-group/security # scope ldap
              UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com
              UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
              UCSC(policy-mgr) /domain-group/security/ldap #

              Configuring RADIUS Providers

              Configuring Properties for RADIUS Providers

              The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.


              Note


              RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.


              Procedure
                  Command or Action Purpose
                Step 1 UCSC# connect policy-mgr  

                Enters policy manager mode.

                 
                Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                 
                Step 3 UCSC(policy-mgr) /domain-group # scope security  

                Enters security mode.

                 
                Step 4 UCSC(policy-mgr) /domain-group/security # scope radius  

                Enters security RADIUS mode.

                 
                Step 5 UCSC(policy-mgr) /domain-group/security/radius # set retries retry-num  

                Sets the number of times to retry communicating with the RADIUS server before noting the server as down.

                 
                Step 6 UCSC(policy-mgr) /domain-group/security/radius* # set timeout seconds  

                Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.

                 
                Step 7 UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer  

                Commits the transaction to the system configuration.

                 

                The following example shows how to set the RADIUS retries to 4, set the timeout interval to 30 seconds, and commit the transaction:

                UCSC # connect policy-mgr
                UCSC(policy-mgr)# scope domain-group
                UCSC(policy-mgr) /domain-group # scope security
                UCSC(policy-mgr) /domain-group/security # scope radius
                UCSC(policy-mgr) /domain-group/security/radius # set retries 4
                UCSC(policy-mgr) /domain-group/security/radius* # set timeout 30
                UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
                UCSC(policy-mgr) /domain-group/security/radius # 
                
                What to Do Next

                Create a RADIUS provider.

                Creating a RADIUS Provider

                Cisco UCS Central supports a maximum of 16 RADIUS providers. RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.

                Before You Begin

                Perform the following configuration in the RADIUS server:

                • Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose whether to extend the RADIUS dictionary (schema) for this attribute. If you do not want to extend it, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer to extend it, create a custom attribute, such as the cisco-avpair attribute. Cisco's RADIUS vendor ID is 9 (written as 009 in some dictionaries) and cisco-avpair is vendor-specific attribute 1 (001) under that vendor ID. The following syntax example shows how to specify multiple user roles and locales with the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma (,) as the delimiter to separate multiple values.
                • For a cluster configuration, add the management port IP addresses of both fabric interconnects as RADIUS clients (this applies to the Cisco UCS domains that use the provider). This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests from the domain are sourced from these IP addresses, not from the virtual IP address.
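
                The following is an added example, not Cisco UCS Central or RADIUS server code, showing what the vendor ID and attribute numbers above mean on the wire: it encodes a cisco-avpair as an RFC 2865 Vendor-Specific attribute (type 26, vendor ID 9, vendor type 1), decodes a run of Access-Accept attributes with the length checks a parser needs so a bad length byte raises instead of reading past the buffer, and splits the shell:roles and shell:locales values with the comma delimiter. The Access-Accept attribute bytes are constructed inline.

```python
"""Encode and decode the cisco-avpair vendor-specific attribute (VSA) that carries
Cisco UCS roles and locales in a RADIUS Access-Accept.

Added example, not Cisco UCS Central or RADIUS server code. It follows the RFC 2865
Vendor-Specific attribute layout (type 26, vendor ID 9 for Cisco, vendor type 1 for
cisco-avpair) and the shell:roles="..." shell:locales="..." syntax shown above.
The Access-Accept attribute bytes used below are constructed.
"""
from __future__ import annotations

import re
import struct

USER_NAME = 1            # RADIUS attribute type User-Name
VENDOR_SPECIFIC = 26     # RADIUS attribute type Vendor-Specific
CISCO_VENDOR_ID = 9      # Cisco's IANA enterprise number
CISCO_AVPAIR = 1         # vendor type of cisco-avpair under vendor ID 9
MAX_ATTR_LEN = 255       # the RADIUS attribute length field is one byte


def encode_attribute(attr_type: int, data: bytes) -> bytes:
    """Type, Length (covers the whole attribute), Value."""
    if len(data) + 2 > MAX_ATTR_LEN:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-avpair string: VSA header, 4-byte vendor ID, then the
    vendor attribute (vendor type, vendor length, string)."""
    data = value.encode("ascii")
    vendor_attr = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_attr)


def decode_attributes(blob: bytes) -> list[tuple[int, bytes]]:
    """Walk a run of RADIUS attributes, validating each length before slicing so a
    truncated or oversized length byte raises instead of silently reading past the end."""
    attrs, i = [], 0
    while i < len(blob):
        if len(blob) - i < 2:
            raise ValueError("truncated attribute header at offset %d" % i)
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length %d at offset %d" % (length, i))
        attrs.append((attr_type, blob[i + 2:i + length]))
        i += length
    return attrs


def cisco_avpairs(blob: bytes) -> list[str]:
    """Collect every cisco-avpair string; VSAs from other vendors or vendor types are ignored."""
    pairs = []
    for attr_type, value in decode_attributes(blob):
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4
        while j < len(value):
            if len(value) - j < 2:
                raise ValueError("truncated vendor attribute")
            vendor_type, vendor_len = value[j], value[j + 1]
            if vendor_len < 2 or j + vendor_len > len(value):
                raise ValueError("bad vendor attribute length %d" % vendor_len)
            if vendor_type == CISCO_AVPAIR:
                pairs.append(value[j + 2:j + vendor_len].decode("ascii", "replace"))
            j += vendor_len
    return pairs


def roles_and_locales(pairs: list[str]) -> tuple[set[str], set[str]]:
    """Split the comma-delimited role and locale lists; several avpairs accumulate."""
    roles, locales = set(), set()
    for pair in pairs:
        for key, dest in (("roles", roles), ("locales", locales)):
            m = re.search(r'shell:%s="([^"]*)"' % key, pair)
            if m:
                dest.update(x.strip() for x in m.group(1).split(",") if x.strip())
    return roles, locales


# Constructed Access-Accept attribute list: User-Name, the two cisco-avpairs from the
# chapter's syntax example, and a VSA from another vendor ID (311) that must be ignored.
SAMPLE_ACCEPT = (
    encode_attribute(USER_NAME, b"jdoe")
    + encode_cisco_avpair('shell:roles="admin,aaa"')
    + encode_cisco_avpair('shell:locales="L1,abc"')
    + encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", 311) + bytes([1, 3, 0]))
)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT.hex())
    print(roles_and_locales(cisco_avpairs(SAMPLE_ACCEPT)))
```

                The roles and locales may arrive as one cisco-avpair string or as several instances of the attribute; the decoder accepts both and merges them. Because the one-byte length field caps each attribute at 255 bytes, a cisco-avpair value cannot exceed 247 characters, which bounds how many roles and locales fit in a single instance.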
                Procedure
                    Command or Action Purpose
                  Step 1 UCSC# connect policy-mgr  

                  Enters policy manager mode.

                   
                  Step 2 UCSC(policy-mgr)# scope domain-group domain-group  

                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                   
                  Step 3 UCSC(policy-mgr) /domain-group # scope security  

                  Enters security mode.

                   
                  Step 4 UCSC(policy-mgr) /domain-group/security # scope radius  

                  Enters security RADIUS mode.

                   
                  Step 5 UCSC(policy-mgr) /domain-group/security/radius # create server server-name  

                  Creates a RADIUS server instance and enters security RADIUS server mode.

                   
                  Step 6 UCSC(policy-mgr) /domain-group/security/radius/server* # set authport authport-num   (Optional)

                  Specifies the port used to communicate with the RADIUS server.

                   
                  Step 7 UCSC(policy-mgr) /domain-group/security/radius/server* # set key  

                  Sets the RADIUS server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.

                   
                  Step 8 UCSC(policy-mgr) /domain-group/security/radius/server* # set order order-num   (Optional)

                  Specifies when in the order this server will be tried.

                   
                  Step 9 UCSC(policy-mgr) /domain-group/security/radius/server* # set retries retry-num   (Optional)

                  Sets the number of times to retry communicating with the RADIUS server before noting the server as down.

                   
                  Step 10 UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout seconds   (Optional)

                  Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.

                   
                  Step 11 UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer  

                  Commits the transaction to the system configuration.

                   

                  The following example shows how to create a server instance named radiusserv7, set the authentication port to 5858, set the key to radiuskey321, set the order to 2, set the retries to 4, set the timeout to 30, and commit the transaction:

                  UCSC # connect policy-mgr
                  UCSC(policy-mgr)# scope domain-group
                  UCSC(policy-mgr) /domain-group # scope security
                  UCSC(policy-mgr) /domain-group/security # scope radius
                  UCSC(policy-mgr) /domain-group/security/radius # create server radiusserv7
                  UCSC(policy-mgr) /domain-group/security/radius/server* # set authport 5858
                  UCSC(policy-mgr) /domain-group/security/radius/server* # set key
                  Enter the key: radiuskey321
                  Confirm the key: radiuskey321
                  UCSC(policy-mgr) /domain-group/security/radius/server* # set order 2
                  UCSC(policy-mgr) /domain-group/security/radius/server* # set retries 4
                  UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout 30
                  UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer
                  UCSC(policy-mgr) /domain-group/security/radius/server # 
                  
                  What to Do Next

                  • For implementations involving a single RADIUS database, select RADIUS as the primary authentication service.
                  • For implementations involving multiple RADIUS databases, configure a RADIUS provider group.

Deleting a RADIUS Provider

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope radius
         Enters security RADIUS mode.

Step 5   UCSC(policy-mgr) /domain-group/security/radius # delete server serv-name
         Deletes the specified server.

Step 6   UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to delete the RADIUS server called radius1 and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # delete server radius1
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #

Configuring TACACS+ Providers

Configuring Properties for TACACS+ Providers

The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.

Note

TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope tacacs
         Enters security TACACS+ mode. The TACACS+ related settings will be applicable only for the Cisco UCS domains under the Domain Group root and child domain groups.

Step 5   UCSC(policy-mgr) /domain-group/security/tacacs # set key
         Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.

Step 6   UCSC(policy-mgr) /domain-group/security/tacacs* # set order order-num
         Specifies when in the order this server will be tried.

Step 7   UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout seconds
         Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.

Step 8   UCSC(policy-mgr) /domain-group/security/tacacs* # set port port-num
         Specifies the port used to communicate with the TACACS+ server.

Step 9   UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to set the key to tacacskey321, set the order to 4, set the timeout interval to 45 seconds, set the authentication port to 5859, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # set key
Enter the key: tacacskey321
Confirm the key: tacacskey321
UCSC(policy-mgr) /domain-group/security/tacacs* # set order 4
UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout 45
UCSC(policy-mgr) /domain-group/security/tacacs* # set port 5859
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #

What to Do Next

Create a TACACS+ provider.

Creating a TACACS+ Provider

Cisco UCS Central supports a maximum of 16 TACACS+ providers. TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.

Before You Begin

Perform the following configuration in the TACACS+ server:

• Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute. The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider. The following syntax example shows how to specify multiple user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc". Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing authentication failures for other Cisco devices that use the same authorization profile. Use a space as the delimiter to separate multiple values.
• For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
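The cisco-av-pair syntax above (a mandatory "=" attribute, an optional "*" attribute, space-delimited values) parsed the way a defender would check an authorization profile before rolling it out, as an added Python example that is not part of the Cisco documentation. The set of known role names and the role_policy switch are this example's own assumptions; the chapter only requires that the returned role names match those defined in Cisco UCS Central and describes the two outcomes (login refused, or read-only privileges) when they do not.

```python
import re

# Role names the Cisco UCS Central instance knows. The exact set is an
# assumption for this example; the chapter only requires remote names to match.
KNOWN_ROLES = {"admin", "aaa", "read-only", "operations", "network", "storage"}

# One attribute: name, then '=' (mandatory) or '*' (optional), then a quoted value.
_ATTR_RE = re.compile(r'(?P<name>[A-Za-z0-9_.\-:]+)(?P<sep>[=*])"(?P<value>[^"]*)"')


def parse_cisco_av_pair(text):
    """Parse 'cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc"'.

    Returns {attribute: {"values": [...], "mandatory": bool}}. Values are split
    on spaces, the delimiter the chapter prescribes. Any text between attributes
    that the grammar does not cover raises ValueError instead of being ignored,
    so a malformed profile fails closed rather than granting something unintended.
    """
    prefix = "cisco-av-pair="
    body = text[len(prefix):] if text.startswith(prefix) else text
    attrs = {}
    pos = 0
    for m in _ATTR_RE.finditer(body):
        if body[pos:m.start()].strip():
            raise ValueError("unparsable segment: %r" % body[pos:m.start()])
        attrs[m.group("name")] = {
            "values": m.group("value").split(),
            "mandatory": m.group("sep") == "=",
        }
        pos = m.end()
    if body[pos:].strip():
        raise ValueError("unparsable trailing segment: %r" % body[pos:])
    return attrs


def resolve_login(attrs, known_roles=KNOWN_ROLES, role_policy="deny"):
    """Decide the effective roles for a remote user.

    role_policy is this example's own switch for the two outcomes the chapter
    describes when no returned role matches a local role name: "deny" refuses
    the login, "read-only" grants only read-only privileges.
    """
    roles = attrs.get("shell:roles", {}).get("values", [])
    matched = [r for r in roles if r in known_roles]
    if matched:
        return {"allowed": True, "roles": matched}
    if role_policy == "read-only":
        return {"allowed": True, "roles": ["read-only"]}
    return {"allowed": False, "roles": []}


if __name__ == "__main__":
    # The chapter's own syntax example, used as constructed input.
    profile = parse_cisco_av_pair('cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc"')
    print(profile)
    print(resolve_login(profile))
```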
Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope tacacs
         Enters security TACACS+ mode.

Step 5   UCSC(policy-mgr) /domain-group/security/tacacs # create server server-name
         Creates a TACACS+ server instance and enters security TACACS+ server mode.

Step 6   UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key   (Optional)
         Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.

Step 7   UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order order-num   (Optional)
         Specifies when in the order this server will be tried.

Step 8   UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout seconds   (Optional)
         Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.

Step 9   UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port port-num
         Specifies the port used to communicate with the TACACS+ server.

Step 10  UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to create a server instance named tacacsserv680, set the key to tacacskey321, set the order to 4, set the timeout to 45, set the authentication port to 5859, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # create server tacacsserv680
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key
Enter the key: tacacskey321
Confirm the key: tacacskey321
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order 4
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout 45
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port 5859
UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs/server #

What to Do Next

• For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication service.
• For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.

Deleting a TACACS+ Provider

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope tacacs
         Enters security TACACS+ mode.

Step 5   UCSC(policy-mgr) /domain-group/security/tacacs # delete server serv-name
         Deletes the specified server.

Step 6   UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to delete the TACACS+ server called tacacs1 and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # delete server tacacs1
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #

Configuring Multiple Authentication Systems

Multiple Authentication Systems

You can configure Cisco UCS to use multiple authentication systems by configuring the following features:

• Provider groups
• Authentication domains

Once provider groups and authentication domains have been configured in Cisco UCS Central GUI, the following syntax can be used to log in to the system using Cisco UCS Central CLI: ucs-auth-domain\\username

When multiple authentication domains and native authentication are configured with a remote authentication service, use one of the following syntax examples to log in with SSH or PuTTY:

From a Linux terminal:

• ssh ucs-auth-domain\\username@Cisco UCS domain-ip-address
  Example: ssh ucs-example\\jsmith@192.0.20.11
• ssh -l ucs-auth-domain\\username {Cisco UCS domain-ip-address | Cisco UCS domain-host-name}
  Example: ssh -l ucs-example\\jsmith 192.0.20.11
• ssh {Cisco UCS domain-ip-address | Cisco UCS domain-host-name} -l ucs-auth-domain\\username
  Example: ssh 192.0.20.11 -l ucs-example\\jsmith

From a PuTTY client:

• Login as: ucs-auth-domain\\username
  Example: Login as: ucs-example\\jsmith

From an SSH client:

• Host Name: Cisco UCS domain-ip-address
  User Name: ucs-auth-domain\\username
  Example: Host Name: 192.0.20.11, User Name: ucs-example\\jsmith

Provider Groups

A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Central allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.

During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.

Creating an LDAP Provider Group

Creating an LDAP provider group allows you to authenticate using multiple LDAP databases.

Note

Authenticating with a single LDAP database does not require you to set up an LDAP provider group.

Before You Begin

Create one or more LDAP providers.

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope ldap
         Enters security LDAP mode.

Step 5   UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group auth-server-group-name
         Creates an LDAP provider group and enters authentication server group security LDAP mode.

Step 6   UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap-provider-name
         Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.

Step 7   UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # set order order-num
         Specifies the order in which Cisco UCS uses this provider to authenticate users.
         Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8   UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to create an LDAP provider group called ldapgroup, add two previously configured providers called ldap1 and ldap2 to the provider group, set the order, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group ldapgroup
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap1
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap2
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref #

What to Do Next

Configure an authentication domain or select a default authentication service.

Deleting an LDAP Provider Group

Before You Begin

Remove the provider group from an authentication configuration.

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope ldap
         Enters security LDAP mode.

Step 5   UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group auth-server-group-name
         Deletes the LDAP provider group.

Step 6   UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to delete an LDAP provider group called ldapgroup and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group ldapgroup
UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap #

Creating a RADIUS Provider Group

Creating a RADIUS provider group allows you to authenticate using multiple RADIUS databases.

Note

Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group.

Before You Begin

Create one or more RADIUS providers.

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope radius
         Enters security RADIUS mode.

Step 5   UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group auth-server-group-name
         Creates a RADIUS provider group and enters authentication server group security RADIUS mode.

Step 6   UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius-provider-name
         Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode.

Step 7   UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # set order order-num
         Specifies the order in which Cisco UCS uses this provider to authenticate users.
         Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8   UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to create a RADIUS provider group called radiusgroup, add two previously configured providers called radius1 and radius2 to the provider group, set the order, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref #

What to Do Next

Configure an authentication domain or select a default authentication service.

Deleting a RADIUS Provider Group

Before You Begin

Remove the provider group from an authentication configuration.

Procedure

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope security
         Enters security mode.

Step 4   UCSC(policy-mgr) /domain-group/security # scope radius
         Enters security RADIUS mode.

Step 5   UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group auth-server-group-name
         Deletes the RADIUS provider group.

Step 6   UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
         Commits the transaction to the system configuration.

The following example shows how to delete a RADIUS provider group called radiusgroup and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #

Creating a TACACS+ Provider Group

Creating a TACACS+ provider group allows you to authenticate using multiple TACACS+ databases.

Note
Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider group.

Before You Begin

Create a TACACS+ provider.

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope tacacs
    Enters security TACACS+ mode.

Step 5  UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group auth-server-group-name
    Creates a TACACS+ provider group and enters authentication server group security TACACS+ mode.

Step 6  UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs-provider-name
    Adds the specified TACACS+ provider to the TACACS+ provider group and enters server reference authentication server group security TACACS+ mode.

Step 7  UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order order-num
    Specifies the order in which Cisco UCS uses this provider to authenticate users.
    Valid values are no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8  UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to create a TACACS+ provider group called tacacsgroup, add two previously configured providers called tacacs1 and tacacs2 to the provider group, set the order, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref #

What to Do Next

Configure an authentication domain or select a default authentication service.

Deleting a TACACS+ Provider Group

Removes a TACACS+ provider group from the authentication configuration.

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope tacacs
    Enters security TACACS+ mode.

Step 5  UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group auth-server-group-name
    Deletes the TACACS+ provider group.

Step 6  UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to delete a TACACS+ provider group called tacacsgroup and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #

Authentication Domains

Authentication domains are used by a Cisco UCS domain to leverage multiple authentication systems. Each authentication domain is specified and configured during login. If no authentication domain is specified, the default authentication service configuration is used.

You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in the Cisco UCS domain. If no provider group is specified, all servers within the realm are used.

Note
Authentication domains for LDAP are not supported in Cisco UCS Central in this release. However, authentication domains are supported for managed Cisco UCS domains from the Cisco UCS Central Domain Group root.

Creating an Authentication Domain

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm
    Enters authentication realm mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain-name
    Creates an authentication domain and enters authentication domain mode. The RADIUS-related settings apply only to the Cisco UCS domains under the Domain Group root and its child domain groups.

    Note
    For systems using RADIUS as their preferred authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the combined total of the domain name plus the user name is more than 27 characters.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period seconds   (Optional)
    When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain.
    If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session.
    Specify an integer between 60 and 172800. The default is 600 seconds.

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout seconds   (Optional)
    The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session.
    Specify an integer between 60 and 172800. The default is 7200 seconds.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth   (Optional)
    Creates a default authentication for the specified authentication domain.

Step 9  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name   (Optional)
    Specifies the provider group for the specified authentication domain.

Step 10  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm {ldap | local | radius | tacacs}
    Specifies the realm for the specified authentication domain.

Step 11  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to create an authentication domain called domain1 with a web refresh period of 3600 seconds (1 hour) and a session timeout period of 14400 seconds (4 hours), configure domain1 to use the providers in ldapgroup1, set the realm type to ldap, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period 3600
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout 14400
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth #

Selecting a Primary Authentication Service

Selecting the Console Authentication Service

Before You Begin

If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm
    Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth
    Enters console authentication security mode.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm auth-type
    Specifies the console authentication, where the auth-type argument is one of the following keywords:
    • ldap—Specifies LDAP authentication
    • local—Specifies local authentication
    • none—Allows local users to log on without specifying a password
    • radius—Specifies RADIUS authentication
    • tacacs—Specifies TACACS+ authentication

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group auth-serv-group-name
    The associated provider group, if any.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to set the console authentication to LDAP, set the console authentication provider group to provider1, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth #

Selecting the Default Authentication Service

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm
    Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth
    Enters default authentication security mode.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm auth-type
    Specifies the default authentication, where auth-type is one of the following keywords:
    • ldap—Specifies LDAP authentication
    • local—Specifies local authentication
    • none—Allows local users to log on without specifying a password
    • radius—Specifies RADIUS authentication
    • tacacs—Specifies TACACS+ authentication

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group auth-serv-group-name   (Optional)
    The associated provider group, if any.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period seconds   (Optional)
    When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain.
    If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session.
    Specify an integer between 60 and 172800. The default is 600 seconds.

Step 9  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout seconds   (Optional)
    The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session.
    Specify an integer between 60 and 172800. The default is 7200 seconds.

Step 10  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to set the default authentication to LDAP, set the default authentication provider group to provider1, set the refresh period to 7200 seconds (2 hours), set the session timeout period to 28800 seconds (8 hours), and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period 7200
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout 28800
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth #
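The two web-session timers (refresh-period and session-timeout, used both in Creating an Authentication Domain and in Steps 8 and 9 above) and the RADIUS 27-character rule are easy to misread, so here is a small Python model of them. It is an added example, not Cisco code; the AuthDomain class, the state names and the to_cli helper are illustrative, and treating a limit as exceeded only when strictly passed is an assumption.

```python
"""Model of the authentication-domain settings described in this chapter
(added example, not Cisco code).  It validates the timer ranges, reports the
state of a web session after a given silence, checks the RADIUS
domain+user length rule, and renders the equivalent UCSC CLI commands."""
from dataclasses import dataclass
from typing import List, Optional

TIMER_MIN, TIMER_MAX = 60, 172800        # allowed range for both timers (seconds)
DEFAULT_REFRESH_PERIOD = 600             # seconds
DEFAULT_SESSION_TIMEOUT = 7200           # seconds
LOCAL_USERNAME_LIMIT = 32                # characters, locally created user names
RADIUS_FORMAT_OVERHEAD = 5               # characters Cisco UCS inserts for formatting
RADIUS_COMBINED_LIMIT = LOCAL_USERNAME_LIMIT - RADIUS_FORMAT_OVERHEAD   # 27
REALMS = ("ldap", "local", "radius", "tacacs")


def validate_timer(name: str, seconds: int) -> int:
    """Both timers accept an integer between 60 and 172800 seconds."""
    if not isinstance(seconds, int) or not TIMER_MIN <= seconds <= TIMER_MAX:
        raise ValueError(f"{name} must be an integer between {TIMER_MIN} and "
                         f"{TIMER_MAX}, got {seconds!r}")
    return seconds


def radius_name_fits(domain_name: str, user_name: str) -> bool:
    """With RADIUS the domain name is part of the user name and Cisco UCS adds
    5 formatting characters, so domain + user may total at most 27 characters."""
    return len(domain_name) + len(user_name) <= RADIUS_COMBINED_LIMIT


@dataclass
class AuthDomain:
    name: str
    realm: str
    auth_server_group: Optional[str] = None
    refresh_period: int = DEFAULT_REFRESH_PERIOD
    session_timeout: int = DEFAULT_SESSION_TIMEOUT

    def __post_init__(self) -> None:
        if self.realm not in REALMS:
            raise ValueError(f"realm must be one of {REALMS}, got {self.realm!r}")
        validate_timer("refresh-period", self.refresh_period)
        validate_timer("session-timeout", self.session_timeout)

    def session_state(self, seconds_since_last_refresh: int) -> str:
        """'active'  : the last refresh arrived within refresh-period
        'inactive': refresh-period exceeded; session flagged inactive but kept
        'ended'   : session-timeout exceeded; UCS Central terminates the session
        Assumption: a limit counts as exceeded only when strictly passed.
        If refresh-period is larger than session-timeout, 'inactive' is never
        observable because the session ends first."""
        if seconds_since_last_refresh > self.session_timeout:
            return "ended"
        if seconds_since_last_refresh > self.refresh_period:
            return "inactive"
        return "active"

    def to_cli(self) -> List[str]:
        """Commands (without prompts) the creation procedure issues, starting
        from /domain-group/security/auth-realm mode."""
        lines = [f"create auth-domain {self.name}",
                 f"set refresh-period {self.refresh_period}",
                 f"set session-timeout {self.session_timeout}",
                 "create default-auth"]
        if self.auth_server_group:
            lines.append(f"set auth-server-group {self.auth_server_group}")
        lines += [f"set realm {self.realm}", "commit-buffer"]
        return lines


if __name__ == "__main__":
    # domain1 from the chapter's example: 1 h refresh period, 4 h session timeout
    d = AuthDomain("domain1", "ldap", "ldapgroup1", 3600, 14400)
    print("\n".join(d.to_cli()))
    for idle in (3000, 4000, 15000):
        print(f"{idle:>6}s since last refresh -> {d.session_state(idle)}")
    # constructed RADIUS names: 20 + 12 = 32 characters, over the 27 limit
    print("fits:", radius_name_fits("corp-datacenter-east", "jsmith.admin"))
```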
                                            

Role Policy for Remote Users

By default, if user roles are not configured in Cisco UCS Central, read-only access is granted to all users logging in to Cisco UCS Central from a remote server using the LDAP protocol (excluding RADIUS and TACACS+ authentication in this release).

Note
RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains.

You can configure the role policy for remote users in the following ways:
• assign-default-role: Does not restrict user access to Cisco UCS Central based on user roles. Read-only access is granted to all users unless other user roles have been defined in Cisco UCS Central. This is the default behavior.
• no-login: Restricts user access to Cisco UCS Central based on user roles. If user roles have not been assigned for the remote authentication system, access is denied.

                                            For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Central.
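To make the two policy values concrete, the following Python decision logic (an added example, not Cisco code) resolves a remote user's roles under each policy and lists the accounts that would be denied after switching to no-login. The role and user names are constructed, and exact-name matching is assumed from the requirement that remote role names match those in Cisco UCS Central.

```python
"""Remote-user role policy decision (added example, not Cisco code)."""
from typing import Dict, Iterable, List, Optional

ASSIGN_DEFAULT_ROLE = "assign-default-role"
NO_LOGIN = "no-login"
READ_ONLY_ROLE = "read-only"   # the read-only access the default policy grants


def resolve_remote_roles(remote_roles: Iterable[str], defined_roles: Iterable[str],
                         policy: str) -> Optional[List[str]]:
    """Roles granted to a remotely authenticated user, or None when login is denied.
    remote_roles  : role names the remote provider returned for the user
    defined_roles : role names defined in Cisco UCS Central
    Matching is by exact name (assumption: the chapter only says names must match)."""
    if policy not in (ASSIGN_DEFAULT_ROLE, NO_LOGIN):
        raise ValueError(f"unknown role policy {policy!r}")
    matched = sorted(set(remote_roles) & set(defined_roles))
    if matched:
        return matched            # user carries at least one role known to UCS Central
    if policy == NO_LOGIN:
        return None               # no known role: access denied
    return [READ_ONLY_ROLE]       # default policy: read-only access instead of denial


def locked_out_by_no_login(users: Dict[str, List[str]],
                           defined_roles: Iterable[str]) -> List[str]:
    """Accounts that log in today under assign-default-role (with read-only
    access) but would be denied under no-login: what to fix before tightening."""
    defined = set(defined_roles)
    return sorted(user for user, roles in users.items()
                  if resolve_remote_roles(roles, defined, NO_LOGIN) is None)


# Constructed sample data: roles defined in UCS Central and roles returned by LDAP.
UCS_CENTRAL_ROLES = {"admin", "aaa", "operations", "read-only"}
LDAP_USERS = {
    "alice": ["admin"],          # exact match: keeps admin
    "bob":   ["Admin"],          # case differs: no match, falls back to read-only
    "carol": [],                 # no roles returned at all
    "dave":  ["operations", "network"],   # one known, one unknown role
}

if __name__ == "__main__":
    for policy in (ASSIGN_DEFAULT_ROLE, NO_LOGIN):
        print(f"policy {policy}:")
        for user, roles in LDAP_USERS.items():
            print(f"  {user}: {resolve_remote_roles(roles, UCS_CENTRAL_ROLES, policy)}")
    print("would be denied after switching to no-login:",
          locked_out_by_no_login(LDAP_USERS, UCS_CENTRAL_ROLES))
```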

Configuring the Role Policy for Remote Users

Procedure

Step 1  UCSC# connect policy-mgr
    Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
    Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm
    Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role {assign-default-role | no-login}
    Specifies whether user access to Cisco UCS Central is restricted based on user roles.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer
    Commits the transaction to the system configuration.

The following example shows how to set the role policy for remote users and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm #