Managing User Accounts

This chapter includes the following sections:

Configuring Local Users

Before You Begin

You must log in as a user with admin privileges to configure or modify local user accounts.

Procedure
     Command or ActionPurpose
    Step 1Server# scope user usernumber  

    Enters user command mode for user number usernumber.

     
    Step 2Server /user # set enabled {yes | no}  

    Enables or disables the user account on the Cisco IMC.

     
    Step 3Server /user # set name username  

    Specifies the username for the user.

     
    Step 4Server /user # set password  

    You are prompted to enter the password twice.

    Note   
    When strong password is enabled, you must follow these guidelines while setting a password:

    • The password must have a minimum of 8 and a maximum of 14 characters.

    • The password must not contain the User's Name.

    • The password must contain characters from three of the following four categories:

      • English uppercase characters (A through Z)

      • English lowercase characters (a through z)

      • Base 10 digits (0 through 9)

      • Non-alphabetic characters (!, @, #, $, %, ^, &, *, -, _, +, =)

    when strong password is disabled, you can set a password using characters of your choice (alphanumeric, special characters, or integers) within the range 1-20.

     
    Step 5Server /user # set role {readonly | user | admin}  
    Specifies the role assigned to the user. The roles are as follows:

    • readonly—This user can view information but cannot make any changes.

    • user—This user can do the following:

      • View all information

      • Manage the power control options such as power on, power cycle, and power off

      • Launch the KVM console and virtual media

      • Clear all logs

      • Toggle the locator LED

      • Set the time zone

      • Ping an IP address

    • admin—This user can perform all actions available through the GUI, CLI, and IPMI.

     
    Step 6Server /user # commit  

    Commits the transaction to the system configuration.

     

    This example configures user 5 as an admin: 

    Server# scope user 5
Server /user # set enabled yes
Server /user *# set name john
Server /user *# set password
Warning:
Strong Password Policy is enabled!
 
For CIMC protection your password must meet the following requirements:
        The password must have a minimum of 8 and a maximum of 14 characters.
        The password must not contain the User's Name.
        The password must contain characters from three of the following four categories.
            English uppercase characters (A through Z)
            English lowercase characters (a through z)
            Base 10 digits (0 through 9)
Please enter password:
Please confirm password:
Server /user *# set role readonly
Server /user *# commit
Server /user #  show
User   Name             Role     Enabled  
------ ---------------- -------- -------- 
5      john             readonly yes

    Disabling Strong Password

    The Cisco IMC now implements a strong password policy wherein you are required to follow guidelines and set a strong password when you first log on to the server for the first time. The Cisco IMC CLI provides you option which allows you to disable the strong password policy and set a password of your choice by ignoring the guidelines. Once you disable the strong password, an Enable Strong Password button is displayed. By default, the strong password policy is enabled.

    Before You Begin

    You must log in as a user with admin privileges to perform this action.

    Procedure
       Command or ActionPurpose
      Step 1Server# scope user-policy  

      Enters user policy command mode.

       
      Step 2Server /user-policy # set password-policy {enabled | disabled}  

      At the confirmation prompt, enter y to complete the action or n to cancel the action. Enables or disables the strong password.

       
      Step 3Server /user-policy # commit  

      Commits the transaction to the system configuration.

       

      This example shows how to disable strong password: 

      Server# scope user-policy
Server /user-policy # set password-policy disabled
Warning: Strong password policy is being disabled.
Do you wish to continue? [y/N] y
Server /user-policy *# commit
Server /user-policy #

      LDAP Servers

      Cisco IMC supports directory services that organize information in a directory, and manage access to this information. Cisco IMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, Cisco IMC supports Microsoft Active Directory (AD). Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The Cisco IMC utilizes the Kerberos-based authentication service of LDAP.

      When LDAP is enabled in the Cisco IMC, user authentication and role authorization is performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.

      By enabling encryption in the configuration of Active Directory on the server, you can require the server to encrypt data sent to the LDAP server.

      Configuring the LDAP Server

      The Cisco IMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the Cisco IMC. You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.

      Important:

      For more information about altering the schema, see the article at http:/​/​technet.microsoft.com/​en-us/​library/​bb727064.aspx.


      Note

      This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales.

      The following steps must be performed on the LDAP server.

      Procedure
        Step 1   Ensure that the LDAP schema snap-in is installed.
        Step 2   Using the schema snap-in, add a new attribute with the following properties:

        Properties

        Value

        Common Name

        CiscoAVPair

        LDAP Display Name

        CiscoAVPair

        Unique X500 Object ID

        1.3.6.1.4.1.9.287247.1

        Description

        CiscoAVPair

        Syntax

        Case Sensitive String

        Step 3   Add the CiscoAVPair attribute to the user class using the snap-in:
        1. Expand the Classes node in the left pane and type U to select the user class.
        2. Click the Attributes tab and click Add.
        3. Type C to select the CiscoAVPair attribute.
        4. Click OK.
        Step 4   Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC:

        Role

        CiscoAVPair Attribute Value

        admin

        shell:roles="admin"

        user

        shell:roles="user"

        read-only

        shell:roles="read-only"

        Note   

        For more information about adding values to attributes, see the article at http:/​/​technet.microsoft.com/​en-us/​library/​bb727064.aspx.

        What to Do Next

        Use the Cisco IMC to configure the LDAP server.

        Configuring LDAP in Cisco IMC

        Configure LDAP in Cisco IMC when you want to use an LDAP server for local user authentication and authorization.

        Before You Begin

        You must log in as a user with admin privileges to perform this task.

        Procedure
           Command or ActionPurpose
          Step 1Server# scope ldap  

          Enters the LDAP command mode.

           
          Step 2Server /ldap # set enabled {yes | no}  

          Enables or disables LDAP security. When enabled, user authentication and role authorization is performed by LDAP for user accounts not found in the local user database.

           
          Step 3Server /ldap # set domainLDAP domain name  

          Specifies an LDAP domain name.

           
          Step 4Server /ldap # set timeout seconds  

          Specifies the number of seconds the Cisco IMC waits until the LDAP search operation times out. The value must be between 0 and 1800 seconds.

           
          Step 5Server /ldap # set encrypted {yes | no}  

          If encryption is enabled, the server encrypts all information sent to AD.

           
          Step 6Server /ldap # set base-dn domain-name  

          Specifies the Base DN that is searched on the LDAP server.

           
          Step 7Server /ldap # set attribute name  

          Specify an LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

          You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales or you can create a custom attribute, such as the CiscoAVPair attribute, which has the following attribute ID: 

          1.3.6.1.4.1.9.287247.1
          Note   

          If you do not specify this property, user access is denied.

           
          Step 8Server /ldap # set filter-attribute  

          Specifies the account name attribute. If Active Directory is used, then specify sAMAccountName for this field.

           
          Step 9Server /ldap # commit  

          Commits the transaction to the system configuration.

           
          Step 10Server /ldap # show [detail]  

          (Optional) Displays the LDAP configuration.

           

          This example configures LDAP using the CiscoAVPair attribute: 

          Server# scope ldap
Server /ldap # set enabled yes
Server /ldap *# set domain sample-domain
Server /ldap *# set timeout 60
Server /ldap *# set encrypted yes
Server /ldap *# set base-dn example.com
Server /ldap *# set attribute CiscoAVPair
Server /ldap *# set filter-attribute sAMAccountName
Server /ldap *# commit
Server /ldap # show detail
LDAP Settings:
    Enabled: yes
    Encrypted: yes
    Domain: sample-domain
    BaseDN: example.com
    Timeout: 60
    Filter-Attribute: sAMAccountName
    Attribute: CiscoAvPair
Server /ldap #
          What to Do Next

          If you want to use LDAP groups for group authorization, see Configuring LDAP Groups in Cisco IMC.

          Configuring LDAP Groups in Cisco IMC


          Note

          When Active Directory (AD) group authorization is enabled and configured, user authentication is also done on the group level for users that are not found in the local user database or who are not individually authorized to use Cisco IMC in the Active Directory.

          Before You Begin

          • You must log in as a user with admin privileges to perform this task.

          • Active Directory (or LDAP) must be enabled and configured.

          Procedure
             Command or ActionPurpose
            Step 1Server# scope ldap  

            Enters the LDAP command mode for AD configuration.

             
            Step 2Server /ldap# scope ldap-group-rule  

            Enters the LDAP group rules command mode for AD configuration.

             
            Step 3Server /ldap/ldap-group-rule # set group-auth {yes | no}  

            Enables or disables LDAP group authorization.

             
            Step 4Server /ldap # scope role-group index  

            Selects one of the available group profiles for configuration, where index is a number between 1 and 28.

             
            Step 5Server /ldap/role-group # set name group-name  

            Specifies the name of the group in the AD database that is authorized to access the server.

             
            Step 6Server /ldap/role-group # set domain domain-name  

            Specifies the AD domain the group must reside in.

             
            Step 7Server /ldap/role-group # set role {admin | user | readonly}  

            Specifies the permission level (role) assigned to all users in this AD group. This can be one of the following:

            • admin—The user can perform all actions available.

            • user—The user can perform the following tasks:

              • View all information

              • Manage the power control options such as power on, power cycle, and power off

              • Launch the KVM console and virtual media

              • Clear all logs

              • Toggle the locator LED

            • readonly—The user can view information but cannot make any changes.

             
            Step 8Server /ldap/role-group # commit  

            Commits the transaction to the system configuration.

             

            This example shows how to configure LDAP group authorization: 

            Server# scope ldap
Server /ldap # scope ldap-group-rule
Server /ldap/ldap-group-rule # set group-auth yes
Server /ldap *# scope role-group 5
Server /ldap/role-group # set name Training
Server /ldap/role-group* # set domain example.com
Server /ldap/role-group* # set role readonly
Server /ldap/role-group* # commit
ucs-c250-M2 /ldap # show role-group
Group  Group Name       Domain Name      Assigned Role     
------ -----------     --------------   -------------- 
1      (n/a)            (n/a)            admin    
2      (n/a)            (n/a)            user     
3      (n/a)            (n/a)            readonly 
4      (n/a)            (n/a)            (n/a)    
5      Training         example.com      readonly 

Server /ldap/role-group #

            Configuring Nested Group Search Depth in LDAP Groups

            You can search for an LDAP group nested within another defined group in an LDAP group map.

            • You must log in as a user with admin privileges to perform this task.

            • Active Directory (or LDAP) must be enabled and configured.

            Procedure
               Command or ActionPurpose
              Step 1Server# scope ldap  

              Enters the LDAP command mode for AD configuration.

               
              Step 2Server /ldap# scope ldap-group-rule  

              Enters the LDAP group rules command mode for AD configuration.

               
              Step 3Server /ldap/ldap-group-rule # set group-search-depth value  

              Enables search for a nested LDAP group.

               
              Step 4Server /ldap/role-group-rule # commit  

              Commits the transaction to the system configuration.

               

              This example shows how to search for run a search for an LDAP group nested within another defined group. 

              Server# scope ldap
Server /ldap # scope ldap-group-rule
Server /ldap/ldap-group-rule # set group-search-depth 10
Server /ldap/role-group-rule* # commit
Server /ldap/role-group-rule # show detail
Group rules for LDAP:
    Group search attribute: memberOf
    Enable Group Authorization: yes
    Nested group search depth: 10
Server/ldap/ldap-group-rule #

              LDAP Certificates Overview

              Cisco C-series servers allow an LDAP client to validate a directory server certificate against an installed CA certificate or chained CA certificate during an LDAP binding step. This feature is introduced in the event where anyone can duplicate a directory server for user authentication and cause a security breach due to the inability to enter a trusted point or chained certificate into the Cisco IMC for remote user authentication.

              An LDAP client needs a new configuration option to validate the directory server certificate during the encrypted TLS/SSL communication.

              Exporting LDAP CA Certificate

              Before You Begin

              You must log in as a user with admin privileges to perform this task.

              Procedure
                 Command or ActionPurpose
                Step 1Server# scope ldap  

                Enters the LDAP command mode.

                 
                Step 2Server# /ldap scope binding-certificate  

                Enters the LDAP CA certificate binding command mode.

                 
                Step 3Server /ldap/binding-certificate # export-ca-certificate remote-protocol IP Adderss LDAP CA Certificate file  
                Specifies the protocol to connect to the remote server. It can be of the following types:

                • TFTP

                • FTP

                • SFTP

                • SCP

                • HTTP

                Note   

                The Cisco UCS C-Series server now supports fingerprint confirmation of the server when you update firmware through a remote server. This option is available only if you choose SCP or SFTP as the remote server type.

                If you chose SCP or SFTP as the remote server type while performing this action, a prompt with the message Server (RSA) key fingerprint is <server_finger_print _ID> Do you wish to continue? Click y or n depending on the authenticity of the server fingerprint.

                The fingerprint is based on the host's public key and helps you to identify or verify the host you are connecting to.

                Initiates the export of the certificate.

                 

                This example exports the LDAP certificate: 

                Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate #  export-ca-certificate tftp 172.22.141.66 test.csv
 Initiating Export
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1262    0     0  100  1262      0   1244  0:00:01  0:00:01 --:--:--  1653
100  1262    0     0  100  1262      0   1237  0:00:01  0:00:01 --:--:--  1237
LDAP CA Certificate is exported successfully
Server /ldap/binding-certificate #

                Downloading LDAP CA Certificate Content by Copying Content

                Before You Begin

                You must log in as a user with admin privileges to perform this task.

                Procedure
                   Command or ActionPurpose
                  Step 1Server# scope ldap  

                  Enters the LDAP command mode.

                   
                  Step 2Server# /ldap scope binding-certificate  

                  Enters the LDAP CA certificate binding command mode.

                   
                  Step 3Server# /ldap/binding-certificate set enabled {yes | no}  

                  Enables or disables LDAP CA certificate binding.

                   
                  Step 4Server /ldap/binding-certificate* # commit  

                  Commits the transaction to the system configuration.

                   
                  Step 5Server /ldap/binding-certificate # paste-ca-certificate  

                  Prompts you to paste the certificate content.

                   
                  Step 6Paste the certificate content and press CTRL+D.  

                  Confirmation prompt appears.

                   
                  Step 7At the confirmation prompt, enter y.  

                  This begins the download of the LDAP CA certificate.

                   

                  This example downloads the LDAP certificate: 

                  Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # set enabled yes
Server /ldap/binding-certificate *# commit
Server /ldap/binding-certificate # show detail
LDAP binding with Certificate:
    Enabled: yes 
Server /ldap/binding-certificate # paste-ca-certificate
 Please paste your certificate here, when finished, press CTRL+D.
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIQV06yJcJPAYNO8Cp+FYQttjANBgkqhkiG9w0BAQsFADBO
MRIwEAYKCZImiZPyLGQBGRYCaW4xGzAZBgoJkiaJk/IsZAEZFgs0T0JKUkEySkhC
UTEbMBkGA1UEAxMSV0lOLTRPQkpSQTJKSEJRLUNBMB4XDTE2MDIyNTE3MDczNloX
DTIxMDIyNTE3MTczM1owTjESMBAGCgmSJomT8ixkARkWAmluMRswGQYKCZImiZPy
LGQBGRYLNE9CSlJBMkpIQlExGzAZBgNVBAMTEldJTi00T0JKUkEySkhCUS1DQTCC
ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMM2cdgmrPTkZe4K2zI+EbeZ
mfQnjfiUz8OIY97w8lC/2S4qK46T+fnX13rXe8vvVHAO5wgPDVQTGS4nlF46A6Ba
FK+krKcIgFrQB1gnF74qs/ln1YtKHNBjrvg5KyeWFrA7So6Mi2XEw8w/zMPL0d8T
b+LM1YnhnuXA9G8gVCJ/iUhXfMpB20L8sv30Mek7bw8x2cxJYTuJAviVIrjSwU5j
fO3WKttRuyFpeOIi00weklpF0+8D3Z9mBinoTbL2pl0U32am6wTI+8WmtJ+8W68v
jH4Y8YBY/kzMHdpwjpdZkC5pE9BcM0rL9xKoIu6X0kSNEssoGnepFyNaH3t8vnMC
AwEAAaNRME8wCwYDVR0PBAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
FBAUulHTAWBT1OBz8IgAEzXsfcCsMBAGCSsGAQQBgjcVAQQDAgEAMA0GCSqGSIb3
DQEBCwUAA4IBAQAzUMZr+0r1dWkVfFNBd7lu8tQbAEJf/A7PIKnJGNoUq8moAGs4
pMndoxdpNGZhYCWDWX3GWdeF1HqZHhb38gGQ9ylu0pIK7tgQufZmeCBH6T7Tzq/w
Dq+TMFGIjXF84xW3N665y4ePgUcUI7e/6aBGcGkGeUYodBPtExe28tQyeuYwD4Zj
nLuZKkT+I4PAYygVCqxDGsvfRHDpGneb3R+GeonOf4ED/0tn5PLSL9khb9qkHu/V
dO3/HmKVzUhloTDBuAMq/wES2WZAWhGr3hBc4nWQNjZWEMOKDpYZVK/GhBmNF+xi
eRcFqgh64oEmH9qAp0caGS1e7UyYaN+LtPRe
-----END CERTIFICATE-----
CTRL+D
  You are going to overwrite the LDAP CA Certificate.
  Are you sure you want to proceed and overwrite the LDAP CA Certificate? [y|N]
y
Server /ldap/binding-certificate #

                  Downloading LDAP CA Certificate Using Remote Server

                  Before You Begin

                  You must log in as a user with admin privileges to perform this task.

                  Procedure
                     Command or ActionPurpose
                    Step 1Server# scope ldap  

                    Enters the LDAP command mode.

                     
                    Step 2Server# /ldap scope binding-certificate  

                    Enters the LDAP CA certificate binding command mode.

                     
                    Step 3Server# /ldap/binding-certificate set enabled {yes | no}  

                    Enables or disables LDAP CA certificate binding.

                     
                    Step 4Server /ldap/binding-certificate* # commit  

                    Commits the transaction to the system configuration.

                     
                    Step 5Server /ldap/binding-certificate # download-ca-certificate remote-protocol IP Address LDAP CA Certificate file  
                    Specifies the protocol to connect to the remote server. It can be of the following types:

                    • TFTP

                    • FTP

                    • SFTP

                    • SCP

                    • HTTP

                    Note   

                    The Cisco UCS C-Series server now supports fingerprint confirmation of the server when you update firmware through a remote server. This option is available only if you choose SCP or SFTP as the remote server type.

                    If you chose SCP or SFTP as the remote server type while performing this action, a prompt with the message Server (RSA) key fingerprint is <server_finger_print _ID> Do you wish to continue? Click y or n depending on the authenticity of the server fingerprint.

                    The fingerprint is based on the host's public key and helps you to identify or verify the host you are connecting to.

                     
                    Step 6At the confirmation prompt, enter y.  

                    This begins the download of the LDAP CA certificate.

                     

                    This example downloads the LDAP certificate: 

                    Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # set enabled yes
Server /ldap/binding-certificate *# commit
Server /ldap/binding-certificate # show detail
LDAP binding with Certificate:
    Enabled: yes 
Server /ldap/binding-certificate #  download-ca-certificate tftp 172.22.141.66 
new_com_chain.cer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1282  100  1282    0     0   1247      0  0:00:01  0:00:01 --:--:--  1635
100  1282  100  1282    0     0   1239      0  0:00:01  0:00:01 --:--:--  1239
  You are going to overwrite the LDAP CA Certificate.
  Are you sure you want to proceed and overwrite the LDAP CA Certificate? [y|N]y
LDAP CA Certificate is downloaded successfully
Server /ldap/binding-certificate #

                    Testing LDAP Binding

                    Before You Begin

                    You must log in as a user with admin privileges to perform this task.


                    Note

                    If you checked the Enable Encryption and the Enable Binding CA Certificate check boxes, enter the fully qualified domain name (FQDN) of the LDAP server in the LDAP Server field. To resolve the FQDN of the LDAP server, configure the preferred DNS of Cisco IMC network with the appropriate DNS IP address.

                    Procedure
                       Command or ActionPurpose
                      Step 1Server# scope ldap  

                      Enters the LDAP command mode.

                       
                      Step 2Server# /ldap scope binding-certificate  

                      Enters the LDAP CA certificate binding command mode.

                       
                      Step 3Server /ldap/binding-certificate # test-ldap-binding username  

                      Password prompt appears.

                       
                      Step 4Enter the corresponding password.  

                      Authenticates the user.

                       

                      This example tests the LDAP user binding: 

                      Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # test-ldap-binding user 
Password:
diagldapbinding: Authenticated by LDAP
User user authenticated successfully.
Server /ldap/binding-certificate #

                      Deleting LDAP CA Certificate

                      Before You Begin

                      You must log in as a user with admin privileges to perform this task.

                      Procedure
                         Command or ActionPurpose
                        Step 1Server# scope ldap  

                        Enters the LDAP command mode.

                         
                        Step 2Server# /ldap scope binding-certificate  

                        Enters the LDAP CA certificate binding command mode.

                         
                        Step 3Server /ldap/binding-certificate # delete-ca-certificate  

                        Confirmation prompt appears.

                         
                        Step 4At the confirmation prompt, enter y.  

                        This deletes the LDAP CA certificate.

                         

                        This example deletes the LDAP certificate: 

                        Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # delete-ca-certificate 
You are going to delete the LDAP CA Certificate.
	Are you sure you want to proceed and delete the LDAP CA Certificate? [y|N]y
LDAP CA Certificate is deleted successfully
Server /ldap/binding-certificate #

                        Viewing User Sessions

                        Procedure
                           Command or ActionPurpose
                          Step 1Server# show user-session  

                          Displays information about current user sessions.

                           

                          The command output displays the following information about current user sessions:

                          Name Description

                          Terminate Session button

                          If your user account is assigned the admin user role, this option enables you to force the associated user session to end.

                          Note   

                          You cannot terminate your current session from this tab.

                          Session ID column

                          The unique identifier for the session.

                          User name column

                          The username for the user.

                          IP Address column

                          The IP address from which the user accessed the server. If this is a serial connection, it displays N/A.

                          Type column

                          The type of session the user chose to access the server. This can be one of the following:

                          • webgui— indicates the user is connected to the server using the web UI.

                          • CLI— indicates the user is connected to the server using CLI.

                          • serial— indicates the user is connected to the server using the serial port.

                          This example displays information about current user sessions:

                          Server# show user-session
ID     Name             IP Address        Type         Killable 
------ ---------------- ----------------- ------------ -------- 
15     admin            10.20.30.138      CLI          yes      

Server /user #

                          Terminating a User Session

                          Before You Begin

                          You must log in as a user with admin privileges to terminate a user session.

                          Procedure
                             Command or ActionPurpose
                            Step 1Server# show user-session  

                            Displays information about current user sessions. The user session to be terminated must be eligible to be terminated (killable) and must not be your own session.

                             
                            Step 2Server /user-session # scope user-session session-number  

                            Enters user session command mode for the numbered user session that you want to terminate.

                             
                            Step 3Server /user-session # terminate  

                            Terminates the user session.

                             

                            This example shows how the admin at user session 10 terminates user session 15:

                            Server# show user-session
ID     Name             IP Address        Type         Killable 
------ ---------------- ----------------- ------------ -------- 
10     admin            10.20.41.234      CLI          yes  
15     admin            10.20.30.138      CLI          yes      
Server# scope user-session 15
Server /user-session # terminate
User session 15 terminated.

Server /user-session #