Managing User Accounts

User Management

Adding a User

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

Click Add user.

Add user window is displayed.

Step 4

In the Add user window update the following properties:

Name

Description

Account status radio button

Select the Enabled radio button to activate the account immediately.

Select the Disabled radio button to create the account without activation.

Username field

Enter the desired username.

Follow the UI instructions for username rules.

User password field

Enter the password for the user.

Follow the UI instructions for password rules.

Confirm user password field

Re-enter the password to confirm.

Privilege drop-down list

From the Privilege drop-down list, choose the appropriate role:

Administrator—Full access and control.

Operator—Limited operational access.

ReadOnly—View-only access.

Password Change Required radio button

Select Enabled to require the user to change their password upon first login.

Select Disabled to allow the user to retain the initial password.

VMedia Access radio button

Select Enabled to allow the user to use virtual media (for example, mounting ISO files). Virtual media lets the user present an image to the host as a boot device, so enable it only for accounts that need it.

Select Disabled to deny the user access to virtual media.

Step 5

Click Add user.


Editing a User

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

To edit a user, click the edit icon corresponding to the user row you want to edit.

Edit user window is displayed.

Step 4

In the Edit user window update the following properties:

Name

Description

Account status radio button

Select the Enabled radio button to activate the account immediately.

Select the Disabled radio button to deactivate the account without deleting it; a disabled user cannot log in on any interface.

Username field

Enter the desired username.

Follow the UI instructions for username rules.

User password field

Enter the password for the user.

Follow the UI instructions for password rules.

Confirm user password field

Re-enter the password to confirm.

Privilege drop-down list

From the Privilege drop-down list, choose the appropriate role:

Administrator—Full access and control.

Operator—Limited operational access.

ReadOnly—View-only access.

Password Change Required radio button

Select Enabled to require the user to change their password upon first login.

Select Disabled to allow the user to retain the initial password.

VMedia Access radio button

Select Enabled to allow the user to use virtual media (for example, mounting ISO files). Virtual media lets the user present an image to the host as a boot device, so enable it only for accounts that need it.

Select Disabled to deny the user access to virtual media.

Step 5

Click Save.


Enabling or Disabling a User

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

To enable/disable a user, check the check box corresponding to the user row you want to enable/disable.

When you check the check box, a new header row with additional options appears at the top of the table.

Step 4

Click Enable/Disable.


Managing Account Policy Settings

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

Click Account policy settings.

Account policy settings window is displayed.

Step 4

In the Account policy settings window update the following properties:

Name

Description

Max failed login attempts field

Enter a value between 0 and 65535.

User unlock method radio button

Select one of the following options:

Manual—Choose the Manual radio button to require an administrator to unlock the account. Note that anyone who can reach the login page can lock an account on purpose by exceeding the failed-attempt limit, and with Manual it stays locked until an administrator intervenes.

Automatic After Timeout—Choose the Automatic After Timeout radio button to unlock the account automatically after the specified timeout.

Timeout duration (seconds) field

If Automatic After Timeout is selected, enter the duration in seconds in the Timeout duration (seconds) field.

Step 5

Click Save.


Deleting a User

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

To delete a user, check the check box corresponding to the user row you want to delete.

When you check the check box, a new header row with additional options appears at the top of the table.

Step 4

Click Delete.

Step 5

Alternatively, you can click the delete icon against the user row you want to delete.


Managing Password Settings

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the User management tab.

Step 3

Under Password Settings, update the following properties:

Name

Description

Complexity drop-down list

Use the Complexity drop-down list to define the required password complexity level for users. The following options are available:

Disabled—No restrictions on password complexity are applied.

Low—Requires passwords to meet basic complexity requirements, such as including both letters and numbers.

Medium—Requires passwords to meet more stringent complexity rules, such as including a combination of letters, numbers, and special characters.

High—Enforces the strictest password rules, including the use of uppercase and lowercase letters, numbers, special characters, and a minimum length.

Note


Password length cannot exceed 20 bytes due to IPMI 2.0 restrictions.

Password History drop-down list

Use the Password History drop-down list to specify the number of previous passwords that will be stored for each user. This prevents users from reusing recently used passwords. The following options are available:

0—No password history is enforced. Users can reuse any previous password.

1—The system remembers the last 1 password. Users cannot reuse their most recent password.

2—The system remembers the last 2 passwords.

3—The system remembers the last 3 passwords.

4—The system remembers the last 4 passwords.

5—The system remembers the last 5 passwords, providing the highest level of password reuse prevention.
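The following is an added example, not code from the Cisco BMC 2.0 itself, showing how the Password Settings above combine when a new password is checked. The Low, Medium and High rules are an interpretation of the page's descriptions (the page says "such as"), and the minimum lengths are assumed values; the one hard fact is the IPMI 2.0 limit, which is 20 bytes, not 20 characters, so a password with non-ASCII characters can exceed it while looking short in the UI.

```python
import re
from collections import deque

# The page states the IPMI 2.0 limit: a password is at most 20 BYTES.
# The limit is in bytes, not characters, so a password containing
# non-ASCII characters can exceed it while looking short in the UI.
IPMI_MAX_PASSWORD_BYTES = 20

# Minimum lengths per complexity level: an assumption for this example;
# the page only says that High enforces "a minimum length".
MIN_LENGTH = {"Disabled": 0, "Low": 1, "Medium": 1, "High": 12}


def check_password(password: str, complexity: str, history: deque) -> list[str]:
    """Return the list of policy violations for a candidate password.

    complexity is one of Disabled / Low / Medium / High as on the page;
    history is a deque(maxlen=N) holding the last N accepted passwords,
    N being the Password History setting (0..5). Empty list = accepted.
    """
    problems: list[str] = []

    raw = password.encode("utf-8")
    if len(raw) > IPMI_MAX_PASSWORD_BYTES:
        problems.append(
            f"{len(password)} characters but {len(raw)} bytes; "
            f"exceeds the {IPMI_MAX_PASSWORD_BYTES}-byte IPMI 2.0 limit")

    if len(password) < MIN_LENGTH[complexity]:
        problems.append(f"shorter than {MIN_LENGTH[complexity]} characters")

    has_letter = re.search(r"[A-Za-z]", password) is not None
    has_digit = re.search(r"[0-9]", password) is not None
    has_special = re.search(r"[^A-Za-z0-9]", password) is not None
    has_upper = re.search(r"[A-Z]", password) is not None
    has_lower = re.search(r"[a-z]", password) is not None

    # Low: letters and numbers; Medium: plus a special character;
    # High: plus both upper- and lower-case letters (the page's wording).
    if complexity in ("Low", "Medium", "High") and not (has_letter and has_digit):
        problems.append("needs both letters and numbers")
    if complexity in ("Medium", "High") and not has_special:
        problems.append("needs a special character")
    if complexity == "High" and not (has_upper and has_lower):
        problems.append("needs upper- and lower-case letters")

    # Password History: reuse of any remembered password is refused.
    # A real implementation compares hashes; clear text is used here only
    # to keep the example self-contained.
    if password in history:
        problems.append(f"reuses one of the last {history.maxlen} passwords")

    return problems


def accept_password(password: str, complexity: str, history: deque) -> bool:
    """Apply the policy and, on success, record the password in the history."""
    if check_password(password, complexity, history):
        return False
    history.append(password)   # a deque with maxlen=0 (history setting 0) keeps nothing
    return True
```

With a Password History of 5, construct the history as deque(maxlen=5); the deque drops the oldest entry by itself once six passwords have been accepted.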


LDAP Configuration

Enabling LDAP Authentication

In the Cisco BMC 2.0, the SSH, Redfish, Webserver, and Host Console interfaces can authenticate against an LDAP directory. The IPMI interface cannot: IPMI session setup requires the BMC to hold the user's clear-text password, and an LDAP directory does not release passwords. Authentication is PAM-based, so the authentication flow is the same for LDAP users and local users.

For LDAP user accounts, there is no LDAP attribute type that corresponds to the Cisco BMC 2.0 privilege roles. The preferred method is to place LDAP user accounts in LDAP groups and assign a privilege role to each group using Redfish or the GUI (see Adding a Role Group).

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the LDAP tab.

Step 3

Under LDAP authentication, update the following properties:

Name

Description

Enable check box

Check the Enable check box to activate LDAP authentication options.

Secure LDAP using SSL check box

Check Secure LDAP using SSL to encrypt LDAP communications. Without it, the Bind DN password and the credentials of every user who logs in cross the network in clear text.

Ensure you have both a CA certificate and an LDAP certificate before enabling this option (see Manage SSL Certificate below).

Service Type radio button

Choose the appropriate service type by selecting a radio button:

OpenLDAP—Select to use OpenLDAP as the directory service.

Active Directory—Select to use Microsoft's Active Directory service.

Server URI field

Enter the URI of the LDAP server, for example ldap://host:389 or ldaps://host:636.

Bind DN field

Enter the Distinguished Name of the account the BMC binds as to search the directory. Use a dedicated read-only account for this, not an administrator account.

Bind Password field

Enter the password for the Bind DN.

Base DN field

Enter the Base Distinguished Name, the subtree under which user and group searches start.

User ID Attribute (optional) field

Enter the attribute that holds the login name, for example uid on OpenLDAP or sAMAccountName on Active Directory.

Group ID Attribute (optional) field

Enter the attribute used to identify groups.

Manage SSL Certificate link

See Adding a New Certificate for how to upload the CA and LDAP certificates.

Step 4

Click Save settings.


Adding a Role Group

Group roles provide the first level of authorization for users: they establish whether access to a given interface is permitted at all. For example, a user who belongs only to the webserver group and not to the SSH group must not be able to log in over SSH. Keeping group roles in common user management lets the different applications share them. For instance, an administrator who creates a new user through the webserver can grant that user the ability to log in to the webserver, Redfish, IPMI, and the other interfaces.

Before you begin

Ensure that LDAP authentication is enabled.

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the LDAP tab.

Step 3

Click Add role group.

Add new role group window is displayed.

Step 4

In the Add new role group window update the following properties:

Name

Description

Group Name field

Enter the name of the role group to identify it within the system.

Group Privilege field

Select the appropriate level of access for the group from the drop-down list:

Administrator—Full access and control.

Operator—Limited operational access.

ReadOnly—View-only access.

Step 5

Click Add.
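The LDAP settings in Enabling LDAP Authentication and the role groups in Adding a Role Group can also be applied over Redfish, as the text above notes. The following is an added example, not Cisco's code: it turns the fields of the LDAP tab into a Redfish AccountService PATCH body, reviews it for the weak choices described above (an ldap:// URI without Secure LDAP, an empty Bind DN, no role group), and sends it. It assumes the BMC follows the DMTF AccountService schema, where OpenLDAP settings live under "LDAP", Active Directory under "ActiveDirectory", and a role group is one RemoteRoleMapping entry; the host names, DNs and group names are placeholders.

```python
import json
import urllib.request
from urllib.parse import urlparse

BMC_ROLES = {"Administrator", "Operator", "ReadOnly"}   # the page's privilege levels


def build_ldap_settings(service_type, server_uri, bind_dn, bind_password, base_dn,
                        user_id_attribute=None, group_id_attribute=None,
                        role_groups=None, enabled=True):
    """Translate the LDAP tab's fields into a Redfish AccountService PATCH body.

    Assumption: the BMC exposes the DMTF AccountService schema. role_groups maps
    an LDAP group name to a BMC privilege, one entry per role group.
    """
    if service_type not in ("OpenLDAP", "Active Directory"):
        raise ValueError(f"unknown service type {service_type!r}")
    search = {"BaseDistinguishedNames": [base_dn]}
    if user_id_attribute:
        search["UsernameAttribute"] = user_id_attribute
    if group_id_attribute:
        search["GroupsAttribute"] = group_id_attribute
    mapping = []
    for group, role in (role_groups or {}).items():
        if role not in BMC_ROLES:
            raise ValueError(f"{group}: privilege must be one of {sorted(BMC_ROLES)}, not {role!r}")
        mapping.append({"RemoteGroup": group, "LocalRole": role})
    key = "ActiveDirectory" if service_type == "Active Directory" else "LDAP"
    return {key: {
        "ServiceEnabled": enabled,
        "ServiceAddresses": [server_uri],
        "Authentication": {"AuthenticationType": "UsernameAndPassword",
                           "Username": bind_dn, "Password": bind_password},
        "LDAPService": {"SearchSettings": search},
        "RemoteRoleMapping": mapping,
    }}


def review_ldap_settings(body):
    """Flag the weak choices a reviewer would catch before clicking Save settings."""
    cfg = body.get("LDAP") or body.get("ActiveDirectory")
    findings = []
    for uri in cfg["ServiceAddresses"]:
        parsed = urlparse(uri)
        if parsed.scheme != "ldaps":
            findings.append(f"{uri}: not ldaps://, so the bind password and every user's "
                            "login credentials cross the network in clear text; "
                            "enable Secure LDAP using SSL")
        if not parsed.hostname:
            findings.append(f"{uri}: no host name in URI")
    if not cfg["Authentication"]["Username"]:
        findings.append("empty Bind DN: the BMC would bind anonymously")
    if not cfg["RemoteRoleMapping"]:
        findings.append("no role group defined: no LDAP user receives a privilege "
                        "(see Adding a Role Group)")
    admins = [m["RemoteGroup"] for m in cfg["RemoteRoleMapping"] if m["LocalRole"] == "Administrator"]
    if len(admins) > 1:
        findings.append(f"{len(admins)} groups map to Administrator: {admins}; keep that set small")
    return findings


def apply_ldap_settings(bmc_url, token, body):
    """PATCH the settings to the BMC (needs a live BMC and a Redfish session token)."""
    req = urllib.request.Request(
        f"{bmc_url}/redfish/v1/AccountService", method="PATCH",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-Auth-Token": token})
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

Run review_ldap_settings on the body and fix every finding before calling apply_ldap_settings; the same checks apply when the values are typed into the GUI.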


Active Directory

The Cisco BMC 2.0 can be configured to use Active Directory for user authentication and authorization. To use Active Directory, configure users with an attribute that holds the user role and locale information for the Cisco BMC 2.0. You can use an existing LDAP attribute that is mapped to the Cisco BMC 2.0 user roles and locales or you can modify the Active Directory schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1. For more information about altering the Active Directory schema, see http://technet.microsoft.com/en-us/library/bb727064.aspx.

Configuring the Active Directory Server

Use this procedure to create a custom attribute on the Active Directory server.


Note


This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the Cisco BMC 2.0 user roles and locales.


Procedure


Step 1

Ensure that the Active Directory schema snap-in is installed.

Step 2

Using the Active Directory schema snap-in, add a new attribute with the following properties:

Property                  Value
Common Name               CiscoAVPair
LDAP Display Name         CiscoAVPair
Unique X500 Object ID     1.3.6.1.4.1.9.287247.1
Description               CiscoAVPair
Syntax                    Case Sensitive String

Step 3

Add the CiscoAVPair attribute to the user class using the Active Directory snap-in:

  1. Expand the Classes node in the left pane and type U to select the user class.

  2. Click the Attributes tab and click Add.

  3. Type C to select the CiscoAVPair attribute.

  4. Click OK.

This associates the new attribute with the user class so that it can be set on user objects.

Step 4

Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco BMC 2.0:

Role         CiscoAVPair Attribute Value
admin        shell:roles="admin"
user         shell:roles="user"
read-only    shell:roles="read-only"

Note


For more information about adding values to attributes, see http://technet.microsoft.com/en-us/library/bb727064.aspx.
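The following is an added example (not Cisco's code) of reading the CiscoAVPair values listed above the way a consumer of the attribute would: it parses shell:roles="..." into the roles the BMC recognises, rejects values that do not match exactly (the attribute syntax is Case Sensitive String, so "Admin" is not "admin"), and emits an LDIF change record for setting the value with ldapmodify or ldifde instead of the schema snap-in. Support for several space-separated pairs and comma-separated role lists is an assumption for this example; the page itself shows one pair with one role per user. The user DN is a placeholder.

```python
import re

# Role values the page lists for the CiscoAVPair attribute.
KNOWN_ROLES = {"admin", "user", "read-only"}

# One attribute-value pair: key="value". The attribute syntax on the page is
# Case Sensitive String, so no case folding happens anywhere below.
_PAIR = re.compile(r'([A-Za-z][A-Za-z0-9_:-]*)="([^"]*)"')
_WHOLE = re.compile(r'\s*(?:[A-Za-z][A-Za-z0-9_:-]*="[^"]*"\s*)+')


def parse_cisco_av_pair(value: str) -> dict[str, list[str]]:
    """Split 'shell:roles="admin" shell:locales="dc1"' into {key: [values]}.

    Assumption: several pairs may be separated by white space and a value
    may hold a comma-separated list. Anything else (stray characters, a
    missing quote) is rejected rather than partially accepted.
    """
    if not _WHOLE.fullmatch(value):
        raise ValueError(f"malformed CiscoAVPair value: {value!r}")
    pairs: dict[str, list[str]] = {}
    for key, val in _PAIR.findall(value):
        pairs.setdefault(key, []).extend(v.strip() for v in val.split(",") if v.strip())
    return pairs


def bmc_roles(value: str) -> set[str]:
    """Return the Cisco BMC 2.0 roles granted by a CiscoAVPair value."""
    roles = set(parse_cisco_av_pair(value).get("shell:roles", []))
    unknown = roles - KNOWN_ROLES
    if unknown:
        raise ValueError(f"unknown role(s) {sorted(unknown)}; the attribute is case "
                         f"sensitive, expected one of {sorted(KNOWN_ROLES)}")
    return roles


def set_role_ldif(user_dn: str, role: str) -> str:
    """LDIF change record that sets the attribute on one user (for ldapmodify / ldifde)."""
    if role not in KNOWN_ROLES:
        raise ValueError(f"unknown role {role!r}")
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: CiscoAVPair",
        f'CiscoAVPair: shell:roles="{role}"',
        "-",
        "",
    ])
```

Because the comparison is exact, a value typed with the wrong case or with a stray trailing character grants no role at all rather than a partial one; check the attribute with the parser before assuming a user has access.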


What to do next

Use the Cisco BMC 2.0 to configure Active Directory.

User Session

Viewing User Sessions

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the Session Management tab.

Step 3

You can view the following properties:

Name

Description

Session ID column

A unique identifier assigned to each active session, used to track and manage it.

Session Type column

The interface the session was opened on, such as Redfish, Web UI, or CLI.

User ID column

A numerical identifier assigned to the user, distinct from the Username.

Username column

The account name the session was opened with.

IP address column

The source IP address of the client that opened the session.

Privilege column

The level of access the session carries: Administrator, Operator, or ReadOnly.


Disconnecting a Session

Procedure


Step 1

From the Navigation Pane, click Administration > User management.

Step 2

Select the Session Management tab.

Step 3

You can disconnect a single session or several sessions together:

  • To disconnect one session, click the delete icon against the session row you want to disconnect.

  • To disconnect several sessions, check the check box corresponding to each session row you want to disconnect.

    When you check a check box, a new header row with additional options appears at the top of the table.

    Click Delete.

Do not delete the session you are logged in with, or you will disconnect yourself.
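Deciding which rows of the Session Management tab to disconnect is the part the procedure leaves to the administrator. The following is an added example (not Cisco's code) that applies two rules to the columns described above: an Administrator session from outside the expected management networks, and an account logged in from more than one address at once, which points to a shared or stolen credential. It never selects the caller's own session. The management network, the sample rows and the Redfish SessionService URL layout are assumptions for this example.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """One row of the Session Management tab."""
    session_id: str
    session_type: str      # Redfish, Web UI, CLI
    user_id: int
    username: str
    ip_address: str
    privilege: str         # Administrator, Operator, ReadOnly


# Networks from which administrative sessions are expected (assumption).
MANAGEMENT_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]


def sessions_to_disconnect(sessions, own_session_id, mgmt_nets=MANAGEMENT_NETWORKS):
    """Pick the sessions an administrator should disconnect, with a reason each.

    Rule 1: an Administrator session from outside the management networks.
    Rule 2: any account with sessions from more than one address at once.
    The caller's own session is skipped so the cleanup does not cut itself off.
    """
    addresses = defaultdict(set)
    for s in sessions:
        addresses[s.username].add(s.ip_address)

    picks = []
    for s in sessions:
        if s.session_id == own_session_id:
            continue
        addr = ipaddress.ip_address(s.ip_address)
        if s.privilege == "Administrator" and not any(addr in net for net in mgmt_nets):
            picks.append((s.session_id,
                          f"Administrator session for {s.username} from {s.ip_address}, "
                          "outside the management networks"))
        elif len(addresses[s.username]) > 1:
            picks.append((s.session_id,
                          f"{s.username} has sessions from {len(addresses[s.username])} addresses"))
    return picks


def session_delete_url(bmc_url, session_id):
    """Redfish DELETE target for a session (assumption: DMTF SessionService layout)."""
    return f"{bmc_url}/redfish/v1/SessionService/Sessions/{session_id}"


# Constructed sample rows, not taken from a real BMC.
SAMPLE_SESSIONS = [
    Session("s1", "Web UI", 1, "admin", "10.0.0.5", "Administrator"),
    Session("s2", "Redfish", 3, "ops-bot", "10.0.0.20", "Operator"),
    Session("s3", "CLI", 1, "admin", "192.0.2.44", "Administrator"),
    Session("s4", "Web UI", 3, "ops-bot", "198.51.100.7", "Operator"),
]
```

On the sample rows, with s1 as the administrator's own session, s3 is picked by the first rule and both ops-bot sessions by the second; the Delete action in the GUI or a Redfish DELETE on session_delete_url ends each one.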