Managing User Accounts

Adding Local Users for Cisco UCS C-Series M7 and Later Servers

The Cisco IMC implements a strong password policy: when you log on to the server for the first time, you are required to set a password that follows the strong password guidelines. The Local User tab displays a Disable Strong Password button, which lets you disable the strong password policy and set a password of your choice without following the guidelines. Once you disable the strong password policy, an Enable Strong Password button is displayed. By default, the strong password policy is enabled.

Before you begin

You must log in as a user with admin privileges to add local user accounts.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To add a local user account, click Add User.

Step 5

In the Local User Details dialog box, update the following properties:

Table 1. User Name and Role

Name

Description

User Name field

Enter a username for the user.

The username can be up to 32 characters for the CIMC and SNMP user types and up to 16 characters for the IPMI user type (any combination of characters). For more information on user types, see the CIMC/IPMI/SNMP toggle buttons description below.

Role Played drop-down list

The role assigned to the user. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

  • snmponly—A user with the SNMP role only.

Enabled toggle button

If checked, the user is enabled on the Cisco IMC.

CIMC/IPMI/SNMP toggle buttons

You may create the following types of user:

  • CIMC

  • SNMP

  • IPMI

Table 2. CIMC

Name

Description

Password field

Enter a suitable password. For the password requirements, hover over the ? icon beside the Suggest button.

Confirm Password field

The password repeated for confirmation.

Suggest button

Click to have the system generate a password.

Table 3. IPMI

Name

Description

Password field

Enter a suitable password. For the password requirements, hover over the ? icon beside the Suggest button.

Confirm Password field

The password repeated for confirmation.

Suggest button

Click to have the system generate a password.

Table 4. SNMP

Name

Description

Security Level drop-down list

The security level for this user. This can be one of the following:

  • no auth, no priv—The user does not require an authorization or privacy password.

  • auth, no priv—The user requires an authorization password but not a privacy password. If you select this option, Cisco IMC enables the Auth fields described below.

  • auth, priv—The user requires both an authorization password and a privacy password. If you select this option, Cisco IMC enables the Auth and Privacy fields.

Auth Type drop-down list

The authorization type. This can be one of the following:

  • HMAC_SHA96

  • HMAC128_SHA224

  • HMAC192_SHA256

  • HMAC256_SHA384

  • HMAC384_SHA512

Auth Password field

The authorization password for this SNMP user.

Enter between 8 and 64 characters or spaces.

Note

Cisco IMC automatically trims leading or trailing spaces.

Confirm Auth Password field

The authorization password again for confirmation purposes.

Privacy Type drop-down list

The privacy type. This can be one of the following:

  • CFB128_AES128

Privacy Password field

The privacy password for this SNMP user.

Enter between 8 and 64 characters or spaces.

Note

Cisco IMC automatically trims leading or trailing spaces.

Confirm Privacy Password

The privacy password again for confirmation purposes.

Step 6

Click Save.
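The SNMP table above lists the Auth Type choices (HMAC_SHA96 through HMAC384_SHA512) and the 8-to-64-character, space-trimmed password rule, but not what the choice means on the wire. The following added example (not Cisco code, not from this guide) goes one step beyond the page: it maps each Auth Type name to its hash function and truncated HMAC length (RFC 3414 for HMAC-SHA-96, RFC 7860 for the SHA-2 family), applies the page's password rules, and derives the localized key that an SNMPv3 engine such as the Cisco IMC stores from the password and the engine ID. The engine ID used in the demo run is the RFC 3414 test value, not a real IMC value.

```python
import hashlib
import hmac

# Auth Type names exactly as listed in the Cisco IMC SNMP user dialog, mapped to
# the hash function behind them and the truncated HMAC length in bytes
# (RFC 3414 for HMAC-SHA-96, RFC 7860 for the SHA-2 family).
AUTH_TYPES = {
    "HMAC_SHA96": ("sha1", 12),
    "HMAC128_SHA224": ("sha224", 16),
    "HMAC192_SHA256": ("sha256", 24),
    "HMAC256_SHA384": ("sha384", 32),
    "HMAC384_SHA512": ("sha512", 48),
}


def normalize_snmp_password(raw: str) -> str:
    """Apply the rules from the SNMP table: trim leading/trailing spaces,
    then require 8 to 64 characters."""
    password = raw.strip(" ")
    if not 8 <= len(password) <= 64:
        raise ValueError(
            f"SNMP password must be 8-64 characters after trimming, got {len(password)}"
        )
    return password


def password_to_key(password: str, auth_type: str) -> bytes:
    """RFC 3414 A.2 password-to-key: hash the password repeated to 1 MiB (Ku)."""
    hash_name, _ = AUTH_TYPES[auth_type]
    pw = password.encode("utf-8")
    repeats = 1_048_576 // len(pw) + 1
    stream = (pw * repeats)[:1_048_576]
    return hashlib.new(hash_name, stream).digest()


def localized_key(password: str, engine_id: bytes, auth_type: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): the per-engine key that the
    authoritative engine (here the Cisco IMC) actually stores."""
    hash_name, _ = AUTH_TYPES[auth_type]
    ku = password_to_key(password, auth_type)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def auth_tag(auth_type: str, key: bytes, message: bytes) -> bytes:
    """Truncated HMAC over a message; the tag length is the one in the type name
    (96 bits for HMAC_SHA96, 128 for HMAC128_SHA224, and so on)."""
    hash_name, tag_len = AUTH_TYPES[auth_type]
    return hmac.new(key, message, hash_name).digest()[:tag_len]


if __name__ == "__main__":
    # RFC 3414 A.3.2 inputs; the engine ID is the RFC's test value, not a real IMC.
    pw = normalize_snmp_password("  maplesyrup  ")
    engine = bytes.fromhex("000000000000000000000002")
    for name in AUTH_TYPES:
        kul = localized_key(pw, engine, name)
        print(f"{name:15s} Kul={kul.hex()[:16]}... tag_len={AUTH_TYPES[name][1]}")
```

Because the stored key is localized with the engine ID, the same user password yields a different key on every IMC, which is why an SNMP manager must learn each engine's ID before it can authenticate; the truncation lengths are also why "no auth, no priv" leaves the message with no integrity tag at all.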


Modifying Local Users for Cisco UCS C-Series M7 and Later Servers

The Cisco IMC implements a strong password policy: when you log on to the server for the first time, you are required to set a password that follows the strong password guidelines. The Local User tab displays a Disable Strong Password button, which lets you disable the strong password policy and set a password of your choice without following the guidelines. Once you disable the strong password policy, an Enable Strong Password button is displayed. By default, the strong password policy is enabled.

Before you begin

You must log in as a user with admin privileges to configure or modify local user accounts.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To modify a local user account, click a row and click Modify User.

Step 5

In the Modify User Details dialog box, update the following properties:

Table 5. User Details

Name

Description

ID

The system-assigned user ID. You cannot edit this ID.

User Name field

Enter a username for the user.

The username can be up to 32 characters for the CIMC and SNMP user types and up to 16 characters for the IPMI user type (any combination of characters). For more information on user types, see the CIMC/IPMI/SNMP toggle buttons description below.

Role Played drop-down list

The role assigned to the user. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

  • snmponly—A user with the SNMP role only.

Enabled toggle button

If checked, the user is enabled on the Cisco IMC.

CIMC/IPMI/SNMP toggle buttons

You may create the following types of user:

  • CIMC

  • SNMP

  • IPMI

Note

You cannot uncheck the default user type of the user that you are modifying.

Change Password toggle button

Allows you to change the local user password.

Note

The CIMC, IPMI, and SNMP properties are visible only when Change Password is enabled.

Table 6. CIMC

Name

Description

Password field

Enter a suitable password. For the password requirements, hover over the ? icon beside the Suggest button.

Confirm Password field

The password repeated for confirmation.

Suggest button

Click to have the system generate a password.

Table 7. IPMI

Name

Description

Password field

Enter a suitable password. For the password requirements, hover over the ? icon beside the Suggest button.

Confirm Password field

The password repeated for confirmation.

Suggest button

Click to have the system generate a password.

Table 8. SNMP

Name

Description

Security Level drop-down list

The security level for this user. This can be one of the following:

  • no auth, no priv—The user does not require an authorization or privacy password.

  • auth, no priv—The user requires an authorization password but not a privacy password. If you select this option, Cisco IMC enables the Auth fields described below.

  • auth, priv—The user requires both an authorization password and a privacy password. If you select this option, Cisco IMC enables the Auth and Privacy fields.

Auth Type drop-down list

The authorization type. This can be one of the following:

  • HMAC_SHA96

  • HMAC128_SHA224

  • HMAC192_SHA256

  • HMAC256_SHA384

  • HMAC384_SHA512

Auth Password field

The authorization password for this SNMP user.

Enter between 8 and 64 characters or spaces.

Note

Cisco IMC automatically trims leading or trailing spaces.

Confirm Auth Password field

The authorization password again for confirmation purposes.

Privacy Type drop-down list

The privacy type. This can be one of the following:

  • CFB128_AES128

Privacy Password field

The privacy password for this SNMP user.

Enter between 8 and 64 characters or spaces.

Note

Cisco IMC automatically trims leading or trailing spaces.

Confirm Privacy Password

The privacy password again for confirmation purposes.

Step 6

Click Save.


Managing SSH Keys in User Accounts

Configuring SSH Keys

You must log in as a user with admin privileges to view the SSH keys for all the users. If you are a non-admin user, you can view the SSH keys only for your account.

Cisco IMC sessions authenticated with public SSH keys remain active even if the password has expired, and you can start new sessions with the public SSH key after the password has expired.

The account lockout option does not apply to accounts that use public key authentication.

Before you begin

  • You must log in as a user with admin privileges to configure SSH keys for all the users.

  • Ensure that you have created a pair of SSH RSA keys, public and private.

  • Ensure that the SSH keys are in .pem or .pub format.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To view the details of the SSH keys for an account, select a row in the pane and click SSH Keys.

The SSH Keys window is displayed.

Step 5

In the SSH Keys window, view the following properties:

Table 9. SSH Keys

Name

Description

ID checkbox

Allows you to select the SSH key.

Comment column

Displays the content describing the key.

Key column

Displays the key text.

Add icon

Allows you to add a new SSH key.

Check the ID checkbox for an empty SSH key row and click Add. You can then paste the key or upload it from a local or remote location.

Edit icon

Allows you to edit the SSH key.

Check the ID checkbox for the SSH key that you want to edit and click the edit icon. You can then paste the key or upload it from a local or remote location.

Delete icon

Allows you to delete the SSH key. Click OK to proceed.


What to do next

Add or modify the SSH keys.

Adding SSH Keys

Before you begin

  • You must log in as a user with admin privileges to add SSH keys for all users.

  • If you are a non-admin user, you can add SSH keys only for your account.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To add SSH keys for an account, select a row in the pane and click SSH Keys.

The SSH Keys window is displayed.

Step 5

To add the SSH key, review the list of SSH keys and select the desired row in the SSH Keys window.

Note

The Add Keys icon is active only for empty slots.

Step 6

Click the Add Keys icon in the SSH Keys window to add the SSH key.

Step 7

Use one of the following methods to upload the key:

Table 10. Paste

Name

Description

Paste SSH Key field

Paste the entire content of the key into this text field.

Upload button

Allows you to upload the key.

Table 11. Local

Name

Description

Browse button

Click Browse and navigate to the key that you want to upload.

Upload button

Allows you to upload the key.

Table 12. Remote

Name

Description

Server IP/Hostname field

The IP address or hostname of the server from which you want to upload the key.

Upload Protocol button

Select one of the following protocols:

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP, or SFTP, you are prompted to enter your username and password.

Path and Filename field

The path and filename of the key file on the server.

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload button

Allows you to upload the key.
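The prerequisites above require an RSA key pair in .pem or .pub format, and Step 7 accepts the public key as pasted text or an uploaded file without saying how the content is checked. The following added example (not Cisco code, not from this guide) shows the check an administrator can run on a .pub line before uploading it: it parses the OpenSSH one-line format, confirms that the type field matches the encoded blob, rejects non-RSA types and small moduli, and prints the SHA256 fingerprint so the key can be matched against the one shown in the Key column afterwards. The minimum modulus size is this example's assumption, and the demo key is a constructed 2048-bit integer rather than a real RSA modulus.

```python
import base64
import hashlib
import struct

# Key types this checker accepts; the page's prerequisite is an RSA key pair.
ALLOWED_TYPES = {"ssh-rsa"}
MIN_RSA_BITS = 2048  # assumed minimum, not a value from the Cisco documentation


def _mpint(value: int) -> bytes:
    """SSH mpint (RFC 4251): big-endian, minimal, with a 0x00 pad if the high bit is set."""
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return struct.pack(">I", len(raw)) + raw


def _string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_rsa_pub_line(e: int, n: int, comment: str) -> str:
    """Encode (e, n) as an OpenSSH one-line .pub entry. Used here to construct
    test input; n need not be a real modulus for the parser to be exercised."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def _read(blob: bytes, offset: int) -> tuple:
    """Read one length-prefixed field; raise on truncation."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_pub_line(line: str) -> dict:
    """Parse an OpenSSH RSA public key line into type, modulus size, e, fingerprint, comment."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = _read(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"type field {key_type!r} does not match blob type {inner_type!r}")
    e_bytes, pos = _read(blob, pos)
    n_bytes, pos = _read(blob, pos)
    if pos != len(blob):
        raise ValueError("trailing bytes after RSA public key")
    n = int.from_bytes(n_bytes, "big")
    # Same form as `ssh-keygen -lf`: SHA256 over the blob, base64 without padding.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": key_type, "bits": n.bit_length(), "e": int.from_bytes(e_bytes, "big"),
            "fingerprint": fingerprint, "comment": comment}


def validate_pub_line(line: str) -> tuple:
    """Accept or reject an uploaded key line with a reason an operator can act on."""
    if line.lstrip().startswith("-----BEGIN"):
        return False, "PEM-encoded key: this checker handles the OpenSSH one-line .pub form only"
    key_type = line.split(None, 1)[0] if line.split() else ""
    if key_type not in ALLOWED_TYPES:
        return False, f"key type {key_type!r} not allowed"
    try:
        info = parse_pub_line(line)
    except (ValueError, struct.error) as exc:
        return False, f"malformed key: {exc}"
    if info["bits"] < MIN_RSA_BITS:
        return False, f"RSA modulus too small: {info['bits']} bits"
    return True, f"{info['type']} {info['bits']} bits {info['fingerprint']} {info['comment']}"


# Constructed demo modulus: a 2048-bit odd integer, NOT a real RSA key.
DEMO_N = (1 << 2047) | 0x10001
DEMO_LINE = build_rsa_pub_line(65537, DEMO_N, "imc-operator@example (constructed)")

if __name__ == "__main__":
    print(validate_pub_line(DEMO_LINE))
```

Checking the inner type string against the outer one catches a key whose blob was edited or whose type label was changed by hand; both produce an entry that looks plausible in the Key column but would never authenticate.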


What to do next

Modify or delete the SSH keys.

Modifying SSH Keys

Before you begin

  • You must log in as a user with admin privileges to modify the SSH keys for all the users.

  • If you are a non-admin user, you can modify the SSH keys only for your account.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To modify the SSH keys for an account, select a row in the pane and click SSH Keys.

The SSH Keys window is displayed.

Step 5

To modify the SSH key, review the list of SSH keys and select the desired row in the SSH Keys window.

Step 6

Click the Edit Keys icon in the SSH Keys window to edit the SSH key.

Step 7

Use one of the following methods to upload the key:

Table 13. Paste

Name

Description

Paste SSH Key field

Paste the entire content of the key into this text field.

Upload button

Allows you to upload the key.

Table 14. Local

Name

Description

Browse button

Click Browse and navigate to the key that you want to upload.

Upload button

Allows you to upload the key.

Table 15. Remote

Name

Description

Server IP/Hostname field

The IP address or hostname of the server from which you want to upload the key.

Upload Protocol button

Select one of the following protocols:

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

If you select FTP, SCP, or SFTP, you are prompted to enter your username and password.

Path and Filename field

The path and filename of the key file on the server.

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload button

Allows you to upload the key.


Deleting SSH Keys

Before you begin

  • You must log in as a user with admin privileges to delete the SSH keys for all the users.

  • If you are a non-admin user, you can delete the SSH keys only for your account.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the User Management tab.

Step 4

To delete the SSH keys for an account, select a row in the pane and click SSH Keys.

The SSH Keys window is displayed.

Step 5

To delete the SSH key, review the list of SSH keys and select the desired row in the SSH Keys window.

Step 6

Click the Delete Key icon.

A pop-up window is displayed.

Step 7

Click OK to confirm the deletion.


Password Expiry

You can set a lifetime for passwords, after which they expire. As an administrator, you set this time in days, and the setting applies to all users. When a password has expired, the user is notified at login and is not allowed to log in until the password is reset.


Note

When you downgrade to an older database, existing users are deleted and the database returns to its default settings. Previously configured users are cleared and the database contains only the default username 'admin' with the password 'password'. Because the server is left with the default user database, the change-default-credential feature is enabled: when the 'admin' user logs on for the first time after a downgrade, that user must change the default credential.

Password Set Time

For every existing user, the Password Set Time is set to the time when the migration or upgrade occurred. For new users (users created after an upgrade), the Password Set Time is set to the time when the user was created and the password was set. For all users, new and existing, the Password Set Time is updated whenever the password is changed.

Enabling and Configuring Password Expiry Duration

Before you begin

You must enable password expiry.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

From the Actions drop-down list, select User Management > Password Expiration Details.

Password Expiration Details dialog box is displayed.

Step 4

In the Password Expiration Details dialog box, update the following properties:

Table 16. Password Expiration Details

Name

Description

Enable Password Expiry toggle button

Allows you to enable or disable password expiry.

Password Expiry Duration field

The time period after which a password expires, counted from the time you set a new password or modify an existing one. The range is 1 to 3650 days.

Note

Once the admin sets the password expiry, it applies to all users that are subsequently created.

Password History field

The number of previous passwords that are remembered. When this is enabled, you cannot reuse any of those passwords. Enter a value from 0 to 5; entering 0 disables this field.

Notification Period field

The number of days before expiry at which the user is notified that the password is about to expire. Enter a value from 0 to 15 days; entering 0 disables this field.

Note

The notification period must be less than the password expiry duration.

Grace Period field

The number of days after expiry during which the existing password can still be used. Enter a value from 0 to 5 days; entering 0 disables this field.

Note

The grace period must be less than the password expiry duration.

Reset button

Allows you to reset the values.

Restore Defaults button

Allows you to restore factory default settings.

Step 5

Click Save Changes.
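The Password Expiration Details table gives field ranges and two ordering constraints (notification period and grace period both less than the expiry duration), and the Password Set Time section above says what the expiry is measured from. The following added example (not Cisco code, not from this guide) puts those rules together: it validates a policy the way the dialog would have to, classifies a password as valid, expiring, in grace or expired from its Password Set Time, and applies the Password History rule. Field names, the state names and the demo dates are this example's constructions; the password fingerprint used for the history check is a plain SHA-256 for demonstration only.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PasswordExpiryPolicy:
    """The Password Expiration Details fields, with the ranges from the table."""
    enabled: bool
    expiry_days: int        # 1..3650
    history: int = 0        # 0..5, 0 disables
    notify_days: int = 0    # 0..15, 0 disables, must be < expiry_days
    grace_days: int = 0     # 0..5, 0 disables, must be < expiry_days

    def validate(self) -> list:
        """Return the list of rule violations; an empty list means the policy is acceptable."""
        problems = []
        if not 1 <= self.expiry_days <= 3650:
            problems.append("Password Expiry Duration must be 1-3650 days")
        if not 0 <= self.history <= 5:
            problems.append("Password History must be 0-5")
        if not 0 <= self.notify_days <= 15:
            problems.append("Notification Period must be 0-15 days")
        if not 0 <= self.grace_days <= 5:
            problems.append("Grace Period must be 0-5 days")
        if self.notify_days >= self.expiry_days:
            problems.append("Notification Period must be less than Password Expiry Duration")
        if self.grace_days >= self.expiry_days:
            problems.append("Grace Period must be less than Password Expiry Duration")
        return problems


def password_state(policy: PasswordExpiryPolicy, password_set_time: datetime, now: datetime) -> str:
    """Classify a password from its Password Set Time (set on creation and every change)."""
    if not policy.enabled:
        return "valid"
    expires_at = password_set_time + timedelta(days=policy.expiry_days)
    grace_end = expires_at + timedelta(days=policy.grace_days)
    if now >= grace_end:
        return "expired"      # login refused until the password is reset
    if now >= expires_at:
        return "grace"        # expired, but still usable for grace_days
    if policy.notify_days and now >= expires_at - timedelta(days=policy.notify_days):
        return "expiring"     # user is warned at login
    return "valid"


# Constructed reference point for the demo; not a value from the page.
DEMO_SET_TIME = datetime(2024, 1, 1)


def state_after_days(policy: PasswordExpiryPolicy, days: int, set_time: datetime = DEMO_SET_TIME) -> str:
    """Convenience wrapper: the state `days` after the password was set."""
    return password_state(policy, set_time, set_time + timedelta(days=days))


def _digest(password: str) -> str:
    # Demo fingerprint only; a real credential store uses a slow, salted password hash.
    return hashlib.sha256(password.encode()).hexdigest()


def is_reuse(policy: PasswordExpiryPolicy, candidate: str, previous: list) -> bool:
    """True if the candidate matches one of the last `history` passwords (oldest first)."""
    if policy.history == 0:
        return False
    recent = previous[-policy.history:]
    return _digest(candidate) in {_digest(p) for p in recent}


if __name__ == "__main__":
    policy = PasswordExpiryPolicy(enabled=True, expiry_days=90, history=3, notify_days=7, grace_days=2)
    for day in (10, 82, 83, 90, 91, 92):
        print(f"day {day:3d}: {state_after_days(policy, day)}")
```

The ordering checks matter because a notification period equal to or longer than the expiry duration would warn the user from the first login, and a grace period that long would never refuse an expired password; the dialog's Note entries exist to rule out exactly those configurations.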


Changing Password as a Non-Admin User

Before you begin

You must log in as a non-admin user to change your password.

Procedure


Step 1

From the upper right corner of the Cisco IMC GUI, click the Cisco IMC info panel.

Step 2

From the Cisco IMC info panel, click Reset.

Note

This option is available only for non-admin users.

The Change Password dialog box is displayed.

Step 3

In the Change Password dialog box, update the following properties:

Table 17. Change Password

Name

Description

User Name field

Displays the user name. You cannot edit this field.

User Type toggle button

Displays the user type. If you disable this, you cannot edit the password.

Current Password field

Enter the current password.

New Password field

Enter the new password.

Confirm New Password field

Enter the new password again.

Save button

Click to save the new password.


Configuring Account Lockout Details

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

From the Actions drop-down list, select User Management > Account Lockout Details.

Account Lockout Details dialog box is displayed.

Step 4

In the Account Lockout Details dialog box, update the following properties:

Table 18. Account Lockout Details

Name

Description

Allowed Attempts field

The maximum number of failed login attempts (incorrect password) allowed before the account is locked out. The default value is 0 (disabled).

Enter an integer between 0 and 20.

Lockout Period field

The time in minutes for which the user is locked out after exceeding the allowed number of login attempts. The default value is 0 (disabled).

Enter an integer between 0 and 60.

Disable User on Lockout toggle button

When enabled, the user account is disabled on lockout.

Note

Disable User on Lockout is not applicable to the default user (admin).

Beginning with release 6.0, the number of remaining password attempts is no longer displayed when a user tries to log in to Cisco IMC, and the message that the account is locked is no longer displayed during login. The administrator can refer to the IMC audit log for the number of attempts and the details of the locked account.
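The Account Lockout Details table defines three settings whose combined effect is easiest to see by replaying a login sequence against them. The following added example (not Cisco code, not from this guide) models the policy with the table's ranges, replays a constructed sequence of login attempts, and produces the kind of per-lockout record an administrator would look for in the audit log now that the GUI no longer shows the remaining attempts or the locked message. Behaviour the page does not spell out is marked as assumed in the code: a lock rejects even a correct password until it expires, a successful login resets the failure counter, and the admin exemption follows the Note above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    """Account Lockout Details fields; ranges from the table, 0 disables."""
    allowed_attempts: int            # 0..20
    lockout_minutes: int             # 0..60
    disable_user_on_lockout: bool = False

    def validate(self) -> list:
        problems = []
        if not 0 <= self.allowed_attempts <= 20:
            problems.append("Allowed Attempts must be 0-20")
        if not 0 <= self.lockout_minutes <= 60:
            problems.append("Lockout Period must be 0-60 minutes")
        return problems


@dataclass
class AccountState:
    failures: int = 0
    locked_until: Optional[datetime] = None
    disabled: bool = False


def process_logins(policy: LockoutPolicy, events) -> tuple:
    """Replay (timestamp, username, password_correct) events against the policy.

    Returns (outcomes, audit, states). Assumed behaviour not stated on the page:
    a lock rejects even correct passwords until it expires, a successful login
    resets the failure counter, and an expired lock clears the counter."""
    states = {}
    outcomes, audit = [], []
    for ts, user, password_ok in events:
        st = states.setdefault(user, AccountState())
        if st.disabled:
            outcomes.append("denied-disabled")
            continue
        if st.locked_until is not None:
            if ts < st.locked_until:
                outcomes.append("denied-locked")
                continue
            st.locked_until = None
            st.failures = 0
        if password_ok:
            st.failures = 0
            outcomes.append("success")
            continue
        st.failures += 1
        if policy.allowed_attempts and st.failures >= policy.allowed_attempts:
            if policy.lockout_minutes:
                st.locked_until = ts + timedelta(minutes=policy.lockout_minutes)
            # Per the page's Note, Disable User on Lockout does not apply to the default admin.
            if policy.disable_user_on_lockout and user != "admin":
                st.disabled = True
            st.failures = 0
            outcomes.append("lockout")
            audit.append(f"{ts:%Y-%m-%dT%H:%M} user={user} attempts={policy.allowed_attempts} "
                         f"locked_until={st.locked_until} disabled={st.disabled}")
        else:
            outcomes.append("failure")
    return outcomes, audit, states


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 6, 1, hour, minute)


def demo_events() -> list:
    """Constructed login sequence: alice fails three times, bob recovers after one failure."""
    return [(_t(10, 0), "alice", False), (_t(10, 0), "bob", False),
            (_t(10, 1), "alice", False), (_t(10, 1), "bob", True),
            (_t(10, 2), "alice", False),
            (_t(10, 5), "alice", True),    # correct password, but still inside the lock
            (_t(10, 20), "alice", True)]   # lock expired at 10:17


def demo_events_disable() -> list:
    """Constructed sequence showing the admin exemption from Disable User on Lockout."""
    return [(_t(10, m), u, False) for m in range(3) for u in ("admin", "carol")] + \
           [(_t(10, 30), "admin", True), (_t(10, 30), "carol", True)]


if __name__ == "__main__":
    outcomes, audit, _ = process_logins(LockoutPolicy(3, 15), demo_events())
    print(outcomes)
    print("\n".join(audit))
```

Because the 6.0 release removed the remaining-attempts counter from the login screen, the audit record produced on each lockout is the only place the defender sees which account was locked and for how long; keep the audit log exported if you need that history beyond the device.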


Configuring User Authentication Precedence

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

From the Actions drop-down list, select User Management > Configure User Authentication Precedence.

Configure User Authentication Precedence dialog box is displayed.

Step 4

In the Configure User Authentication Precedence dialog box, select the database for which you wish to update the priority.

Use the Up or the Down arrow to change the priority of the database.

Step 5

You can view the following properties:

Table 19. User Authentication Precedence

Name

Description

Database check box

Use the check box to select the desired database.

Name column

The user database name.

Priority column

This shows the priority of that database.

Up Arrow button

Use this arrow to move a database up the priority list.

Down Arrow button

Use this arrow to move a database down the priority list.


Resetting User Credentials to Factory Default Values


Caution


You may lose your current IP address settings, NIC port settings, and NIC redundancy settings after performing this procedure. Cisco recommends that you make a note of your current server settings before performing this procedure.


Before you begin

Ensure that your management Ethernet cable is plugged into the dedicated management port.

SUMMARY STEPS

  1. Log in as an admin user.
  2. In the Navigation pane, click the Chassis menu.
  3. In the Chassis menu, click Summary.
  4. From the tool bar, click Launch KVM.
  5. Alternatively, in the Navigation pane, click the Compute menu.
  6. From the Power menu, select Reset System.
  7. When prompted, press F8 to enter the Cisco IMC Configuration Utility. This utility opens in the KVM console window.
  8. Check the Factory Default check box. The server reverts to the factory defaults.
  9. Press F5 to refresh the settings that you made. You might have to wait about 45 seconds until the new settings appear and the message Network settings configured is displayed before you reboot the server in the next step.
  10. Press F10 to save your settings and reboot the server.

DETAILED STEPS


Step 1

Log in as an admin user.

Step 2

In the Navigation pane, click the Chassis menu.

Step 3

In the Chassis menu, click Summary.

Step 4

From the tool bar, click Launch KVM.

Step 5

Alternatively, in the Navigation pane, click the Compute menu.

  1. In the Compute menu, select a server.

  2. In the work pane, click the Remote Management tab.

  3. In the Remote Management pane, click the Virtual KVM tab.

  4. In the Virtual KVM tab, click Launch HTML based KVM console.

Step 6

From the Power menu, select Reset System.

Step 7

When prompted, press F8 to enter the Cisco IMC Configuration Utility. This utility opens in the KVM console window.

Step 8

Check the Factory Default check box. The server reverts to the factory defaults.

Step 9

Press F5 to refresh the settings that you made. You might have to wait about 45 seconds until the new settings appear and the message Network settings configured is displayed before you reboot the server in the next step.

Step 10

Press F10 to save your settings and reboot the server.


LDAP Servers

Cisco IMC supports directory services that organize information in a directory, and manage access to this information. Cisco IMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, Cisco IMC supports Microsoft Active Directory (AD). Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The Cisco IMC utilizes the Kerberos-based authentication service of LDAP.

When LDAP is enabled in the Cisco IMC, user authentication and role authorization are performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.

By checking the Enable LDAP check box in the LDAP Settings area, you can require the server to encrypt data sent to the LDAP server.

Configuring the LDAP Server

The Cisco IMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the Cisco IMC. You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.


Important

For more information about altering the schema, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.



Note

This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales.


If you are using Group Authorization on the Cisco IMC LDAP configuration, then you can skip Steps 1-4 and perform the steps listed in the Configuring LDAP Settings and Group Authorization section.

The following steps must be performed on the LDAP server.

Procedure


Step 1

Ensure that the LDAP schema snap-in is installed.

Step 2

Using the schema snap-in, add a new attribute with the following properties:

Properties                 Value

Common Name                CiscoAVPair

LDAP Display Name          CiscoAVPair

Unique X500 Object ID      1.3.6.1.4.1.9.287247.1

Description                CiscoAVPair

Syntax                     Case Sensitive String

Step 3

Add the CiscoAVPair attribute to the user class using the snap-in:

  1. Expand the Classes node in the left pane and type U to select the user class.

  2. Click the Attributes tab and click Add.

  3. Type C to select the CiscoAVPair attribute.

  4. Click OK.

Step 4

Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC:

Role           CiscoAVPair Attribute Value

admin          shell:roles="admin"

user           shell:roles="user"

read-only      shell:roles="read-only"

Note

For more information about adding values to attributes, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.


What to do next

Use the Cisco IMC to configure the LDAP server.

Configuring the LDAP Server on Cisco IMC

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the LDAP tab.

Step 4

Select the Configure LDAP Servers tab.

Step 5

You can use one of the following methods to configure the LDAP server:

  • Pre-Configure LDAP Servers

  • Use DNS to Configure LDAP Servers

Step 6

To configure using Pre-Configure LDAP Servers, select the radio button and click Add LDAP Server.

Step 7

Update the following properties:

Table 20. Configure LDAP Servers - Pre-Configure LDAP Servers

Name

Description

Add LDAP Server button

Allows you to add an LDAP server. A new row is added to the list of servers.

LDAP Servers column

The IP addresses of up to six LDAP servers.

If you are using Active Directory for LDAP, then servers 1, 2, and 3 are domain controllers, while servers 4, 5, and 6 are Global Catalogs. If you are not using Active Directory for LDAP, you can configure a maximum of six LDAP servers.

Port column

The port numbers for the servers.

If you are using Active Directory for LDAP, then for servers 1, 2 and 3, which are domain controllers, the default port number is 389. For servers 4, 5 and 6, which are Global Catalogs, the default port number is 3268.

LDAPS communication occurs over TCP port 636. LDAPS communication to a Global Catalog server occurs over TCP port 3269.

Edit icon

To edit LDAP server details, click the icon for the respective row.

Step 8

To configure using Use DNS to Configure LDAP Servers, select the radio button and update the following properties:

Table 21. Configure LDAP Servers - Use DNS to Configure LDAP Servers

Name

Description

Source drop-down list

Allows you to select the source. It can be one of the following:

  • Extracted

  • Configured

  • Configured-Extracted

Domain To Search field

This setting specifies the domain name that the IMC will use to search for LDAP servers. When configured, the IMC queries DNS for SRV records in the specified domain to dynamically discover LDAP servers.

Forest to Search field

This setting specifies the Active Directory (AD) forest that the IMC will search to discover LDAP servers. When configured, the IMC queries DNS for SRV records within the specified forest to dynamically locate LDAP servers.


Configuring LDAP Settings and Group Authorization

Before you begin

You must log in as an admin to perform this procedure.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the LDAP tab.

Step 4

Select the LDAP Settings tab.

Step 5

In the General Settings area, update the following properties:

Table 22. General Settings Area

Name

Description

Enable LDAP toggle button

If enabled, user authentication and role authorization are performed by the LDAP server for user accounts that are not found in the local user database.

Base DN field

Base Distinguished Name. This field describes where to load users and groups from.

It must be in the dc=domain,dc=com format for Active Directory servers.

Domain field

The IPv4 domain that all users must be in.

This field is required unless you specify at least one Global Catalog server address.

Enable Secure LDAP toggle button

If enabled, the server enables secure LDAP and prompts you to download the LDAP CA certificate.

To delete an existing secure LDAP certificate, un-check this option. Follow the system prompts to confirm deletion.

Timeout (for each server) drop-down list

The number of seconds the Cisco IMC waits until the LDAP search operation times out.

If the search operation times out, Cisco IMC tries to connect to the next server listed on this tab, if one is available.

Note

The value you specify for this field affects the overall time that LDAP authentication takes, because each listed server is tried in turn.

Step 6

In the Binding Parameters area, update the following properties:

Table 23. Binding Parameters Area

Name

Description

Method drop-down list

It can be one of the following:

  • Anonymous—requires NULL username and password. If this option is selected and the LDAP server is configured for Anonymous logins, then the user can gain access.

  • Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.

  • Login Credentials—requires the user credentials. If the bind process fails, the user is denied access.

    By default, the Login Credentials option is selected.

Binding DN field

The distinguished name (DN) of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

Password field

The password of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

Step 7

In the Search Parameters area, update the following fields:

Table 24. Search Parameters Area

Name

Description

Filter Attribute field

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays sAMAccountName.

Group Attribute field

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays memberOf.

Attribute field

An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales, or modify the schema so that a new LDAP attribute is created, for example CiscoAVPair.

Nested Group Search Depth field

Parameter to search for an LDAP group nested within another defined group in an LDAP group map. The parameter defines the depth of a nested group search.

Step 8

(Optional) Select the Group Authorization area and update the following properties:

Table 25. LDAP Group Authorization

Name

Description

LDAP Group Authorization toggle button

If enabled, user authentication is also done on the group level for LDAP users that are not found in the local user database.

If you enable this option, Cisco IMC enables the Configure Group button.

Group Name column

The name of the group in the LDAP server database that is authorized to access the server.

Group Domain column

The LDAP server domain in which the group must reside.

Role column

The role assigned to all users in this LDAP server group. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

Edit icon

Allows you to edit the new row. Once configured, click Save.

Delete button

Allows you to delete the selected LDAP group.
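The Group Name, Group Domain and Role columns above describe a lookup from a user's memberOf values to a Cisco IMC role. The following Python model of that lookup is an added example, not Cisco code; it assumes memberOf values are standard Active Directory distinguished names, that the group's domain is taken from the DN's DC components, and that when several mapped groups match, the most privileged role wins (the page does not state these details). The group map and DNs are constructed sample data.

```python
"""Model of Cisco IMC LDAP group authorization (added example, not Cisco code)."""
from typing import List, Optional, Tuple

# Least to most privileged; used only to pick a winner when several groups match
# (assumption: the page does not say how the IMC resolves multiple matches).
ROLE_ORDER = ("read-only", "user", "admin")

# Constructed sample of what the Group Name / Group Domain / Role columns hold.
GROUP_MAP = [
    {"name": "imc-admins",    "domain": "corp.example.com", "role": "admin"},
    {"name": "imc-operators", "domain": "corp.example.com", "role": "user"},
    {"name": "imc-auditors",  "domain": "corp.example.com", "role": "read-only"},
]


def parse_dn(dn: str) -> Tuple[Optional[str], str]:
    """Return (CN, domain) for a DN such as CN=imc-admins,OU=Groups,DC=corp,DC=example,DC=com.

    The domain is the DC components joined with dots. Escaped commas inside
    RDN values are not handled; this is a model, not a full RFC 4514 parser.
    """
    cn: Optional[str] = None
    dcs: List[str] = []
    for rdn in dn.split(","):
        key, _, val = rdn.strip().partition("=")
        if key.upper() == "CN" and cn is None:
            cn = val.strip()
        elif key.upper() == "DC":
            dcs.append(val.strip())
    return cn, ".".join(dcs).lower()


def authorize(member_of: List[str], group_map=GROUP_MAP) -> Optional[str]:
    """Role granted from the user's memberOf values, or None to deny access.

    Both the group name and the group domain must match a configured row, so a
    same-named group in another domain grants nothing.
    """
    granted: List[str] = []
    for dn in member_of:
        cn, domain = parse_dn(dn)
        if cn is None:
            continue
        for entry in group_map:
            if cn.lower() == entry["name"].lower() and domain == entry["domain"].lower():
                granted.append(entry["role"])
    if not granted:
        return None
    return max(granted, key=ROLE_ORDER.index)
```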


LDAP Certificates Overview

Cisco IMC allows an LDAP client to validate the directory server certificate against an installed CA certificate or chained CA certificate during the LDAP binding step. This feature was introduced because, without it, anyone could duplicate a directory server used for user authentication and cause a security breach, since there was no way to enter a trust point or chained certificate into Cisco IMC for remote user authentication.

An LDAP client needs a new configuration option to validate the directory server certificate during the encrypted TLS/SSL communication.

Viewing LDAP CA Certificate Status

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the LDAP tab.

Step 4

Select the LDAP Settings tab.

Step 5

In the LDAP CA Certificate Status area, view the following fields:

Table 26. LDAP CA Certificate Status
Name Description

Download Status

This field displays the status of the LDAP CA certificate download.

Export Status

This field displays the status of the LDAP CA certificate export.


Exporting an LDAP CA Certificate

Before you begin

You must log in as an admin to perform this procedure.

You should have downloaded a signed LDAP CA Certificate before you can export it.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

From the Actions drop-down list, select Export LDAP CA Certificate.

The Export LDAP CA Certificate dialog box appears.

Step 4

Step 5

Click Export.


Uploading an LDAP CA Certificate


Note


Only CA certificates or chained CA certificates must be used in Cisco IMC. By default, the CA certificate is in .cer format. If it is a chained CA certificate, it must be converted to .cer format before uploading it to Cisco IMC.


Before you begin

  • You must log in as a user with admin privileges to perform this action.

  • You must enable Enable Secure LDAP to perform this action.



Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the LDAP tab.

Step 4

Select the LDAP Settings tab.

Step 5

Enable Enable Secure LDAP.

The Upload LDAP CA Certificate dialog box appears.

Step 6

In the Upload LDAP CA Certificate dialog box, update the following properties:

Table 27. Remote
Name Description

Remote button

Select this option when you want to upload the certificate from a remote location.

Server IP/Hostname

Server details from where you want to upload the certificate.

Upload Protocol button

Select one of the following protocols.

  • TFTP

  • FTP

  • SCP

  • SFTP

  • HTTP

Note

 

If you select FTP, SCP or SFTP, you will be prompted to enter your username and password.

Path and Filename field

File path where the certificate file resides on the server along with the filename.

Username field

User name for your remote server.

Password field

Password for your remote server.

Upload button

Allows you to upload the certificate.

Table 28. Local
Name Description

Local button

Select this option when you want to upload the certificate from your local machine.

Click Browse and navigate to the certificate that you want to upload.

Upload button

Allows you to upload the certificate.

Table 29. Paste
Name Description

Paste button

Opens a text box that allows you to copy the entire content of the root CA certificate and paste it in the Paste text field.

Upload button

Allows you to upload the certificate.


Testing LDAP Binding

Before you begin

You must log in as an admin to perform this procedure.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the LDAP tab.

Step 4

Select the LDAP Settings tab.

Step 5

From the Actions drop-down list, select User Management > Test LDAP Binding.

The Test LDAP Binding dialog box appears.

Step 6

Click Test.


TACACS+ Authentication

Cisco IMC supports Terminal Access Controller Access-Control System Plus (TACACS+) user authentication. Cisco IMC supports up to six TACACS+ remote servers. Once a user is successfully authenticated, the username is appended with (TACACS+). This is also displayed in the Cisco IMC interfaces.

Cisco IMC also supports user authentication precedence in case TACACS+ remote servers are inaccessible.

TACACS+ Server Configuration

The privilege level of a user is derived from the cisco-av-pair value configured for that user. A cisco-av-pair must be created on the TACACS+ server; existing TACACS+ attributes cannot be used for this purpose.

The following three values are supported for the cisco-av-pair attribute:

  • For admin privilege: cisco-av-pair=shell:roles="admin"

  • For user privilege: cisco-av-pair=shell:roles="user"

  • For read-only privilege: cisco-av-pair=shell:roles="read-only"

More roles, if required, can be added by using a comma as a separator.


Note


If cisco-av-pair is not configured on the TACACS+ server, a user authenticated by that server has read-only privilege.
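The rules above (the three role names, comma-separated multiple roles, read-only when the attribute is absent) are small enough to model exactly. The following Python parser is an added example, not Cisco code; the precedence order used to collapse several roles into one effective privilege, and the choice to reject unknown role names rather than silently downgrade them, are this example's assumptions.

```python
"""Parse a TACACS+ cisco-av-pair value into Cisco IMC roles (added example, not Cisco code)."""
import re
from typing import List, Optional

# Least to most privileged. The ordering is an assumption used only by
# effective_privilege(); the page lists the names but not a precedence.
VALID_ROLES = ("read-only", "user", "admin")

# shell:roles="<role>[,<role>...]" as documented for the cisco-av-pair attribute.
ROLE_RE = re.compile(r'^shell:roles="([^"]*)"$')


def parse_cisco_av_pair(av_pair: Optional[str]) -> List[str]:
    """Return the roles carried by a cisco-av-pair attribute value.

    Accepts the value with or without the leading 'cisco-av-pair=' prefix.
    An absent or empty attribute yields ['read-only'], the documented default.
    Malformed syntax or an undefined role name raises ValueError (assumption:
    surface misconfiguration instead of quietly granting some privilege).
    """
    if av_pair is None or av_pair.strip() == "":
        return ["read-only"]
    value = av_pair.strip()
    prefix = "cisco-av-pair="
    if value.startswith(prefix):
        value = value[len(prefix):]
    match = ROLE_RE.match(value)
    if not match:
        raise ValueError(f"malformed cisco-av-pair value: {av_pair!r}")
    roles = [r.strip() for r in match.group(1).split(",") if r.strip()]
    unknown = [r for r in roles if r not in VALID_ROLES]
    if unknown:
        raise ValueError(f"undefined role(s) {unknown} in {av_pair!r}")
    # An empty quoted string, shell:roles="", is treated like no attribute.
    return roles or ["read-only"]


def effective_privilege(roles: List[str]) -> str:
    """Single effective privilege when several roles are listed: the highest one."""
    return max(roles, key=VALID_ROLES.index)
```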


Enabling TACACS+ Authentication

Before you begin

Before configuring Terminal Access Controller Access-Control System Plus (TACACS+) based user authentication, ensure that the privilege level of each user is configured on the TACACS+ server through the cisco-av-pair value.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the TACACS+ tab.

Step 4

Under the TACACS+ Properties area update the following properties:

Table 30. TACACS+ Properties
Name Description

Enabled toggle button

If enabled, TACACS+ based user authentication is used.

Fallback only on no connectivity toggle button

If enabled, authentication falls back to the next database in the precedence order only when Cisco IMC is unable to connect to any of the configured TACACS+ servers.

Timeout (for each server): (5-30) seconds drop-down list

The time, in seconds, that Cisco IMC waits for a response from each TACACS+ server.

Step 5

Click Save.


Configuring TACACS+ Remote Server Settings

You can configure up to six TACACS+ remote servers.

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the TACACS+ tab.

Step 4

Under the Server List area, click the Edit icon for the server ID which you wish to configure.

Step 5

Update the following fields:

Table 31. Server List
Name Description

ID column

The precedence given to this TACACS+ server. This is also the unique identifier of the server.

IP Address or Host Name column

The IP address or host name at which the TACACS+ server is running.

Port column

The port on which the TACACS+ server is running.

Server key column

The same key that is configured on the TACACS+ server.

Confirm Server Key column

Enter the server key again.

Step 6

Click Save.


Viewing and Terminating User Sessions

Procedure


Step 1

From the Apps drop-down list, select Administration.

Step 2

In the Navigation pane, click User Management menu.

Step 3

Select the Sessions Management tab.

Step 4

View the following information about current user sessions:

Tip

 

Click a column header to sort the table rows, according to the entries in that column.

Table 32. Session Management
Name Description

Session ID column

The unique identifier for the session.

User Name column

The username for the user.

IP Address column

The IP address from which the user accessed the server. If this is a serial connection, it displays N/A.

Session Type column

The type of session the user chose to access the server. This can be one of the following:

  • webgui—indicates the user is connected to the server using the web UI.

  • CLI—indicates the user is connected to the server using the CLI.

  • serial—indicates the user is connected to the server using the serial port.

  • XML API—indicates the user is connected to the server using the XML API.

  • Redfish—indicates the user is connected to the server using the Redfish API.

Description column

Brief description of the session.

Terminate Session button

Allows you to terminate a user session.

Select a session from the table and click Terminate Session. Click OK to proceed.

Step 5

To terminate a session, select a session from the table and click Terminate Session. Click OK to proceed.