Managing User Accounts

Local User Management

The Local User Management tab allows you to configure users, modify password and lockout details, and upload SSH keys.

Before you begin

You must log in with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Under the Local User Management tab, there are several options for further configuration.


Disabling Strong Password

The Cisco IMC implements a strong password policy: you must follow the password guidelines and set a strong password when you log on to the server for the first time. The Local User Management tab displays a Disable Strong Password button, which lets you disable the policy and set a password of your choice without following the guidelines. Once you disable the strong password policy, an Enable Strong Password button is displayed instead. By default, the strong password policy is enabled. Disabling it removes the only composition check applied to local passwords (only the 1 to 20 character length limit remains), so re-enable it as soon as the exceptional password has been set.

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Click Disable Strong Password.

Step 5

In the dialog box, click OK to proceed, or Cancel to return to the previous page.


Password Expiry

You can set a shelf life for a password, after which it expires. As an administrator, you can set this time in days. This configuration is common to all users. When the password expires, the user is notified on login and is not allowed to login unless the password is reset.

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Click Password Expiration Details.

Step 5

In the Password Expiration Details dialog box, update the relevant fields. The following fields are available:

Name

Description

Enable Password Expiry check box

If checked, allows you to configure the Password Expiry Duration. Uncheck the check box to disable password expiry.

Password Expiry Duration field

The number of days after which a password expires, counted from the time you set a new password or modify an existing one. The range is 1 to 3650 days.

Password History field

The number of previous passwords that Cisco IMC remembers for each user; a new password must differ from all of them. Enter a value between 0 and 5. Entering 0 disables the check.

Notification Period field

The number of days before expiry at which the user is warned at login that the password is about to expire. Enter a value between 0 and 15 days. Entering 0 disables the notification.

Grace Period field

The number of days after expiry during which the expired password is still accepted at login so that it can be reset. Enter a value between 0 and 5 days. Entering 0 disables the grace period.

Step 6

Complete your action with one of the following:

Name

Description

Save Changes button

Saves the updated settings and closes the dialog box.

Reset Values button

Resets the dialog box fields to previous values.

Restore Default button

Restores the default values for the dialog box.

Cancel button

Cancels the process and closes the dialog box.
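The four settings above as a small evaluator in Python, so the interaction between expiry duration, notification period, grace period and password history can be checked against concrete dates. This is an added example, not Cisco code: the status names, the day arithmetic and the use of SHA-256 digests for the history list are the example's own; the field ranges are the ones in the table.

```python
"""Password-expiry evaluation with the Password Expiration Details semantics.

Added example, not Cisco code: status names, day arithmetic and the SHA-256
history digests are the example's own; the ranges (1-3650, 0-5, 0-15, 0-5)
are the ones documented for the dialog.
"""
from dataclasses import dataclass
from datetime import date
import hashlib


@dataclass
class ExpiryPolicy:
    enabled: bool = True
    expiry_days: int = 90    # Password Expiry Duration, 1-3650
    history: int = 3         # Password History, 0-5 (0 disables)
    notify_days: int = 7     # Notification Period, 0-15 (0 disables)
    grace_days: int = 2      # Grace Period, 0-5 (0 disables)

    def __post_init__(self):
        # Reject values the dialog itself would refuse.
        for name, value, lo, hi in (
            ("expiry_days", self.expiry_days, 1, 3650),
            ("history", self.history, 0, 5),
            ("notify_days", self.notify_days, 0, 15),
            ("grace_days", self.grace_days, 0, 5),
        ):
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} is outside {lo}-{hi}")


def password_status(policy: ExpiryPolicy, changed_on: date, today: date) -> str:
    """Classify a password by its age.

    Returns "ok", "expiring" (inside the notification window), "grace"
    (expired but still accepted so the user can reset it) or "expired"
    (login denied until an admin resets the password).
    """
    if not policy.enabled:
        return "ok"
    age = (today - changed_on).days
    if age < policy.expiry_days:
        days_left = policy.expiry_days - age
        if policy.notify_days and days_left <= policy.notify_days:
            return "expiring"
        return "ok"
    if policy.grace_days and age < policy.expiry_days + policy.grace_days:
        return "grace"
    return "expired"


def _digest(password: str) -> str:
    # Plain SHA-256 keeps plaintext out of the history list in this example;
    # a real system would store a slow password hash (bcrypt, scrypt) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def history_allows(policy: ExpiryPolicy, new_password: str, previous: list) -> bool:
    """True unless new_password repeats one of the last `policy.history` passwords.

    `previous` holds digests of earlier passwords, most recent first.
    """
    if policy.history == 0:
        return True
    return _digest(new_password) not in previous[: policy.history]


def record_password(policy: ExpiryPolicy, password: str, previous: list) -> list:
    """Return the history list after a successful change, trimmed to the policy size."""
    if policy.history == 0:
        return []
    return [_digest(password)] + previous[: policy.history - 1]
```

With the defaults (90 days, notify 7, grace 2) a password set on 1 January 2024 reads "ok" at the end of January, "expiring" from 24 March, "grace" on 31 March and 1 April, and "expired" from 2 April.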


Account Lockout Details

You can set the number of failed login attempts allowed before an account is locked, and the lockout period in minutes for which the account stays locked. You can also choose to disable the user account entirely on lockout. This configuration is common to all users.

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Click Account Lockout Details.

Step 5

In the Account Lockout Details dialog box, update the relevant fields. The following fields are available:

Name

Description

Allowed Attempts field

The number of attempts allowed.

Enter a value between 0 and 20.

Lockout Period field

The lockout duration in minutes.

Enter a value between 0 and 60.

Disable User on Lockout check box

If checked, the user is disabled on the Cisco IMC after lockout.
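The lockout settings as a per-account tracker in Python, added here as an example; it is not Cisco code. The 0 to 20 and 0 to 60 ranges and the Disable User on Lockout behaviour come from the table above; treating 0 allowed attempts as "lockout off", counting only consecutive failures, and rejecting even a correct password while the lockout period runs are the example's assumptions.

```python
"""Failed-login tracker with the Account Lockout Details semantics.

Added example, not Cisco code. Ranges (0-20 attempts, 0-60 minutes) and the
disable-on-lockout behaviour are from the page; 0 attempts meaning "no
lockout", consecutive-failure counting and rejecting a correct password
during the lockout period are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class LockoutPolicy:
    allowed_attempts: int = 5        # Allowed Attempts, 0-20
    lockout_minutes: int = 15        # Lockout Period, 0-60
    disable_on_lockout: bool = False  # Disable User on Lockout

    def __post_init__(self):
        if not 0 <= self.allowed_attempts <= 20:
            raise ValueError("Allowed Attempts must be 0-20")
        if not 0 <= self.lockout_minutes <= 60:
            raise ValueError("Lockout Period must be 0-60 minutes")


@dataclass
class AccountState:
    failures: int = 0                      # consecutive failed attempts
    locked_until: Optional[datetime] = None
    disabled: bool = False


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts = {}

    def attempt(self, username: str, credential_ok: bool, now: datetime) -> str:
        """Record one login attempt; return "ok", "failed", "locked" or "disabled"."""
        acct = self.accounts.setdefault(username, AccountState())
        if acct.disabled:
            return "disabled"            # only an admin can re-enable the user
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"          # still inside the lockout period
            acct.locked_until = None     # period elapsed: the account unlocks itself
            acct.failures = 0
        if credential_ok:
            acct.failures = 0            # a success resets the consecutive count
            return "ok"
        acct.failures += 1
        if self.policy.allowed_attempts and acct.failures >= self.policy.allowed_attempts:
            if self.policy.disable_on_lockout:
                acct.disabled = True
                return "disabled"
            if self.policy.lockout_minutes:
                acct.locked_until = now + timedelta(minutes=self.policy.lockout_minutes)
                return "locked"
        return "failed"
```

The point the tracker makes explicit is that during the lockout period a correct password is rejected too; an attacker who guesses right while the lock is active learns nothing, and a legitimate user simply has to wait out the period.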


Disabling IPMI User Mode

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Click Disable IPMI User Mode.

Step 5

In the dialog box, click OK.


Configuring User Authentication Precedence

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Click Configure User Authentication Precedence.

Step 5

In the Configure User Authentication Precedence dialog box, choose the database (for example, the local user database or LDAP) whose priority you want to change.

Step 6

Use the Up and Down arrows to move this database priority higher or lower.

Step 7

Click Save Changes.


Configuring Local Users

Adding a New User

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Choose an ID to add the new user to, click the ID row in the Local User Management pane, and click Add User.

Step 5

In the Local User Details dialog box, update the following properties:

Name

Description

ID field

The unique identifier for the user.

Username field

The username for the user.

Enter between 1 and 16 characters.

Role Played field

The role assigned to the user. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Toggle the locator LED

    • Set time zone

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

Enabled check box

If checked, the user is enabled on the CIMC.

Password field

The password for this username. When you move the mouse over the help icon beside the field, the following guidelines to set the password are displayed:

  • The password must have a minimum of 8 and a maximum of 20 characters.

  • The password must not contain the user's name.

  • The password must contain characters from three of the following four categories:

    • English uppercase characters (A through Z).

    • English lowercase characters (a through z).

    • Base10 digits (0 through 9).

    • Non-alphabetic characters (!, @, #, $, %, ^, &, *, -, _, , =, '').

These rules define a strong password for the user. If you must set a password that does not follow them, click the Disable Strong Password button on the Local User Management tab; with the strong password option disabled, a password can be between 1 and 20 characters.

Suggest button

Generates a strong random password.

Confirm New Password field

The password repeated for confirmation purposes.

Step 6

Click Save.


Modifying an Existing User

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Choose the ID row of the user to be modified, and click Modify User.

Step 5

In the Modify User Details dialog box, update the following properties:

Name

Description

ID field

The unique identifier for the user.

Username field

The username for the user.

Enter between 1 and 16 characters.

Role Played field

The role assigned to the user. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Toggle the locator LED

    • Set time zone

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

Enabled check box

If checked, the user is enabled on the CIMC.

Change Password check box

If checked, when you save the changes, the password for this user will be changed. You must check this box if this is a new username.

New Password field

The password for this username. When you move the mouse over the help icon beside the field, the following guidelines to set the password are displayed:

  • The password must have a minimum of 8 and a maximum of 20 characters.

  • The password must not contain the user's name.

  • The password must contain characters from three of the following four categories:

    • English uppercase characters (A through Z).

    • English lowercase characters (a through z).

    • Base10 digits (0 through 9).

    • Non-alphabetic characters (!, @, #, $, %, ^, &, *, -, _, , =, '').

These rules define a strong password for the user. If you must set a password that does not follow them, click the Disable Strong Password button on the Local User Management tab; with the strong password option disabled, a password can be between 1 and 20 characters.

Confirm New Password field

The password repeated for confirmation purposes.

Step 6

Click Save.
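The password rules listed under Adding a New User and Modifying an Existing User, as a checker in Python. This is an added example, not Cisco code: the page's list of non-alphabetic characters is partly garbled, so the checker accepts any printable ASCII punctuation as the fourth category, and the case-insensitive username match and the Suggest-style generator are the example's own choices.

```python
"""Checker for the Cisco IMC strong-password rules listed on this page.

Added example, not Cisco code. The page's list of non-alphabetic characters is
partly garbled, so any printable ASCII punctuation counts as that category
(assumption). Matching the username case-insensitively is also an assumption.
"""
import secrets
import string

MIN_LEN, MAX_LEN = 8, 20            # strong policy bounds
WEAK_MIN_LEN, WEAK_MAX_LEN = 1, 20  # bounds when Disable Strong Password is in effect
SPECIALS = set(string.punctuation)  # assumption: any printable non-alphanumeric ASCII


def check_password(password: str, username: str, strong: bool = True) -> list:
    """Return the list of rule violations; an empty list means the password is accepted."""
    problems = []
    lo, hi = (MIN_LEN, MAX_LEN) if strong else (WEAK_MIN_LEN, WEAK_MAX_LEN)
    if not lo <= len(password) <= hi:
        problems.append(f"length must be {lo}-{hi} characters")
    if not strong:
        return problems  # with the policy disabled only the length limit remains
    if username and username.lower() in password.lower():
        problems.append("must not contain the username")
    categories = [
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(categories) < 3:
        problems.append("must use characters from at least 3 of the 4 categories")
    return problems


def suggest_password(username: str, length: int = 16) -> str:
    """Generate a random password that passes check_password (what the Suggest button does)."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_="
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, username):
            return candidate
```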


Deleting an Existing User

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

To delete a local user account, click a row in the Local User Management pane and click Delete User.

Step 5

In the dialog box, click OK to delete the user.

Step 6

Click Save Changes.


Configuring SSH Keys

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the Local User Management tab.

Step 4

Choose a row in the Local User Management pane and click SSH Keys.

Step 5

In the SSH Keys dialog box, update the following properties:

Name

Description

+ Add Key button

Button to add SSH key(s) to a user. Opens the Add Key area.

Modify Key button

Button to modify SSH keys for a user.

X Delete Key button

Button to delete SSH keys for a user.

ID

User ID

Comment

Comments for SSH keys.

Key

Key details.

Add Key area

Methods to add SSH keys for a user.

Paste SSH Key radio button

Provides space to paste the SSH key.

Upload from Local radio button

Provides a Browse button to browse to the file location, then select and upload the SSH key.

Upload from Remote Location radio button

Provides options to upload the SSH key from a remote location. TFTP, FTP and HTTP give the transfer no integrity protection, so a host on the path could substitute a different public key; prefer SFTP or SCP, and compare the Key column with the intended key after the upload.

  • Upload SSH Key from drop-down

    • TFTP

    • FTP

    • SFTP

    • SCP

    • HTTP

  • Server IP/Hostname field

  • Path and Filename field

  • Username field

  • Password field

Step 6

Click Upload SSH Key.
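A pre-upload check for the key line being pasted or uploaded in the step above, as an added Python example (not Cisco code). It parses the OpenSSH "type base64-blob comment" format, confirms that the key type encoded inside the blob matches the label in front of it, rejects PEM blocks (which is how a private key would arrive by mistake) and short RSA moduli, and computes the SHA256 fingerprint in the form ssh-keygen -l prints. That is the same fingerprint form the SCP/SFTP host-key prompt in Exporting an LDAP CA Certificate displays, so fingerprint() can also turn a host key obtained out of band into the string to compare against that prompt. The sample keys are constructed byte strings, not real key material; the 2048-bit RSA minimum is a local policy choice.

```python
"""Sanity checks for an OpenSSH public-key line before it is uploaded.

Added example, not Cisco code. Sample keys are constructed bytes, not real
keys; the RSA size minimum is an assumption, not a Cisco IMC limit.
"""
import base64
import binascii
import hashlib
import struct

ALLOWED_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
                 "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # assumption: local policy


def _string(b: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _mpint(n: int) -> bytes:
    """SSH wire 'mpint' body for a non-negative integer (leading 0x00 if the high bit is set)."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")


def _read_string(blob: bytes, off: int):
    if off + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[off:off + 4])
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as shown by ssh-keygen -l and by SSH/SCP host-key prompts."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def encode_public_key(ktype: str, fields: list, comment: str = "") -> str:
    """Build a one-line OpenSSH public key from its wire fields (used for the samples)."""
    blob = _string(ktype.encode()) + b"".join(_string(f) for f in fields)
    line = f"{ktype} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def parse_public_key(line: str) -> dict:
    """Validate one public-key line; raise ValueError if it should not be uploaded."""
    line = line.strip()
    if line.startswith("-----"):
        raise ValueError("PEM block (possibly a private key), not an OpenSSH public key")
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if ktype not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("key blob is not valid base64") from exc
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"blob is a {inner.decode(errors='replace')} key, label says {ktype}")
    bits = None
    if ktype == "ssh-rsa":
        _e, off = _read_string(blob, off)          # public exponent
        n, off = _read_string(blob, off)           # modulus
        bits = int.from_bytes(n, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is only {bits} bits")
    return {"type": ktype, "bits": bits, "comment": comment, "fingerprint": fingerprint(blob)}


def is_acceptable(line: str) -> bool:
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


# Constructed samples (not real key material).
SAMPLE_ED25519 = encode_public_key("ssh-ed25519", [bytes(range(32))], "alice@laptop")
SAMPLE_RSA_2048 = encode_public_key("ssh-rsa", [_mpint(65537), _mpint((1 << 2047) | 1)])
SAMPLE_RSA_1024 = encode_public_key("ssh-rsa", [_mpint(65537), _mpint((1 << 1023) | 1)])
```

Run parse_public_key on the line copied from the user's id_ed25519.pub (or the file chosen under Upload from Local) before the upload, and compare the reported fingerprint with the one the user reads back from ssh-keygen -lf on their side.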


LDAP Servers - Overview

Cisco IMC supports directory services that organize information in a directory and manage access to this information. Cisco IMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, Cisco IMC supports Microsoft Active Directory (AD). Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. Cisco IMC utilizes the Kerberos-based authentication service of LDAP.

When LDAP is enabled in the Cisco IMC, user authentication and role authorization is performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.

You can require the server to encrypt data sent to the LDAP server.

Configuring the LDAP Server

The CIMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the CIMC. You can use an existing LDAP attribute that is mapped to the user roles and locales or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.


Important


For more information about altering the schema, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.



Note


This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the user roles and locales.


Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

Ensure that the LDAP schema snap-in is installed.

Step 2

Using the schema snap-in, add a new attribute with the following properties:

Properties

Value

Common Name

CiscoAVPair

LDAP Display Name

CiscoAVPair

Unique X500 Object ID

1.3.6.1.4.1.9.287247.1

Description

CiscoAVPair

Syntax

CaseSensitive String

Step 3

Add the CiscoAVPair attribute to the user class using the snap-in:

  • Expand the Classes node in the left pane and type U to choose the user class.

  • Click the Attributes tab and click Add.

  • Type C to choose the CiscoAVPair attribute.

  • Click OK.

Step 4

Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to:

Role

CiscoAVPair Attribute Value

admin

shell:roles="admin"

user

shell:roles="user"

read-only

shell:roles="read-only"

Note

 

For more information about adding values to attributes, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.


Configuring LDAP Settings and Group Authorization

Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click LDAP.

Step 4

In the LDAP Settings area, update the following properties:

Name

Description

Enable LDAP checkbox

If checked, user authentication and role authorization can be performed by the LDAP server as well as by the local user database; the order in which the two are consulted is set in Configure User Authentication Precedence on the Local User Management tab.

Base DN field

Base Distinguished Name. This field describes where to load users and groups from.

It must be in the dc=domain,dc=com format for Active Directory servers.

Domain field

The domain that all users must be in.

This field is required unless you specify at least one Global Catalog server address.

Timeout (0 - 180) seconds field

The number of seconds the CIMC waits until the LDAP search operation times out.

If the search operation times out, CIMC tries to connect to the next server listed on this tab, if one is available.

Note

 

The value you specify for this field affects how long a login can take when one or more servers do not respond.

Step 5

In the Configure LDAP Servers area, update the following properties:

Name

Description

Pre-Configure LDAP Servers radio button

If selected, Cisco IMC uses the LDAP servers that you configure in this area.

LDAP Servers

Server field

The IP address or hostname of up to six LDAP servers.

If you are using Active Directory for LDAP, then servers 1, 2 and 3 are domain controllers, while servers 4, 5 and 6 are Global Catalogs. If you are not using Active Directory for LDAP, you can configure a maximum of six LDAP servers.

Note

 

You can enter a hostname instead of an IP address.

Port field

The port numbers for the servers.

If you are using Active Directory for LDAP, then for servers 1, 2 and 3, which are domain controllers, the default port number is 389. For servers 4, 5 and 6, which are Global Catalogs, the default port number is 3268.

LDAPS communication occurs over the TCP 636 port. LDAPS communication to a global catalog server occurs over TCP 3269 port.

Use DNS to Configure LDAP Servers radio button

If checked, you can use DNS to configure access to the LDAP servers.

DNS Parameters

Source field

Specifies how to obtain the domain name used for the DNS SRV request. It can be one of the following:

  • Extracted—use the domain name extracted from the login ID (the part after the @ sign).

  • Configured—use the configured search domain.

  • Configured-Extracted—use the domain name extracted from the login ID, then the configured search domain.

Domain to Search field

A configured domain name that acts as a source for a DNS query.

This field is disabled if the source is specified as Extracted.

Forest to Search field

A configured forest name that acts as a source for a DNS query.

This field is disabled if the source is specified as Extracted.

Step 6

In the Binding Parameters area, update the following properties:

Name

Description

Method field

It can be one of the following:

  • Anonymous—requires NULL username and password. If this option is chosen and the LDAP server is configured for Anonymous logins, then the user can gain access.

  • Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.

  • Login Credentials—requires the user credentials. If the bind process fails, the user is denied access.

By default, the Login Credentials option is chosen.

Binding DN field

The distinguished name (DN) of the account used for the initial bind. This field is editable only if you have chosen the Configured Credentials option as the binding method. Use a dedicated directory account with read-only rights for this bind.

Password field

The password of the user. This field is editable only if you have chosen Configured Credentials option as the binding method.

Step 7

In the Search Parameters area, update the following properties:

Name

Description

Filter Attribute field

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays sAMAccountName.

Group Attribute field

This field must match the configured attribute in the schema on the LDAP server.

By default, this field displays memberOf.

Attribute field

An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

The attribute can be an existing LDAP attribute that is mapped to the user roles and locales, or a new attribute added by modifying the schema, for example CiscoAVPair.

Note

 

If you do not specify this property, the user cannot log in. The name entered here must exactly match the attribute as it is defined on the LDAP server.

Nested Group Search Depth (1-128) field

Parameter to search for an LDAP group nested within another group defined in the LDAP group map. The parameter defines the depth of the nested group search.

Step 8

In the Group Authorization area, update the following properties:

Name

Description

LDAP Group Authorization check box

If checked, LDAP users that are not found in the local user database are also authorized through their group membership, using the group-to-role mappings below.

If you check this box, CIMC enables the Configure Group button.

Group Name column

The name of the group in the LDAP server database that is authorized to access the server.

Group Domain column

The LDAP server domain the group must reside in.

Role column

The role assigned to all users in this LDAP server group. This can be one of the following:

  • read-only—A user with this role can view information but cannot make any changes.

  • user—A user with this role can perform the following tasks:

    • View all information

    • Manage the power control options such as power on, power cycle, and power off

    • Launch the KVM console and virtual media

    • Clear all logs

    • Toggle the locator LED

    • Set time zone

    • Ping

  • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

Configure button

Adds or edits an LDAP (Active Directory) group mapping.

Delete button

Deletes an existing LDAP group.

Step 9

Click Save Changes.
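How the Attribute, Filter Attribute, Group Attribute, Nested Group Search Depth and Group Authorization settings above combine into a role decision, as an added Python example (not Cisco code and not Cisco IMC's actual implementation). The shell:roles="..." value format, the three roles, the sAMAccountName and memberOf defaults and the 1 to 128 depth limit are taken from the page; the directory snapshot, the group map, and the rule that an explicit CiscoAVPair role takes precedence over a group mapping are constructed assumptions.

```python
"""Role resolution for an LDAP user from the CiscoAVPair attribute and groups.

Added example, not Cisco code. Directory snapshot, group map and the
"attribute wins over group" rule are assumptions; value format, roles,
attribute defaults and the depth limit are from the page.
"""
import re

ROLES = ("admin", "user", "read-only")
AVPAIR_RE = re.compile(r'^shell:roles="([^"]+)"$')

# Constructed snapshot of an Active Directory tree: DN -> attributes.
DIRECTORY = {
    "CN=alice,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "alice",
        "CiscoAVPair": ['shell:roles="admin"'],
        "memberOf": [],
    },
    "CN=bob,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=DC-Operators,OU=Groups,DC=corp,DC=example"],
    },
    "CN=carol,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "carol",
        "memberOf": [],
    },
    "CN=dave,OU=Users,DC=corp,DC=example": {
        "sAMAccountName": "dave",
        "CiscoAVPair": ['shell:roles="root"'],  # not a Cisco IMC role: must be rejected
        "memberOf": [],
    },
    # DC-Operators is nested in IMC-Users; the reverse edge is a constructed
    # cycle that shows the depth-limited search still terminates.
    "CN=DC-Operators,OU=Groups,DC=corp,DC=example": {
        "memberOf": ["CN=IMC-Users,OU=Groups,DC=corp,DC=example"],
    },
    "CN=IMC-Users,OU=Groups,DC=corp,DC=example": {
        "memberOf": ["CN=DC-Operators,OU=Groups,DC=corp,DC=example"],
    },
}

# Group Authorization table: (Group Name, Group Domain) -> Role
GROUP_MAP = {("IMC-Users", "corp.example"): "user"}


def _cn(dn: str) -> str:
    return dn.split(",", 1)[0].split("=", 1)[1]


def _domain(dn: str) -> str:
    return ".".join(p.split("=", 1)[1] for p in dn.split(",") if p.upper().startswith("DC="))


def role_from_avpair(values):
    """Return the role from the first value of the form shell:roles="<role>", or None."""
    for value in values:
        match = AVPAIR_RE.match(value)
        if match and match.group(1) in ROLES:
            return match.group(1)
    return None


def groups_within_depth(dn, depth, group_attr="memberOf"):
    """Groups reachable from dn through group_attr in at most `depth` hops (1-128)."""
    if not 1 <= depth <= 128:
        raise ValueError("Nested Group Search Depth must be 1-128")
    seen, frontier = set(), [dn]
    for _ in range(depth):
        next_frontier = []
        for entry in frontier:
            for group in DIRECTORY.get(entry, {}).get(group_attr, []):
                if group not in seen:          # the visited set breaks cycles
                    seen.add(group)
                    next_frontier.append(group)
        frontier = next_frontier
    return seen


def resolve_role(login, filter_attr="sAMAccountName", attribute="CiscoAVPair", depth=1):
    """Map a username@domain login to a Cisco IMC role; None means deny access."""
    user = login.split("@", 1)[0]
    matches = [(dn, e) for dn, e in DIRECTORY.items() if e.get(filter_attr) == user]
    if not matches:
        return None
    dn, entry = matches[0]
    role = role_from_avpair(entry.get(attribute, []))
    if role:
        return role
    for group_dn in groups_within_depth(dn, depth):
        role = GROUP_MAP.get((_cn(group_dn), _domain(group_dn)))
        if role:
            return role
    return None
```

With the snapshot above, bob is only authorized when the depth is at least 2, because his direct group DC-Operators is not mapped and IMC-Users is one level further up; dave is denied even though he has a CiscoAVPair value, since "root" is not one of the three roles.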


LDAP Certificates

UCS E-Series M6 servers allow the LDAP client in Cisco IMC to validate the directory server's certificate against an installed CA certificate or CA certificate chain during the LDAP bind. Without this check, a host impersonating the directory server could accept a user's credentials, because there was no way to load a trusted CA certificate or chain into Cisco IMC for remote user authentication.

The check applies to the encrypted TLS/SSL session and is enabled through a separate LDAP client option. It requires the LDAP server to be configured by its fully qualified domain name so that the name in the certificate can be matched (see Testing LDAP Binding).

Viewing LDAP CA Certificate Status

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the LDAP tab.

Step 4

In the Certificate Status area, view the following fields:

Name

Description

Download Status field

This field displays the status of the LDAP CA certificate download.

Export Status field

This field displays the status of the LDAP CA certificate export.


Exporting an LDAP CA Certificate

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the LDAP tab.

Step 4

Click the Export LDAP CA Certificate link.

Step 5

In the Export LDAP CA Certificate dialog box, update the following fields:

Name

Description

Export to Remote Location drop down

Exports the certificate to a remote server. Choose the protocol and enter the following details:

  • TFTP Server

  • FTP Server

  • SFTP Server

  • SCP Server

  • HTTP Server

Note

 

If you chose SCP or SFTP as the remote server type while performing this action, a pop-up window is displayed with the message Server (RSA) key fingerprint is <server_finger_print _ID> Do you wish to continue?. Click Yes or No depending on the authenticity of the server fingerprint.

The fingerprint is derived from the host's public key and identifies the host you are connecting to. Compare it with a fingerprint obtained out of band (for example, from ssh-keygen -lf on the server's host key file) before clicking Yes; accepting an unverified fingerprint lets a host on the path intercept the transfer.

  • Server IP/Hostname field— The IP address or hostname of the server to which the LDAP CA certificate file is exported. Depending on the protocol chosen in the Export to Remote Location drop-down list, the name of the field may vary.

  • Path and Filename field — The path and filename Cisco IMC should use when writing the certificate to the remote server.

  • Username field — The username the system should use to log in to the remote server. This field does not apply if the protocol is TFTP or HTTP.

  • Password field — The password for the remote server username. This field does not apply if the protocol is TFTP or HTTP.

Export to Local Desktop field

Exports the certificate to a file on the computer running the browser.

Step 6

Click Export Certificate.


Testing LDAP Binding


Note


If you checked the Enable Encryption and the Enable Binding CA Certificate check boxes, enter the fully qualified domain name (FQDN) of the LDAP server in the LDAP Server field. To resolve the FQDN of the LDAP server, configure the preferred DNS of Cisco IMC network with the appropriate DNS IP address.


Before you begin

You must log in as a user with admin privileges to perform this task.

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click the LDAP tab.

Step 4

Click the Test LDAP Binding link.

Step 5

In the Test LDAP CA Certificate Binding dialog box, complete the following fields:

Name

Description

Username field

Enter the username.

Password field

Enter the corresponding password.

Step 6

Click Test.


Viewing User Sessions

Procedure


Step 1

In the Navigation pane, click the Admin menu.

Step 2

In the Admin menu, click User Management.

Step 3

In the User Management pane, click Session Management.

Step 4

In the Sessions pane, view the following fields:

Name

Description

Session ID column

The unique identifier for the session.

Username column

The username for the user.

IP Address column

The IP address from which the user accessed the server. If this is a serial connection, it displays N/A.

Type column

The type of session the user chose to access the server. This can be one of the following:

  • webgui—indicates the user is connected to the server using the web UI.

  • CLI—indicates the user is connected to the server using CLI.

  • serial— indicates the user is connected to the server using the serial port.