Cisco UCS supports two methods to authenticate user logins: through user accounts local to Cisco UCS Manager, and through remote authentication services such as LDAP, RADIUS, or TACACS+.
If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Manager can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:
User accounts can exist locally in Cisco UCS Manager or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Manager GUI or Cisco UCS Manager CLI.
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Manager and that the names of those roles match the names used in Cisco UCS Manager. Depending on the role policy, a user may not be allowed to log in or will be granted only read-only privileges.
For RADIUS and TACACS+ configurations, you must configure a user attribute for Cisco UCS in each remote authentication provider through which users log in to Cisco UCS Manager. This user attribute holds the roles and locales assigned to each user.
Note: This step is not required for LDAP configurations that use LDAP Group Mapping to assign roles and locales.
When a user logs in, Cisco UCS Manager queries the remote authentication service, validates the user, and, if the user is validated, checks the roles and locales assigned to that user.
The following is a sample schema definition, including its OID (the attributeID value), for a custom CiscoAVPair attribute:
CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user.
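The role and locale resolution described above, as an added example that is not part of Cisco's documentation or software: a Python model that derives a remote user's roles and locales from the CiscoAVPair attribute and, when the LDAP group rule enables group authorization, from LDAP group maps defined in Cisco UCS Manager. It assumes Cisco's documented shell:roles="..." shell:locales="..." value format for the attribute, assumes that results from both sources are merged, and uses constructed directory entries and group maps; the sample user carol shows what happens when a group is renamed in the directory without the group map being updated.

```python
"""Derive a remote user's Cisco UCS roles and locales from an LDAP entry.

Added example, not Cisco code. Two sources are modelled: the CiscoAVPair
user attribute, and LDAP group maps, which are consulted only when the
LDAP group rule enables group authorization. Assumptions: the attribute
value uses Cisco's documented shell:roles="r1,r2" shell:locales="l1,l2"
form, results from both sources are merged, and every entry and group
map below is constructed sample data.
"""
import re
from dataclasses import dataclass, field

# One shell:key="value" token inside a CiscoAVPair value.
_AVPAIR_RE = re.compile(r'shell:(roles|locales)="([^"]*)"')


def parse_cisco_avpair(value: str) -> tuple[set[str], set[str]]:
    """Return (roles, locales) named in a CiscoAVPair value; missing keys give empty sets."""
    roles: set[str] = set()
    locales: set[str] = set()
    for key, csv in _AVPAIR_RE.findall(value):
        names = {n.strip() for n in csv.split(",") if n.strip()}
        (roles if key == "roles" else locales).update(names)
    return roles, locales


def normalize_dn(dn: str) -> str:
    """Match DNs case-insensitively, ignoring whitespace around the commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


@dataclass
class GroupMap:
    """An LDAP group map as defined locally in UCS Manager: group DN -> roles, locales."""
    group_dn: str
    roles: set = field(default_factory=set)
    locales: set = field(default_factory=set)


def resolve_authorization(entry: dict, group_maps: list,
                          use_groups: bool) -> tuple[set[str], set[str]]:
    """Roles and locales for one LDAP entry.

    entry: dict with optional 'CiscoAVPair' (str) and 'memberOf' (list of group DNs).
    use_groups: the LDAP group rule; when False, memberOf is ignored entirely.
    """
    roles, locales = parse_cisco_avpair(entry.get("CiscoAVPair", ""))
    if use_groups:
        by_dn = {normalize_dn(g.group_dn): g for g in group_maps}
        for dn in entry.get("memberOf", []):
            g = by_dn.get(normalize_dn(dn))
            if g is not None:              # a group with no map contributes nothing
                roles |= g.roles
                locales |= g.locales
    return roles, locales


# Constructed sample data. The group map is local to UCS Manager and does not
# follow directory changes: 'carol' sits in a group renamed after the map was made.
GROUP_MAPS = [
    GroupMap("CN=UCS-Admins,OU=Groups,DC=example,DC=test", roles={"admin"}),
    GroupMap("CN=UCS-Operators,OU=Groups,DC=example,DC=test",
             roles={"server-equipment"}, locales={"dc1"}),
]
USERS = {
    "alice": {"CiscoAVPair": 'shell:roles="aaa,network" shell:locales="dc1"'},
    "bob": {"memberOf": ["cn=ucs-admins, ou=groups, dc=example, dc=test"]},
    "carol": {"memberOf": ["CN=UCS-Admins-Renamed,OU=Groups,DC=example,DC=test"]},
}


def authorize_all(use_groups: bool) -> dict:
    """Resolve every sample user; a quick audit of a group map against the directory."""
    return {u: resolve_authorization(e, GROUP_MAPS, use_groups) for u, e in USERS.items()}


if __name__ == "__main__":
    for name, (roles, locales) in authorize_all(use_groups=True).items():
        print(f"{name}: roles={sorted(roles)} locales={sorted(locales)}")
```

Running authorize_all against a dump of real memberOf values is a cheap way to find group maps that no longer match anything before users start landing in the read-only or no-login path.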
Configuring LDAP Providers
The properties that you configure in this task are the default settings for all LDAP provider connections defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
Create an LDAP provider.
Cisco UCS Manager supports a maximum of 16 LDAP providers.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | In the Work pane, click the General tab. |
Step 4 | In the Actions area, click Create LDAP Provider. |
Step 5 | On the Create LDAP Provider page of the wizard, do the following: |
Step 6 | On the LDAP Group Rule page of the wizard, do the following: |
For implementations involving a single LDAP database, select LDAP as the authentication service.
For implementations involving multiple LDAP databases, configure an LDAP provider group.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand LDAP Providers and choose the LDAP provider for which you want to change the group rule. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the LDAP Group Rules area, complete the following fields: |
Step 6 | Click Save Changes. |
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand LDAP Providers. |
Step 4 | Right-click the LDAP provider you want to delete and choose Delete. |
Step 5 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by UCSM to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Manager is deployed.
When a user logs in to Cisco UCS Manager, the user's role and locale are looked up in the LDAP group map. If the user's group membership matches a group map entry, the roles and locales in that entry are granted.
Role and locale definitions are configured locally in UCSM and do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it is important that you update your Cisco UCS Manager instance with the change.
Note: Cisco UCS Manager includes many out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click LDAP Group Maps and choose Create LDAP Group Map. |
Step 4 | In the Create LDAP Group Map dialog box, do the following: |
Set the LDAP group rule.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand LDAP Group Maps. |
Step 4 | Right-click the LDAP group map you want to delete and choose Delete. |
Step 5 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Configuring RADIUS Providers
The properties that you configure in this task are the default settings for all RADIUS provider connections defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Complete the following fields in the Properties area: |
Step 4 | Click Save Changes. |
Create a RADIUS provider.
Cisco UCS Manager supports a maximum of 16 RADIUS providers.
Perform the following configuration in the RADIUS server: configure each user who will log in to Cisco UCS Manager with the Cisco UCS user attribute that carries that user's roles and locales.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | In the Create RADIUS Provider dialog box: |
Step 4 | Click Save Changes. |
For implementations involving a single RADIUS database, select RADIUS as the primary authentication service.
For implementations involving multiple RADIUS databases, configure a RADIUS provider group.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Right-click the RADIUS provider you want to delete and choose Delete. |
Step 4 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Configuring TACACS+ Providers
The properties that you configure in this task are the default settings for all TACACS+ provider connections defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | In the Properties area, complete the Timeout field: the length of time in seconds the system should spend trying to contact the TACACS+ database before it times out. Enter an integer from 1 to 60 seconds. The default is 5 seconds. An individual TACACS+ provider can enter 0 (zero) in its own Timeout field to use this global value. |
Step 4 | Click Save Changes. |
Create a TACACS+ provider.
Cisco UCS Manager supports a maximum of 16 TACACS+ providers.
Perform the following configuration in the TACACS+ server: configure each user who will log in to Cisco UCS Manager with the Cisco UCS user attribute that carries that user's roles and locales.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | In the Actions area of the General tab, click Create TACACS+ Provider. |
Step 4 | In the Create TACACS+ Provider dialog box: |
Step 5 | Click Save Changes. |
For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication service.
For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | In the Admin tab, expand . |
Step 3 | Right-click the TACACS+ provider you want to delete and choose Delete. |
Step 4 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Configuring Multiple Authentication Systems
You can configure Cisco UCS to use multiple authentication systems by configuring the following features: provider groups and authentication domains.
A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Manager allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.
During authentication, the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Manager automatically falls back to local authentication using the local username and password. Because this fallback is automatic, local accounts remain a valid login path whenever the remote providers are down, so their credentials need the same protection as remote ones.
Note: Authenticating with a single LDAP database does not require you to set up an LDAP provider group.
Create one or more LDAP providers.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click LDAP Provider Groups and choose Create LDAP Provider Group. |
Step 4 | In the Create LDAP Provider Group dialog box, do the following: |
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand LDAP Provider Groups. |
Step 4 | Right-click the LDAP provider group you want to delete and choose Delete. |
Step 5 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Note: Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group.
Create one or more RADIUS providers.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click RADIUS Provider Groups and choose Create RADIUS Provider Group. |
Step 4 | In the Create RADIUS Provider Group dialog box, do the following: |
Configure an authentication domain or select a default authentication service.
You cannot delete a provider group if it is being used by an authentication configuration.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand RADIUS Provider Groups. |
Step 4 | Right-click the RADIUS provider group you want to delete and choose Delete. |
Step 5 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Note: Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider group.
Create one or more TACACS+ providers.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click TACACS+ Provider Groups and choose Create TACACS+ Provider Group. |
Step 4 | In the Create TACACS+ Provider Group dialog box, do the following: |
You cannot delete a provider group if it is being used by an authentication configuration.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Expand TACACS+ Provider Groups. |
Step 4 | Right-click the TACACS+ provider group you want to delete and choose Delete. |
Step 5 | If Cisco UCS Manager GUI displays a confirmation dialog box, click Yes. |
Authentication domains are used by Cisco UCS Manager to leverage multiple authentication systems. Each authentication domain is configured in Cisco UCS Manager, and the user specifies a domain at login. If no authentication domain is specified, the default authentication service configuration is used.
You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Manager. If no provider group is specified, all servers within the realm are used.
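The provider-group and authentication-domain behaviour described in this section, as an added example that is not Cisco code: a Python model of how a login is routed to a realm and an ordered provider list, how the providers are tried in turn, and when the local username and password come into play. It follows the chapter's description (no domain means the default authentication service; a domain without a provider group means every provider in the realm; local credentials are used only when every configured server was unreachable) and enforces the limits the chapter states. Treating an explicit rejection from a reachable provider as final, with no further providers and no local fallback, is this example's reading of the text. Providers, users and passwords are constructed sample data.

```python
"""Model of how UCS Manager selects and tries providers for one login.

Added example, not Cisco code. Follows the chapter: a login names an
authentication domain or uses the default authentication service; a
domain maps to a realm and optionally a provider group, and with no
group every provider in the realm is used; providers are tried in
order; local credentials are used only after every configured server
proved unreachable. Treating an explicit rejection from a reachable
provider as final is this example's reading. Sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Optional

MAX_PROVIDERS_PER_REALM = 16   # limits stated in the chapter
MAX_PROVIDER_GROUPS = 16
MAX_PROVIDERS_PER_GROUP = 8
MAX_AUTH_DOMAINS = 8


class Unreachable(Exception):
    """The provider could not be contacted before its timeout expired."""


@dataclass
class Provider:
    name: str
    realm: str                                   # "ldap", "radius" or "tacacs"
    reachable: bool = True
    users: dict = field(default_factory=dict)    # username -> password (sample)

    def authenticate(self, user: str, password: str) -> bool:
        if not self.reachable:
            raise Unreachable(self.name)
        return self.users.get(user) == password


@dataclass
class AuthDomain:
    name: str
    realm: str
    group: Optional[list] = None                 # provider list; None: whole realm


@dataclass
class AuthConfig:
    providers: list
    groups: dict                                 # group name -> ordered provider list
    domains: list
    local_users: dict
    default_realm: str = "local"
    default_group: Optional[list] = None

    def validate(self) -> None:
        """Reject a configuration that exceeds the documented limits."""
        if len(self.domains) > MAX_AUTH_DOMAINS or len(self.groups) > MAX_PROVIDER_GROUPS:
            raise ValueError("too many authentication domains or provider groups")
        if any(len(g) > MAX_PROVIDERS_PER_GROUP for g in self.groups.values()):
            raise ValueError("a provider group has more than 8 providers")
        for realm in ("ldap", "radius", "tacacs"):
            if sum(p.realm == realm for p in self.providers) > MAX_PROVIDERS_PER_REALM:
                raise ValueError(f"more than 16 {realm} providers")

    def providers_for(self, domain: Optional[str]) -> tuple[str, list]:
        """Realm and ordered provider list that a login in `domain` will use."""
        if domain is None:
            realm, group = self.default_realm, self.default_group
        else:
            d = next((d for d in self.domains if d.name == domain), None)
            if d is None:
                raise ValueError(f"unknown authentication domain {domain!r}")
            realm, group = d.realm, d.group
        if realm == "local":
            return realm, []
        if group is not None:
            return realm, list(group)
        return realm, [p for p in self.providers if p.realm == realm]

    def login(self, user: str, password: str, domain: Optional[str] = None) -> str:
        """Return 'ok:<provider>', 'ok:local', 'ok:local-fallback' or 'denied'."""
        realm, candidates = self.providers_for(domain)
        if realm == "local":
            return "ok:local" if self.local_users.get(user) == password else "denied"
        for p in candidates:
            try:
                return f"ok:{p.name}" if p.authenticate(user, password) else "denied"
            except Unreachable:
                continue                         # next provider in order
        # Every configured server was unreachable: the local password decides.
        return "ok:local-fallback" if self.local_users.get(user) == password else "denied"


# Constructed sample: two LDAP servers in one group (the first is down) and a
# single RADIUS server reached through its own domain.
LDAP1 = Provider("ldap1", "ldap", reachable=False, users={"alice": "pw-a"})
LDAP2 = Provider("ldap2", "ldap", users={"alice": "pw-a"})
RAD1 = Provider("rad1", "radius", users={"bob": "pw-b"})
CORP = [LDAP1, LDAP2]
CONFIG = AuthConfig(
    providers=[LDAP1, LDAP2, RAD1], groups={"corp-ldap": CORP},
    domains=[AuthDomain("corp", "ldap", CORP), AuthDomain("net", "radius")],
    local_users={"admin": "local-pw"},
    default_realm="ldap", default_group=CORP,
)
CONFIG.validate()
```

The case worth watching is the last branch of login: once every server in the group is down, the local password alone admits the user, which is why the local admin credential deserves the same handling as a break-glass account.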
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Right-click Authentication Domains and choose Create a Domain. |
Step 4 | In the Create a Domain dialog box, complete the following fields: |
Step 5 | Click OK. |
Selecting a Primary Authentication Service
If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click Native Authentication. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Console Authentication area, complete the following fields: |
Step 6 | Click Save Changes. |
If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click Native Authentication. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Default Authentication area, complete the following fields: |
Step 6 | Click Save Changes. |
By default, if user roles are not configured in Cisco UCS Manager, read-only access is granted to all users logging in to Cisco UCS Manager from a remote server using the LDAP, RADIUS, or TACACS+ protocols. For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Manager. The Role Policy for Remote Users setting has two options:
Does not restrict user access to Cisco UCS Manager based on user roles. Read-only access is granted to all users unless matching user roles have been defined in Cisco UCS Manager. This is the default behavior.
Restricts user access to Cisco UCS Manager based on user roles. If user roles have not been assigned for the remote authentication system, access is denied.
Step 1 | In the Navigation pane, click the Admin tab. |
Step 2 | On the Admin tab, expand . |
Step 3 | Click Native Authentication. |
Step 4 | In the Work pane, click the General tab. |
Step 5 | In the Role Policy for Remote Users field, click one of the following radio buttons to determine what happens when a user attempts to log in and the remote authentication provider does not supply a user role with the authentication information: |
Step 6 | Click Save Changes. |
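The two role-policy outcomes described above, as an added example that is not Cisco code: a Python decision function that takes the role names a remote provider supplied for a user and the roles that exist in Cisco UCS Manager, matches them by exact name as the chapter requires, and returns what the user gets under each policy, together with the remote role names that were ignored. The policy labels, the set of local roles and the sample users are this example's assumptions and constructed data, not values taken from the GUI.

```python
"""Role policy for remote users, as the chapter describes the two settings.

Added example, not Cisco code. Role names must match exactly; the policy
labels are this example's, and LOCAL_ROLES / REMOTE_USERS are constructed.
"""
from enum import Enum

READ_ONLY_ROLE = "read-only"


class RolePolicy(Enum):
    ASSIGN_DEFAULT_ROLE = "assign-default-role"   # default: unmatched users get read-only
    NO_LOGIN = "no-login"                         # unmatched users are denied


def authorize_remote_user(remote_roles: set, local_roles: set,
                          policy: RolePolicy) -> dict:
    """Decide what a remotely authenticated user gets.

    Returns {'granted': roles applied, 'ignored': names the provider sent that
    UCS Manager does not define, 'denied': whether the login is refused}.
    """
    matched = set(remote_roles) & set(local_roles)
    ignored = set(remote_roles) - set(local_roles)
    if matched:
        return {"granted": matched, "ignored": ignored, "denied": False}
    if policy is RolePolicy.NO_LOGIN:
        return {"granted": set(), "ignored": ignored, "denied": True}
    return {"granted": {READ_ONLY_ROLE}, "ignored": ignored, "denied": False}


# Constructed: roles defined in UCS Manager and what the provider returned per user.
LOCAL_ROLES = {"admin", "aaa", "network", "read-only", "server-equipment"}
REMOTE_USERS = {
    "alice": {"admin"},
    "bob": {"Admin"},                      # wrong case: no role of that exact name
    "carol": set(),                        # provider supplied no role at all
    "dave": {"network", "storage-ops"},    # one valid role, one unknown name
}


def audit(policy: RolePolicy) -> dict:
    """Outcome for every sample user under a policy; run before changing the setting."""
    return {u: authorize_remote_user(r, LOCAL_ROLES, policy) for u, r in REMOTE_USERS.items()}


if __name__ == "__main__":
    for pol in RolePolicy:
        print(pol.value)
        for user, out in audit(pol).items():
            state = "DENIED" if out["denied"] else sorted(out["granted"])
            print(f"  {user:6} -> {state}  ignored={sorted(out['ignored'])}")
```

The ignored set is the useful output: under the default policy a typo in the provider's role name silently degrades an administrator to read-only, while under the restrictive policy it locks that user out, so reviewing that list before switching policies avoids an outage.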