Remote Authentication

Guidelines and Recommendations for Remote Authentication Providers

If you configure a system for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Central can communicate with it. In addition, be aware of the following guidelines that impact user authorization:

User Accounts in Remote Authentication Services

User accounts can exist locally in Cisco UCS Central or in the remote authentication server. You can view the temporary sessions for users who log in through remote authentication services through Cisco UCS Central GUI or Cisco UCS Central CLI.

User Roles in Remote Authentication Services

If you create user accounts in the remote authentication server, ensure that:
  • Accounts include the roles those users require for working in Cisco UCS Central.

  • Names of those roles match the names used in Cisco UCS Central.

Depending on the role policy, a user may not have permission to log in, or they may only have read-only privileges.

Local and Remote User Authentication Support

Cisco UCS Central uses LDAP, RADIUS and TACACS+ for remote authentication.

User Attributes in Remote Authentication Providers

When a user logs in, Cisco UCS Central:

  1. Queries the remote authentication service.

  2. Validates the user.

  3. Checks for the roles and locales assigned to that user, (if user passed validation).

The following table contains a comparison of the user attribute requirements for the remote authentication providers supported by Cisco UCS Central.

Table 1 Comparison of User Attributes by Remote Authentication Provider
Authentication Provider Custom Attribute Schema Extension Attribute ID Requirements

LDAP

Optional

Do one of the following:

  • Do not extend the LDAP schema and configure an existing, unused attribute that meets the requirements.

  • Extend the LDAP schema and create a custom attribute with a unique name, such as CiscoAVPair.

The Cisco LDAP implementation requires a unicode type attribute.

If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1

The following section contains a sample OID (object identifier).

RADIUS

Optional

Do one of the following:

  • Do not extend the RADIUS schema and use an existing unused attribute that meets the requirements.

  • Extend the RADIUS schema and create a custom attribute with a unique name, such as cisco-avpair.

The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.

The following syntax example specifies multiples user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.

TACACS+

Required

You must extend the schema and create a custom attribute with the name cisco-av-pair.

The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.

The following syntax example specifies multiples user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc". Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing authentication failures for other Cisco devices that use the same authorization profile. Use a space as the delimiter to separate multiple values.

Sample OID for LDAP User Attribute

The following is a sample OID for a custom CiscoAVPair attribute:

CN=CiscoAVPair,CN=Schema,
CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X