Managing Administrative Settings

Administrative Settings for Cisco UCS Central

Cisco UCS Central supports configuring policies and user authentication natively from the Administration tab in the GUI, similar to the tasks defined for UCS domains from the Operations Management tab. Most features are common to the two tabs; the differences are in user roles and server support.

The Administration tab allows you to perform administration tasks in the following areas:

  • General Settings

  • Users and Authentication

General Settings

You can configure policies from the Cisco UCS Central GUI. These administrative policies are defined at the organization level and can manage anything in the infrastructure, from date and time and SNMP traps to backup and export policies.

IPv6 Support

Cisco UCS Central supports IPv6 addressing, which is now enabled on the management interface visible to Cisco UCS Manager. Cisco UCS Central operates in dual mode, with both IPv4 and IPv6 enabled. This allows Cisco UCS Central and Cisco UCS Manager to communicate with each other through an IPv6 address, primarily to share pool and policy-related information only.

As part of the IPv6 integration, the Cisco UCS Central GUI displays IPv6 addresses of all registered UCS Managers in the Equipments tab. The GUI also displays IPv6 addresses in all the other areas where the device has an IPv6 address.

Cisco UCS Central supports the creation and deletion of IPv4 and IPv6 blocks in the IP pools, and supports IPv6 addressing for the following policies:

  • LDAP

  • TACACS+

  • RADIUS

  • NTP

  • DNS

You can now register a Cisco UCS Manager using an IPv6 address or an IPv4 address.

You can configure an IPv6 address on Cisco UCS Central through the GUI or CLI commands. This is also true for all the other areas where IPv6 addresses are used.

You can now create a Global Service Profile (GSP) and a Local Service Profile (LSP) using an Outband management IPv4 address and an Inband IPv4 and/or IPv6 address.

Configuring IPv6 in Standalone Mode

Procedure
    Step     Command or Action
             Purpose

    Step 1   UCSC# scope system
             Enters system mode.

    Step 2   UCSC/system# scope network-interface a
             Enters the network interface of Node A.

    Step 3   UCSC/network-interface# scope ipv6-config
             Scopes to IPv6 configuration.

    Step 4   UCSC/network-interface/ipv6-config# set net ipv6 ipv6 ipv6-address ipv6-gw ipv6-gateway ipv6-prefix prefix
             Specifies the IPv6 address, gateway, and prefix.

    Step 5   UCSC/network-interface/ipv6-config# commit-buffer
             Commits the transaction to the system configuration.

    The following example shows how to configure IPv6 in standalone mode:

    UCSC# scope system
    UCSC/system# scope network-interface a
    UCSC/network-interface# scope ipv6-config
    UCSC/ipv6-config# set net ipv6 ipv6 2001:db8:a::11 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
    UCSC/ipv6-config# commit-buffer

    Configuring IPv6 in High Availability Mode

    Procedure
      Step     Command or Action
               Purpose

      Step 1   UCSC# scope system
               Enters system mode.

      Step 2   UCSC/system# scope network-interface a
               Enters Node A of the network interface, which is also the primary virtual machine.

      Step 3   UCSC/network-interface# scope ipv6-config
               Scopes to IPv6 configuration.

      Step 4   UCSC/ipv6-config# set net ipv6 ipv6 ipv6-address ipv6-gw ipv6-gateway ipv6-prefix prefix
               Specifies the IPv6 address, gateway, and prefix.

      Step 5   UCSC/ipv6-config# commit-buffer
               Commits the transaction to the system configuration.

      Step 6   UCSC/ipv6-config# top
               Returns to the topmost directory.

      Step 7   UCSC# scope system
               Enters system mode.

      Step 8   UCSC/system# scope network-interface b
               Enters Node B of the network interface, which is also the subordinate virtual machine.

      Step 9   UCSC/network-interface# scope ipv6-config
               Scopes to IPv6 configuration.

      Step 10  UCSC/ipv6-config# set net ipv6 ipv6 ipv6-address ipv6-gw ipv6-gateway ipv6-prefix prefix
               Specifies the IPv6 address, gateway, and prefix.

      Step 11  UCSC/ipv6-config# commit-buffer
               Commits the transaction to the system configuration.

      Step 12  UCSC/ipv6-config# top
               Returns to the topmost directory.

      Step 13  UCSC# scope system
               Enters system mode.

      Step 14  UCSC/system# set virtual-ip ipv6 ipv6-address
               Configures a virtual IPv6 address.

      Step 15  UCSC/system# commit-buffer
               Commits the transaction to the system configuration.

      Step 16  UCSC/system# top
               Returns to the topmost directory.

      The following example shows how to configure IPv6 in the high availability mode:

      UCSC# scope system
      UCSC/system# scope network-interface a
      UCSC/network-interface# scope ipv6-config
      UCSC/ipv6-config# set net ipv6 ipv6 2001:db8:a::11 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
      UCSC/ipv6-config# commit-buffer
      UCSC/ipv6-config# top

      UCSC# scope system
      UCSC/system# scope network-interface b
      UCSC/network-interface# scope ipv6-config
      UCSC/ipv6-config# set net ipv6 ipv6 2001:db8:a::12 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
      UCSC/ipv6-config# commit-buffer
      UCSC/ipv6-config# top

      UCSC# scope system
      UCSC/system# set virtual-ip ipv6 2001:db8:a::10
      UCSC/system# commit-buffer
      UCSC/system# top

      Disabling IPv6

      You can disable IPv6 on Cisco UCS Central by setting the IPv6 address (in both standalone and HA mode) to null.

      Procedure
        Step     Command or Action
                 Purpose

        Step 1   UCSC# scope system
                 Enters system mode.

        Step 2   UCSC/system# scope network-interface a
                 Enters Node A of the network interface.

        Step 3   UCSC/network-interface# scope ipv6-config
                 Scopes to IPv6 configuration.

        Step 4   UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
                 Sets the IPv6 address to null, therefore disabling it.

        Step 5   UCSC/ipv6-config# commit-buffer
                 Commits the transaction to the system configuration.

        Step 6   UCSC/ipv6-config# top
                 Returns to the topmost directory.

        Step 7   UCSC# scope system
                 Enters system mode.

        Step 8   UCSC/system# set virtual-ip ipv6 ::
                 Sets the IPv6 address to null, therefore disabling it.

        Step 9   UCSC/system# commit-buffer
                 Commits the transaction to the system configuration.

        Step 10  UCSC/system# top
                 Returns to the topmost directory.

        Step 11  UCSC# scope system
                 Enters system mode.

        Step 12  UCSC/system# scope network-interface a
                 Enters Node A of the network interface.

        Step 13  UCSC/network-interface# scope ipv6-config
                 Scopes to IPv6 configuration.

        Step 14  UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
                 Sets the IPv6 address to null, therefore disabling it.

        Step 15  UCSC/ipv6-config# commit-buffer
                 Commits the transaction to the system configuration.

        Step 16  UCSC/ipv6-config# top
                 Returns to the topmost directory.

        Step 17  UCSC# scope system
                 Enters system mode.

        Step 18  UCSC/system# scope network-interface b
                 Enters Node B of the network interface.

        Step 19  UCSC/network-interface# scope ipv6-config
                 Scopes to IPv6 configuration.

        Step 20  UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
                 Sets the IPv6 address to null, therefore disabling it.

        Step 21  UCSC/ipv6-config# commit-buffer
                 Commits the transaction to the system configuration.

        Step 22  UCSC/ipv6-config# top
                 Returns to the topmost directory.

        Setting the IPv6 value to null moves all the affected IPv6 devices to a state of lost visibility.

        The following example shows how to disable IPv6 on Cisco UCS Central for the standalone and HA modes:

        UCSC# scope system
        UCSC/system# scope network-interface a
        UCSC/network-interface# scope ipv6-config
        UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
        UCSC/ipv6-config# commit-buffer
        UCSC/ipv6-config# top

        UCSC# scope system
        UCSC/system# set virtual-ip ipv6 ::
        UCSC/system# commit-buffer
        UCSC/system# top

        UCSC# scope system
        UCSC/system# scope network-interface a
        UCSC/network-interface# scope ipv6-config
        UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
        UCSC/ipv6-config# commit-buffer
        UCSC/ipv6-config# top

        UCSC# scope system
        UCSC/system# scope network-interface b
        UCSC/network-interface# scope ipv6-config
        UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
        UCSC/ipv6-config# commit-buffer
        UCSC/ipv6-config# top
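
A consistency check for the IPv6 procedures above (standalone, high availability and disabling), as an added example that is not part of the Cisco documentation: it parses a pasted CLI session using the command syntax shown on this page and reports node, gateway and virtual IP settings that do not fit together. The session text is constructed sample data, and the names parse_session and check_plan are hypothetical.

```python
import ipaddress
import re

# Command syntax as given in the procedures on this page.
NODE_RE = re.compile(r"scope network-interface\s+([ab])\b")
NET_RE = re.compile(
    r"set net ipv6 ipv6\s+(\S+)\s+ipv6-gw\s+(\S+)\s+ipv6-prefix\s+(\d+)")
VIP_RE = re.compile(r"set virtual-ip ipv6\s+(\S+)")

# Constructed sample: the high availability example, prompts included.
HA_SESSION = """\
UCSC# scope system
UCSC/system# scope network-interface a
UCSC/network-interface# scope ipv6-config
UCSC/ipv6-config# set net ipv6 ipv6 2001:db8:a::11 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
UCSC/ipv6-config# top
UCSC# scope system
UCSC/system# scope network-interface b
UCSC/network-interface# scope ipv6-config
UCSC/ipv6-config# set net ipv6 ipv6 2001:db8:a::12 ipv6-gw 2001:db8:a::1 ipv6-prefix 64
UCSC/ipv6-config# top
UCSC# scope system
UCSC/system# set virtual-ip ipv6 2001:db8:a::10
"""
# Constructed faulty variant: node B in another prefix, virtual IP reuses node A.
BAD_SESSION = (HA_SESSION
               .replace("2001:db8:a::12", "2001:db8:b::12")
               .replace("virtual-ip ipv6 2001:db8:a::10",
                        "virtual-ip ipv6 2001:db8:a::11"))
# Constructed sample: the disabling procedure (every address set to ::).
DISABLED_SESSION = """\
UCSC/system# scope network-interface a
UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
UCSC/ipv6-config# top
UCSC/system# set virtual-ip ipv6 ::
UCSC/system# scope network-interface b
UCSC/ipv6-config# set net ipv6 ipv6 :: ipv6-gw :: ipv6-prefix 64
"""


def parse_session(text):
    """Collect the staged IPv6 settings from a pasted CLI session."""
    plan = {"nodes": {}, "vip": None}
    node = None
    for line in text.splitlines():
        cmd = line.split("#", 1)[-1].strip()      # drop the prompt
        if cmd == "top":
            node = None                           # left the node scope
        elif m := NODE_RE.match(cmd):
            node = m.group(1)
        elif m := NET_RE.match(cmd):
            if node is None:
                raise ValueError("set net outside a network-interface scope")
            addr, gw, plen = m.groups()
            plan["nodes"][node] = (ipaddress.IPv6Address(addr),
                                   ipaddress.IPv6Address(gw), int(plen))
        elif m := VIP_RE.match(cmd):
            plan["vip"] = ipaddress.IPv6Address(m.group(1))
    return plan


def check_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings, nets, active = [], {}, {}
    for node, (addr, gw, plen) in sorted(plan["nodes"].items()):
        if addr.is_unspecified:
            findings.append(f"node {node}: IPv6 disabled (address is ::)")
            continue
        if addr.is_link_local or addr.is_multicast or addr.is_loopback:
            findings.append(f"node {node}: {addr} is not a usable unicast address")
        net = ipaddress.IPv6Interface(f"{addr}/{plen}").network
        nets[node], active[f"node {node}"] = net, addr
        if gw not in net:
            findings.append(f"node {node}: gateway {gw} is outside {net}")
        elif gw == addr:
            findings.append(f"node {node}: address equals its gateway")
    if len(set(nets.values())) > 1:
        findings.append("nodes a and b are in different prefixes")
    vip = plan["vip"]
    if vip is not None and not vip.is_unspecified:
        if len(active) < len(plan["nodes"]):
            findings.append("virtual IP set while a node has IPv6 disabled")
        for node, net in nets.items():
            if vip not in net:
                findings.append(
                    f"virtual IP {vip} is outside node {node} prefix {net}")
        active["virtual IP"] = vip
    elif vip is not None and active:
        findings.append("virtual IP is :: while a node still has an IPv6 address")
    seen = {}
    for name, addr in active.items():             # every address must be unique
        if addr in seen:
            findings.append(f"{name} duplicates {seen[addr]} ({addr})")
        seen.setdefault(addr, name)
    return findings


if __name__ == "__main__":
    for label, text in [("ha", HA_SESSION), ("bad", BAD_SESSION),
                        ("disabled", DISABLED_SESSION)]:
        print(label, check_plan(parse_session(text)))
```
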

        Configuring an SNMP Trap

        Procedure
          Step     Command or Action
                   Purpose

          Step 1   UCSC# connect policy-mgr
                   Enters policy manager mode.

          Step 2   UCSC(policy-mgr)# scope org
                   Enters organization mode for the specified organization.

          Step 3   UCSC(policy-mgr) /org# scope device-profile
                   Enters device profile mode for the specified organization.

          Step 4   UCSC(policy-mgr) /org/device-profile # scope snmp
                   Scopes the default SNMP policy's configuration mode.

          Step 5   UCSC(policy-mgr) /org/device-profile/snmp # create snmp-trap snmp-trap-ip
                   (Optional) If you scoped into an organization previously, creates the SNMP trap IP address for that organization (in format 0.0.0.0), and enters SNMP trap configuration mode.

          Step 6   UCSC(policy-mgr) /org/device-profile/snmp # scope snmp-trap snmp-trap-ip
                   (Optional) If you scoped into an organization previously, scopes the SNMP trap IP address for that organization (in format 0.0.0.0), and enters SNMP trap configuration mode.

          Step 7   UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set community snmp-trap-community-host-config-string
                   Enter the SNMP trap community string to configure the SNMP trap host.

          Step 8   UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set notificationtype traps
                   Enter the notification type for the SNMP trap as SNMP Trap Notifications (traps).

          Step 9   UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set port port-number
                   Enter the SNMP trap port number (1-65535).

          Step 10  UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set v3privilege auth | noauth | priv
                   Enter a V3 Privilege security level for the SNMP trap of authNoPriv Security Level (auth), noAuthNoPriv Security Level (noauth), or authPriv Security Level (priv).

          Step 11  UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set version v1 | v2c | v3
                   Enter a version for the SNMP trap of SNMP v1, v2c, or v3.

          Step 12  UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # commit-buffer
                   Commits the transaction to the system configuration.

           
          The following example shows how to scope into an organization, scope the SNMP policy, create the SNMP trap with IP address 0.0.0.0, set the SNMP community host string to snmptrap01, set the SNMP notification type to traps, set the SNMP port to 1, set the v3privilege to priv, set the version to v1, and commit the transaction:
          UCSC # connect policy-mgr
          UCSC(policy-mgr)# scope org
          UCSC(policy-mgr) /org# scope device-profile
          UCSC(policy-mgr) /org/device-profile # scope snmp
          UCSC(policy-mgr) /org/device-profile/snmp # create snmp-trap 0.0.0.0
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set community snmptrap01
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set notificationtype traps
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set port 1
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set v3privilege priv
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set version v1
          UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # commit-buffer
          

          Configuring an SNMP User

          Procedure
            Step     Command or Action
                     Purpose

            Step 1   UCSC# connect policy-mgr
                     Enters policy manager mode.

            Step 2   UCSC(policy-mgr)# scope org
                     Enters organization mode for the specified organization.

            Step 3   UCSC(policy-mgr) /org# scope device-profile
                     Enters device profile mode for the specified organization.

            Step 4   UCSC(policy-mgr) /org/device-profile # scope snmp
                     Scopes the SNMP policy's configuration mode.

            Step 5   UCSC(policy-mgr) /org/device-profile/snmp # create snmp-user snmp-user
                     Enter a name for the SNMP user.

            Step 6   UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set aes-128 yes | no
                     Use AES-128 for the SNMP user (yes or no).

            Step 7   UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set auth md5 | sha
                     Use MD5 or SHA authorization mode for the SNMP user.

            Step 8   UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set password password
                     Enter and confirm a password for the SNMP user.

            Step 9   UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set priv-password private-password
                     Enter and confirm a private password for the SNMP user.

            Step 10  UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # commit-buffer
                     Commits the transaction to the system configuration.

             
            The following example shows how to scope into an organization, scope the SNMP policy, scope into the SNMP user named snmpuser01, set aes-128 mode to enabled, set authorization to sha mode, set password to userpassword01, set private password to userpassword02, and commit the transaction:
            UCSC # connect policy-mgr
            UCSC(policy-mgr)# scope org
            UCSC(policy-mgr) /org# scope device-profile
            UCSC(policy-mgr) /org/device-profile # scope snmp
            UCSC(policy-mgr) /org/device-profile/snmp # scope snmp-user snmpuser01
            UCSC(policy-mgr) /org/device-profile/snmp/snmp-user # set aes-128 yes
            UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set auth sha
            UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set password userpassword01
            Enter a password: userpassword01
            Confirm the password: userpassword01
            UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set priv-password userpassword02
            Enter a password: userpassword02
            Confirm the password: userpassword02
            UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # commit-buffer
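
A review aid for the SNMP trap and SNMP user procedures above, as an added example that is not part of the Cisco documentation: it reads a pasted policy-mgr session and flags the weaker choices among the options those procedures list (version, v3privilege, auth, aes-128, and passwords typed as command arguments). Both sessions are constructed sample data (192.0.2.10 is a documentation address), and the names parse_snmp and audit are hypothetical.

```python
import re

OBJ_RE = re.compile(r"(?:create|scope)\s+(snmp-trap|snmp-user)\s+(\S+)$")
SET_RE = re.compile(r"set\s+(\S+)(?:\s+(\S+))?$")
SECRET_KEYS = ("password", "priv-password")

# Constructed sample: the trap and user examples from this page, combined.
PAGE_SESSION = """\
UCSC(policy-mgr) /org/device-profile # scope snmp
UCSC(policy-mgr) /org/device-profile/snmp # create snmp-trap 0.0.0.0
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set community snmptrap01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set version v1
UCSC(policy-mgr) /org/device-profile/snmp # scope snmp-user snmpuser01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user # set aes-128 yes
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set auth sha
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set password userpassword01
Enter a password: userpassword01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set priv-password userpassword02
Enter a password: userpassword02
"""
# Constructed sample: same objects with the strongest options the page lists.
HARDENED_SESSION = """\
UCSC(policy-mgr) /org/device-profile/snmp # create snmp-trap 192.0.2.10
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set version v3
UCSC(policy-mgr) /org/device-profile/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /org/device-profile/snmp # create snmp-user snmpuser01
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set aes-128 yes
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set auth sha
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set password
UCSC(policy-mgr) /org/device-profile/snmp/snmp-user* # set priv-password
"""


def parse_snmp(text):
    """Return {(kind, name): {setting: value}} from a pasted session."""
    objs, current = {}, None
    for line in text.splitlines():
        if "#" not in line:              # password prompts, not commands
            continue
        cmd = line.split("#", 1)[1].strip()
        if m := OBJ_RE.match(cmd):
            current = objs.setdefault((m.group(1), m.group(2)), {})
        elif (m := SET_RE.match(cmd)) and current is not None:
            key, value = m.groups()
            if key in SECRET_KEYS:
                # Do not keep the secret; record only how it was supplied.
                value = "inline" if value else "prompted"
            current[key] = value
    return objs


def audit(objs):
    """Return (object, message) findings for weak SNMP settings."""
    findings = []
    for (kind, name), cfg in objs.items():
        who = f"{kind} {name}"
        if kind == "snmp-trap":
            version, level = cfg.get("version"), cfg.get("v3privilege")
            if version in ("v1", "v2c"):
                findings.append((who, f"{version} sends the community string "
                                      "and trap data in clear text"))
                if level:
                    findings.append((who, f"v3privilege {level} is an SNMPv3 "
                                          f"level and does not protect {version}"))
            elif version == "v3" and level != "priv":
                findings.append((who, f"v3privilege is {level or 'not set'}; "
                                      "only priv (authPriv) encrypts trap data"))
        else:
            if cfg.get("auth") == "md5":
                findings.append((who, "auth md5 selected; sha is the stronger "
                                      "of the two options"))
            if cfg.get("aes-128") != "yes":
                findings.append((who, "AES-128 is not enabled for this user"))
            for key in SECRET_KEYS:
                if cfg.get(key) == "inline":
                    findings.append((who, f"{key} typed as a command argument "
                                          "is visible in the session text"))
    return findings


if __name__ == "__main__":
    for who, message in audit(parse_snmp(PAGE_SESSION)):
        print(f"{who}: {message}")
```
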
            

            Configuring an NTP Server

            Procedure
              Step     Command or Action
                       Purpose

              Step 1   UCSC# connect policy-mgr
                       Enters policy manager mode.

              Step 2   UCSC(policy-mgr)# scope org
                       Enters organization mode for the specified organization.

              Step 3   UCSC(policy-mgr) /org# scope device-profile
                       Enters device profile mode for the specified organization.

              Step 4   UCSC(policy-mgr) /org/device-profile # scope timezone-ntp-config
                       Enters time zone NTP configuration mode.

              Step 5   UCSC(policy-mgr) /org/device-profile/timezone-ntp-config # create ntp server-name
                       Creates an NTP server instance.

              Step 6   UCSC(policy-mgr) /org/device-profile/timezone-ntp-config* # commit-buffer
                       Commits the transaction to the system configuration.

               
              The following example shows how to scope into an organization, create an NTP server instance named orgNTP01, and commit the transaction:
              UCSC # connect policy-mgr
              UCSC(policy-mgr)# scope org
              UCSC(policy-mgr) /org# scope device-profile
              UCSC(policy-mgr) /org/device-profile # scope timezone-ntp-config
              UCSC(policy-mgr) /org/device-profile/timezone-ntp-config # create ntp orgNTP01
              UCSC(policy-mgr) /org/device-profile/timezone-ntp-config* # commit-buffer
              UCSC(policy-mgr) /org/device-profile/timezone-ntp-config # 
              
              

              Configuring a DNS Server

              Procedure
                Step     Command or Action
                         Purpose

                Step 1   UCSC# connect policy-mgr
                         Enters policy manager mode.

                Step 2   UCSC(policy-mgr)# scope org
                         Enters organization mode for the specified organization.

                Step 3   UCSC(policy-mgr) /org# scope device-profile
                         Enters device profile mode for the specified organization.

                Step 4   UCSC(policy-mgr) /org/device-profile # scope dns-config
                         Enter an existing DNS policy's configuration mode from the organization.

                Step 5   UCSC(policy-mgr) /org/device-profile/dns-config # create dns server-IP-address
                         Creates a DNS server instance.

                Step 6   UCSC(policy-mgr) /org/device-profile/dns-config* # commit-buffer
                         Commits the transaction to the system configuration.

                 
                The following example shows how to scope into the organization, create a DNS server instance named 0.0.0.0, and commit the transaction:
                UCSC # connect policy-mgr
                UCSC(policy-mgr)# scope org
                UCSC(policy-mgr) /org# scope device-profile
                UCSC(policy-mgr) /org/device-profile # scope dns-config
                UCSC(policy-mgr) /org/device-profile/dns-config # create dns 0.0.0.0
                UCSC(policy-mgr) /org/device-profile/dns-config* # commit-buffer
                

                Configuring a Fault Policy

                Procedure
                  Step     Command or Action
                           Purpose

                  Step 1   UCSC# connect policy-mgr
                           Enters policy manager mode.

                  Step 2   UCSC(policy-mgr)# scope org
                           Enters organization mode for the specified organization.

                  Step 3   UCSC(policy-mgr) /org# scope device-profile
                           Enters device profile mode for the specified organization.

                  Step 4   UCSC(policy-mgr) /org/device-profile # create fault policy
                           (Optional) If scoping into a device previously, creates the fault policy for that domain group.

                  Step 5   UCSC(policy-mgr) /org/device-profile # scope fault policy
                           (Optional) If scoping into the domain group root previously, scopes the default fault policy's configuration mode from the Domain Group root.

                  Step 6   UCSC(policy-mgr) /org/device-profile/policy* # set ackaction delete-on-clear
                           Set the fault policy acknowledgment action to delete on clear (delete-on-clear) or reset to initial severity (reset-to-initial-severity).

                  Step 7   UCSC(policy-mgr) /org/device-profile/policy* # set clearaction delete | retain
                           Set the fault policy clear action to delete or retain.

                  Step 8   UCSC(policy-mgr) /org/device-profile/policy* # set clearinterval clear-number-of-days | retain
                           Set the fault policy clear interval to the number of days (0-3600) or retain.

                  Step 9   UCSC(policy-mgr) /org/device-profile/policy* # set flapinterval flap-number-of-days
                           Set the fault policy flap interval to the number of days (0-3600).

                  Step 10  UCSC(policy-mgr) /org/device-profile/policy* # set retentioninterval retention-number-of-days | forever
                           Set the fault policy retention interval to the number of days (0-3600) or forever.

                  Step 11  UCSC(policy-mgr) /org/device-profile/policy* # set soakingseverity condition | info | warning
                           Set the fault policy soaking severity to condition, info, or warning.

                  Step 12  UCSC(policy-mgr) /org/device-profile/policy* # set soakinterval soak-number-of-days | never
                           Set the fault policy soak interval to the number of days (0-3600) or never.

                  Step 13  UCSC(policy-mgr) /org/device-profile/policy* # commit-buffer
                           Commits the transaction to the system configuration.

                   
                  The following example shows how to scope into org01, create a global fault debug policy, enter the status settings, and commit the transaction:
                  UCSC # connect policy-mgr
                  UCSC(policy-mgr)# scope org 
                  UCSC(policy-mgr) /org# scope device-profile
                  UCSC(policy-mgr) /org/device-profile # create fault policy
                  UCSC(policy-mgr) /org/device-profile/policy* # set ackaction delete-on-clear
                  UCSC(policy-mgr) /org/device-profile/policy* # set clearaction delete
                  UCSC(policy-mgr) /org/device-profile/policy* # set clearinterval 90
                  UCSC(policy-mgr) /org/device-profile/policy* # set flapinterval 180
                  UCSC(policy-mgr) /org/device-profile/policy* # set retentioninterval 365
                  UCSC(policy-mgr) /org/device-profile/policy* # set soakingseverity info
                  UCSC(policy-mgr) /org/device-profile/policy* # set soakinterval never
                  UCSC(policy-mgr) /org/device-profile/policy* # commit-buffer
                  UCSC(policy-mgr) /org/device-profile/policy # 
                  

                  Configuring a TFTP Core Export Policy

                  Procedure
                    Step     Command or Action
                             Purpose

                    Step 1   UCSC# connect policy-mgr
                             Enters policy manager mode.

                    Step 2   UCSC(policy-mgr)# scope org
                             Enters organization mode for the specified organization.

                    Step 3   UCSC(policy-mgr) /org# scope device-profile
                             Enters device profile mode for the specified organization.

                    Step 4   UCSC(policy-mgr) /org/device-profile # scope tftp-core-export-config
                             (Optional) Scopes an existing TFTP Core Export Debug policy's configuration mode.

                    Step 5   UCSC(policy-mgr) /org/device-profile # create tftp-core-export-config
                             (Optional) Creates a TFTP Core Export Debug policy if it does not exist, then scopes into the policy.

                    Step 6   UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # enable core-export-target
                             Enables the TFTP core export target.

                    Step 7   UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target path name-of-path
                             Sets the TFTP core export policy target path.

                    Step 8   UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target port port-number
                             Sets the TFTP core export policy port number (1-65535).

                    Step 9   UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-description server-description
                             Sets the TFTP core export target policy server description.

                             Note: Do not use spaces in the server description unless the text is quoted (format examples: "Server description text" or Server_description_text).

                    Step 10  UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-name server-name
                             Sets the TFTP core export target policy server name.

                    Step 11  UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # commit-buffer
                             Commits the transaction to the system configuration.

                     
                    The following example shows how to scope into org01, create the TFTP Core Export Policy, configure the policy, and commit the transaction:
                    UCSC # connect policy-mgr
                    UCSC(policy-mgr)# scope org
                    UCSC(policy-mgr) /org# scope device-profile
                    UCSC(policy-mgr) /org/device-profile # create tftp-core-export-config
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # enable core-export-target
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target path /target
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target port 65535
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-description "TFTP core export server 2"
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # set core-export-target server-name TFTPcoreserver01
                    UCSC(policy-mgr) /org/device-profile/tftp-core-export-config* # commit-buffer
                    

                    Creating a Locally Authenticated User

                    Procedure
                      Step     Command or Action
                               Purpose

                      Step 1   UCSC# connect policy-mgr
                               Enters policy manager mode.

                      Step 2   UCSC(policy-mgr)# scope org
                               Enters organization mode for the specified organization.

                      Step 3   UCSC(policy-mgr) /org# scope device-profile
                               Enters device profile mode for the specified organization.

                      Step 4   UCSC(policy-mgr) /org/device-profile# scope security
                               Enters security mode.

                      Step 5   UCSC(policy-mgr) /org/device-profile/security # create local-user local-user-name
                               Creates a user account for the specified local user and enters security local user mode.

                      Step 6   UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status {active | inactive}
                               Specifies whether the local user account is enabled or disabled.

                               The admin user account is always set to active. It cannot be modified.

                               Note: If you set the account status to inactive, the configuration is not deleted from the database. The user is prevented from logging into the system using their existing credentials.

                      Step 7   UCSC(policy-mgr) /org/device-profile/security/local-user* # set password password
                               Sets the password for the user account.

                      Step 8   UCSC(policy-mgr) /org/device-profile/security/local-user* # set firstname first-name
                               (Optional) Specifies the first name of the user.

                      Step 9   UCSC(policy-mgr) /org/device-profile/security/local-user* # set lastname last-name
                               (Optional) Specifies the last name of the user.

                      Step 10  UCSC(policy-mgr) /org/device-profile/security/local-user* # set expiration month day-of-month year
                               (Optional) Specifies the date that the user account expires. The month argument is the first three letters of the month name.

                      Step 11  UCSC(policy-mgr) /org/device-profile/security/local-user* # set email email-addr
                               (Optional) Specifies the user e-mail address.

                      Step 12  UCSC(policy-mgr) /org/device-profile/security/local-user* # set phone phone-num
                               (Optional) Specifies the user phone number.

                      Step 13  UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey ssh-key
                               (Optional) Specifies the SSH key used for passwordless access.

                      Step 14  UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
                               Commits the transaction.

                       
                      The following example shows how to create the user account named eagle_eye, enable the user account, set the password to eye5687, and commit the transaction:
                      UCSC # connect policy-mgr
                      UCSC(policy-mgr)# scope org
                      UCSC(policy-mgr) /org# scope device-profile
                      UCSC(policy-mgr) /org/device-profile # scope security
                      UCSC(policy-mgr) /org/device-profile/security # create local-user eagle_eye
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set password
                      Enter a password:
                      Confirm the password:
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
                      UCSC(policy-mgr) /org/device-profile/security/local-user* #
                      
                      The following example creates the user account named lincey, enables the user account, sets an OpenSSH key for passwordless access, and commits the transaction.
                      UCSC # connect policy-mgr
                      UCSC(policy-mgr)# scope org /
                      UCSC(policy-mgr) /org# scope device-profile /
                      UCSC(policy-mgr) /org/device-profile # scope security
                      UCSC(policy-mgr) /org/device-profile/security # create local-user lincey
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4K iaQB8X/PDdmtlxQQcawcljk8f4VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpD m8HPh2LOgyH7Ei1MI8="
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
                      UCSC(policy-mgr) /org/device-profile/security/local-user* #
                      
                      The following example creates the user account named jforlenz, enables the user account, sets a Secure SSH key for passwordless access, and commits the transaction.
                      UCSC # connect policy-mgr
                      UCSC(policy-mgr)# scope org /
                      UCSC(policy-mgr) /org# scope device-profile /
                      UCSC(policy-mgr) /org/device-profile # scope security
                      UCSC(policy-mgr) /org/device-profile/security # create local-user jforlenz
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey
                      Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
                      User's SSH key:
                      > ---- BEGIN SSH2 PUBLIC KEY ----
                      >AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8
                      >5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO
                      >IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=
                      > ---- END SSH2 PUBLIC KEY ----
                      > ENDOFBUF
                      UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
                      UCSC(policy-mgr) /org/device-profile/security/local-user* #
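Because the key installed with set sshkey grants passwordless access, it is worth inspecting before it is pasted in. The following is an added example, not Cisco code: it reads a public key in either of the two formats shown above (one-line OpenSSH and SSH2 BEGIN/END), and reports the key type, RSA modulus size and SHA-256 fingerprint. The 2048-bit minimum is an assumed policy threshold, and the sample keys are constructed placeholders of the right size, not usable keys.

```python
import base64
import hashlib
import struct


def _read_string(blob, offset):
    """Read one length-prefixed SSH string; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[offset + 4:end], end


def extract_blob(text):
    """Return (declared_type_or_None, raw_blob) from OpenSSH or SSH2 key text."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if lines and lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        if not lines[-1].startswith("---- END SSH2 PUBLIC KEY"):
            raise ValueError("missing END marker")
        body, continued = [], False
        for ln in lines[1:-1]:
            # Header lines contain ':' (never valid base64) and may
            # continue onto the next line with a trailing backslash.
            if continued or ":" in ln:
                continued = ln.endswith("\\")
                continue
            body.append(ln)
        return None, base64.b64decode("".join(body), validate=True)
    parts = text.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    return parts[0], base64.b64decode(parts[1], validate=True)


def inspect_public_key(text, min_rsa_bits=2048):
    """Summarise a public key; min_rsa_bits is an assumed site policy."""
    declared, blob = extract_blob(text)
    key_type, offset = _read_string(blob, 0)
    key_type = key_type.decode("ascii")
    if declared is not None and declared != key_type:
        raise ValueError("type prefix does not match the encoded key")
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode()
    info = {"type": key_type, "bits": None, "weak": False,
            "fingerprint": "SHA256:" + digest.rstrip("=")}
    if key_type == "ssh-rsa":
        _exponent, offset = _read_string(blob, offset)
        modulus, offset = _read_string(blob, offset)
        info["bits"] = int.from_bytes(modulus, "big").bit_length()
        info["weak"] = info["bits"] < min_rsa_bits
    return info


def _mpint(value):
    """Encode a positive integer as an SSH mpint (leading zero if needed)."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(raw)) + raw


def build_sample(bits):
    """Constructed sample: an ssh-rsa blob of the given size in both formats."""
    modulus = (1 << (bits - 1)) | 1  # right length only, not a real key
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint(modulus)
    b64 = base64.b64encode(blob).decode()
    openssh = "ssh-rsa " + b64 + " constructed@example"
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    ssh2 = ("---- BEGIN SSH2 PUBLIC KEY ----\n"
            'Comment: "constructed sample"\n'
            + wrapped + "\n---- END SSH2 PUBLIC KEY ----")
    return openssh, ssh2


if __name__ == "__main__":
    for sample in build_sample(1024):
        print(inspect_public_key(sample))
```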
                      

                      Creating a Remote User Login Policy

                      Procedure
                        Command or Action / Purpose
                        Step 1  UCSC# connect policy-mgr
                                Enters policy manager mode.
                        Step 2  UCSC(policy-mgr)# scope org
                                Enters organization mode for the specified organization.
                        Step 3  UCSC(policy-mgr) /org # scope device-profile
                                Enters device profile mode for the specified organization.
                        Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                Enters security mode.
                        Step 5  UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
                                Enters authentication realm security mode.
                        Step 6  UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role {assign-default-role | no-login}
                                Specifies whether user access to Cisco UCS Central is restricted based on user roles.
                        Step 7  UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer
                                Commits the transaction to the system configuration.

                        The following example shows how to set the role policy for remote users and commit the transaction:
                        UCSC # connect policy-mgr
                        UCSC(policy-mgr)# scope org
                        UCSC(policy-mgr) /org # scope device-profile
                        UCSC(policy-mgr) /org/device-profile # scope security
                        UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
                        UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role assign-default-role
                        UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer
                        UCSC(policy-mgr) /org/device-profile/security/auth-realm #

                        Creating a User Role

                        Procedure
                          Command or Action / Purpose
                          Step 1  UCSC# connect policy-mgr
                                  Enters policy manager mode.
                          Step 2  UCSC(policy-mgr)# scope org
                                  Enters organization mode for the specified organization.
                          Step 3  UCSC(policy-mgr) /org # scope device-profile
                                  Enters device profile mode for the specified organization.
                          Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                  Enters security mode.
                          Step 5  UCSC(policy-mgr) /org/device-profile/security # create role name
                                  Creates the user role and enters security role mode.
                          Step 6  UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
                                  Commits the transaction to the system configuration.

                          The following example creates the service-profile-security-admin role, adds the service profile security and service profile security policy privileges to the role, and commits the transaction:
                          UCSC # connect policy-mgr
                          UCSC(policy-mgr)# scope org
                          UCSC(policy-mgr) /org# scope device-profile
                          UCSC(policy-mgr) /org/device-profile # scope security
                          UCSC(policy-mgr) /org/device-profile/security # create role ls-security-admin
                          UCSC(policy-mgr) /org/device-profile/security/role* # commit-buffer
                          

                          Creating a User Locale

                          Procedure
                            Command or Action / Purpose
                            Step 1  UCSC# connect policy-mgr
                                    Enters policy manager mode.
                            Step 2  UCSC(policy-mgr)# scope org
                                    Enters organization mode for the specified organization.
                            Step 3  UCSC(policy-mgr) /org # scope device-profile
                                    Enters device profile mode for the specified organization.
                            Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                    Enters security mode.
                            Step 5  UCSC(policy-mgr) /org/device-profile/security # create locale name
                                    Creates the user locale and enters security locale mode.
                            Step 6  UCSC(policy-mgr) /org/device-profile/security/locale* # create org-ref org-ref-name orgdn orgdn-name
                                    References (binds) an organization to the locale. The org-ref-name argument is the name used to identify the organization reference, and the orgdn-name argument is the distinguished name of the organization being referenced.
                            Step 7  UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer
                                    Commits the transaction to the system configuration.

                            The following example shows how to create the finance organization for the western locale and commit the transaction:
                            UCSC # connect policy-mgr
                            UCSC(policy-mgr)# scope org
                            UCSC(policy-mgr) /org# scope device-profile
                            UCSC(policy-mgr) /org/device-profile # scope security
                            UCSC(policy-mgr) /org/device-profile/security # create locale western
                            UCSC(policy-mgr) /org/device-profile/security/locale* # create org-ref finance-ref orgdn finance
                            UCSC(policy-mgr) /org/device-profile/security/locale* # commit-buffer
                            

                            Users and Authentication

                            Cisco UCS Central supports creating local and remote users to access the system. You can configure up to 128 user accounts in each Cisco UCS Central domain. Each of these users must have a unique username and password. For more information, see User Management.

                            Cisco UCS Central uses LDAP for native authentication, but excludes RADIUS and TACACS+ authentication in this release. However, RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains. For more information, see Managing Administrative Settings.

                            Creating an Authentication Domain

                            Procedure
                              Command or Action / Purpose
                              Step 1  UCSC# connect policy-mgr
                                      Enters policy manager mode.
                              Step 2  UCSC(policy-mgr)# scope org
                                      Enters organization mode for the specified organization.
                              Step 3  UCSC(policy-mgr) /org # scope device-profile
                                      Enters device profile mode for the specified organization.
                              Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                      Enters security mode.
                              Step 5  UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
                                      Enters authentication realm mode.
                              Step 6  UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain-name
                                      Creates an authentication domain and enters authentication domain mode. The RADIUS-related settings apply only to Cisco UCS Central under the Domain Group root and child domain groups.
                              Step 7  UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set refresh-period seconds
                                      (Optional) When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain.
                                      If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session.
                                      Specify an integer between 60 and 172800. The default is 600 seconds.
                              Step 8  UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set session-timeout seconds
                                      (Optional) The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session.
                                      Specify an integer between 60 and 172800. The default is 7200 seconds.
                              Step 9  UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth
                                      (Optional) Creates a default authentication for the specified authentication domain.
                              Step 10 UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name
                                      (Optional) Specifies the provider group for the specified authentication domain.
                              Step 11 UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm {ldap | local | radius | tacacs}
                                      Specifies the realm for the specified authentication domain.
                              Step 12 UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer
                                      Commits the transaction to the system configuration.

                              The following example shows how to create an authentication domain called domain1 with a web refresh period of 3600 seconds (1 hour) and a session timeout period of 14400 seconds (4 hours), configure domain1 to use the providers in ldapgroup1, set the realm type to ldap, and commit the transaction.
                              UCSC # connect policy-mgr
                              UCSC(policy-mgr)# scope org
                              UCSC(policy-mgr) /org # scope device-profile
                              UCSC(policy-mgr) /org/device-profile # scope security
                              UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain1
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set refresh-period 3600
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set session-timeout 14400
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm ldap
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer
                              UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth #

                              Creating an LDAP Provider

                              Before You Begin

                              Procedure
                                Command or Action / Purpose
                                Step 1  UCSC# connect policy-mgr
                                        Enters policy manager mode.
                                Step 2  UCSC(policy-mgr)# scope org
                                        Enters organization mode for the specified organization.
                                Step 3  UCSC(policy-mgr) /org # scope device-profile
                                        Enters device profile mode for the specified organization.
                                Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                        Enters security mode.
                                Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                        Enters security LDAP mode.
                                Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # create server server-name
                                        Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. If you use a hostname rather than an IPv4 or IPv6 address, you must configure a DNS server. If the Cisco UCS domain is not registered with Cisco UCS Central or DNS management is set to local, configure a DNS server in Cisco UCS Manager. If the Cisco UCS domain is registered with Cisco UCS Central and DNS management is set to global, configure a DNS server in Cisco UCS Central.
                                Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set attribute attribute
                                        (Optional) An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.
                                Step 8  UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set basedn basedn-name
                                        The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user's DN based on their username. The length of the base DN can be set to a maximum of 255 characters minus the length of CN=username, where username identifies the remote user attempting to access Cisco UCS Manager using LDAP authentication.
                                Step 9  UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn binddn-name
                                        The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN.
                                        The maximum supported string length is 255 ASCII characters.
                                Step 10 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set filter filter-value
                                        The LDAP search is restricted to those user names that match the defined filter.
                                Step 11 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password
                                        To set the password, press Enter after typing the set password command and enter the key value at the prompt.
                                Step 12 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order order-num
                                        The order in which Cisco UCS Central uses this provider to authenticate users.
                                Step 13 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port port-num
                                        The port through which Cisco UCS Central communicates with the LDAP database. The standard port number is 389.
                                Step 14 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl {yes | no}
                                        Enables or disables the use of encryption when communicating with the LDAP server. The options are as follows:
                                        • yes: Encryption is required. If encryption cannot be negotiated, the connection fails.
                                        • no: Encryption is disabled. Authentication information is sent as clear text.
                                Step 15 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout timeout-num
                                Step 16 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set vendor
                                        Specifies the vendor for the LDAP group.
                                        • ms-ad: To specify Microsoft Active Directory, enter ms-ad.
                                        • openldap: To specify OpenLDAP server, enter openldap.
                                Step 17 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer
                                        Commits the transaction to the system configuration.

                                The following example shows how to create an LDAP server instance named 10.193.169.246, configure the binddn, password, order, port, and SSL settings, and commit the transaction:
                                UCSC # connect policy-mgr
                                UCSC(policy-mgr)# scope org
                                UCSC(policy-mgr) /org # scope device-profile
                                UCSC(policy-mgr) /org/device-profile # scope security
                                UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                UCSC(policy-mgr) /org/device-profile/security/ldap # create server 10.193.169.246
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password
                                Enter the password:
                                Confirm the password:
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order 2
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port 389
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl yes
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout 30
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer
                                UCSC(policy-mgr) /org/device-profile/security/ldap/server # 
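The limits stated in the authentication domain and LDAP provider procedures above can be checked mechanically against a saved CLI session. The following is an added example, not Cisco code: it parses a transcript in the prompt format used on this page and flags set ssl no, out-of-range refresh-period and session-timeout values, binddn and basedn length violations, and a session that ends with uncommitted changes. The transcript is a constructed sample, and longest_username is an assumed site value for the base DN rule.

```python
import re
import shlex

# Prompt shape used throughout the page: UCSC(policy-mgr) /scope/path[*] # command
PROMPT = re.compile(
    r"^UCSC(?:\([\w-]+\))?\s*(?P<scope>/\S*?)?\s*(?P<dirty>\*)?\s*#\s*(?P<cmd>.*)$"
)
TIMER_RANGE = (60, 172800)  # refresh-period / session-timeout bounds from the page
MAX_DN = 255                # binddn limit; basedn limit before CN=username is subtracted


def lint_transcript(text, longest_username=32):
    """Return [(line_number, message)] for risky or invalid settings.

    longest_username is an assumption about the site, used for the basedn rule.
    """
    findings = []
    dirty = False
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = PROMPT.match(raw.strip())
        if not m:
            continue  # password prompts, pasted key lines, blank lines
        dirty = bool(m.group("dirty"))  # '*' marks uncommitted changes
        try:
            words = shlex.split(m.group("cmd"))
        except ValueError:
            findings.append((lineno, "unbalanced quotes in command"))
            continue
        if not words:
            continue
        verb = words[0]
        if verb == "commit-buffer":
            dirty = False
        elif verb in ("set", "create", "delete"):
            dirty = True
        if verb != "set" or len(words) < 3:
            continue
        key, value = words[1], " ".join(words[2:])
        scope = m.group("scope") or ""
        if key == "ssl" and value == "no" and "/ldap/server" in scope:
            findings.append(
                (lineno, "ssl no: authentication information is sent as clear text"))
        elif key in ("refresh-period", "session-timeout"):
            in_range = value.isdigit() and TIMER_RANGE[0] <= int(value) <= TIMER_RANGE[1]
            if not in_range:
                findings.append(
                    (lineno, "%s %s is outside 60-172800 seconds" % (key, value)))
        elif key == "binddn":
            if len(value) > MAX_DN or not value.isascii():
                findings.append((lineno, "bind DN exceeds 255 ASCII characters"))
        elif key == "basedn":
            limit = MAX_DN - len("CN=") - longest_username
            if len(value) > limit:
                findings.append(
                    (lineno, "base DN longer than %d characters" % limit))
    if dirty:
        findings.append((lineno, "session ends with uncommitted changes"))
    return findings


# Constructed sample session (host name and DNs are placeholders).
SAMPLE = """\
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create server ldap.example.test
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn "cn=svc-ucs,cn=Users,DC=example,DC=test"
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password
Enter the password:
Confirm the password:
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port 389
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl no
UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/server # up
UCSC(policy-mgr) /org/device-profile/security/ldap # up
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set session-timeout 30
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set refresh-period 3600
"""

if __name__ == "__main__":
    for line_number, message in lint_transcript(SAMPLE):
        print("line %d: %s" % (line_number, message))
```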
                                

                                Creating an LDAP Provider Group

                                Before You Begin

                                Create one or more LDAP providers.

                                Procedure
                                  Command or Action / Purpose
                                  Step 1  UCSC# connect policy-mgr
                                          Enters policy manager mode.
                                  Step 2  UCSC(policy-mgr)# scope org
                                          Enters organization mode for the specified organization.
                                  Step 3  UCSC(policy-mgr) /org # scope device-profile
                                          Enters device profile mode for the specified organization.
                                  Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                          Enters security mode.
                                  Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                          Enters security LDAP mode.
                                  Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group auth-server-group-name
                                          Creates an LDAP provider group and enters authentication server group security LDAP mode.
                                  Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap-provider-name
                                          Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.
                                  Step 8  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # set order order-num
                                          Specifies the order in which Cisco UCS Central uses this provider to authenticate users.
                                          Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
                                  Step 9  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # commit-buffer
                                          Commits the transaction to the system configuration.

                                  The following example shows how to create an LDAP provider group called ldapgroup, add two previously configured providers called ldap1 and ldap2 to the provider group, set the order, and commit the transaction:
                                  UCSC # connect policy-mgr
                                  UCSC(policy-mgr)# scope org
                                  UCSC(policy-mgr) /org# scope device-profile
                                  UCSC(policy-mgr) /org/device-profile # scope security
                                  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                  UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group ldapgroup
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap1
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 1
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # up
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap2
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 2
                                  UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # commit-buffer
                                  
                                  What to Do Next

                                  Configure an authentication domain.

                                  Creating an LDAP Group Map

                                  Before You Begin

                                  • Create an LDAP provider group.

                                  • Configure the distinguished name for the LDAP group in the LDAP server.

                                  • Create user locales in Cisco UCS Central (optional).

                                  • Create user roles in Cisco UCS Central (optional).

                                  Procedure
                                    Command or Action / Purpose
                                    Step 1  UCSC# connect policy-mgr
                                            Enters policy manager mode.
                                    Step 2  UCSC(policy-mgr)# scope org
                                            Enters organization mode for the specified organization.
                                    Step 3  UCSC(policy-mgr) /org # scope device-profile
                                            Enters device profile mode for the specified organization.
                                    Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                            Enters security mode.
                                    Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                            Enters security LDAP mode.
                                    Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group group-dn
                                            Creates an LDAP group map for the specified DN.
                                    Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale locale-name
                                            Maps the LDAP group to the specified locale.
                                    Step 8  UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role role-name
                                            Maps the LDAP group to the specified role.
                                    Step 9  UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer
                                            Commits the transaction to the system configuration.

                                    The following example shows how to map an LDAP group identified by its DN, set the locale to pacific, set the role to admin, and commit the transaction:
                                    UCSC # connect policy-mgr
                                    UCSC(policy-mgr)# scope org
                                    UCSC(policy-mgr) /org # scope device-profile
                                    UCSC(policy-mgr) /org/device-profile # scope security
                                    UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                    UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com
                                    UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale pacific
                                    UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role admin
                                    UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer
                                    UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group #
                                    What to Do Next

                                    Set the LDAP group rule.

                                    Deleting an LDAP Provider

                                    Procedure
                                      Command or Action / Purpose
                                      Step 1  UCSC# connect policy-mgr
                                              Enters policy manager mode.
                                      Step 2  UCSC(policy-mgr)# scope org
                                              Enters organization mode for the specified organization.
                                      Step 3  UCSC(policy-mgr) /org # scope device-profile
                                              Enters device profile mode for the specified organization.
                                      Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                              Enters security mode.
                                      Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                              Enters security LDAP mode.
                                      Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # delete server serv-name
                                              Deletes the specified server.
                                      Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                              Commits the transaction to the system configuration.

                                      The following example shows how to delete the LDAP server called ldap1 and commit the transaction:
                                      UCSC # connect policy-mgr
                                      UCSC(policy-mgr)# scope org
                                      UCSC(policy-mgr) /org # scope device-profile
                                      UCSC(policy-mgr) /org/device-profile # scope security
                                      UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                      UCSC(policy-mgr) /org/device-profile/security/ldap # delete server ldap1
                                      UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                      UCSC(policy-mgr) /org/device-profile/security/ldap #

                                      Deleting an LDAP Provider Group

                                      Procedure
                                        Command or Action / Purpose
                                        Step 1  UCSC# connect policy-mgr
                                                Enters policy manager mode.
                                        Step 2  UCSC(policy-mgr)# scope org
                                                Enters organization mode for the specified organization.
                                        Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                Enters device profile mode for the specified organization.
                                        Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                Enters security mode.
                                        Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                                Enters security LDAP mode.
                                        Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group auth-server-group-name
                                                Deletes the LDAP provider group.
                                        Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                                Commits the transaction to the system configuration.

                                        The following example shows how to delete an LDAP provider group called ldapgroup and commit the transaction:
                                        UCSC # connect policy-mgr
                                        UCSC(policy-mgr)# scope org
                                        UCSC(policy-mgr) /org # scope device-profile
                                        UCSC(policy-mgr) /org/device-profile # scope security
                                        UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                        UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group ldapgroup
                                        UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                        UCSC(policy-mgr) /org/device-profile/security/ldap #

                                        Deleting an LDAP Group Map

                                        Procedure
                                          Command or Action / Purpose
                                          Step 1  UCSC# connect policy-mgr
                                                  Enters policy manager mode.
                                          Step 2  UCSC(policy-mgr)# scope org
                                                  Enters organization mode for the specified organization.
                                          Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                  Enters device profile mode for the specified organization.
                                          Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                  Enters security mode.
                                          Step 5  UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                                  Enters security LDAP mode.
                                          Step 6  UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group group-dn
                                                  Deletes the LDAP group map for the specified DN.
                                          Step 7  UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                                  Commits the transaction to the system configuration.

                                          The following example shows how to delete an LDAP group map and commit the transaction:
                                          UCSC # connect policy-mgr
                                          UCSC(policy-mgr)# scope org
                                          UCSC(policy-mgr) /org# scope device-profile
                                          UCSC(policy-mgr) /org/device-profile # scope security
                                          UCSC(policy-mgr) /org/device-profile/security # scope ldap
                                          UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com
                                          UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
                                          

                                          Configuring an HTTPS Certificate

                                          Procedure
                                            Command or Action / Purpose
                                            Step 1  UCSC# connect policy-mgr
                                                    Enters policy manager mode.
                                            Step 2  UCSC(policy-mgr)# scope org
                                                    Enters organization mode for the specified organization.
                                            Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                    Enters device profile mode for the specified organization.
                                            Step 4  UCSC(policy-mgr) /org/device-profile # scope https
                                                    Enters the HTTPS service mode.
                                            Step 5  UCSC(policy-mgr) /org/device-profile/https # set keyring keyring-name
                                                    Creates and names the key ring.
                                            Step 6  UCSC(policy-mgr) /org/device-profile/security/https* # commit-buffer
                                                    Commits the transaction to the system configuration.

                                            The following example shows how to configure an HTTPS Certificate:
                                            UCSC # connect policy-mgr
                                            UCSC(policy-mgr)# scope org
                                            UCSC(policy-mgr) /org# scope device-profile
                                            UCSC(policy-mgr) /org/device-profile # scope https
                                            UCSC(policy-mgr) /org/device-profile/https # set keyring kr126
                                            UCSC(policy-mgr) /org/device-profile/https* # commit-buffer

                                            Creating a Trusted Point

                                            Procedure
                                              Command or Action / Purpose
                                              Step 1  UCSC# connect policy-mgr
                                                      Enters policy manager mode.
                                              Step 2  UCSC(policy-mgr)# scope org
                                                      Enters organization mode for the specified organization.
                                              Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                      Enters device profile mode for the specified organization.
                                              Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                      Enters security mode.
                                              Step 5  UCSC(policy-mgr) /org/device-profile/security # create trustpoint trust point name
                                                      Creates a trusted point. Provide a certificate name.
                                              Step 6  UCSC(policy-mgr) /org/device-profile/security/trustpoint* # set certchain [certificate chain]
                                                      Specifies certificate information for this trusted point.
                                                      If you do not specify certificate information in the command, you are prompted to enter a certificate or a list of trustpoints defining a certification path to the root certificate authority (CA). On the next line following your input, type ENDOFBUF to finish.

                                              The following example shows how to create a trusted point:
                                              UCSC # connect policy-mgr
                                              UCSC(policy-mgr)# scope org
                                              UCSC(policy-mgr) /org # scope device-profile
                                              UCSC(policy-mgr) /org/device-profile # scope security
                                              UCSC(policy-mgr) /org/device-profile/security # create trustpoint key01
                                              UCSC(policy-mgr) /org/device-profile/security/trustpoint* # set certchain
                                              >-----BEGIN CERTIFICATE-----
                                              >MIIDgzCCAmugAwIBAgIQeXUhz+ZtnrpK4x65oJkQZzANBgkqhkiG9w0BAQUFADBU
                                              >MSIwIAYDVQQDExlibHJxYXVjc2MtV0lOMjAxMi1JUFY2LUNBMB4XDTE0MDIyNjEy
                                              >-----END CERTIFICATE-----
                                              >ENDOFBUF
                                              UCSC(policy-mgr) /org/device-profile/security/trustpoint* # commit-buffer
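
A pre-flight check for the text pasted at the set certchain prompt, as an added example that is not part of the original guide: it verifies PEM framing, confirms that each block's DER length is complete (a cut-off paste is the usual failure), rejects private-key material, and appends the ENDOFBUF terminator. The function names are hypothetical and the sample blob is a constructed placeholder, not a real certificate.

```python
import base64
import re

# Terminator typed on the line after the pasted chain (from the procedure above).
END_MARKER = "ENDOFBUF"
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_declared_length(der: bytes) -> int:
    """Total size (header + body) announced by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("does not start with a DER SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or cut-off DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_chain(pem_text: str) -> list:
    """Return one problem string per defect; an empty list means the text is sane."""
    problems = []
    if "PRIVATE KEY-----" in pem_text:
        problems.append("private key material present; paste certificates only")
    begins = pem_text.count("-----BEGIN CERTIFICATE-----")
    ends = pem_text.count("-----END CERTIFICATE-----")
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        problems.append("no certificate block found")
    elif begins != ends or begins != len(blocks):
        problems.append("unbalanced BEGIN/END CERTIFICATE lines")
    for i, body in enumerate(blocks, 1):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            declared = der_declared_length(der)
        except ValueError as exc:          # binascii.Error is a ValueError
            problems.append(f"block {i}: {exc}")
            continue
        if declared != len(der):
            problems.append(
                f"block {i}: truncated or padded, DER announces "
                f"{declared} bytes but {len(der)} were decoded")
    return problems


def build_paste_buffer(pem_text: str) -> str:
    """Return the exact lines to paste, ending with ENDOFBUF, or raise."""
    problems = check_chain(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    return "\n".join(lines + [END_MARKER]) + "\n"


def constructed_pem(body_len: int = 300, drop_lines: int = 0) -> str:
    """Constructed placeholder: a DER SEQUENCE of zero bytes in PEM armor."""
    der = b"\x30\x82" + body_len.to_bytes(2, "big") + bytes(body_len)
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    if drop_lines:
        lines = lines[:-drop_lines]        # simulate a paste that lost its tail
    return "\n".join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


if __name__ == "__main__":
    chain = constructed_pem() + "\n" + constructed_pem(400)
    print(build_paste_buffer(chain), end="")
    print(check_chain(constructed_pem(drop_lines=2)))
```

The check is structural only: it does not validate signatures, validity dates or the path to the root CA.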
                                              

                                              Deleting a Trusted Point

                                              Before You Begin

                                              Ensure that a key ring is not using the trusted point.

                                              Procedure
                                                Command or Action / Purpose
                                                Step 1  UCSC# connect policy-mgr
                                                        Enters policy manager mode.
                                                Step 2  UCSC(policy-mgr)# scope org
                                                        Enters organization mode for the specified organization.
                                                Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                        Enters device profile mode for the specified organization.
                                                Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                        Enters security mode.
                                                Step 5  UCSC(policy-mgr) /org/device-profile/security # delete trustpoint trustpoint-name
                                                        Deletes the trusted point.
                                                Step 6  UCSC(policy-mgr) /org/device-profile/security # commit-buffer
                                                        Commits the transaction.

                                                The following example shows how to delete a trusted point:
                                                UCSC # connect policy-mgr
                                                UCSC(policy-mgr)# scope org
                                                UCSC(policy-mgr) /org# scope device-profile
                                                UCSC(policy-mgr) /org/device-profile # scope security
                                                UCSC(policy-mgr) /org/device-profile/security # delete trustpoint tp1
                                                UCSC(policy-mgr) /org/device-profile/security* #commit-buffer
                                                

                                                Creating a Key Ring

                                                Procedure
                                                  Command or Action / Purpose
                                                  Step 1  UCSC# connect policy-mgr
                                                          Enters policy manager mode.
                                                  Step 2  UCSC(policy-mgr)# scope org
                                                          Enters organization mode for the specified organization.
                                                  Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                          Enters device profile mode for the specified organization.
                                                  Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                          Enters security mode.
                                                  Step 5  UCSC(policy-mgr) /org/device-profile/security # create keyring keyring-name
                                                          Creates and names the key ring.
                                                  Step 6  UCSC(policy-mgr) /org/device-profile/security/keyring # set modulus mod2048
                                                          Sets the SSL key length in bits.
                                                  Step 7  UCSC(policy-mgr) /org/device-profile/security/keyring* # set trustpoint trustpoint-name
                                                          Sets a trust point within the key ring.
                                                  Step 8  UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer
                                                          Commits the transaction to the system configuration.

                                                  The following example shows how to create a key ring with a key size of 2048 bits:
                                                  UCSC # connect policy-mgr
                                                  UCSC(policy-mgr)# scope org
                                                  UCSC(policy-mgr) /org# scope device-profile
                                                  UCSC(policy-mgr) /org/device-profile # scope security
                                                  UCSC(policy-mgr) /org/device-profile/security # create keyring kr126
                                                  UCSC(policy-mgr) /org/device-profile/security/keyring* # set modulus mod2048
                                                  UCSC(policy-mgr) /org/device-profile/security/keyring* # set trustpoint tp1
                                                  UCSC(policy-mgr) /org/device-profile/security/keyring* #commit-buffer
                                                  

                                                  Deleting a Key Ring

                                                  Before You Begin

                                                  Ensure that the HTTPS service is not using the key ring.

                                                  Procedure
                                                    Command or Action / Purpose
                                                    Step 1  UCSC# connect policy-mgr
                                                            Enters policy manager mode.
                                                    Step 2  UCSC(policy-mgr)# scope org
                                                            Enters organization mode for the specified organization.
                                                    Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                            Enters device profile mode for the specified organization.
                                                    Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                            Enters security mode.
                                                    Step 5  UCSC(policy-mgr) /org/device-profile/security # delete keyring keyring name
                                                            Deletes the key ring.
                                                    Step 6  UCSC(policy-mgr) /org/device-profile/security # commit-buffer
                                                            Commits the transaction.

                                                    The following example shows how to delete a key ring:
                                                    UCSC # connect policy-mgr
                                                    UCSC(policy-mgr)# scope org
                                                    UCSC(policy-mgr) /org# scope device-profile
                                                    UCSC(policy-mgr) /org/device-profile # scope security
                                                    UCSC(policy-mgr) /org/device-profile/security # delete keyring kr126
                                                    UCSC(policy-mgr) /org/device-profile/security/keyring* #commit-buffer
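
The two "Before You Begin" conditions above (a trusted point must not be in use by a key ring, and a key ring must not be in use by the HTTPS service) can be checked against a planned command list before it is typed. The following is an added example, not Cisco code: the reference model (HTTPS service to key ring to trusted point), the function names and the sample sessions are assumptions, and each connect policy-mgr line is treated as the start of a fresh session.

```python
from dataclasses import dataclass, field


@dataclass
class State:
    """Assumed reference model: HTTPS service -> key ring -> trusted point."""
    https_keyring: str = "default"
    keyring_trustpoint: dict = field(default_factory=dict)


def commands(session: str):
    """Yield (line_no, argv); a leading CLI prompt (text up to '#') is dropped."""
    for no, raw in enumerate(session.splitlines(), 1):
        argv = (raw.split("#", 1)[1] if "#" in raw else raw).split()
        if argv:
            yield no, argv


def lint(session: str, state: State = None) -> list:
    """Return (line_no, message) findings for unsafe deletes and lost changes."""
    state = state or State()
    findings, ctx, pending, last = [], None, False, 0
    for no, argv in commands(session):
        verb, args, last = argv[0], argv[1:], no
        if verb == "connect":
            ctx = None                                   # new session, top scope
        elif verb == "commit-buffer":
            pending = False
        elif verb == "scope" and args:
            ctx = (args[0], args[1] if len(args) > 1 else None)
        elif verb in ("create", "set", "delete", "enable", "disable"):
            pending = True                               # prompt would show '*'
            if len(args) < 2:
                continue
            kind, name = args[0], args[1]
            if verb == "create":
                ctx = (kind, name)                       # create also enters the object
            elif verb == "set" and ctx and ctx[0] == "https" and kind == "keyring":
                state.https_keyring = name
            elif (verb == "set" and ctx and ctx[0] == "keyring" and ctx[1]
                  and kind == "trustpoint"):
                state.keyring_trustpoint[ctx[1]] = name
            elif verb == "delete" and kind == "keyring":
                if state.https_keyring == name:
                    findings.append(
                        (no, f"key ring {name} is still used by the HTTPS service"))
                else:
                    state.keyring_trustpoint.pop(name, None)
            elif verb == "delete" and kind == "trustpoint":
                users = sorted(k for k, tp in state.keyring_trustpoint.items()
                               if tp == name)
                if users:
                    findings.append(
                        (no, f"trusted point {name} is still used by key ring(s): "
                             + ", ".join(users)))
    if pending:
        findings.append((last, "session ends with uncommitted changes"))
    return findings


# Constructed sample sessions using the names from this page (kr126, tp1).
NAV = ["connect policy-mgr", "scope org", "scope device-profile"]
RISKY = "\n".join(
    NAV + ["scope security", "create keyring kr126", "set trustpoint tp1",
           "commit-buffer"]
    + NAV + ["scope https", "set keyring kr126", "commit-buffer"]
    + NAV + ["scope security",
             "UCSC(policy-mgr) /org/device-profile/security # delete trustpoint tp1",
             "UCSC(policy-mgr) /org/device-profile/security* # delete keyring kr126"])
SAFE = "\n".join(
    NAV + ["scope https", "set keyring default", "commit-buffer"]
    + NAV + ["scope security", "delete keyring kr126", "commit-buffer",
             "delete trustpoint tp1", "commit-buffer"])

if __name__ == "__main__":
    for line_no, message in lint(RISKY):
        print(f"line {line_no}: {message}")
```

For a real change, seed `State` with the key ring and trusted point assignments currently committed on the system instead of the defaults.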
                                                    

                                                    Creating a Certificate Request

                                                    Procedure
                                                      Command or Action / Purpose
                                                      Step 1  UCSC# connect policy-mgr
                                                              Enters policy manager mode.
                                                      Step 2  UCSC(policy-mgr)# scope org
                                                              Enters organization mode for the specified organization.
                                                      Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                              Enters device profile mode for the specified organization.
                                                      Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                              Enters security mode.
                                                      Step 5  UCSC(policy-mgr) /org/device-profile/security # scope keyring keyring-name
                                                              Enters the configuration mode for the key ring.
                                                      Step 6  UCSC(policy-mgr) /org/device-profile/security/keyring* # create certreq
                                                              Sets the SSL key length in bits.
                                                      Step 7  UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set country country name
                                                              Specifies the country code of the company.
                                                      Step 8  UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set dns DNS name
                                                              Specifies the Domain Name Server (DNS) address associated with the certificate request.
                                                      Step 9  UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set e-mail E-mail address
                                                              Specifies the e-mail address associated with the certificate request.
                                                      Step 10 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set ip { certificate request ipv4-address}
                                                              Specifies the IP address of the fabric interconnect.
                                                      Step 11 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set locality locality name
                                                              Specifies the city or town in which the company requesting the certificate is headquartered.
                                                      Step 12 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-name organization name
                                                              Specifies the organization requesting the certificate.
                                                      Step 13 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-unit-name organizational unit name
                                                              Specifies the organizational unit.
                                                      Step 14 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set password certificate request password
                                                              Specifies an optional password for the certificate request.
                                                      Step 15 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set state state, province or country
                                                              Specifies the state or province in which the company requesting the certificate is headquartered.
                                                      Step 16 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set subject-name certificate request name
                                                              Specifies the fully qualified domain name of the Fabric Interconnect.
                                                      Step 17 UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # commit-buffer
                                                              Commits the transaction.

                                                      The following example shows how to create a certificate request with an IPv4 address for a key ring, with advanced options:
                                                      UCSC # connect policy-mgr
                                                      UCSC(policy-mgr)# scope org
                                                      UCSC(policy-mgr) /org# scope device-profile
                                                      UCSC(policy-mgr) /org/device-profile # scope security
                                                      UCSC(policy-mgr) /org/device-profile/security # scope keyring 
                                                      UCSC(policy-mgr) /org/device-profile/security # create certreq 
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set ip 192.168.200.123
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set country US
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set dns bgl-samc-15A
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set e-mail test@gmail.com
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set locality san francisco
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-name "xyz"
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set org-unit-name Testing
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set state california
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* # set subject-name abc01
                                                      UCSC(policy-mgr) /org/device-profile/security/keyring/certreq* #commit-buffer
                                                      
                                                      What to Do Next

                                                      • Copy the text of the certificate request, including the BEGIN and END lines, and save it in a file. Send the file with the certificate request to a trust anchor or certificate authority to obtain a certificate for the key ring.

                                                      • Create a trusted point and set the certificate chain for the certificate of trust received from the trust anchor.

                                                      Regenerating the Default Key Ring

                                                      The default key ring certificate must be manually regenerated if the cluster name changes or the certificate expires.

                                                      Procedure
                                                        Command or Action / Purpose
                                                        Step 1  UCSC# connect policy-mgr
                                                                Enters policy manager mode.
                                                        Step 2  UCSC(policy-mgr)# scope org
                                                                Enters organization mode for the specified organization.
                                                        Step 3  UCSC(policy-mgr) /org # scope device-profile
                                                                Enters device profile mode for the specified organization.
                                                        Step 4  UCSC(policy-mgr) /org/device-profile # scope security
                                                                Enters security mode.
                                                        Step 5  UCSC(policy-mgr) /org/device-profile/security # scope keyring default
                                                                Enters key ring security mode for the default key ring.
                                                        Step 6  UCSC(policy-mgr) /org/device-profile/security/keyring # set regenerate yes
                                                                Regenerates the default key ring.
                                                        Step 7  UCSC(policy-mgr) /org/device-profile/security/keyring* # commit-buffer
                                                                Commits the transaction to the system configuration.

                                                        The following example shows how to regenerate a default key ring:
                                                        UCSC # connect policy-mgr
                                                        UCSC(policy-mgr)# scope org
                                                        UCSC(policy-mgr) /org# scope device-profile
                                                        UCSC(policy-mgr) /org/device-profile # scope security
                                                        UCSC(policy-mgr) /org/device-profile/security # scope keyring default
                                                        UCSC(policy-mgr) /org/device-profile/security/keyring* # set regenerate yes
                                                        UCSC(policy-mgr) /org/device-profile/security/keyring* #commit-buffer
                                                        

                                                        Remote Access Policies

                                                        Cisco UCS Central supports global remote access policies defining the interfaces monitoring policy, displaying SSH configuration status, and providing policy settings for HTTP, Telnet, web session limits and CIM XML.

                                                        Configuring HTTP

                                                        Configuring an HTTP Remote Access Policy

                                                        Before You Begin

                                                        Before configuring an HTTP remote access policy under a domain group, this policy must first be created. Policies under the Domain Groups root are already created by the system and are ready to configure.

                                                        Procedure
                                                          Command or Action / Purpose
                                                          Step 1  UCSC# connect policy-mgr
                                                                  Enters policy manager mode.
                                                          Step 2  UCSC(policy-mgr) # scope domain-group domain-group
                                                                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
                                                          Step 3  UCSC(policy-mgr) /domain-group # create http
                                                                  (Optional) If scoping into a domain group previously, creates the HTTP policy for that domain group.
                                                          Step 4  UCSC(policy-mgr) /domain-group # scope http
                                                                  (Optional) If scoping into the domain group root previously, scopes the default HTTP policy's configuration mode from the Domain Group root.
                                                          Step 5  UCSC(policy-mgr) /domain-group/http # enable | disable {http | http-redirect}
                                                                  Specifies whether the HTTP remote access policy is enabled or disabled in HTTP or HTTP-Redirect mode.
                                                          Step 6  UCSC(policy-mgr) /domain-group/http* # set http port port-number
                                                                  Specifies the HTTP service port number from the port range 1-65535.
                                                          Step 7  UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                                  Commits the transaction to the system configuration.

                                                          The following example shows how to scope into the domain group root (which has an existing HTTP policy by default), enable the HTTP remote access policy in HTTP redirect mode, set the HTTP service port to 1111, and commit the transaction:

                                                          UCSC # connect policy-mgr
                                                          UCSC(policy-mgr)# scope domain-group /
                                                          UCSC(policy-mgr) /domain-group # scope http
                                                          UCSC(policy-mgr) /domain-group/http # enable http-redirect
                                                          UCSC(policy-mgr) /domain-group/http* # set port 1111
                                                          UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                          UCSC(policy-mgr) /domain-group/http # 
                                                          
                                                          

                                                          The following example shows how to scope into the domain group domaingroup01, create the HTTP remote access policy and enable it in HTTP mode, set the HTTP service port to 222, and commit the transaction:

                                                          UCSC # connect policy-mgr
                                                          UCSC(policy-mgr)# scope domain-group domaingroup01
                                                          UCSC(policy-mgr) /domain-group # create http
                                                          UCSC(policy-mgr) /domain-group/http* # enable http
                                                          UCSC(policy-mgr) /domain-group/http* # set port 222
                                                          UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                          UCSC(policy-mgr) /domain-group/http # 
                                                          
                                                          

                                                          The following example shows how to scope into the domain group root (which has an existing HTTP policy by default), disable the HTTP remote access policy for HTTP redirect mode, and commit the transaction:

                                                          UCSC # connect policy-mgr
                                                          UCSC(policy-mgr)# scope domain-group /
                                                          UCSC(policy-mgr) /domain-group # scope http
                                                          UCSC(policy-mgr) /domain-group/http # disable http-redirect
                                                          UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                          UCSC(policy-mgr) /domain-group/http # 
                                                          
                                                          

                                                          The following example shows how to scope into the domain group domaingroup01, disable the HTTP remote access policy for HTTP mode, and commit the transaction:

                                                          UCSC # connect policy-mgr
                                                          UCSC(policy-mgr)# scope domain-group domaingroup01
                                                          UCSC(policy-mgr) /domain-group # scope http
                                                          UCSC(policy-mgr) /domain-group/http # disable http
                                                          UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                          UCSC(policy-mgr) /domain-group/http # 
                                                          
                                                          What to Do Next

                                                          Optionally, configure the following remote access policies:

                                                          • Telnet

                                                          • Web Session Limits

                                                          • CIM XML

                                                          • Interfaces Monitoring Policy

                                                          • SSH Configuration

                                                          Deleting an HTTP Remote Access Policy

                                                          An HTTP remote access policy can be deleted only from a domain group under the domain group root. HTTP remote access policies under the domain group root itself cannot be deleted.

                                                          Procedure
                                                            Step 1
                                                              Command or Action: UCSC# connect policy-mgr
                                                              Purpose: Enters policy manager mode.

                                                            Step 2
                                                              Command or Action: UCSC(policy-mgr)# scope domain-group domain-group
                                                              Purpose: Enters a domain group under the domain group root.
                                                              Note: Do not enter the domain group root itself. System default HTTP policies cannot be deleted under the domain group root.

                                                            Step 3
                                                              Command or Action: UCSC(policy-mgr) /domain-group # delete http
                                                              Purpose: Deletes the HTTP policy for that domain group.

                                                            Step 4
                                                              Command or Action: UCSC(policy-mgr) /domain-group/http* # commit-buffer
                                                              Purpose: Commits the transaction to the system configuration.

                                                             

                                                            The following example shows how to scope into the domain group domaingroup01, delete the HTTP policy for that domain group, and commit the transaction:

                                                            UCSC # connect policy-mgr
                                                            UCSC(policy-mgr)# scope domain-group domaingroup01
                                                            UCSC(policy-mgr) /domain-group/domain-group # delete http
                                                            UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                            UCSC(policy-mgr) /domain-group/domain-group # 
                                                            

                                                            Configuring Telnet

                                                            Configuring a Telnet Remote Access Policy

                                                            Before You Begin

                                                            Before you can configure a Telnet remote access policy under a domain group, the policy must first be created. Policies under the domain group root are already created by the system and are ready to configure.

                                                            Procedure
                                                              Step 1
                                                                Command or Action: UCSC# connect policy-mgr
                                                                Purpose: Enters policy manager mode.

                                                              Step 2
                                                                Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
                                                                Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                              Step 3
                                                                Command or Action: UCSC(policy-mgr) /domain-group # create telnetd   (Optional)
                                                                Purpose: If you scoped into a domain group in the previous step, creates the Telnet policy for that domain group.

                                                              Step 4
                                                                Command or Action: UCSC(policy-mgr) /domain-group # scope telnetd   (Optional)
                                                                Purpose: If you scoped into the domain group root in the previous step, enters the configuration mode of the default Telnet policy under the domain group root.

                                                              Step 5
                                                                Command or Action: UCSC(policy-mgr) /domain-group/telnetd* # enable | disable telnet-server
                                                                Purpose: Enables or disables Telnet server services.

                                                              Step 6
                                                                Command or Action: UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                                Purpose: Commits the transaction to the system configuration.

                                                               

                                                              The following example shows how to scope into the domain group root (which has an existing Telnet policy by default), enable Telnet server services, and commit the transaction:

                                                              UCSC # connect policy-mgr
                                                              UCSC(policy-mgr)# scope domain-group /
                                                              UCSC(policy-mgr) /domain-group # scope telnetd
                                                              UCSC(policy-mgr) /domain-group/telnetd # enable telnet-server
                                                              UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                              UCSC(policy-mgr) /domain-group/telnetd # 
                                                              
                                                              

                                                              The following example shows how to scope into the domain group domaingroup01, create a Telnet policy, enable Telnet server services, and commit the transaction:

                                                              UCSC # connect policy-mgr
                                                              UCSC(policy-mgr)# scope domain-group domaingroup01
                                                              UCSC(policy-mgr) /domain-group # create telnetd
                                                              UCSC(policy-mgr) /domain-group/telnetd* # enable telnet-server
                                                              UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                              UCSC(policy-mgr) /domain-group/telnetd # 
                                                              
                                                              

                                                              The following example shows how to scope into the domain group root (which has an existing Telnet policy by default), disable Telnet server services, and commit the transaction:

                                                              UCSC # connect policy-mgr
                                                              UCSC(policy-mgr)# scope domain-group /
                                                              UCSC(policy-mgr) /domain-group # scope telnetd
                                                              UCSC(policy-mgr) /domain-group/telnetd # disable telnet-server
                                                              UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                              UCSC(policy-mgr) /domain-group/telnetd #
                                                               
                                                              

                                                              The following example shows how to scope into the domain group domaingroup01, disable Telnet server services, and commit the transaction:

                                                              UCSC # connect policy-mgr
                                                              UCSC(policy-mgr)# scope domain-group domaingroup01
                                                              UCSC(policy-mgr) /domain-group # scope telnetd
                                                              UCSC(policy-mgr) /domain-group/telnetd # disable telnet-server
                                                              UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                              UCSC(policy-mgr) /domain-group/telnetd # 
                                                              
                                                              What to Do Next

                                                              Optionally, configure the following remote access policies:

                                                              • HTTP

                                                              • Web Session Limits

                                                              • CIM XML

                                                              • Interfaces Monitoring Policy

                                                              • SSH Configuration

                                                              Deleting a Telnet Remote Access Policy

                                                              A Telnet remote access policy can be deleted only from a domain group under the domain group root. Telnet remote access policies under the domain group root itself cannot be deleted.

                                                              Procedure
                                                                Step 1
                                                                  Command or Action: UCSC# connect policy-mgr
                                                                  Purpose: Enters policy manager mode.

                                                                Step 2
                                                                  Command or Action: UCSC(policy-mgr)# scope domain-group domain-group
                                                                  Purpose: Enters a domain group under the domain group root.
                                                                  Note: Do not enter the domain group root itself. System default Telnet policies cannot be deleted under the domain group root.

                                                                Step 3
                                                                  Command or Action: UCSC(policy-mgr) /domain-group # delete telnetd
                                                                  Purpose: Deletes the Telnet policy for that domain group.

                                                                Step 4
                                                                  Command or Action: UCSC(policy-mgr) /domain-group/telnetd* # commit-buffer
                                                                  Purpose: Commits the transaction to the system configuration.

                                                                 

                                                                The following example shows how to scope into the domain group domaingroup01, delete the Telnet policy for that domain group, and commit the transaction:

                                                                UCSC # connect policy-mgr
                                                                UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                UCSC(policy-mgr) /domain-group/domain-group # delete telnetd
                                                                UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                UCSC(policy-mgr) /domain-group/domain-group # 
                                                                

                                                                Configuring Web Session Limits

                                                                Configuring a Web Session Limits Remote Access Policy

                                                                Before You Begin

                                                                Before you can configure a web session limits remote access policy under a domain group, the policy must first be created. Policies under the domain group root are already created by the system and are ready to configure.

                                                                Procedure
                                                                  Step 1
                                                                    Command or Action: UCSC# connect policy-mgr
                                                                    Purpose: Enters policy manager mode.

                                                                  Step 2
                                                                    Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
                                                                    Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                  Step 3
                                                                    Command or Action: UCSC(policy-mgr) /domain-group # create web-session-limits   (Optional)
                                                                    Purpose: If you scoped into a domain group in the previous step, creates the web session limits policy for that domain group.

                                                                  Step 4
                                                                    Command or Action: UCSC(policy-mgr) /domain-group # scope web-session-limits   (Optional)
                                                                    Purpose: If you scoped into the domain group root in the previous step, enters the configuration mode of the default web session limits policy under the domain group root.

                                                                  Step 5
                                                                    Command or Action: UCSC(policy-mgr) /domain-group/web-session-limits* # set sessionsperuser sessions-per-user
                                                                    Purpose: Sets the sessions per user limit (1-256).

                                                                  Step 6
                                                                    Command or Action: UCSC(policy-mgr) /domain-group/web-session-limits* # set totalsessions total-sessions
                                                                    Purpose: Sets the total sessions limit (1-256).

                                                                  Step 7
                                                                    Command or Action: UCSC(policy-mgr) /domain-group/web-session-limits* # commit-buffer
                                                                    Purpose: Commits the transaction to the system configuration.

                                                                   

                                                                  The following example shows how to scope into the domain group root (which has an existing web sessions limit policy by default), set the sessions per user limit to 12 sessions, set the total sessions limit to 144 sessions, and commit the transaction:

                                                                  UCSC # connect policy-mgr
                                                                  UCSC(policy-mgr)# scope domain-group /
                                                                  UCSC(policy-mgr) /domain-group # scope web-session-limits
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits # set sessionsperuser 12
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits* # set totalsessions 144
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits* # commit-buffer
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits # 
                                                                  
                                                                  

                                                                  The following example shows how to scope into the domain group domaingroup01, create a web sessions limit policy, set the sessions per user limit to 12 sessions, set the total sessions limit to 144 sessions, and commit the transaction:

                                                                  UCSC # connect policy-mgr
                                                                  UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                  UCSC(policy-mgr) /domain-group # create web-session-limits
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits* # set sessionsperuser 12
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits* # set totalsessions 144
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits* # commit-buffer
                                                                  UCSC(policy-mgr) /domain-group/web-session-limits # 
                                                                  
                                                                  What to Do Next

                                                                  Optionally, configure the following remote access policies:

                                                                  • HTTP

                                                                  • Telnet

                                                                  • CIM XML

                                                                  • Interfaces Monitoring Policy

                                                                  Deleting a Web Session Limits Remote Access Policy

                                                                  A web session limits remote access policy can be deleted only from a domain group under the domain group root. Web session limits remote access policies under the domain group root itself cannot be deleted.

                                                                  Procedure
                                                                    Step 1
                                                                      Command or Action: UCSC# connect policy-mgr
                                                                      Purpose: Enters policy manager mode.

                                                                    Step 2
                                                                      Command or Action: UCSC(policy-mgr)# scope domain-group domain-group
                                                                      Purpose: Enters a domain group under the domain group root.
                                                                      Note: Do not enter the domain group root itself. System default web session limits policies cannot be deleted under the domain group root.

                                                                    Step 3
                                                                      Command or Action: UCSC(policy-mgr) /domain-group # delete web-session-limits
                                                                      Purpose: Deletes the web session limits policy for that domain group.

                                                                    Step 4
                                                                      Command or Action: UCSC(policy-mgr) /domain-group/web-session-limits* # commit-buffer
                                                                      Purpose: Commits the transaction to the system configuration.

                                                                     

                                                                    The following example shows how to scope into the domain group domaingroup01, delete a web sessions limit policy, and commit the transaction:

                                                                    UCSC # connect policy-mgr
                                                                    UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                    UCSC(policy-mgr) /domain-group # delete web-session-limits
                                                                    UCSC(policy-mgr) /domain-group/web-session-limits* # commit-buffer
                                                                    UCSC(policy-mgr) /domain-group/web-session-limits # 
                                                                    

                                                                    Configuring CIM XML

                                                                    Configuring a CIM XML Remote Access Policy

                                                                    Before You Begin

                                                                    Before you can configure a CIM XML remote access policy under a domain group, the policy must first be created. Policies under the domain group root are already created by the system and are ready to configure.

                                                                    Procedure
                                                                      Step 1
                                                                        Command or Action: UCSC# connect policy-mgr
                                                                        Purpose: Enters policy manager mode.

                                                                      Step 2
                                                                        Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
                                                                        Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                      Step 3
                                                                        Command or Action: UCSC(policy-mgr) /domain-group # create cimxml   (Optional)
                                                                        Purpose: If you scoped into a domain group in the previous step, creates the CIM XML policy for that domain group.

                                                                      Step 4
                                                                        Command or Action: UCSC(policy-mgr) /domain-group # scope cimxml   (Optional)
                                                                        Purpose: If you scoped into the domain group root in the previous step, enters the configuration mode of the default CIM XML policy under the domain group root.

                                                                      Step 5
                                                                        Command or Action: UCSC(policy-mgr) /domain-group/cimxml # enable cimxml
                                                                        Purpose: Enables CIM XML mode.

                                                                      Step 6
                                                                        Command or Action: UCSC(policy-mgr) /domain-group/cimxml* # commit-buffer
                                                                        Purpose: Commits the transaction to the system configuration.

                                                                       

                                                                      The following example shows how to scope into the domain group root (which has an existing CIM XML policy by default), enable CIM XML mode, and commit the transaction:

                                                                      UCSC # connect policy-mgr
                                                                      UCSC(policy-mgr)# scope domain-group /
                                                                      UCSC(policy-mgr) /domain-group # scope cimxml
                                                                      UCSC(policy-mgr) /domain-group/cimxml # enable cimxml
                                                                      UCSC(policy-mgr) /domain-group/cimxml* # commit-buffer
                                                                      UCSC(policy-mgr) /domain-group/cimxml # 
                                                                      
                                                                      

                                                                      The following example shows how to scope into the domain group domaingroup01, create a CIM XML policy, enable CIM XML mode, and commit the transaction:

                                                                      UCSC # connect policy-mgr
                                                                      UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                      UCSC(policy-mgr) /domain-group # create cimxml
                                                                      UCSC(policy-mgr) /domain-group/cimxml* # enable cimxml
                                                                      UCSC(policy-mgr) /domain-group/cimxml* # commit-buffer
                                                                      UCSC(policy-mgr) /domain-group/cimxml # 
                                                                      
                                                                      What to Do Next

                                                                      Optionally, configure the following remote access policies:

                                                                      • HTTP

                                                                      • Telnet

                                                                      • Web Session Limits

                                                                      • Interfaces Monitoring Policy

                                                                      Deleting a CIM XML Remote Access Policy

                                                                      A CIM XML remote access policy can be deleted only from a domain group under the domain group root. CIM XML remote access policies under the domain group root itself cannot be deleted.

                                                                      Procedure
                                                                        Step 1
                                                                          Command or Action: UCSC# connect policy-mgr
                                                                          Purpose: Enters policy manager mode.

                                                                        Step 2
                                                                          Command or Action: UCSC(policy-mgr)# scope domain-group domain-group
                                                                          Purpose: Enters a domain group under the domain group root.
                                                                          Note: Do not enter the domain group root itself. System default CIM XML policies cannot be deleted under the domain group root.

                                                                        Step 3
                                                                          Command or Action: UCSC(policy-mgr) /domain-group # delete cimxml
                                                                          Purpose: Deletes the CIM XML policy for that domain group.

                                                                        Step 4
                                                                          Command or Action: UCSC(policy-mgr) /domain-group/cimxml* # commit-buffer
                                                                          Purpose: Commits the transaction to the system configuration.

                                                                         

                                                                        The following example shows how to scope into the domain group domaingroup01, delete the CIM XML policy, and commit the transaction:

                                                                        UCSC # connect policy-mgr
                                                                        UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                        UCSC(policy-mgr) /domain-group # delete cimxml
                                                                        UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                        UCSC(policy-mgr) /domain-group # 
                                                                        

                                                                        Configuring Interfaces Monitoring

                                                                        Configuring an Interfaces Monitoring Remote Access Policy

                                                                        Before You Begin

                                                                        Before you configure an interfaces monitoring remote access policy under a domain group, the policy must first be created. Policies under the Domain Groups root were already created by the system and are ready to configure.

                                                                        Procedure
                                                                          Command or Action    Purpose

                                                                          Step 1  UCSC# connect policy-mgr

                                                                          Enters policy manager mode.

                                                                          Step 2  UCSC(policy-mgr) # scope domain-group domain-group

                                                                          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                          Step 3  UCSC(policy-mgr) /domain-group # create mgmt-if-mon-policy

                                                                          (Optional) If scoping into a domain group previously, creates the management interface monitor policy for that domain group.

                                                                          Step 4  UCSC(policy-mgr) /domain-group # scope mgmt-if-mon-policy

                                                                          (Optional) If scoping into the domain group root previously, scopes the default management interface monitors policy's configuration mode from the Domain Group root.

                                                                          Step 5  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set admin-state enabled | disabled

                                                                          Enables or disables the administrator status mode.

                                                                          Step 6  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set arp-deadline arp-response-deadline

                                                                          Enter the deadline time in minutes to wait for ARP responses (5-15).

                                                                          Step 7  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set arp-requests arp-requests

                                                                          Enter the number of ARP requests (1-5).

                                                                          Step 8  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set arp-target1 arp-ip-target-1

                                                                          Enter the ARP IP Target1 (in format 0.0.0.0) to remove.

                                                                          Step 9  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set arp-target2 arp-ip-target-2

                                                                          Enter the ARP IP Target2 (in format 0.0.0.0) to remove.

                                                                          Step 10  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set arp-target3 arp-ip-target-3

                                                                          Enter the ARP IP Target3 (in format 0.0.0.0) to remove.

                                                                          Step 11  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set max-fail-reports max-fail-reports

                                                                          Enter the number of failure reports at which the interface is to be marked as down (2-5).

                                                                          Step 12  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set mii-retry-count mii-retry-count

                                                                          Enter the maximum number of retries when using the Media Independent Interface (MII) status to perform monitoring (1-3).

                                                                          Step 13  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set mii-retry-interval mii-retry-interval

                                                                          Enter the interval between MII status monitoring retries (3-10).

                                                                          Step 14  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set monitor-mechanism mii-status | ping-arp-targets | ping-getaway

                                                                          Enter the MII monitoring mechanism of MII Status (mii-status), Ping ARP Targets (ping-arp-targets), or Ping Getaway (ping-getaway).

                                                                          Step 15  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set ping-deadline ping-deadline

                                                                          Enter the deadline time to wait for ping responses (5-15).

                                                                          Step 16  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set ping-requests ping-requests

                                                                          Enter the number of ping requests (1-5).

                                                                          Step 17  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set poll-interval poll-interval

                                                                          Enter the polling interval in seconds (90-300).

                                                                          Step 18  UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # commit-buffer

                                                                          Commits the transaction to the system configuration.

                                                                           

                                                                          The following example shows how to scope into the domain group root (which has an existing Management Interfaces Monitoring policy by default), enable Management Interfaces Monitoring mode, enter the status settings, and commit the transaction:

                                                                          UCSC # connect policy-mgr
                                                                          UCSC(policy-mgr)# scope domain-group /
                                                                          UCSC(policy-mgr) /domain-group # scope mgmt-if-mon-policy
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # set admin-state enabled
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-deadline 5
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-requests 1
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target1 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target2 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target3 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set max-fail-reports 2
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set mii-retry-count 1
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set mii-retry-interval 3
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set monitor-mechanism ping-getaway
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set ping-deadline 5
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set ping-requests 1
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set poll-interval 90
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # commit-buffer
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # 
                                                                          
                                                                          

                                                                          The following example shows how to scope into the domain group domaingroup01, create the Management Interfaces Monitoring policy, enter the status settings, and commit the transaction:

                                                                          UCSC # connect policy-mgr
                                                                          UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                          UCSC(policy-mgr) /domain-group # create mgmt-if-mon-policy
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set admin-state enabled
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-deadline 15
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-requests 5
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target1 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target2 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set arp-target3 0.0.0.0
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set max-fail-reports 5
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set mii-retry-count 3
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set mii-retry-interval 10
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set monitor-mechanism ping-getaway
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set ping-deadline 15
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set ping-requests 5
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # set poll-interval 300
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy* # commit-buffer
                                                                          UCSC(policy-mgr) /domain-group/mgmt-if-mon-policy # 
                                                                          
                                                                          What to Do Next

                                                                          Optionally, configure the following remote access policies:

                                                                          • HTTP

                                                                          • Telnet

                                                                          • Web Session Limits

                                                                          • CIM XML

                                                                          Deleting an Interfaces Monitoring Remote Access Policy

                                                                          An interfaces monitoring remote access policy is deleted from a domain group under the domain group root. Interfaces monitoring remote access policies under the domain groups root cannot be deleted.

                                                                          Procedure
                                                                            Command or Action    Purpose

                                                                            Step 1  UCSC# connect policy-mgr

                                                                            Enters policy manager mode.

                                                                            Step 2  UCSC(policy-mgr)# scope domain-group domain-group

                                                                            Enters a domain group under the domain group root.

                                                                            Note: Do not enter the domain group root itself. System default Management Interfaces Monitoring policies cannot be deleted under the domain group root.

                                                                            Step 3  UCSC(policy-mgr) /domain-group # delete mgmt-if-mon-policy

                                                                            Deletes the Management Interfaces Monitoring policy for that domain group.

                                                                            Step 4  UCSC(policy-mgr) /domain-group* # commit-buffer

                                                                            Commits the transaction to the system configuration.

                                                                             

                                                                            The following example shows how to scope into the domain group domaingroup01, delete the Management Interfaces Monitoring policy, and commit the transaction:

                                                                            UCSC # connect policy-mgr
                                                                            UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                            UCSC(policy-mgr) /domain-group # delete mgmt-if-mon-policy
                                                                            UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                            UCSC(policy-mgr) /domain-group # 
                                                                            

                                                                            Authentication Services

                                                                            Cisco UCS Central uses LDAP for native authentication, and RADIUS and TACACS+ for remote authentication.

                                                                            Guidelines and Recommendations for Remote Authentication Providers

                                                                            If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Central can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:

                                                                            User Accounts in Remote Authentication Services

                                                                            User accounts can exist locally in Cisco UCS Central or in the remote authentication server. The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Central GUI or Cisco UCS Central CLI.

                                                                            User Roles in Remote Authentication Services

                                                                            If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Central and that the names of those roles match the names used in Cisco UCS Central. Depending on the role policy, a user may not be allowed to log in or will be granted only read-only privileges.

                                                                            Local and Remote User Authentication Support

                                                                            Cisco UCS Central uses LDAP for remote authentication, but excludes RADIUS and TACACS+ authentication in this release. However, RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains.

                                                                            User Attributes in Remote Authentication Providers

                                                                            When a user logs in, Cisco UCS Central does the following:

                                                                            1. Queries the remote authentication service.

                                                                            2. Validates the user.

                                                                            3. If the user is validated, checks for the roles and locales assigned to that user.

                                                                            The following table contains a comparison of the user attribute requirements for the remote authentication providers supported by Cisco UCS Central.

                                                                            Table 1 Comparison of User Attributes by Remote Authentication Provider

                                                                            Authentication Provider: LDAP

                                                                            Custom Attribute: Optional

                                                                            Schema Extension: Optional. You can choose to do either of the following:

                                                                            • Do not extend the LDAP schema and configure an existing, unused attribute that meets the requirements.

                                                                            • Extend the LDAP schema and create a custom attribute with a unique name, such as CiscoAVPair.

                                                                            Attribute ID Requirements: The Cisco LDAP implementation requires a unicode type attribute.

                                                                            If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1

                                                                            A sample OID is provided in the following section.

                                                                            Sample OID for LDAP User Attribute

                                                                            The following is a sample OID for a custom CiscoAVPair attribute:

                                                                            CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
                                                                            objectClass: top
                                                                            objectClass: attributeSchema
                                                                            cn: CiscoAVPair
                                                                            distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
                                                                            instanceType: 0x4
                                                                            uSNCreated: 26318654
                                                                            attributeID: 1.3.6.1.4.1.9.287247.1
                                                                            attributeSyntax: 2.5.5.12
                                                                            isSingleValued: TRUE
                                                                            showInAdvancedViewOnly: TRUE
                                                                            adminDisplayName: CiscoAVPair
                                                                            adminDescription: UCS User Authorization Field
                                                                            oMSyntax: 64
                                                                            lDAPDisplayName: CiscoAVPair
                                                                            name: CiscoAVPair
                                                                            objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
                                                                            

                                                                            LDAP Providers

                                                                            You can configure remote users and assign roles and locales from Cisco UCS Central in the same way that you create LDAP users from Cisco UCS Manager. You should always create the LDAP provider from the Cisco UCS Central Domain Group root.

                                                                            LDAP Provider Groups

                                                                            You can define up to 28 LDAP provider groups and nest them up to as many levels as the Active Directory supports for nesting in Cisco UCS Central. When you assign a provider to a nested group, even if the provider is a member of a different LDAP group, it becomes an authenticated member of the parent nested group. During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.

                                                                            Creating an LDAP Provider

                                                                            Cisco UCS Central supports a maximum of 16 LDAP providers.

                                                                            Before You Begin

                                                                            If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.

                                                                            • In the LDAP server, perform one of the following configurations:

                                                                              • Configure LDAP groups. LDAP groups contain user role and locale information.

                                                                              • Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose whether to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute.

                                                                                The Cisco LDAP implementation requires a unicode type attribute.

                                                                                If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1

                                                                              • For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.

                                                                            • If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Central.
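A pre-flight check for the values entered in the procedure that follows, as an added example (not Cisco code): it applies the limits this section states for server-name, attribute, basedn, binddn, filter and password, plus the 16-provider maximum. The LdapProvider container, the function names and all sample values are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

MAX_DN_LEN = 255            # page: limit for bind DN, and for base DN plus CN=username
MAX_PROVIDERS = 16          # page: maximum number of LDAP providers
FORBIDDEN_PW = set(" §?=")  # page: characters not allowed in the bind password


@dataclass
class LdapProvider:
    """Planned values for one 'create server' block (hypothetical container)."""
    server_name: str
    binddn: str
    password: str
    basedn: str = ""
    attribute: str = ""
    filter: str = ""
    ssl: bool = False


def is_ip_literal(name):
    """True for an IPv4 or IPv6 address, False for a hostname."""
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False


def check_provider(p, *, longest_username, cert_cns=(), dns_configured=False,
                   defaults=frozenset()):
    """Return findings for one provider; an empty list means the values fit.

    cert_cns: Common Names read from the LDAP server certificate by the caller.
    defaults: fields ('attribute', 'basedn', 'filter') that already have a default.
    """
    findings = []

    # A hostname needs a DNS server; an IPv4 or IPv6 literal does not.
    if not is_ip_literal(p.server_name) and not dns_configured:
        findings.append("server-name is a hostname but no DNS server is configured")

    # With SSL enabled, server-name must exactly match a CN in the certificate.
    if p.ssl and p.server_name not in cert_cns:
        findings.append("SSL is enabled but server-name matches no certificate CN")

    # attribute, basedn and filter are required unless a default has been set.
    for field in ("attribute", "basedn", "filter"):
        if not getattr(p, field) and field not in defaults:
            findings.append(f"{field} is empty and no default is set")

    # Base DN budget: 255 characters minus the length of CN=<username>.
    budget = MAX_DN_LEN - len("CN=" + longest_username)
    if len(p.basedn) > budget:
        findings.append(f"basedn is {len(p.basedn)} characters; limit is {budget}")

    # Bind DN: at most 255 ASCII characters.
    if len(p.binddn) > MAX_DN_LEN or not p.binddn.isascii():
        findings.append("binddn must be at most 255 ASCII characters")

    # Password: printable ASCII only, excluding the forbidden set.
    # Only the count is reported so the finding never echoes the secret.
    bad = sum(1 for c in p.password
              if c in FORBIDDEN_PW or not (0x20 <= ord(c) <= 0x7E))
    if bad:
        findings.append(f"password contains {bad} disallowed character(s)")
    return findings


def check_all(providers, **ctx):
    """Check every planned provider; key '*' holds findings about the whole set."""
    report = {p.server_name: check_provider(p, **ctx) for p in providers}
    if len(providers) > MAX_PROVIDERS:
        report["*"] = [f"{len(providers)} providers planned; maximum is {MAX_PROVIDERS}"]
    return report


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    planned = LdapProvider(
        server_name="ldap01",                      # short name, not the certificate CN
        binddn="CN=ucsbind,OU=Svc,DC=example,DC=test",
        password="pa ss=1?",                       # contains space, '=' and '?'
        basedn="DC=example,DC=test",
        attribute="CiscoAVPair",
        filter="sAMAccountName=$userid",
        ssl=True,
    )
    for finding in check_provider(planned, longest_username="jdoe",
                                  cert_cns=("ldap01.example.test",)):
        print("FINDING:", finding)
```
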

                                                                            Procedure
                                                                               Command or ActionPurpose
                                                                              Step 1UCSC# connect policy-mgr  

                                                                              Enters policy manager mode.

                                                                               
                                                                              Step 2UCSC(policy-mgr) # scope domain-group domain-group  

                                                                              Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                               
                                                                              Step 3UCSC(policy-mgr) /domain-group # scope security  

                                                                              Enters security mode.

                                                                               
                                                                              Step 4UCSC(policy-mgr) /domain-group/security # scope ldap  

                                                                              Enters security LDAP mode.

                                                                               
                                                                              Step 5UCSC(policy-mgr) /domain-group/security/ldap # create server server-name  

                                                                              Creates an LDAP server instance and enters security LDAP server mode. If SSL is enabled, the server-name , typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. If you use a hostname rather than an IPv4 or IPv6 address, you must configure a DNS server. If the Cisco UCS domain is not registered with Cisco UCS Central or DNS management is set to local, configure a DNS server in Cisco UCS Manager. If the Cisco UCS domain is registered with Cisco UCS Central and DNS management is set to global, configure a DNS server in Cisco UCS Central..

                                                                               
                                                                              Step 6UCSC(policy-mgr) /domain-group/security/ldap/server* # set attribute attribute   (Optional)

                                                                              An LDAP attribute that stores the values for the user roles and locales. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

                                                                              If you do not want to extend your LDAP schema, you can configure an existing, unused LDAP attribute with the Cisco UCS roles and locales. Alternatively, you can create an attribute named CiscoAVPair in the remote authentication service with the following attribute ID: 1.3.6.1.4.1.9.287247.1

                                                                              This value is required unless a default attribute has been set on the LDAP General tab.

                                                                               
                                                                              Step 7UCSC(policy-mgr) /domain-group/security/ldap/server* # set basedn basedn-name  

                                                                              The specific distinguished name in the LDAP hierarchy where the server should begin a search when a remote user logs in and the system attempts to get the user's DN based on their username. The length of the base DN can be set to a maximum of 255 characters minus the length of CN=username, where username identifies the remote user attempting to access Cisco UCS Manager using LDAP authentication.

                                                                              This value is required unless a default base DN has been set on the LDAP General tab.

                                                                               
Step 8: UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn binddn-name

                                                                              The distinguished name (DN) for an LDAP database account that has read and search permissions for all objects under the base DN.

                                                                              The maximum supported string length is 255 ASCII characters.

                                                                               
Step 9: UCSC(policy-mgr) /domain-group/security/ldap/server* # set filter filter-value

                                                                              The LDAP search is restricted to those user names that match the defined filter.

                                                                              This value is required unless a default filter has been set on the LDAP General tab.

                                                                               
Step 10: UCSC(policy-mgr) /domain-group/security/ldap/server* # set password

                                                                              The password for the LDAP database account specified in the Bind DN field. You can enter any standard ASCII characters except for space, § (section sign), ? (question mark), or = (equal sign).

                                                                              To set the password, press Enter after typing the set password command and enter the key value at the prompt.

                                                                               
Step 11: UCSC(policy-mgr) /domain-group/security/ldap/server* # set order order-num

                                                                              The order in which Cisco UCS Central uses this provider to authenticate users.

                                                                               
Step 12: UCSC(policy-mgr) /domain-group/security/ldap/server* # set port port-num

                                                                              The port through which Cisco UCS Central communicates with the LDAP database. The standard port number is 389.

                                                                               
Step 13: UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl {yes | no}

                                                                              Enables or disables the use of encryption when communicating with the LDAP server. The options are as follows:

• yes: Encryption is required. If encryption cannot be negotiated, the connection fails.

• no: Encryption is disabled. Authentication information is sent as clear text.

                                                                              LDAP uses STARTTLS. This allows encrypted communication using port 389.

                                                                               
Step 14: UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout timeout-num

                                                                              The length of time in seconds the system should spend trying to contact the LDAP database before it times out.

                                                                              Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value specified on the LDAP General tab. The default is 30 seconds.

                                                                               
Step 15: UCSC(policy-mgr) /domain-group/security/ldap/server* # set vendor

                                                                              Specifies the vendor for the LDAP group.

• ms-ad: To specify Microsoft Active Directory, enter ms-ad.

• openldap: To specify an OpenLDAP server, enter openldap.

                                                                               
Step 16: UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer

                                                                              Commits the transaction to the system configuration.

                                                                               

The following example shows how to create an LDAP server instance named 10.193.169.246, configure the binddn, password, order, port, SSL, and timeout settings, and commit the transaction:

                                                                              UCSC # connect policy-mgr
                                                                              UCSC(policy-mgr)# scope domain-group
                                                                              UCSC(policy-mgr) /domain-group # scope security
                                                                              UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                              UCSC(policy-mgr) /domain-group/security/ldap # create server 10.193.169.246
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set password
                                                                              Enter the password:
                                                                              Confirm the password:
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set order 2
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set port 389
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl yes
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout 30
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer
                                                                              UCSC(policy-mgr) /domain-group/security/ldap/server # 
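The limits stated in the steps above (clear-text authentication with ssl no, the exact CN match, the timeout range, the DN lengths) can be checked against a saved CLI transcript before a change is approved. The following is an added example, not Cisco code: the function names, the finding codes, the longest_username default, and the SAMPLE transcript are assumptions made for illustration.

```python
import re
import shlex

# Matches "UCSC # cmd", "UCSC(policy-mgr)# cmd" and "UCSC(policy-mgr) /scope* # cmd".
PROMPT = re.compile(r"^\s*UCSC\S*(?:\s+\S+)?\s*#\s*(.*)$")

# The provider example from this page (password prompts omitted).
PAGE_EXAMPLE = '''
UCSC(policy-mgr) /domain-group/security/ldap # create server 10.193.169.246
UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /domain-group/security/ldap/server* # set password
UCSC(policy-mgr) /domain-group/security/ldap/server* # set order 2
UCSC(policy-mgr) /domain-group/security/ldap/server* # set port 389
UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl yes
UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout 30
UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer
'''

# Constructed transcript (not from the page) with two settings worth flagging.
SAMPLE = '''
UCSC(policy-mgr) /domain-group/security/ldap # create server ldap.example.test
UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn "cn=svc-ucs,cn=Users,DC=example,DC=test"
UCSC(policy-mgr) /domain-group/security/ldap/server* # set basedn "DC=example,DC=test"
UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl no
UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout 90
UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer
'''


def parse_providers(transcript):
    """Return {server_name: {"settings": {...}, "committed": bool}}."""
    providers, current = {}, None
    for line in transcript.splitlines():
        match = PROMPT.match(line)
        if not match or not match.group(1).strip():
            continue  # password prompts, blank lines, bare prompts
        try:
            words = shlex.split(match.group(1))  # keeps a quoted DN as one word
        except ValueError:
            words = match.group(1).split()  # unbalanced quote: fall back
        if not words:
            continue
        if len(words) == 3 and words[:2] in (["create", "server"], ["scope", "server"]):
            current = providers.setdefault(words[2], {"settings": {}, "committed": True})
            if words[0] == "create":
                current["committed"] = False
        elif words[0] == "set" and current is not None and len(words) >= 2:
            # "set password" has no argument; the value is typed at a prompt.
            current["settings"][words[1]] = words[2] if len(words) > 2 else None
            current["committed"] = False
        elif words[0] == "commit-buffer":
            for provider in providers.values():
                provider["committed"] = True
    return providers


def lint(transcript, cert_cns=None, longest_username=20):
    """Return (server, code, detail) findings.

    cert_cns: CNs the operator read from the LDAP server certificate (optional).
    longest_username: assumed longest login name, used for the base DN rule.
    """
    findings = []
    for name, provider in parse_providers(transcript).items():
        s = provider["settings"]
        if s.get("ssl") == "no":
            findings.append((name, "ssl-disabled",
                             "authentication information is sent as clear text"))
        elif s.get("ssl") == "yes" and cert_cns is not None and name not in cert_cns:
            findings.append((name, "cn-mismatch",
                             "server name must exactly match a CN in the certificate"))
        timeout = s.get("timeout")
        if timeout is not None and not (timeout.isdecimal() and 0 <= int(timeout) <= 60):
            findings.append((name, "timeout-range", "use 1 to 60, or 0 for the global value"))
        binddn = s.get("binddn")
        if binddn is not None and (len(binddn) > 255 or not binddn.isascii()):
            findings.append((name, "binddn-length", "bind DN is limited to 255 ASCII characters"))
        basedn = s.get("basedn")
        if basedn is not None and len(basedn) > 255 - len("CN=") - longest_username:
            findings.append((name, "basedn-length",
                             "base DN plus CN=username must fit in 255 characters"))
        if not provider["committed"]:
            findings.append((name, "uncommitted", "no commit-buffer after the last change"))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```

Pass cert_cns only when the CNs were read from the certificate the LDAP server actually presents; without it the CN check is skipped rather than guessed.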
                                                                              
                                                                              What to Do Next

                                                                              For implementations involving a single LDAP database, select LDAP as the authentication service.


                                                                              Note


When you specify multiple databases for implementation and choose a specific user within a database, the server goes through the LDAP databases in the specified order before authenticating the user.


                                                                              Configuring Default Settings for LDAP Providers

                                                                              The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.

                                                                              If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.

                                                                              Procedure
Command or Action | Purpose
Step 1: UCSC# connect policy-mgr

                                                                                Enters policy manager mode.

                                                                                 
Step 2: UCSC(policy-mgr) # scope domain-group domain-group

                                                                                Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                 
Step 3: UCSC(policy-mgr) /domain-group # scope security

                                                                                Enters security mode.

                                                                                 
Step 4: UCSC(policy-mgr) /domain-group/security # scope ldap

                                                                                Enters security LDAP mode.

                                                                                 
Step 5: UCSC(policy-mgr) /domain-group/security/ldap # set attribute attribute

                                                                                Restricts database searches to records that contain the specified attribute.

                                                                                 
Step 6: UCSC(policy-mgr) /domain-group/security/ldap* # set basedn distinguished-name

                                                                                Restricts database searches to records that contain the specified distinguished name.

                                                                                 
Step 7: UCSC(policy-mgr) /domain-group/security/ldap* # set filter filter

                                                                                Restricts database searches to records that contain the specified filter.

                                                                                 
Step 8: UCSC(policy-mgr) /domain-group/security/ldap* # set timeout seconds

                                                                                Sets the time interval the system waits for a response from the LDAP server before noting the server as down.

                                                                                 
Step 9: UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer

                                                                                Commits the transaction to the system configuration.

                                                                                 

                                                                                The following example shows how to set the LDAP attribute to CiscoAvPair, the base distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com", the filter to sAMAccountName=$userid, and the timeout interval to 5 seconds, and commit the transaction:

                                                                                UCSC # connect policy-mgr
                                                                                UCSC(policy-mgr)# scope domain-group
                                                                                UCSC(policy-mgr) /domain-group # scope security
                                                                                UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                UCSC(policy-mgr) /domain-group/security/ldap # set attribute CiscoAvPair
                                                                                UCSC(policy-mgr) /domain-group/security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
                                                                                UCSC(policy-mgr) /domain-group/security/ldap* # set filter sAMAccountName=$userid
                                                                                UCSC(policy-mgr) /domain-group/security/ldap* # set timeout 5
                                                                                UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
                                                                                UCSC(policy-mgr) /domain-group/security/ldap # 
                                                                                
                                                                                What to Do Next

                                                                                Create an LDAP provider.

                                                                                Changing the LDAP Group Rule for an LDAP Provider

                                                                                Procedure
Command or Action | Purpose
Step 1: UCSC# connect policy-mgr

                                                                                  Enters policy manager mode.

                                                                                   
Step 2: UCSC(policy-mgr) # scope domain-group domain-group

                                                                                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                   
Step 3: UCSC(policy-mgr) /domain-group # scope security

                                                                                  Enters security mode.

                                                                                   
Step 4: UCSC(policy-mgr) /domain-group/security # scope ldap

                                                                                  Enters security LDAP mode.

                                                                                   
Step 5: UCSC(policy-mgr) /domain-group/security/ldap # scope server ldap-provider

                                                                                  Enters security LDAP provider mode.

                                                                                   
Step 6: UCSC(policy-mgr) /domain-group/security/ldap/server # scope ldap-group-rule

                                                                                  Enters LDAP group rule mode.

                                                                                   
Step 7: UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule # set authorization {enable | disable}

                                                                                  Specifies whether Cisco UCS searches LDAP groups when assigning user roles and locales to a remote user.

• disable: Cisco UCS does not access any LDAP groups.

• enable: Cisco UCS searches the LDAP provider groups mapped in this Cisco UCS domain. If the remote user is found, Cisco UCS assigns the user roles and locales defined for that LDAP group in the associated LDAP group map.

                                                                                  Note   

                                                                                  Role and locale assignment is cumulative. If a user is included in multiple groups, or has a role or locale specified in the LDAP attribute, Cisco UCS assigns that user all the roles and locales mapped to any of those groups or attributes.

                                                                                   
Step 8: UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set member-of-attribute attr-name

                                                                                  The attribute Cisco UCS uses to determine group membership in the LDAP database.

                                                                                  The supported string length is 63 characters. The default string is memberOf.

                                                                                   
Step 9: UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set traversal {non-recursive | recursive}

                                                                                  Specifies whether Cisco UCS takes the settings for a group member's parent group, if necessary. This can be:

• non-recursive: Cisco UCS only searches those groups that the user belongs to.

• recursive: Cisco UCS searches all the ancestor groups belonging to the user.

                                                                                   
Step 10: UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # commit-buffer

                                                                                  Commits the transaction to the system configuration.

                                                                                   

The following example shows how to set the LDAP group rule to enable authorization, set the member-of attribute to memberOf, set the traversal to non-recursive, and commit the transaction:

                                                                                  UCSC # connect policy-mgr
                                                                                  UCSC(policy-mgr)# scope domain-group
                                                                                  UCSC(policy-mgr) /domain-group # scope security
                                                                                  UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap # scope server ldapprovider
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server # scope ldap-group-rule
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule # set authorization enable
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set member-of-attribute memberOf
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set traversal non-recursive
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # commit-buffer
                                                                                  UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule #

                                                                                  Deleting an LDAP Provider

                                                                                  Procedure
Command or Action | Purpose
Step 1: UCSC# connect policy-mgr

                                                                                    Enters policy manager mode.

                                                                                     
Step 2: UCSC(policy-mgr) # scope domain-group domain-group

                                                                                    Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                     
Step 3: UCSC(policy-mgr) /domain-group # scope security

                                                                                    Enters security mode.

                                                                                     
Step 4: UCSC(policy-mgr) /domain-group/security # scope ldap

                                                                                    Enters security LDAP mode.

                                                                                     
Step 5: UCSC(policy-mgr) /domain-group/security/ldap # delete server serv-name

                                                                                    Deletes the specified server.

                                                                                     
Step 6: UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer

                                                                                    Commits the transaction to the system configuration.

                                                                                     

                                                                                    The following example shows how to delete the LDAP server called ldap1 and commit the transaction:

                                                                                    UCSC # connect policy-mgr
                                                                                    UCSC(policy-mgr)# scope domain-group
                                                                                    UCSC(policy-mgr) /domain-group # scope security
                                                                                    UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                    UCSC(policy-mgr) /domain-group/security/ldap # delete server ldap1
                                                                                    UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
                                                                                    UCSC(policy-mgr) /domain-group/security/ldap #

                                                                                    LDAP Group Maps

                                                                                    For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by Cisco UCS domains to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Central is deployed.

Cisco UCS Central uses the LDAP group rule to determine LDAP groups when assigning user roles and locales to a remote user. When a user logs in, Cisco UCS Central retrieves information about the user's role and locale from the LDAP group map. If the role and locale criteria match the information in the policy, Cisco UCS Central provides access to the user.

                                                                                    Role and locale definitions are configured locally in Cisco UCS Central and do not update automatically based on changes to an LDAP directory. If you delete or rename LDAP groups in the LDAP directory, make sure to update the changes in Cisco UCS Central.

                                                                                    You can configure an LDAP group map to include any of the following combinations of roles and locales:
                                                                                    • Roles only

                                                                                    • Locales only

                                                                                    • Both roles and locales

Example: If you want to configure authentication for an LDAP group representing a group of server administrators at a specific location, you can add user roles such as server-profile and server-equipment to the LDAP group. If you want to restrict access to server administrators at a specific location, you can specify locales with specific site names.

                                                                                    Note


Cisco UCS Central includes many out-of-the-box user roles but does not include any locales, so you must create a custom locale to map an LDAP provider group to a locale.


                                                                                    Nested LDAP Groups

                                                                                    You can search LDAP groups that are nested within another group defined in an LDAP group map. With this new capability, you do not always need to create subgroups in a group map in Cisco UCS Central.


                                                                                    Note


• Nested LDAP search is supported only for Microsoft Active Directory servers. The supported versions are Microsoft Windows 2003 SP3, Microsoft Windows 2008 R2, and Microsoft Windows 2012.

• When you create a nested LDAP group in MS-AD and use special characters in the name, make sure to configure the characters with \\( and \\). The following is an example of creating a nested LDAP group using the Cisco UCS Central CLI:

                                                                                      create ldap-group CN=test1\\(\\),CN=Users,DC=ucsm,DC=qasam-lab,DC=in

Using the LDAP nesting feature, you can add an LDAP group as a member of another group and nest groups to consolidate member accounts and reduce replication traffic.

                                                                                    By default, user rights are inherited when you nest an LDAP group within another group. For example, if you make Group_1 a member of Group_2, the users in Group_1 will have the same permissions as the members of Group_2. You can then search users that are members of Group_1 by choosing only Group_2 in the LDAP group map, instead of having to search Group_1 and Group_2 separately.
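The cumulative role assignment and the traversal setting from the group rule procedure interact with nesting: switching traversal to recursive can grant roles that no direct group carries. The following is an added example, not Cisco code, that models this and reports what each user would gain. The directory data, group map, user names, role and locale values, and exact-string DN matching are assumptions made for illustration.

```python
from collections import deque


def dn(cn):
    """Build a constructed group DN for the sample data."""
    return f"CN={cn},DC=example,DC=test"


# Constructed directory data: each group DN -> the groups it is a member of.
# Group_1 is nested in Group_2 as in the text; Group_3 closes a membership loop.
MEMBER_OF = {
    dn("Group_1"): [dn("Group_2")],
    dn("Group_2"): [dn("Group_3")],
    dn("Group_3"): [dn("Group_1")],
}

# Constructed LDAP group map, as it would be configured in Cisco UCS Central.
GROUP_MAP = {
    dn("Group_2"): {"roles": {"server-profile", "server-equipment"}, "locales": {"site-a"}},
    dn("Group_3"): {"roles": {"admin"}, "locales": set()},
}

# Constructed users: direct memberships plus roles held in the LDAP attribute.
USERS = {
    "alice": {"groups": [dn("Group_1")], "attr_roles": {"read-only"}},
    "bob": {"groups": [dn("Group_2")], "attr_roles": set()},
}


def groups_searched(direct_groups, member_of, traversal):
    """Groups consulted for one user under the given traversal setting."""
    if traversal == "non-recursive":
        return set(direct_groups)
    if traversal != "recursive":
        raise ValueError(f"unknown traversal: {traversal}")
    seen, queue = set(direct_groups), deque(direct_groups)
    while queue:
        for parent in member_of.get(queue.popleft(), []):
            if parent not in seen:  # also terminates on membership loops
                seen.add(parent)
                queue.append(parent)
    return seen


def effective_access(user, group_map, member_of,
                     authorization="enable", traversal="non-recursive"):
    """Return (roles, locales): attribute values plus every mapped group, cumulatively."""
    roles = set(user.get("attr_roles", ()))
    locales = set(user.get("attr_locales", ()))
    if authorization == "enable":
        for group in groups_searched(user["groups"], member_of, traversal):
            mapping = group_map.get(group)
            if mapping:
                roles |= mapping["roles"]
                locales |= mapping["locales"]
    return roles, locales


def traversal_delta(users, group_map, member_of):
    """Roles and locales each user would gain if traversal became recursive."""
    delta = {}
    for name, user in users.items():
        flat_roles, flat_locales = effective_access(
            user, group_map, member_of, traversal="non-recursive")
        deep_roles, deep_locales = effective_access(
            user, group_map, member_of, traversal="recursive")
        gained = {"roles": deep_roles - flat_roles, "locales": deep_locales - flat_locales}
        if gained["roles"] or gained["locales"]:
            delta[name] = gained
    return delta


if __name__ == "__main__":
    for name, gained in traversal_delta(USERS, GROUP_MAP, MEMBER_OF).items():
        print(name, sorted(gained["roles"]), sorted(gained["locales"]))
```

Running the delta against an export of real memberships before committing a traversal change shows which accounts would pick up additional roles through ancestor groups.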

                                                                                    Creating an LDAP Group Map

                                                                                    Before You Begin
                                                                                    • Create an LDAP group in the LDAP server.

                                                                                    • Configure the distinguished name for the LDAP group in the LDAP server.

                                                                                    • Create locales in Cisco UCS Central (optional).

                                                                                    • Create custom roles in Cisco UCS Central (optional).

                                                                                    Procedure
Command or Action | Purpose
Step 1: UCSC# connect policy-mgr

                                                                                      Enters policy manager mode.

                                                                                       
Step 2: UCSC(policy-mgr) # scope domain-group domain-group

                                                                                      Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                       
                                                                                      Step 3UCSC(policy-mgr) /domain-group # scope security  

                                                                                      Enters security mode.

                                                                                       
                                                                                      Step 4UCSC(policy-mgr) /domain-group/security # scope ldap  

                                                                                      Enters security LDAP mode.

                                                                                       
                                                                                      Step 5UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group group-dn  

                                                                                      Creates an LDAP group map for the specified DN.

                                                                                       
                                                                                      Step 6UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale locale-name  

                                                                                      Maps the LDAP group to the specified locale.

                                                                                       
                                                                                      Step 7UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role role-name  

                                                                                      Maps the LDAP group to the specified role.

                                                                                       
                                                                                      Step 8UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer  

                                                                                      Commits the transaction to the system configuration.

                                                                                       

The following example shows how to create an LDAP group map for a DN, set the locale to pacific, set the role to admin, and commit the transaction:

                                                                                      UCSC # connect policy-mgr
                                                                                      UCSC(policy-mgr)# scope domain-group
                                                                                      UCSC(policy-mgr) /domain-group # scope security
                                                                                      UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                      UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com
                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale pacific
                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role admin
                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer
                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/ldap-group #
                                                                                      What to Do Next

                                                                                      Set the LDAP group rule.

                                                                                      Deleting an LDAP Group Map

                                                                                      Procedure
Command or Action | Purpose
Step 1  UCSC# connect policy-mgr | Enters policy manager mode.
Step 2  UCSC(policy-mgr) # scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3  UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4  UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5  UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group group-dn | Deletes the LDAP group map for the specified DN.
Step 6  UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer | Commits the transaction to the system configuration.

                                                                                         

                                                                                        The following example shows how to delete an LDAP group map and commit the transaction:

                                                                                        UCSC # connect policy-mgr
                                                                                        UCSC(policy-mgr)# scope domain-group
                                                                                        UCSC(policy-mgr) /domain-group # scope security
                                                                                        UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                        UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com
                                                                                        UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
                                                                                        UCSC(policy-mgr) /domain-group/security/ldap #

                                                                                        Configuring RADIUS Providers

                                                                                        Configuring Properties for RADIUS Providers

                                                                                        The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.


Note: RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.


                                                                                        Procedure
Command or Action | Purpose
Step 1  UCSC# connect policy-mgr | Enters policy manager mode.
Step 2  UCSC(policy-mgr) # scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3  UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4  UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5  UCSC(policy-mgr) /domain-group/security/radius # set retries retry-num | Sets the number of times to retry communicating with the RADIUS server before noting the server as down.
Step 6  UCSC(policy-mgr) /domain-group/security/radius* # set timeout seconds | Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.
Step 7  UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer | Commits the transaction to the system configuration.

                                                                                           

                                                                                          The following example shows how to set the RADIUS retries to 4, set the timeout interval to 30 seconds, and commit the transaction:

                                                                                          UCSC # connect policy-mgr
                                                                                          UCSC(policy-mgr)# scope domain-group
                                                                                          UCSC(policy-mgr) /domain-group # scope security
                                                                                          UCSC(policy-mgr) /domain-group/security # scope radius
                                                                                          UCSC(policy-mgr) /domain-group/security/radius # set retries 4
                                                                                          UCSC(policy-mgr) /domain-group/security/radius* # set timeout 30
                                                                                          UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
                                                                                          UCSC(policy-mgr) /domain-group/security/radius # 
                                                                                          
                                                                                          What to Do Next

                                                                                          Create a RADIUS provider.

                                                                                          Creating a RADIUS Provider

                                                                                          Cisco UCS Central supports a maximum of 16 RADIUS providers. RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.

                                                                                          Before You Begin

                                                                                          Perform the following configuration in the RADIUS server:

                                                                                          • Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose whether to extend the RADIUS schema for this attribute. If you do not want to extend the schema, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the cisco-avpair attribute.

                                                                                            The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.

  The following syntax example shows how to specify multiple user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.

                                                                                          • For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
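The attribute described in the first prerequisite can be checked before it is rolled out. The following added example (not Cisco code) decodes a RADIUS Vendor-Specific attribute (type 26 in RFC 2865) carrying vendor ID 9 and vendor type 1, then parses the shell:roles / shell:locales syntax shown above. The function names, the constructed attribute bytes, the user name jdoe and the set of defined roles are assumptions.

```python
"""Decode a cisco-avpair from RADIUS attribute bytes and parse its roles and locales."""
import re
import struct

VENDOR_SPECIFIC = 26   # RADIUS attribute type for Vendor-Specific (RFC 2865)
CISCO_VENDOR_ID = 9    # written as 009 on this page
CISCO_AVPAIR = 1       # written as 001 on this page

# Syntax example taken from this page.
PAGE_EXAMPLE = 'shell:roles="admin,aaa" shell:locales="L1,abc"'

PAIR_RE = re.compile(r'shell:(roles|locales)="([^"]*)"')


def encode_avpair(value):
    """Build one Vendor-Specific attribute holding a single cisco-avpair string."""
    data = value.encode("utf-8")
    sub = bytes([CISCO_AVPAIR, len(data) + 2]) + data
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:
        raise ValueError("value too long for one RADIUS attribute")
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def iter_attributes(blob):
    """Yield (type, value) for each type/length/value attribute in blob.

    The length octet counts the two header octets, for both top-level
    attributes and the sub-attributes inside a Vendor-Specific attribute.
    """
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        yield atype, blob[pos + 2:pos + alen]
        pos += alen


def cisco_avpairs(blob):
    """Return every cisco-avpair string found in a RADIUS attribute list."""
    found = []
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != CISCO_VENDOR_ID:
            continue
        for vtype, vdata in iter_attributes(value[4:]):
            if vtype == CISCO_AVPAIR:
                found.append(vdata.decode("utf-8"))
    return found


def parse_avpair(text):
    """Split shell:roles="a,b" shell:locales="x,y" into two lists, comma-delimited."""
    result = {"roles": [], "locales": []}
    for key, raw in PAIR_RE.findall(text):
        result[key].extend(v.strip() for v in raw.split(",") if v.strip())
    return result


def unknown_roles(parsed, defined_roles):
    """Roles named in the attribute that are not in the set the operator expects."""
    return sorted(set(parsed["roles"]) - set(defined_roles))


if __name__ == "__main__":
    # Constructed attribute list: User-Name (type 1) followed by the cisco-avpair.
    attrs = bytes([1, 6]) + b"jdoe" + encode_avpair(PAGE_EXAMPLE)
    for text in cisco_avpairs(attrs):
        parsed = parse_avpair(text)
        print(parsed)
        # Assumed set of roles defined on the target system.
        print("not defined:", unknown_roles(parsed, {"admin", "read-only"}))
```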

                                                                                          Procedure
Command or Action | Purpose
Step 1  UCSC# connect policy-mgr | Enters policy manager mode.
Step 2  UCSC(policy-mgr) # scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3  UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4  UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5  UCSC(policy-mgr) /domain-group/security/radius # create server server-name | Creates a RADIUS server instance and enters security RADIUS server mode.
Step 6  UCSC(policy-mgr) /domain-group/security/radius/server* # set authport authport-num | (Optional) Specifies the port used to communicate with the RADIUS server.
Step 7  UCSC(policy-mgr) /domain-group/security/radius/server* # set key | Sets the RADIUS server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.
Step 8  UCSC(policy-mgr) /domain-group/security/radius/server* # set order order-num | (Optional) Specifies when in the order this server will be tried.
Step 9  UCSC(policy-mgr) /domain-group/security/radius/server* # set retries retry-num | (Optional) Sets the number of times to retry communicating with the RADIUS server before noting the server as down.
Step 10  UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.
Step 11  UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer | Commits the transaction to the system configuration.

                                                                                             

                                                                                            The following example shows how to create a server instance named radiusserv7, set the authentication port to 5858, set the key to radiuskey321, set the order to 2, set the retries to 4, set the timeout to 30, and commit the transaction:

                                                                                            UCSC # connect policy-mgr
                                                                                            UCSC(policy-mgr)# scope domain-group
                                                                                            UCSC(policy-mgr) /domain-group # scope security
                                                                                            UCSC(policy-mgr) /domain-group/security # scope radius
                                                                                            UCSC(policy-mgr) /domain-group/security/radius # create server radiusserv7
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # set authport 5858
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # set key
                                                                                            Enter the key: radiuskey321
                                                                                            Confirm the key: radiuskey321
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # set order 2
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # set retries 4
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout 30
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer
                                                                                            UCSC(policy-mgr) /domain-group/security/radius/server # 
                                                                                            
                                                                                            What to Do Next

                                                                                            • For implementations involving a single RADIUS database, select RADIUS as the primary authentication service.

                                                                                            • For implementations involving multiple RADIUS databases, configure a RADIUS provider group.

                                                                                            Deleting a RADIUS Provider

                                                                                            Procedure
Command or Action | Purpose
Step 1  UCSC# connect policy-mgr | Enters policy manager mode.
Step 2  UCSC(policy-mgr) # scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3  UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4  UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5  UCSC(policy-mgr) /domain-group/security/radius # delete server serv-name | Deletes the specified server.
Step 6  UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer | Commits the transaction to the system configuration.

                                                                                               

                                                                                              The following example shows how to delete the RADIUS server called radius1 and commit the transaction:

                                                                                              UCSC # connect policy-mgr
                                                                                              UCSC(policy-mgr)# scope domain-group
                                                                                              UCSC(policy-mgr) /domain-group # scope security
                                                                                              UCSC(policy-mgr) /domain-group/security # scope radius
                                                                                              UCSC(policy-mgr) /domain-group/security/radius # delete server radius1
                                                                                              UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
                                                                                              UCSC(policy-mgr) /domain-group/security/radius #

                                                                                              Configuring TACACS+ Providers

                                                                                              Configuring Properties for TACACS+ Providers

                                                                                              The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.


Note: TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.


                                                                                              Procedure
Command or Action | Purpose
Step 1  UCSC# connect policy-mgr | Enters policy manager mode.
Step 2  UCSC(policy-mgr) # scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3  UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4  UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode. The TACACS+ related settings will be applicable only for the Cisco UCS domains under the Domain Group root and child domain groups.
Step 5  UCSC(policy-mgr) /domain-group/security/tacacs # set key | Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.
Step 6  UCSC(policy-mgr) /domain-group/security/tacacs* # set order order-num | Specifies when in the order this server will be tried.
Step 7  UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout seconds | Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.
Step 8  UCSC(policy-mgr) /domain-group/security/tacacs* # set port port-num | Specifies the port used to communicate with the TACACS+ server.
Step 9  UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer | Commits the transaction to the system configuration.

                                                                                                 

                                                                                                The following example shows how to set the key to tacacskey321, set the order to 4, set the timeout interval to 45 seconds, set the authentication port to 5859, and commit the transaction:

                                                                                                UCSC # connect policy-mgr
                                                                                                UCSC(policy-mgr)# scope domain-group
                                                                                                UCSC(policy-mgr) /domain-group # scope security
                                                                                                UCSC(policy-mgr) /domain-group/security # scope tacacs
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs # set key
                                                                                                Enter the key: tacacskey321
                                                                                                Confirm the key: tacacskey321
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs* # set order 4
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout 45
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs* # set port 5859
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
                                                                                                UCSC(policy-mgr) /domain-group/security/tacacs # 
                                                                                                
                                                                                                What to Do Next

                                                                                                Create a TACACS+ provider.

                                                                                                Creating a TACACS+ Provider

                                                                                                Cisco UCS Central supports a maximum of 16 TACACS+ providers. TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.

                                                                                                Before You Begin

                                                                                                Perform the following configuration in the TACACS+ server:

                                                                                                • Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute.

                                                                                                  The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.

  The following syntax example shows how to specify multiple user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc". Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing authentication failures for other Cisco devices that use the same authorization profile. Use a space as the delimiter to separate multiple values.

                                                                                                • For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
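The cisco-av-pair syntax described above can be checked before it is deployed to the TACACS+ server. The following parser is an added example, not Cisco code; the names parse_cisco_av_pair, review and AvPair, and the REVIEW_ROLES set, are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Attribute names that appear in the syntax example in the text.
KNOWN_NAMES = ("roles", "locales")

# Roles to surface for review. This set is an assumption for the example;
# replace it with the roles your own policy treats as privileged.
REVIEW_ROLES = frozenset({"admin", "aaa"})

# shell:<name>, then "=" (mandatory) or "*" (optional), then a quoted,
# space-delimited value list.
_PAIR = re.compile(
    r'shell:(?P<name>[A-Za-z][A-Za-z-]*)(?P<sep>[=*])"(?P<values>[^"]*)"')
_PREFIX = "cisco-av-pair="


@dataclass(frozen=True)
class AvPair:
    name: str                 # for example "roles" or "locales"
    optional: bool            # True when the separator is "*"
    values: Tuple[str, ...]   # space-delimited values, in order


def parse_cisco_av_pair(attribute: str) -> List[AvPair]:
    """Split a cisco-av-pair string into its shell:<name> pairs."""
    text = attribute.strip()
    if text.startswith(_PREFIX):
        text = text[len(_PREFIX):]
    pairs: List[AvPair] = []
    pos = 0
    while pos < len(text):
        if text[pos].isspace():
            pos += 1
            continue
        match = _PAIR.match(text, pos)
        if match is None:
            raise ValueError("malformed cisco-av-pair at offset %d: %r"
                             % (pos, text[pos:pos + 24]))
        values = tuple(match.group("values").split())
        if not values:
            raise ValueError("empty value list for shell:%s"
                             % match.group("name"))
        pairs.append(AvPair(match.group("name"),
                            match.group("sep") == "*", values))
        pos = match.end()
    if not pairs:
        raise ValueError("no shell:<name> pairs found")
    return pairs


def review(attribute: str) -> List[str]:
    """Return findings an administrator should look at before deployment."""
    findings = []
    seen = set()
    for pair in parse_cisco_av_pair(attribute):
        if pair.name not in KNOWN_NAMES:
            findings.append("unknown attribute shell:%s" % pair.name)
        if pair.name in seen:
            findings.append("shell:%s is defined more than once" % pair.name)
        seen.add(pair.name)
        if pair.name == "roles":
            flagged = sorted(set(pair.values) & REVIEW_ROLES)
            if flagged:
                findings.append("roles to review: " + " ".join(flagged))
        if pair.name == "locales" and not pair.optional:
            findings.append('shell:locales uses "=" (mandatory); use "*" if '
                            "other Cisco devices share this authorization "
                            "profile")
    return findings


# The first sample is the syntax example from the text; the second is
# constructed for this example.
PAGE_EXAMPLE = 'cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc"'
MANDATORY_LOCALE = 'cisco-av-pair=shell:roles="read-only" shell:locales="L1"'

if __name__ == "__main__":
    for sample in (PAGE_EXAMPLE, MANDATORY_LOCALE):
        print(sample)
        for pair in parse_cisco_av_pair(sample):
            print("  ", pair)
        for finding in review(sample):
            print("   finding:", finding)
```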

                                                                                                Procedure
Step    Command or Action
        Purpose

Step 1  UCSC# connect policy-mgr
        Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group
        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
        Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope tacacs
        Enters security TACACS+ mode.

Step 5  UCSC(policy-mgr) /domain-group/security/tacacs # create server server-name
        Creates a TACACS+ server instance and enters security TACACS+ server mode.

Step 6  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key
        (Optional) Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.

Step 7  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order order-num
        (Optional) Specifies when in the order this server will be tried.

Step 8  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout seconds
        (Optional) Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.

Step 9  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port port-num
        Specifies the port used to communicate with the TACACS+ server.

Step 10 UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer
        Commits the transaction to the system configuration.

                                                                                                   

The following example shows how to create a server instance named tacacsserv680, set the key to tacacskey321, set the order to 4, set the timeout interval to 45 seconds, set the authentication port to 5859, and commit the transaction:

                                                                                                  UCSC # connect policy-mgr
                                                                                                  UCSC(policy-mgr)# scope domain-group
                                                                                                  UCSC(policy-mgr) /domain-group # scope security
                                                                                                  UCSC(policy-mgr) /domain-group/security # scope tacacs
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs # create server tacacsserv680
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key
                                                                                                  Enter the key: tacacskey321
                                                                                                  Confirm the key: tacacskey321
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order 4
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout 45
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port 5859
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer
                                                                                                  UCSC(policy-mgr) /domain-group/security/tacacs/server # 
                                                                                                  
                                                                                                  What to Do Next

                                                                                                  • For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication service.

                                                                                                  • For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.

                                                                                                  Deleting a TACACS+ Provider

                                                                                                  Procedure
Step    Command or Action
        Purpose

Step 1  UCSC# connect policy-mgr
        Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group
        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
        Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope tacacs
        Enters security TACACS+ mode.

Step 5  UCSC(policy-mgr) /domain-group/security/tacacs # delete server serv-name
        Deletes the specified server.

Step 6  UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
        Commits the transaction to the system configuration.

                                                                                                     

The following example shows how to delete the TACACS+ server called TACACS1 and commit the transaction:

                                                                                                    UCSC # connect policy-mgr
                                                                                                    UCSC(policy-mgr)# scope domain-group
                                                                                                    UCSC(policy-mgr) /domain-group # scope security
                                                                                                    UCSC(policy-mgr) /domain-group/security # scope tacacs
                                                                                                    UCSC(policy-mgr) /domain-group/security/tacacs # delete server TACACS1
                                                                                                    UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
                                                                                                    UCSC(policy-mgr) /domain-group/security/tacacs #

                                                                                                    Configuring Multiple Authentication Systems

                                                                                                    Multiple Authentication Systems

                                                                                                    You can configure Cisco UCS to use multiple authentication systems by configuring the following features:

                                                                                                    • Provider groups

                                                                                                    • Authentication domains

Once provider groups and authentication domains have been configured in the Cisco UCS Central GUI, the following syntax can be used to log in to the system using the Cisco UCS Central CLI: ucs-auth-domain

When multiple authentication domains and native authentication are configured with a remote authentication service, use one of the following syntax examples to log in with SSH or PuTTY:

                                                                                                    From a Linux terminal:

                                                                                                    • ssh ucs-auth-domain\\username@Cisco UCS domain-ip-address

                                                                                                      ssh ucs-example\\jsmith@192.0.20.11

                                                                                                    • ssh -l ucs-auth-domain\\username {Cisco UCS domain-ip-address | Cisco UCS domain-host-name}

                                                                                                      ssh -l ucs-example\\jsmith 192.0.20.11

                                                                                                    • ssh {Cisco UCS domain-ip-address | Cisco UCS domain-host-name} -l ucs-auth-domain\\username

                                                                                                      ssh 192.0.20.11 -l ucs-example\\jsmith

From a PuTTY client:

                                                                                                    • Login as: ucs-auth-domain\\username

                                                                                                      Login as: ucs-example\\jsmith

From an SSH client:

                                                                                                    • Host Name: Cisco UCS domain-ip-address

                                                                                                      User Name: ucs-auth-domain\\username

                                                                                                      Host Name: 192.0.20.11

                                                                                                      User Name: ucs-example\\jsmith

                                                                                                    Provider Groups

                                                                                                    A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Central allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.

                                                                                                    During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.

                                                                                                    Creating an LDAP Provider Group

                                                                                                    Creating an LDAP provider group allows you to authenticate using multiple LDAP databases.

                                                                                                    Note


                                                                                                    Authenticating with a single LDAP database does not require you to set up an LDAP provider group.


                                                                                                    Before You Begin

                                                                                                    Create one or more LDAP providers.

                                                                                                    Procedure
Step    Command or Action
        Purpose

Step 1  UCSC# connect policy-mgr
        Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group
        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
        Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope ldap
        Enters security LDAP mode.

Step 5  UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group auth-server-group-name
        Creates an LDAP provider group and enters authentication server group security LDAP mode.

Step 6  UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap-provider-name
        Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.

Step 7  UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # set order order-num
        Specifies the order in which Cisco UCS uses this provider to authenticate users.
        Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8  UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # commit-buffer
        Commits the transaction to the system configuration.

                                                                                                       

                                                                                                      The following example shows how to create an LDAP provider group called ldapgroup, add two previously configured providers called ldap1 and ldap2 to the provider group, set the order, and commit the transaction:

                                                                                                      UCSC # connect policy-mgr
                                                                                                      UCSC(policy-mgr)# scope domain-group
                                                                                                      UCSC(policy-mgr) /domain-group # scope security
                                                                                                      UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group ldapgroup
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap1
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 1
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # up
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap2
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 2
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # commit-buffer
                                                                                                      UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref #
                                                                                                      What to Do Next

                                                                                                      Configure an authentication domain or select a default authentication service.
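The provider group limits, the set order rule and the fallback to local authentication described above can be modelled to check a planned group before it is committed. This is an added example, not Cisco code: ServerRef, validate_group, try_order and authenticate are hypothetical names, and two behaviours the text does not specify are assumptions (the first reachable provider's answer is final, and providers with equal order keep their configured sequence).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_PROVIDERS_PER_GROUP = 8      # limit stated in the text
ORDER_RANGE = range(0, 17)       # valid numeric orders: 0-16
LOCAL = "local"                  # label for the local username/password path


@dataclass(frozen=True)
class ServerRef:
    name: str
    order: Optional[int] = None  # None models the CLI value "no-value"


@dataclass
class AuthResult:
    source: str                  # provider that decided, or "local"
    granted: bool
    tried: List[str] = field(default_factory=list)


def validate_group(refs: List[ServerRef]) -> List[str]:
    """Check a planned provider group against the documented limits."""
    problems = []
    if len(refs) > MAX_PROVIDERS_PER_GROUP:
        problems.append("group has %d providers; the maximum is %d"
                        % (len(refs), MAX_PROVIDERS_PER_GROUP))
    names = [ref.name for ref in refs]
    for name in sorted({n for n in names if names.count(n) > 1}):
        problems.append("provider %s is referenced more than once" % name)
    for ref in refs:
        if ref.order is not None and ref.order not in ORDER_RANGE:
            problems.append("provider %s: order %d is outside 0-16"
                            % (ref.name, ref.order))
    return problems


def try_order(refs: List[ServerRef]) -> List[str]:
    """Lowest order first; no-value sorts ahead of every number.

    sorted() is stable, so equal orders keep their configured sequence
    (an assumption, the text does not say how ties are resolved).
    """
    ranked = sorted(refs, key=lambda r: -1 if r.order is None else r.order)
    return [ref.name for ref in ranked]


def authenticate(refs: List[ServerRef],
                 answers: Dict[str, Optional[bool]],
                 local_ok: bool) -> AuthResult:
    """Walk the group in order and fall back to local when none respond.

    answers maps a provider name to True (accept), False (reject) or
    None (unavailable or unreachable). Treating the first reachable
    provider's answer as final is an assumption of this model.
    """
    tried: List[str] = []
    for name in try_order(refs):
        tried.append(name)
        answer = answers.get(name)
        if answer is not None:
            return AuthResult(name, answer, tried)
    return AuthResult(LOCAL, local_ok, tried)


# ldap1 and ldap2 with orders 1 and 2 come from the example above;
# ldap3 and the answer tables below are constructed for this example.
LDAPGROUP = [ServerRef("ldap1", 1), ServerRef("ldap2", 2)]

if __name__ == "__main__":
    print(validate_group(LDAPGROUP))
    print(try_order(LDAPGROUP + [ServerRef("ldap3")]))
    print(authenticate(LDAPGROUP, {"ldap1": None, "ldap2": True}, False))
    print(authenticate(LDAPGROUP, {"ldap1": None, "ldap2": None}, True))
```

When every provider in the group is unreachable, the result's source is "local", which shows that local credentials remain a usable login path during an outage.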

                                                                                                      Deleting an LDAP Provider Group

                                                                                                      Before You Begin

                                                                                                      Remove the provider group from an authentication configuration.

                                                                                                      Procedure
Step    Command or Action
        Purpose

Step 1  UCSC# connect policy-mgr
        Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group
        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security
        Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope ldap
        Enters security LDAP mode.

Step 5  UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group auth-server-group-name
        Deletes the LDAP provider group.

Step 6  UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
        Commits the transaction to the system configuration.

                                                                                                         

                                                                                                        The following example shows how to delete an LDAP provider group called ldapgroup and commit the transaction:

                                                                                                        UCSC # connect policy-mgr
                                                                                                        UCSC(policy-mgr)# scope domain-group
                                                                                                        UCSC(policy-mgr) /domain-group # scope security
                                                                                                        UCSC(policy-mgr) /domain-group/security # scope ldap
                                                                                                        UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group ldapgroup
                                                                                                        UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
                                                                                                        UCSC(policy-mgr) /domain-group/security/ldap #

Creating a RADIUS Provider Group

Creating a RADIUS provider group allows you to authenticate using multiple RADIUS databases.

Note: Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group.

Before You Begin

Create one or more RADIUS providers.

Procedure

Step 1  Command or Action: UCSC# connect policy-mgr
        Purpose: Enters policy manager mode.

Step 2  Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
        Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  Command or Action: UCSC(policy-mgr) /domain-group # scope security
        Purpose: Enters security mode.

Step 4  Command or Action: UCSC(policy-mgr) /domain-group/security # scope radius
        Purpose: Enters security RADIUS mode.

Step 5  Command or Action: UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group auth-server-group-name
        Purpose: Creates a RADIUS provider group and enters authentication server group security RADIUS mode.

Step 6  Command or Action: UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius-provider-name
        Purpose: Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode.

Step 7  Command or Action: UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order order-num
        Purpose: Specifies the order in which Cisco UCS uses this provider to authenticate users.
        Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8  Command or Action: UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # commit-buffer
        Purpose: Commits the transaction to the system configuration.

The following example shows how to create a RADIUS provider group called radiusgroup, add two previously configured providers called radius1 and radius2 to the provider group, set the order, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref #

What to Do Next

Configure an authentication domain or select a default authentication service.

Deleting a RADIUS Provider Group

Remove the provider group from an authentication configuration.

Procedure

Step 1  Command or Action: UCSC# connect policy-mgr
        Purpose: Enters policy manager mode.

Step 2  Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
        Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  Command or Action: UCSC(policy-mgr) /domain-group # scope security
        Purpose: Enters security mode.

Step 4  Command or Action: UCSC(policy-mgr) /domain-group/security # scope radius
        Purpose: Enters security RADIUS mode.

Step 5  Command or Action: UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group auth-server-group-name
        Purpose: Deletes the RADIUS provider group.

Step 6  Command or Action: UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
        Purpose: Commits the transaction to the system configuration.

The following example shows how to delete a RADIUS provider group called radiusgroup and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #

Creating a TACACS+ Provider Group

Creating a TACACS+ provider group allows you to authenticate using multiple TACACS+ databases.

Note: Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider group.

Before You Begin

Create a TACACS+ provider.

Procedure

Step 1  Command or Action: UCSC# connect policy-mgr
        Purpose: Enters policy manager mode.

Step 2  Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
        Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  Command or Action: UCSC(policy-mgr) /domain-group # scope security
        Purpose: Enters security mode.

Step 4  Command or Action: UCSC(policy-mgr) /domain-group/security # scope tacacs
        Purpose: Enters security TACACS+ mode.

Step 5  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group auth-server-group-name
        Purpose: Creates a TACACS+ provider group and enters authentication server group security TACACS+ mode.

Step 6  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs-provider-name
        Purpose: Adds the specified TACACS+ provider to the TACACS+ provider group and enters server reference authentication server group security TACACS+ mode.

Step 7  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order order-num
        Purpose: Specifies the order in which Cisco UCS uses this provider to authenticate users.
        Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.

Step 8  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # commit-buffer
        Purpose: Commits the transaction to the system configuration.

The following example shows how to create a TACACS+ provider group called tacacsgroup, add two previously configured providers called tacacs1 and tacacs2 to the provider group, set the order, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref #

What to Do Next

Configure an authentication domain or select a default authentication service.
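
The RADIUS and TACACS+ provider group procedures above differ only in the scope name, so the following added example (not Cisco's code) generalizes both worked examples to any number of providers: it checks each order value against the documented no-value and 0-16 range, flags orderings that leave the priority ambiguous, and returns the command sequence to enter in the CLI. The function names, the name-character check and the handling of ties are assumptions of this example.

```python
import re

REALM_SCOPES = ("radius", "tacacs")   # scope names used in the two procedures above
NO_VALUE = "no-value"                 # documented alternative to an order of 0-16
# Assumption: a conservative name check of this example, not a documented
# UCS Central rule. It keeps whitespace and separators out of generated commands.
SAFE_NAME = re.compile(r"^[A-Za-z0-9._-]+$")


def order_token(order):
    """Return the CLI token for an order: 'no-value' or an integer 0-16."""
    if order == NO_VALUE:
        return NO_VALUE
    if isinstance(order, bool) or not isinstance(order, int) or not 0 <= order <= 16:
        raise ValueError(f"order must be {NO_VALUE!r} or an integer 0-16, got {order!r}")
    return str(order)


def try_sequence(providers):
    """Provider names from highest to lowest priority.

    no-value ranks as highest priority, then the lowest number comes first.
    Ties keep input order, which is an assumption: the page does not say
    how equal priorities are resolved.
    """
    for _, order in providers:
        order_token(order)
    ranked = sorted(providers, key=lambda p: -1 if p[1] == NO_VALUE else p[1])
    return [name for name, _ in ranked]


def review_group(providers):
    """Return a list of findings for a [(provider_name, order), ...] list."""
    findings = []
    if len(providers) < 2:
        findings.append("fewer than two providers: a provider group is not required")
    names = [name for name, _ in providers]
    for name in sorted(set(names)):
        if names.count(name) > 1:
            findings.append(f"provider {name} is referenced more than once")
    explicit = [order for _, order in providers if order != NO_VALUE]
    for order in sorted(set(explicit)):
        if explicit.count(order) > 1:
            findings.append(f"order {order} is assigned to more than one provider")
    unset = [name for name, order in providers if order == NO_VALUE]
    if len(unset) > 1:
        findings.append("no-value set on several providers, each claims highest priority: "
                        + ", ".join(unset))
    return findings


def build_commands(realm, group, providers, domain_group="/"):
    """Return the CLI commands (without prompts) that create the provider group."""
    if realm not in REALM_SCOPES:
        raise ValueError(f"this example covers only {REALM_SCOPES}, got {realm!r}")
    if not providers:
        raise ValueError("at least one provider is required")
    if domain_group != "/" and not SAFE_NAME.match(domain_group):
        raise ValueError(f"unsafe domain group name: {domain_group!r}")
    for name in [group] + [n for n, _ in providers]:
        if not SAFE_NAME.match(name):
            raise ValueError(f"unsafe name: {name!r}")
    commands = [
        "connect policy-mgr",
        f"scope domain-group {domain_group}",   # "/" selects the domain group root
        "scope security",
        f"scope {realm}",
        f"create auth-server-group {group}",
    ]
    for index, (name, order) in enumerate(providers):
        if index:
            commands.append("up")               # leave server-ref mode before the next one
        commands.append(f"create server-ref {name}")
        commands.append(f"set order {order_token(order)}")
    commands.append("commit-buffer")
    return commands


if __name__ == "__main__":
    # Constructed input that mirrors the names in the RADIUS example above.
    sample = [("radius1", 1), ("radius2", 2)]
    for finding in review_group(sample):
        print("REVIEW:", finding)
    print("\n".join(build_commands("radius", "radiusgroup", sample)))
```
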

Deleting a TACACS+ Provider Group

Remove the provider group from an authentication configuration.

Procedure

Step 1  Command or Action: UCSC# connect policy-mgr
        Purpose: Enters policy manager mode.

Step 2  Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
        Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  Command or Action: UCSC(policy-mgr) /domain-group # scope security
        Purpose: Enters security mode.

Step 4  Command or Action: UCSC(policy-mgr) /domain-group/security # scope tacacs
        Purpose: Enters security TACACS+ mode.

Step 5  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group auth-server-group-name
        Purpose: Deletes the TACACS+ provider group.

Step 6  Command or Action: UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
        Purpose: Commits the transaction to the system configuration.

The following example shows how to delete a TACACS+ provider group called tacacsgroup and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #

Authentication Domains

Cisco UCS Domain uses authentication domains to leverage multiple authentication systems. Each authentication domain is specified and configured during login. If no authentication domain is specified, the default authentication service configuration is used.

You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Domain. If no provider group is specified, all servers within the realm are used.

Note: Effective with this release, authentication domains for LDAP are supported for Cisco UCS Central. However, the authentication domains are supported for managed Cisco UCS domains from the Cisco UCS Central Domain Group root.


                                                                                                                Creating an Authentication Domain

                                                                                                                Procedure
                                                                                                                   Command or ActionPurpose
                                                                                                                  Step 1UCSC# connect policy-mgr  

                                                                                                                  Enters policy manager mode.

                                                                                                                   
                                                                                                                  Step 2UCSC(policy-mgr) # scope domain-group domain-group  

                                                                                                                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                                                   
Step 3  UCSC(policy-mgr) /domain-group # scope security

Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm

Enters authentication realm mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain-name

Creates an authentication domain and enters authentication domain mode. The RADIUS-related settings will be applicable only for the Cisco UCS domains under the Domain Group root and child domain groups.

Note

For systems using a remote authentication protocol, the authentication domain name is considered part of the user name and counts toward the 32-character limit for locally created user names. Because Cisco UCS inserts 5 characters for formatting, authentication will fail if the domain name and user name combined character total exceeds 27.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period seconds  (Optional)

When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain.

If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session.

Specify an integer between 60 and 172800. The default is 600 seconds.

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout seconds  (Optional)

The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session.

Specify an integer between 60 and 172800. The default is 7200 seconds.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth  (Optional)

Creates a default authentication for the specified authentication domain.

Step 9  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name  (Optional)

Specifies the provider group for the specified authentication domain.

Step 10  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm {ldap | local | radius | tacacs}

Specifies the realm for the specified authentication domain.

Step 11  UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                   
The following example shows how to create an authentication domain called domain1 with a web refresh period of 3600 seconds (1 hour) and a session timeout period of 14400 seconds (4 hours), configure domain1 to use the providers in ldapgroup1, set the realm type to ldap, and commit the transaction.

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period 3600
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout 14400
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth #
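The limits stated in this procedure (the 27-character combined name limit from the Note, the 60 to 172800 second timer range, and the realm keywords) can be checked before anything is typed into the CLI. The following is an added example, not Cisco code: the function names and the sample user names are constructed for illustration, and it checks only the limits this procedure states.

```python
# Added illustration; helper names are hypothetical, limits are the ones stated above.
ALLOWED_REALMS = ("ldap", "local", "radius", "tacacs")  # keywords accepted by "set realm" (Step 10)
TIMER_MIN, TIMER_MAX = 60, 172800                       # seconds, range given in Steps 6 and 7
MAX_DOMAIN_PLUS_USER = 27                               # combined limit from the Note under Step 5


def username_budget(domain_name):
    """Characters left for a user name once the domain name is counted."""
    return MAX_DOMAIN_PLUS_USER - len(domain_name)


def check_plan(domain_name, realm, usernames=(), refresh_period=None, session_timeout=None):
    """Return a list of problems; an empty list means the plan fits the stated limits."""
    problems = []
    if realm not in ALLOWED_REALMS:
        problems.append(f"realm {realm!r} is not one of {', '.join(ALLOWED_REALMS)}")
    for label, value in (("refresh-period", refresh_period),
                         ("session-timeout", session_timeout)):
        if value is not None and not TIMER_MIN <= value <= TIMER_MAX:
            problems.append(f"{label} {value} is outside {TIMER_MIN}-{TIMER_MAX} seconds")
    budget = username_budget(domain_name)
    if budget < 1:
        problems.append(f"domain name {domain_name!r} leaves no room for a user name")
    for user in usernames:
        if len(user) > budget:
            problems.append(
                f"user {user!r} ({len(user)} chars) exceeds the {budget}-char budget "
                f"left by domain {domain_name!r}")
    return problems


def render_commands(domain_name, realm, provider_group=None,
                    refresh_period=None, session_timeout=None):
    """Build the command sequence of the procedure, skipping unset optional steps."""
    commands = ["connect policy-mgr", "scope domain-group", "scope security",
                "scope auth-realm", f"create auth-domain {domain_name}"]
    if refresh_period is not None:
        commands.append(f"set refresh-period {refresh_period}")
    if session_timeout is not None:
        commands.append(f"set session-timeout {session_timeout}")
    commands.append("create default-auth")  # needed to reach the scope where the realm is set
    if provider_group:
        commands.append(f"set auth-server-group {provider_group}")
    commands += [f"set realm {realm}", "commit-buffer"]
    return commands


def plan(domain_name, realm, **options):
    """Refuse to render commands for a plan that breaks a stated limit."""
    usernames = options.pop("usernames", ())
    problems = check_plan(domain_name, realm, usernames,
                          options.get("refresh_period"), options.get("session_timeout"))
    if problems:
        raise ValueError("; ".join(problems))
    return render_commands(domain_name, realm, **options)


if __name__ == "__main__":
    # Constructed sample account names, not taken from any real directory.
    sample_users = ["jsmith", "svc-backup-operator-east"]
    for problem in check_plan("domain1", "ldap", sample_users, 3600, 14400):
        print("PROBLEM:", problem)
    print("\n".join(plan("domain1", "ldap", provider_group="ldapgroup1",
                         refresh_period=3600, session_timeout=14400)))
```

With the domain name domain1 from the example above, 20 characters remain for each remote user name.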

Selecting a Primary Authentication Service

Selecting the Console Authentication Service

Before You Begin

If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.

Procedure

Command or Action / Purpose

Step 1  UCSC# connect policy-mgr

Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security

Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm

Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth

Enters console authorization security mode.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm auth-type

Specifies the console authentication, where the auth-type argument is one of the following keywords:

• ldap: Specifies LDAP authentication

• local: Specifies local authentication

• none: Allows local users to log on without specifying a password

• radius: Specifies RADIUS authentication

• tacacs: Specifies TACACS+ authentication

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group auth-serv-group-name

The associated provider group, if any.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                     

The following example shows how to set the authentication to LDAP, set the console authentication provider group to provider1, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth #
                                                                                                                    

Selecting the Default Authentication Service

Procedure

Command or Action / Purpose

Step 1  UCSC# connect policy-mgr

Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security

Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm

Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth

Enters default authorization security mode.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm auth-type

Specifies the default authentication, where auth-type is one of the following keywords:

• ldap: Specifies LDAP authentication

• local: Specifies local authentication

• none: Allows local users to log on without specifying a password

• radius: Specifies RADIUS authentication

• tacacs: Specifies TACACS+ authentication

Step 7  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group auth-serv-group-name  (Optional)

The associated provider group, if any.

Step 8  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period seconds  (Optional)

When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain.

If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session.

Step 9  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout seconds  (Optional)

The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session.

Specify an integer between 60 and 172800. The default is 7200 seconds.

Step 10  UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                       

The following example shows how to set the default authentication to LDAP, set the default authentication provider group to provider1, set the refresh period to 7200 seconds (2 hours), set the session timeout period to 28800 seconds (8 hours), and commit the transaction.

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period 7200
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout 28800
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth #
                                                                                                                      

Role Policy for Remote Users

By default, if user roles are not configured in Cisco UCS Central, read-only access is granted to all users logging in to Cisco UCS Central from a remote server using the LDAP protocol (excluding RADIUS and TACACS+ authentication in this release).

Note

RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains.

You can configure the role policy for remote users in the following ways:

• assign-default-role

  Does not restrict user access to Cisco UCS Central based on user roles. Read-only access is granted to all users unless other user roles have been defined in Cisco UCS Central.

  This is the default behavior.

• no-login

  Restricts user access to Cisco UCS Central based on user roles. If user roles have not been assigned for the remote authentication system, access is denied.

For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Central.

Configuring the Role Policy for Remote Users

Procedure

Command or Action / Purpose

Step 1  UCSC# connect policy-mgr

Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope security

Enters security mode.

Step 4  UCSC(policy-mgr) /domain-group/security # scope auth-realm

Enters authentication realm security mode.

Step 5  UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role {assign-default-role | no-login}

Specifies whether user access to Cisco UCS Central is restricted based on user roles.

Step 6  UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                         
The following example shows how to set the role policy for remote users and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm #
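Saved CLI sessions in the prompt format used in this chapter can be reviewed for the two settings described above as loosening access (set realm none for console or default authentication, and set remote-user default-role assign-default-role), and for changes that were never followed by commit-buffer. The following is an added example, not Cisco code: the transcript is constructed, the function names are hypothetical, and the scope is taken from the prompt path only, so two authentication domains edited in one session are not told apart.

```python
import re

# Prompt shape used in this chapter: UCSC(<manager>) <scope path>[*] # <command>
# The trailing * appears once a change is pending and disappears after commit-buffer.
PROMPT = re.compile(r"^UCSC(?:\([\w-]+\))?\s*(/[^\s*]*)?\*?\s*#\s*(.*)$")

# Constructed sample session (not captured from a real system).
SAMPLE_TRANSCRIPT = """\
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm none
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group provider1
"""


def replay(transcript):
    """Replay a session; return (committed, pending) dicts keyed by (scope, setting)."""
    committed, pending = {}, {}
    for line in transcript.splitlines():
        match = PROMPT.match(line.strip())
        if not match:
            continue  # command output or blank line
        scope = match.group(1) or "/"
        tokens = match.group(2).split()
        if not tokens:
            continue  # bare prompt with no command
        if tokens[0] == "set" and len(tokens) >= 3:
            # "set realm ldap" -> ("realm", "ldap")
            # "set remote-user default-role no-login" -> ("remote-user default-role", "no-login")
            pending[(scope, " ".join(tokens[1:-1]))] = tokens[-1]
        elif tokens[0] == "commit-buffer":
            committed.update(pending)
            pending.clear()
    return committed, pending


def risk_of(scope, setting, value):
    """Return a reason when a setting loosens access as described above, else None."""
    leaf = scope.rsplit("/", 1)[-1]
    if setting == "realm" and value == "none" and leaf in ("console-auth", "default-auth"):
        return "local users can log on without specifying a password"
    if setting == "remote-user default-role" and value == "assign-default-role":
        return "remote users with no assigned role still get read-only access"
    return None


def audit(transcript):
    """Return findings as (state, scope, 'setting value', reason) tuples."""
    committed, pending = replay(transcript)
    findings = []
    for (scope, setting), value in committed.items():
        reason = risk_of(scope, setting, value)
        if reason:
            findings.append(("committed", scope, f"{setting} {value}", reason))
    for (scope, setting), value in pending.items():
        in_effect = committed.get((scope, setting), "not set in this session")
        findings.append(("uncommitted", scope, f"{setting} {value}",
                         f"no commit-buffer followed; setting in effect: {in_effect}"))
    return findings


if __name__ == "__main__":
    for state, scope, change, reason in audit(SAMPLE_TRANSCRIPT):
        print(f"[{state}] {scope}: {change} ({reason})")
```

In the constructed session the console realm is still none, because the later change to ldap was never committed.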

                                                                                                                        Managing DNS Policies

                                                                                                                        Cisco UCS Central supports global DNS policies defining the DNS server and domain name. Registered Cisco UCS domains choosing to define DNS management globally within that domain's policy resolution control will defer DNS management to its registration with Cisco UCS Central.

                                                                                                                        Configuring a DNS Policy

                                                                                                                        Before You Begin

Before you configure a DNS policy in a domain group under the domain group root, the policy must first be created. Policies under the domain group root are already created by the system and are ready to configure.

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    (Optional) UCSC(policy-mgr) /domain-group # scope dns-config
          If you scoped into the domain group root in the previous step, enters the default DNS policy's configuration mode from the domain group root.

Step 4    (Optional) UCSC(policy-mgr) /domain-group # create dns-config
          If you scoped into a domain group in the previous step, creates the DNS policy for that domain group.

Step 5    UCSC(policy-mgr) /domain-group/dns-config* # set domain-name server-domain-name
          Defines the DNS domain name.

Step 6    UCSC(policy-mgr) /domain-group/dns-config* # commit-buffer
          Commits the transaction to the system configuration.

                                                                                                                           

                                                                                                                          The following example shows how to scope into the domain group root (which has an existing DNS policy by default), define the DNS domain name as dnsdomain, and commit the transaction:

                                                                                                                          UCSC # connect policy-mgr
                                                                                                                          UCSC(policy-mgr)# scope domain-group /
                                                                                                                          UCSC(policy-mgr) /domain-group # scope dns-config
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group # set domain-name dnsdomain
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                          
                                                                                                                          

                                                                                                                          The following example shows how to scope into the domain group domaingroup01, create the DNS policy for that domain group, define the DNS domain name as dnsdomain, and commit the transaction:

                                                                                                                          UCSC # connect policy-mgr
                                                                                                                          UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                          UCSC(policy-mgr) /domain-group # create dns-config
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group* # set domain-name dnsdomain
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                          UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                          

                                                                                                                          Deleting a DNS Policy

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr)# scope domain-group domain-group
          Enters a domain group under the domain group root.
          Note: Do not enter the domain group root itself. System default DNS policies cannot be deleted under the domain group root.

Step 3    UCSC(policy-mgr) /domain-group # delete dns-config
          Deletes the DNS policy for that domain group.

Step 4    UCSC(policy-mgr) /domain-group* # commit-buffer
          Commits the transaction to the system configuration.

                                                                                                                             

                                                                                                                            The following example shows how to scope into the domain group domaingroup01, delete the DNS policy for that domain group, and commit the transaction:

                                                                                                                            UCSC # connect policy-mgr
                                                                                                                            UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                            UCSC(policy-mgr) /domain-group/domain-group # delete dns-config
                                                                                                                            UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                            UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                            

                                                                                                                            Configuring a DNS Server for a DNS Policy

                                                                                                                            Before You Begin

                                                                                                                            Configure a DNS policy.

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    UCSC(policy-mgr) /domain-group # scope dns-config
          Enters the existing DNS policy's configuration mode for the domain group root or for the domain group you scoped into.

Step 4    UCSC(policy-mgr) /domain-group/dns-config # create dns server-IP-address
          Creates a DNS server instance.

Step 5    UCSC(policy-mgr) /domain-group/dns-config* # commit-buffer
          Commits the transaction to the system configuration.

                                                                                                                               

                                                                                                                              The following example shows how to scope into the domain group root, create a DNS server instance named 0.0.0.0, and commit the transaction:

                                                                                                                              UCSC # connect policy-mgr
                                                                                                                              UCSC(policy-mgr)# scope domain-group /
                                                                                                                              UCSC(policy-mgr) /domain-group # scope dns-config
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group # create dns 0.0.0.0
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                              
                                                                                                                              

                                                                                                                              The following example shows how to scope into the domain group domaingroup01, create a DNS server instance named 0.0.0.0, and commit the transaction:

                                                                                                                              UCSC # connect policy-mgr
                                                                                                                              UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                              UCSC(policy-mgr) /domain-group # scope dns-config
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group # create dns 0.0.0.0
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                              UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                              

                                                                                                                              Deleting a DNS Server from a DNS Policy

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    UCSC(policy-mgr) /domain-group # scope dns-config
          Enters the existing DNS policy's configuration mode for the domain group root or for the domain group you scoped into.

Step 4    UCSC(policy-mgr) /domain-group/dns-config # delete dns server-IP-address
          Deletes a DNS server instance.

Step 5    UCSC(policy-mgr) /domain-group/dns-config* # commit-buffer
          Commits the transaction to the system configuration.

                                                                                                                                 

                                                                                                                                The following example shows how to scope into the domain group root, delete a DNS server instance named 0.0.0.0, and commit the transaction:

                                                                                                                                UCSC # connect policy-mgr
                                                                                                                                UCSC(policy-mgr)# scope domain-group /
                                                                                                                                UCSC(policy-mgr) /domain-group # scope dns-config
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group # delete dns 0.0.0.0
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group # 
                                                                                                                                
                                                                                                                                

                                                                                                                                The following example shows how to scope into the domain group domaingroup01, delete a DNS server instance named 0.0.0.0, and commit the transaction:

                                                                                                                                UCSC # connect policy-mgr
                                                                                                                                UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                UCSC(policy-mgr) /domain-group # scope dns-config
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group # delete dns 0.0.0.0
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group* # commit-buffer
                                                                                                                                UCSC(policy-mgr) /domain-group/domain-group # 
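The four DNS procedures above (configuring and deleting a DNS policy, adding and removing a DNS server) can be expressed as a command-plan builder that checks its inputs before anything is typed into policy manager. This is an added example, not Cisco code: the action names, the policy_exists flag, the domain group name allow-list and the address checks are assumptions of the example, while the emitted commands are the ones shown in the procedures.

```python
import ipaddress
import re

ROOT = "/"  # the page's notation for the domain group root

# Assumption of this example: a conservative allow-list for domain group names so
# a crafted name cannot smuggle extra CLI tokens. Not UCS Central's own naming rule.
_GROUP_RE = re.compile(r"[A-Za-z0-9_.-]+")
# RFC 1123 style domain name: dot-separated labels of 1 to 63 characters.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_DOMAIN_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def validate_dns_server(addr):
    """Return the normalised IPv4/IPv6 address, or raise ValueError."""
    ip = ipaddress.ip_address(addr.strip())  # ValueError on malformed input
    # 0.0.0.0 / :: (the placeholder used in the page's examples), loopback and
    # multicast addresses cannot serve as a resolver for registered domains.
    if ip.is_unspecified or ip.is_loopback or ip.is_multicast:
        raise ValueError(f"{addr!r} is not usable as a DNS server address")
    return str(ip)


def dns_policy_commands(domain_group, action, value=None, policy_exists=True):
    """Build the policy-mgr command list for one DNS policy change.

    action: 'set-domain-name', 'delete-policy', 'add-server' or 'delete-server'
    policy_exists: whether a non-root domain group already has a DNS policy
    """
    is_root = domain_group == ROOT
    if not is_root and not _GROUP_RE.fullmatch(domain_group):
        raise ValueError(f"unexpected domain group name: {domain_group!r}")
    if action != "delete-policy" and not isinstance(value, str):
        raise ValueError(f"{action} needs a value")

    cmds = ["connect policy-mgr", f"scope domain-group {domain_group}"]

    if action == "delete-policy":
        # Page note: system default DNS policies under the root cannot be deleted.
        if is_root:
            raise ValueError("the DNS policy under the domain group root cannot be deleted")
        cmds.append("delete dns-config")
    elif action == "set-domain-name":
        if len(value) > 253 or not _DOMAIN_RE.fullmatch(value):
            raise ValueError(f"invalid DNS domain name: {value!r}")
        # The root always has a system-created policy; elsewhere create it if missing.
        cmds.append("scope dns-config" if is_root or policy_exists else "create dns-config")
        cmds.append(f"set domain-name {value}")
    elif action in ("add-server", "delete-server"):
        # "Before You Begin: Configure a DNS policy."
        if not (is_root or policy_exists):
            raise ValueError("configure a DNS policy for this domain group first")
        cmds.append("scope dns-config")
        if action == "add-server":
            cmds.append(f"create dns {validate_dns_server(value)}")
        else:
            # Deletion only requires a well-formed address, so a placeholder
            # entry such as 0.0.0.0 can still be removed.
            cmds.append(f"delete dns {ipaddress.ip_address(value.strip())}")
    else:
        raise ValueError(f"unknown action: {action!r}")

    cmds.append("commit-buffer")
    return cmds


if __name__ == "__main__":
    # Constructed sample inputs (documentation address ranges).
    for line in dns_policy_commands("domaingroup01", "add-server", "192.0.2.53"):
        print(line)
    for line in dns_policy_commands(ROOT, "add-server", "2001:DB8:0:0::53"):
        print(line)
```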
                                                                                                                                

                                                                                                                                Creating a Global Power Allocation Policy

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    UCSC(policy-mgr) /domain-group # create cap-policy
          Creates a global power allocation policy for the specified domain group.

Step 4    UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
          Commits the transaction to the system.

                                                                                                                                   

                                                                                                                                  The following example shows how to create a global power allocation policy for a domain group:

                                                                                                                                  UCSC# connect policy-mgr
                                                                                                                                  UCSC(policy-mgr)# scope domain-group dg1
                                                                                                                                  UCSC(policy-mgr) /domain-group # create cap-policy
                                                                                                                                  UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
                                                                                                                                  UCSC(policy-mgr) /domain-group/cap-policy # 
                                                                                                                                  

                                                                                                                                  Deleting a Global Power Allocation Policy

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    UCSC(policy-mgr) /domain-group # delete cap-policy
          Deletes the global power allocation policy for the specified domain group.

Step 4    UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
          Commits the transaction to the system.

                                                                                                                                     

                                                                                                                                    The following example shows how to delete a global power allocation policy for a domain group:

                                                                                                                                    UCSC# connect policy-mgr
                                                                                                                                    UCSC(policy-mgr)# scope domain-group dg1
                                                                                                                                    UCSC(policy-mgr) /domain-group # delete cap-policy
                                                                                                                                    UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
                                                                                                                                    UCSC(policy-mgr) /domain-group/cap-policy # 
                                                                                                                                    

                                                                                                                                    Configuring a Global Power Allocation Policy for a Chassis Group

Procedure

Step 1    UCSC# connect policy-mgr
          Enters policy manager mode.

Step 2    UCSC(policy-mgr) # scope domain-group domain-group
          Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3    UCSC(policy-mgr) /domain-group # scope cap-policy
          Enters the global power allocation mode.

Step 4    UCSC(policy-mgr) /domain-group/cap-policy # set cap-policy policy-driven-chassis-group-cap
          Specifies the global power allocation policy for the chassis group in the domain group.

Step 5    UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
          Commits the transaction to the system.

                                                                                                                                       

                                                                                                                                      The following example shows how to configure a global power allocation policy for a chassis group:

                                                                                                                                      UCSC# connect policy-mgr
                                                                                                                                      UCSC(policy-mgr) /domain-group # scope domain-group dg1
                                                                                                                                      UCSC(policy-mgr) /domain-group # scope cap-policy
                                                                                                                                      UCSC(policy-mgr) /domain-group/cap-policy # set cap-policy policy-driven-chassis-group-cap 
                                                                                                                                      UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
                                                                                                                                      UCSC(policy-mgr) /domain-group/cap-policy # 
                                                                                                                                      

Configuring a Global Power Allocation Policy Manually for a Blade Server

Procedure

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope cap-policy

Enters the global power allocation mode.

Step 4   UCSC(policy-mgr) /domain-group/cap-policy # set cap-policy manual-blade-level-cap

Enables manual blade server level power allocation.

Step 5   UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer

Commits the transaction to the system.

The following example shows how to configure a manual power allocation policy for a blade server:

    UCSC# connect policy-mgr
    UCSC(policy-mgr)# scope domain-group dg1
    UCSC(policy-mgr) /domain-group # scope cap-policy
    UCSC(policy-mgr) /domain-group/cap-policy # set cap-policy manual-blade-level-cap
    UCSC(policy-mgr) /domain-group/cap-policy* # commit-buffer
    UCSC(policy-mgr) /domain-group/cap-policy #

Managing Power Policies

Cisco UCS Central supports global equipment policies that define the global power allocation policy (based on the policy driven chassis group cap or manual blade level cap methods) and the power policy (based on the grid, n+1 or non-redundant methods). A registered Cisco UCS domain that chooses to define power management and power supply units globally within its policy resolution control defers power management and power supply unit configuration to its registration with Cisco UCS Central.

Creating an Equipment Power Policy

Procedure

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # create psu-policy

Creates the power policy from the domain group.

Step 4   UCSC(policy-mgr) /domain-group* # commit-buffer

Commits the transaction to the system.

The following example shows how to create an equipment power policy:

    UCSC# connect policy-mgr
    UCSC(policy-mgr)# scope domain-group dg1
    UCSC(policy-mgr) /domain-group # create psu-policy
    UCSC(policy-mgr) /domain-group* # commit-buffer
    UCSC(policy-mgr) /domain-group #

Deleting an Equipment Power Policy

Procedure

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # delete psu-policy

Deletes the power policy from the domain group.

Step 4   UCSC(policy-mgr) /domain-group* # commit-buffer

Commits the transaction to the system.

The following example shows how to delete an equipment power policy:

    UCSC# connect policy-mgr
    UCSC(policy-mgr)# scope domain-group dg1
    UCSC(policy-mgr) /domain-group # delete psu-policy
    UCSC(policy-mgr) /domain-group* # commit-buffer
    UCSC(policy-mgr) /domain-group #

Configuring an Equipment Power Policy

Before You Begin

Before you configure an equipment power policy under a domain group, the policy must first be created. Policies under the Domain Groups root were already created by the system and are ready to configure.

Procedure

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope psu-policy

Enters the power policy mode.

Step 4   UCSC(policy-mgr) /domain-group/psu-policy # set descr power-policy-description-text

Specifies the description for the power policy.

Step 5   UCSC(policy-mgr) /domain-group/psu-policy # set redundancy grid | n-plus-1 | non-redund

Specifies the redundancy for the power policy for Grid (grid), N-Plus-1 (n-plus-1), or non-redundancy (non-redund).

The following example scopes the domain group dg1 and configures the equipment power policy for that domain group:

    UCSC# connect policy-mgr
    UCSC(policy-mgr)# scope domain-group dg1
    UCSC(policy-mgr) /domain-group # scope psu-policy
    UCSC(policy-mgr) /domain-group/psu-policy # set descr "Power policy for sector 24"
    UCSC(policy-mgr) /domain-group/psu-policy* # set redundancy grid
    UCSC(policy-mgr) /domain-group/psu-policy* # commit-buffer
    UCSC(policy-mgr) /domain-group/psu-policy #

Viewing an Equipment Power Policy

Procedure

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # show psu-policy

Displays the power policy.

The following example shows how to view an equipment power policy:

    UCSC# connect policy-mgr
    UCSC(policy-mgr)# scope domain-group dg1
    UCSC(policy-mgr) /domain-group # scope psu-policy
    UCSC(policy-mgr) /domain-group/psu-policy # show
    PSU Policy:
        Domain Group Redundancy Description
        ------------ ---------- -----------
        root/dg1     NPlus1
    UCSC(policy-mgr) /domain-group/psu-policy #
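
The following Python check is an added example, not part of the Cisco documentation. It parses captured show output in the PSU Policy table layout above (several captures may be concatenated) and compares each domain group's redundancy with an operator-defined baseline, so a weakened power redundancy setting shows up in review. The root/dg2 row, the BASELINE mapping, and the "Grid" display string are constructed assumptions; only NPlus1 appears in the sample output on this page.

```python
from dataclasses import dataclass


@dataclass
class PsuPolicy:
    domain_group: str
    redundancy: str
    description: str


def parse_psu_policy(text):
    """Parse every PSU Policy table found in captured CLI text.

    Column boundaries come from the dashed ruler under the header, so an
    empty Description and descriptions containing spaces both parse.
    """
    rows, starts, prev = [], None, ""
    for line in text.splitlines():
        body = line.strip()
        if body and set(body) <= {"-", " "}:
            # A ruler only opens a table when it sits under the expected header.
            starts = None
            if "Redundancy" in prev:
                starts = [i for i, ch in enumerate(line)
                          if ch == "-" and (i == 0 or line[i - 1] != "-")]
                if len(starts) != 3:
                    raise ValueError(f"expected 3 columns, got {len(starts)}")
            prev = body
            continue
        prev = body
        if starts is None:
            continue
        # A blank line, text left of the first column, or a CLI prompt
        # (ends with '#') closes the table.
        if not body or line[:starts[0]].strip() or body.endswith("#"):
            starts = None
            continue
        rows.append(PsuPolicy(
            line[starts[0]:starts[1]].strip(),
            line[starts[1]:starts[2]].strip(),
            line[starts[2]:].strip(),
        ))
    return rows


def audit(policies, baseline):
    """Return (domain_group, finding, detail) tuples for baseline deviations."""
    findings = []
    seen = {p.domain_group: p for p in policies}
    for group, expected in sorted(baseline.items()):
        policy = seen.get(group)
        if policy is None:
            findings.append((group, "missing",
                             f"no PSU policy row; expected {expected}"))
            continue
        if policy.redundancy.lower() != expected.lower():
            findings.append((group, "redundancy-drift",
                             f"expected {expected}, found {policy.redundancy}"))
        if not policy.description:
            findings.append((group, "no-description",
                             "policy has no description to identify its owner"))
    for group in sorted(set(seen) - set(baseline)):
        findings.append((group, "unbaselined",
                         f"found {seen[group].redundancy}, no baseline entry"))
    return findings


# Constructed capture: the root/dg1 row matches the page's sample output,
# the root/dg2 row is invented for illustration.
SAMPLE = """\
UCSC(policy-mgr) /domain-group/psu-policy # show
PSU Policy:
    Domain Group Redundancy Description
    ------------ ---------- -----------
    root/dg1     NPlus1
    root/dg2     NPlus1     Power policy for sector 24
UCSC(policy-mgr) /domain-group/psu-policy #
"""

# Operator-defined expectation (assumption). "Grid" is an assumed display
# string; confirm it against real output before relying on it.
BASELINE = {"root/dg1": "NPlus1", "root/dg2": "Grid", "root/dg3": "NPlus1"}

if __name__ == "__main__":
    for group, finding, detail in audit(parse_psu_policy(SAMPLE), BASELINE):
        print(f"{group}: {finding}: {detail}")
```
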
                                                                                                                                                

                                                                                                                                                Managing Time Zones

                                                                                                                                                Cisco UCS Central supports global date and time policies based on international time zones and defined NTP server. Registered Cisco UCS Manager clients choosing to define date and time globally within that client's policy resolution control will defer the configuration for date and time to its registration with Cisco UCS Central.

                                                                                                                                                Configuring a Date and Time Policy

                                                                                                                                                Procedure
                                                                                                                                                   Command or ActionPurpose
                                                                                                                                                  Step 1UCSC# connect policy-mgr  

                                                                                                                                                  Enters policy manager mode.

                                                                                                                                                   
                                                                                                                                                  Step 2UCSC(policy-mgr) # scope domain-group domain-group  

                                                                                                                                                  Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

                                                                                                                                                   
                                                                                                                                                  Step 3UCSC(policy-mgr) /domain-group # create domain-group domain-group   (Optional)

                                                                                                                                                  This step is only necessary to create a new domain group under the Domain Group root (or creates a domain group under the domain group scoped into).

                                                                                                                                                   
                                                                                                                                                  Step 4UCSC(policy-mgr) /domain-group* # commit-buffer   (Optional)

                                                                                                                                                  This step is only necessary after creating a new domain group under the Domain Group root (or creating a domain group under the domain group scoped into). Commits the new domain group to the system configuration.

                                                                                                                                                   
                                                                                                                                                  Step 5UCSC(policy-mgr) /domain-group # create timezone-ntp-config   (Optional)

                                                                                                                                                  This step is only necessary the first time a date and time policy is configured for the newly created domain group under the Domain Group root that was created in the previous step, then enter the time zone NTP configuration mode. A date and time policy was created by the system for the Domain Group root, and is ready to be configured.

                                                                                                                                                   
                                                                                                                                                  Step 6UCSC(policy-mgr) /domain-group* # scope timezone-ntp-config   (Optional)

                                                                                                                                                  This step is only necessary if entering an existing date and time policy's time zone NTP configuration mode from the Domain Group root or a domain group scoped into. Skip this step if creating a date and time policy.

                                                                                                                                                   
                                                                                                                                                  Step 7UCSC(policy-mgr) /domain-group/timezone-ntp-config* # set timezone  

                                                                                                                                                  To set the time zone, press Enter after typing the set timezone command and enter the key value at the prompt. Configures the NTP server time zone. The attribute options are as follows:

• 1 — Africa
• 2 — Americas
• 3 — Antarctica
• 4 — Arctic Ocean
• 5 — Asia
• 6 — Atlantic Ocean
• 7 — Australia
• 8 — Europe
• 9 — Indian Ocean
• 10 — Pacific Ocean

                                                                                                                                                   
Step 8   UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer

                                                                                                                                                  Commits the transaction to the system configuration.

                                                                                                                                                   

The following example shows how to scope the Domain Group root, configure the time zone setting to Indian Ocean ("a continent or ocean") and Maldives ("a country"), and commit the transaction:

                                                                                                                                                  UCSC # connect policy-mgr
                                                                                                                                                  UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                  UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config # set timezone
                                                                                                                                                  Please identify a location so that time zone rules can be set correctly.
                                                                                                                                                  Please select a continent or ocean.
                                                                                                                                                  1) Africa            4) Arctic Ocean     7) Australia       10) Pacific Ocean
                                                                                                                                                  2) Americas          5) Asia             8) Europe
                                                                                                                                                  3) Antarctica        6) Atlantic Ocean   9) Indian Ocean
                                                                                                                                                  #? 9
                                                                                                                                                  Please select a country.
                                                                                                                                                  1) British Indian Ocean Territory       7) Maldives
                                                                                                                                                  2) Christmas Island                     8) Mauritius
                                                                                                                                                  3) Cocos (Keeling) Islands              9) Mayotte
                                                                                                                                                  4) Comoros                             10) Reunion
                                                                                                                                                  5) French Southern & Antarctic Lands   11) Seychelles
                                                                                                                                                  6) Madagascar
                                                                                                                                                  #? 7
                                                                                                                                                  The following information has been given:
                                                                                                                                                          Maldives
                                                                                                                                                  Therefore timezone 'Indian/Maldives' will be set.
                                                                                                                                                  Local time is now:      Thu Oct 25 01:58:03 MVT 2012.
                                                                                                                                                  Universal Time is now:  Wed Oct 24 20:58:03 UTC 2012.
                                                                                                                                                  Is the above information OK?
                                                                                                                                                  1) Yes
                                                                                                                                                  2) No
                                                                                                                                                  #? 1
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                  
                                                                                                                                                  

The following example shows how to create a new domain group called domaingroup01 under the Domain Group root, commit the transaction, create a date and time policy, configure the time zone setting to Indian Ocean ("a continent or ocean") and Maldives ("a country"), and commit the transaction:

                                                                                                                                                  UCSC # connect policy-mgr
                                                                                                                                                  UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                  UCSC(policy-mgr) /domain-group # create domain-group domaingroup01
                                                                                                                                                  UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                                                                                                  UCSC(policy-mgr) /domain-group # create timezone-ntp-config
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config # set timezone
                                                                                                                                                  Please identify a location so that time zone rules can be set correctly.
                                                                                                                                                  Please select a continent or ocean.
                                                                                                                                                  1) Africa            4) Arctic Ocean     7) Australia       10) Pacific Ocean
                                                                                                                                                  2) Americas          5) Asia             8) Europe
                                                                                                                                                  3) Antarctica        6) Atlantic Ocean   9) Indian Ocean
                                                                                                                                                  #? 9
                                                                                                                                                  Please select a country.
                                                                                                                                                  1) British Indian Ocean Territory       7) Maldives
                                                                                                                                                  2) Christmas Island                     8) Mauritius
                                                                                                                                                  3) Cocos (Keeling) Islands              9) Mayotte
                                                                                                                                                  4) Comoros                             10) Reunion
                                                                                                                                                  5) French Southern & Antarctic Lands   11) Seychelles
                                                                                                                                                  6) Madagascar
                                                                                                                                                  #? 7
                                                                                                                                                  The following information has been given:
                                                                                                                                                          Maldives
                                                                                                                                                  Therefore timezone 'Indian/Maldives' will be set.
                                                                                                                                                  Local time is now:      Thu Oct 25 01:58:03 MVT 2012.
                                                                                                                                                  Universal Time is now:  Wed Oct 24 20:58:03 UTC 2012.
                                                                                                                                                  Is the above information OK?
                                                                                                                                                  1) Yes
                                                                                                                                                  2) No
                                                                                                                                                  #? 1
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                  
                                                                                                                                                  

The following example shows how to scope to domaingroup01 under the Domain Group root, create a date and time policy, configure the time zone setting to Indian Ocean ("a continent or ocean") and Maldives ("a country"), and commit the transaction:

                                                                                                                                                  UCSC # connect policy-mgr
                                                                                                                                                  UCSC(policy-mgr) /domain-group # scope domain-group domaingroup01
                                                                                                                                                  UCSC(policy-mgr) /domain-group # create timezone-ntp-config
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # set timezone
                                                                                                                                                  Please identify a location so that time zone rules can be set correctly.
                                                                                                                                                  Please select a continent or ocean.
                                                                                                                                                  1) Africa            4) Arctic Ocean     7) Australia       10) Pacific Ocean
                                                                                                                                                  2) Americas          5) Asia             8) Europe
                                                                                                                                                  3) Antarctica        6) Atlantic Ocean   9) Indian Ocean
                                                                                                                                                  #? 9
                                                                                                                                                  Please select a country.
                                                                                                                                                  1) British Indian Ocean Territory       7) Maldives
                                                                                                                                                  2) Christmas Island                     8) Mauritius
                                                                                                                                                  3) Cocos (Keeling) Islands              9) Mayotte
                                                                                                                                                  4) Comoros                             10) Reunion
                                                                                                                                                  5) French Southern & Antarctic Lands   11) Seychelles
                                                                                                                                                  6) Madagascar
                                                                                                                                                  #? 7
                                                                                                                                                  The following information has been given:
                                                                                                                                                          Maldives
                                                                                                                                                  Therefore timezone 'Indian/Maldives' will be set.
                                                                                                                                                  Local time is now:      Thu Oct 25 01:58:03 MVT 2012.
                                                                                                                                                  Universal Time is now:  Wed Oct 24 20:58:03 UTC 2012.
                                                                                                                                                  Is the above information OK?
                                                                                                                                                  1) Yes
                                                                                                                                                  2) No
                                                                                                                                                  #? 1
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                  UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                  
                                                                                                                                                  What to Do Next

                                                                                                                                                  Configure an NTP server for a date and time policy.

                                                                                                                                                  Deleting a Date and Time Policy

                                                                                                                                                  Procedure
Command or Action   Purpose

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr)# scope domain-group domain-group

Enters a domain group under the domain group root.

Note: Do not enter the domain group root itself. System default date and time policies cannot be deleted under the domain group root.

Step 3   UCSC(policy-mgr) /domain-group # delete timezone-ntp-config

Deletes the domain group's time zone policy.

Step 4   UCSC(policy-mgr) /domain-group* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                                                     

                                                                                                                                                    The following example shows how to scope the domain group domaingroup01, delete that domain group's date and time policy, and commit the transaction:

                                                                                                                                                    UCSC # connect policy-mgr
                                                                                                                                                    UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                    UCSC(policy-mgr) /domain-group # delete timezone-ntp-config
                                                                                                                                                    UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                                                                                                    UCSC(policy-mgr) /domain-group # 
                                                                                                                                                    
                                                                                                                                                    

The following example shows how to scope the domain group root, attempt to delete that domain group's date and time policy, commit the transaction, and recover from the resulting error message (which leaves the buffer in an unrecoverable uncommitted state) by initiating a clean exit and reconnecting to Policy Manager to clear the buffer:

                                                                                                                                                    UCSC # connect policy-mgr
                                                                                                                                                    UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                    UCSC(policy-mgr) /domain-group # delete timezone-ntp-config
                                                                                                                                                    UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                                                                                                    Error: Update failed: 
                                                                                                                                                    [Timezone and NTP configuration under domain group root cannot be deleted]
                                                                                                                                                    UCSC(policy-mgr) /domain-group* # exit
                                                                                                                                                    UCSC(policy-mgr)* # exit
                                                                                                                                                    UCSC# connect policy-mgr
                                                                                                                                                    Cisco UCS Central
                                                                                                                                                    UCSC(policy-mgr)# 
                                                                                                                                                    

                                                                                                                                                    Note


If you mistakenly scope to the domain group root and enter the delete timezone-ntp-config command, the buffer encounters an unrecoverable error and remains in an uncommitted state, which prevents subsequent commit-buffer commands from saving to the buffer. You must immediately exit and reconnect to the Policy Manager to clear the buffer.
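A pre-flight check for the failure described in the note above, as an added example that is not part of the Cisco guide or of UCS Central: it walks a planned command list, tracks the scope the CLI would be in, and flags delete timezone-ntp-config at the domain group root together with every commit-buffer that would be blocked until the next connect policy-mgr. The function name, the finding labels and the handling of nested domain groups are assumptions made for this example; the first sample plan is taken from the failing session shown above.

```python
# Added example: lint a planned UCS Central policy-mgr command list before it
# is typed or pasted. Names and finding labels are hypothetical.


def _strip_prompt(line):
    """Accept bare commands or lines copied with a 'UCSC... #' prompt."""
    return line.rsplit("#", 1)[-1].strip()


def lint_policy_mgr_plan(lines):
    """Return [(line_number, label)] for commands the guide says will fail.

    'root-delete'    : delete timezone-ntp-config while scoped to the root
    'commit-blocked' : commit-buffer issued after a root-delete and before
                       the session was exited and reconnected
    """
    findings = []
    scope = []          # stack of (kind, path), mirrors the CLI prompt
    poisoned = False    # True once the buffer is stuck uncommitted
    for lineno, line in enumerate(lines, start=1):
        words = _strip_prompt(line).split()
        if not words:
            continue
        if words == ["connect", "policy-mgr"]:
            # Reconnecting is the documented way to clear the buffer.
            scope = [("policy-mgr", None)]
            poisoned = False
        elif words[:2] == ["scope", "domain-group"] and len(words) == 3:
            name = words[2]
            parent = scope[-1] if scope else ("policy-mgr", None)
            if name == "/":
                path = "/"
            elif parent[0] == "domain-group":
                # Assumption: scoping from inside a group enters a child.
                path = parent[1].rstrip("/") + "/" + name
            else:
                path = "/" + name
            scope.append(("domain-group", path))
        elif words in (["scope", "timezone-ntp-config"],
                       ["create", "timezone-ntp-config"]):
            scope.append(("timezone-ntp-config", None))
        elif words == ["exit"]:
            if scope:
                scope.pop()
        elif words == ["delete", "timezone-ntp-config"]:
            if scope and scope[-1] == ("domain-group", "/"):
                findings.append((lineno, "root-delete"))
                poisoned = True
        elif words == ["commit-buffer"] and poisoned:
            findings.append((lineno, "commit-blocked"))
    return findings


# Command lines from the failing session in this section (prompts included).
BAD_PLAN = [
    "UCSC # connect policy-mgr",
    "UCSC(policy-mgr)# scope domain-group /",
    "UCSC(policy-mgr) /domain-group # delete timezone-ntp-config",
    "UCSC(policy-mgr) /domain-group* # commit-buffer",
]

# Constructed plan: same delete, but scoped to domaingroup01 as the
# procedure requires.
OK_PLAN = [
    "connect policy-mgr",
    "scope domain-group domaingroup01",
    "delete timezone-ntp-config",
    "commit-buffer",
]

if __name__ == "__main__":
    for name, plan in (("BAD_PLAN", BAD_PLAN), ("OK_PLAN", OK_PLAN)):
        print(name, lint_policy_mgr_plan(plan))
```

Running the check over a change script before a maintenance window catches the root-scope delete while it is still a text file rather than a stuck buffer.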


                                                                                                                                                    Configuring an NTP Server for a Date and Time Policy

                                                                                                                                                    Procedure
Command or Action   Purpose

Step 1   UCSC# connect policy-mgr

Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope timezone-ntp-config

Enters time zone NTP configuration mode.

Step 4   UCSC(policy-mgr) /domain-group/timezone-ntp-config # create ntp server-name

Creates an NTP server instance.

Step 5   UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                                                       

                                                                                                                                                      The following example shows how to scope into the domain group root, create an NTP server instance named domaingroupNTP01, and commit the transaction:

                                                                                                                                                      UCSC # connect policy-mgr
                                                                                                                                                      UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                      UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config # create ntp domaingroupNTP01
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                      
                                                                                                                                                      

                                                                                                                                                      The following example shows how to scope to the domain group domaingroup01 under the domain group root, create an NTP server instance named domaingroupNTP01, and commit the transaction:

                                                                                                                                                      UCSC # connect policy-mgr
                                                                                                                                                      UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                      UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config # create ntp domaingroupNTP01
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                      UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                      
                                                                                                                                                      What to Do Next

                                                                                                                                                      Configure a date and time policy.

                                                                                                                                                      Configuring Properties for an NTP Server

The only property of an NTP server is its name. Unlike in the GUI, where you configure the NTP server's properties directly, changing that property in the CLI requires deleting the NTP server and recreating it with a new name.

                                                                                                                                                      Procedure
Command or Action    Purpose

Step 1  UCSC# connect policy-mgr

Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope timezone-ntp-config

Enters time zone NTP configuration mode.

Step 4  UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp server-name

Deletes an NTP server instance that requires renaming.

Step 5  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # create ntp server-name

Creates an NTP server instance to replace the deleted NTP server instance.

Step 6  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                                                         

                                                                                                                                                        The following example shows how to scope into the domain group root, delete an NTP server instance named domaingroupNTP01 with a name that is no longer relevant, create a new NTP server instance named domaingroupNTP02 to replace the deleted NTP server, and commit the transaction:

                                                                                                                                                        UCSC # connect policy-mgr
                                                                                                                                                        UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                        UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp domaingroupNTP01
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config* # create ntp domaingroupNTP02
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                        
                                                                                                                                                        

                                                                                                                                                        The following example shows how to scope to the domain group domaingroup01 under the domain group root, delete an NTP server instance named domaingroupNTP01 with a name that is no longer relevant, create a new NTP server instance named domaingroupNTP02 to replace the deleted NTP server, and commit the transaction:

                                                                                                                                                        UCSC # connect policy-mgr
                                                                                                                                                        UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                        UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp domaingroupNTP01
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config* # create ntp domaingroupNTP02
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                        UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                        

                                                                                                                                                        Deleting an NTP Server for a Date and Time Policy

                                                                                                                                                        Procedure
Command or Action    Purpose

Step 1  UCSC# connect policy-mgr

Enters policy manager mode.

Step 2  UCSC(policy-mgr) # scope domain-group domain-group

Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope timezone-ntp-config

Enters time zone NTP configuration mode.

Step 4  UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp server-name

Deletes an NTP server instance.

Step 5  UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer

Commits the transaction to the system configuration.

                                                                                                                                                           

                                                                                                                                                          The following example shows how to scope the date and time policy in the domain group root, delete the NTP server instance domaingroupNTP01, and commit the transaction:

                                                                                                                                                          UCSC # connect policy-mgr
                                                                                                                                                          UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                          UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp domaingroupNTP01
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                          
                                                                                                                                                          

                                                                                                                                                          The following example shows how to scope the date and time policy in domaingroup01 under the domain group root, delete the NTP server instance domaingroupNTP01, and commit the transaction:

                                                                                                                                                          UCSC # connect policy-mgr
                                                                                                                                                          UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                          UCSC(policy-mgr) /domain-group # scope timezone-ntp-config
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config # delete ntp domaingroupNTP01
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config* # commit-buffer
                                                                                                                                                          UCSC(policy-mgr) /domain-group/timezone-ntp-config # 
                                                                                                                                                          

                                                                                                                                                          SNMP Policies

Cisco UCS Central supports global SNMP policies for enabling or disabling SNMP and for defining SNMP traps and SNMP users (with regular and privacy passwords, authentication types of md5 or sha, and encryption types DES and AES-128). A registered Cisco UCS domain that chooses, in its policy resolution control, to define SNMP policies globally defers all SNMP policies to its registration with Cisco UCS Central.

The SNMP agent functionality provides the ability to remotely monitor Cisco UCS Central. You can also change the Cisco UCS Central host IP and then restart the SNMP agent on the new IP. SNMP runs on both the active and standby Cisco UCS Central servers, and the configuration is persisted on both. Cisco UCS Central offers read-only access to only the operating system managed information base (MIB). Through the Cisco UCS Central CLI you can configure the community strings for SNMP v1 and v2c, and create and delete SNMPv3 users.

                                                                                                                                                          SNMP Functional Overview

                                                                                                                                                          The SNMP framework consists of three parts:

                                                                                                                                                          • An SNMP manager—The system used to control and monitor the activities of network devices using SNMP.

                                                                                                                                                          • An SNMP agent—The software component within Cisco UCS Central, the managed device, that maintains the data for Cisco UCS Central and reports the data, as needed, to the SNMP manager. Cisco UCS Central includes the agent and a collection of MIBs. To enable the SNMP agent and create the relationship between the manager and agent, enable and configure SNMP in Cisco UCS Central.

                                                                                                                                                          • A managed information base (MIB)—The collection of managed objects on the SNMP agent. Cisco UCS Central supports only the OS MIBs.

                                                                                                                                                          Cisco UCS Central supports SNMPv1, SNMPv2c and SNMPv3. Both SNMPv1 and SNMPv2c use a community-based form of security. The following RFCs define the SNMP:

                                                                                                                                                          SNMP Notifications

                                                                                                                                                          A key feature of SNMP is the ability to generate notifications from an SNMP agent. These notifications do not require that requests be sent from the SNMP manager. Notifications can indicate improper user authentication, restarts, the closing of a connection, loss of connection to a neighbor router, or other significant events.

                                                                                                                                                          Cisco UCS Central generates SNMP notifications as traps. Traps are less reliable because the SNMP manager does not send any acknowledgment when it receives a trap, and Cisco UCS Central cannot determine if the trap was received.

                                                                                                                                                          SNMP Security Features

                                                                                                                                                          SNMPv3 provides secure access to devices by a combination of authenticating and encrypting frames over the network. SNMPv3 authorizes management operations only by configured users and encrypts SNMP messages. The SNMPv3 User-Based Security Model (USM) refers to SNMP message-level security and offers the following services:

                                                                                                                                                          • Message integrity—Ensures that messages have not been altered or destroyed in an unauthorized manner and that data sequences have not been altered to an extent greater than can occur non-maliciously.

                                                                                                                                                          • Message origin authentication—Ensures that the claimed identity of the user on whose behalf received data was originated is confirmed.

                                                                                                                                                          • Message confidentiality and encryption—Ensures that information is not made available or disclosed to unauthorized individuals, entities, or processes.
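The integrity and origin-authentication services listed above, shown as an added example (not Cisco's code): it derives an SNMPv3 USM authentication key with the RFC 3414 password-to-key and key-localization steps, then checks a truncated HMAC over a message. The message layout is a constructed stand-in rather than a BER-encoded SNMP message, and the header, user name and payload are assumptions.

```python
import hashlib
import hmac

EXPANDED_LEN = 1_048_576   # RFC 3414 A.2: the password is stretched to 1 MiB
MAC_LEN = 12               # HMAC-MD5-96 and HMAC-SHA-96 keep the first 12 octets
AUTH_PLACEHOLDER = b"\x00" * MAC_LEN

# Constructed sample values. The password and first engine ID are the
# RFC 3414 A.3 test inputs; header and payload are invented stand-ins.
SAMPLE_PASSWORD = b"maplesyrup"
SAMPLE_ENGINE_ID = bytes.fromhex("000000000000000000000002")
OTHER_ENGINE_ID = bytes.fromhex("000000000000000000000003")
SAMPLE_HEADER = b"v3|user=monitor|"
SAMPLE_PAYLOAD = b"trap: authenticationFailure"


def password_to_key(password: bytes, hash_name: str) -> bytes:
    """Hash the password repeated (and truncated) to exactly 1 MiB."""
    if not password:
        raise ValueError("password must not be empty")
    repeats = EXPANDED_LEN // len(password) + 1
    expanded = (password * repeats)[:EXPANDED_LEN]
    return hashlib.new(hash_name, expanded).digest()


def localized_auth_key(password: bytes, engine_id: bytes, hash_name: str) -> bytes:
    """Bind the user key Ku to one agent: H(Ku || engineID || Ku)."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def build_message(header: bytes, payload: bytes, key: bytes, hash_name: str) -> bytes:
    """Sender side: MAC the message with a zeroed auth field, then fill it in."""
    unsigned = header + AUTH_PLACEHOLDER + payload
    mac = hmac.new(key, unsigned, hash_name).digest()[:MAC_LEN]
    return header + mac + payload


def verify_message(message: bytes, header_len: int, key: bytes, hash_name: str) -> bool:
    """Receiver side: zero the auth field again, recompute, compare in constant time."""
    if len(message) < header_len + MAC_LEN:
        return False  # too short to carry an authentication field
    received = message[header_len:header_len + MAC_LEN]
    unsigned = message[:header_len] + AUTH_PLACEHOLDER + message[header_len + MAC_LEN:]
    expected = hmac.new(key, unsigned, hash_name).digest()[:MAC_LEN]
    return hmac.compare_digest(received, expected)


def demo() -> dict:
    """Run the authNoPriv case end to end on the constructed sample message."""
    key = localized_auth_key(SAMPLE_PASSWORD, SAMPLE_ENGINE_ID, "sha1")
    other_key = localized_auth_key(SAMPLE_PASSWORD, OTHER_ENGINE_ID, "sha1")
    msg = build_message(SAMPLE_HEADER, SAMPLE_PAYLOAD, key, "sha1")
    # Flip one bit of the last payload byte to model in-transit modification.
    tampered = msg[:-1] + bytes([msg[-1] ^ 0x01])
    hdr = len(SAMPLE_HEADER)
    return {
        "intact": verify_message(msg, hdr, key, "sha1"),
        "tampered": verify_message(tampered, hdr, key, "sha1"),
        # Same password, different agent: the localized key does not transfer.
        "wrong_agent_key": verify_message(msg, hdr, other_key, "sha1"),
        # authNoPriv authenticates but does not encrypt: payload is still visible.
        "payload_readable": SAMPLE_PAYLOAD in msg,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `payload_readable` result is the practical difference between authNoPriv and authPriv: the MAC detects modification and a wrong key, but only the privacy setting hides the contents.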

                                                                                                                                                          SNMP Security Levels and Privileges

                                                                                                                                                          SNMPv1, SNMPv2c, and SNMPv3 each represent a different security model. The security model combines with the selected security level to determine the security mechanism applied when the SNMP message is processed.

                                                                                                                                                          The security level determines the privileges required to view the message associated with an SNMP trap. The privilege level determines whether the message needs to be protected from disclosure or authenticated. The supported security level depends upon which security model is implemented. SNMP security levels support one or more of the following privileges:

                                                                                                                                                          • noAuthNoPriv—No authentication or encryption

                                                                                                                                                          • authNoPriv—Authentication but no encryption

                                                                                                                                                          • authPriv—Authentication and encryption

                                                                                                                                                          SNMPv3 provides for both security models and security levels. A security model is an authentication strategy that is set up for a user and the role in which the user resides. A security level is the permitted level of security within a security model. A combination of a security model and a security level determines which security mechanism is employed when handling an SNMP packet.

                                                                                                                                                          SNMP Security Models and Levels

                                                                                                                                                          The following table describes the combinations of SNMP security models and levels supported in Cisco UCS Central.

Table 2  SNMP Security Models and Levels

Model | Level | Authentication | Encryption | What Happens
v1 | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
v2c | noAuthNoPriv | Community string | No | Uses a community string match for authentication.
v3 | noAuthNoPriv | Username | No | Uses a username match for authentication.
v3 | authNoPriv | HMAC-MD5 or HMAC-SHA | No | Provides authentication based on the Hash-Based Message Authentication Code (HMAC) Message Digest 5 (MD5) algorithm or the HMAC Secure Hash Algorithm (SHA).
v3 | authPriv | HMAC-MD5 or HMAC-SHA | DES | Provides authentication based on the HMAC-MD5 or HMAC-SHA algorithms. Provides Data Encryption Standard (DES) 56-bit encryption in addition to authentication based on the Cipher Block Chaining (CBC) DES (DES-56) standard.

                                                                                                                                                          SNMP Support in Cisco UCS Central

                                                                                                                                                          Support for MIBs

                                                                                                                                                          Cisco UCS Central supports read-only access to OS MIBs. No set operations are available for the MIBs. The following MIBs are supported by Cisco UCS Central:

                                                                                                                                                          • SNMP MIB-2 System
                                                                                                                                                          • HOST-RESOURCES-MIB
                                                                                                                                                            • hrSystem

                                                                                                                                                            • hrStorage

                                                                                                                                                            • hrDevice

                                                                                                                                                            • hrSWRun

                                                                                                                                                            • hrSWRunPerf

                                                                                                                                                          • UCD-SNMP-MIB
                                                                                                                                                            • Memory

                                                                                                                                                            • dskTable

                                                                                                                                                            • systemStats

                                                                                                                                                            • fileTable

                                                                                                                                                          • SNMP MIB-2 Interfaces
                                                                                                                                                            • ifTable

                                                                                                                                                          • IP-MIB

                                                                                                                                                          • SNMP-FRAMEWORK-MIB
                                                                                                                                                            • snmpEngine

                                                                                                                                                          • IF-MIB

                                                                                                                                                          • DISMAN-EVENT-MIB

                                                                                                                                                          • SNMP MIB-2 snmp


                                                                                                                                                          Note


Cisco UCS Central does not provide support for IPv6 and Cisco UCS Central MIBs.


                                                                                                                                                          Authentication Protocols for SNMPv3 Users

                                                                                                                                                          Cisco UCS Central supports the following authentication protocols for SNMPv3 users:

                                                                                                                                                          • HMAC-MD5-96 (MD5)

                                                                                                                                                          • HMAC-SHA-96 (SHA)

                                                                                                                                                          AES Privacy Protocol for SNMPv3 Users

Cisco UCS Central uses Advanced Encryption Standard (AES) as one of the privacy protocols for SNMPv3 message encryption and conforms to RFC 3826. If AES is disabled but a privacy password is set, DES is used for encryption.

If you enable the AES-128 configuration and include a privacy password for an SNMPv3 user, Cisco UCS Central uses the privacy password to generate a 128-bit AES key. The AES privacy password must be at least eight characters long. If the passphrases are specified in clear text, you can specify a maximum of 64 characters.
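The key generation described above, as an added example that is not Cisco's code: it assumes the standard RFC 3414 password-to-key localization that RFC 3826 builds on, using the SNMPv3 user's authentication hash, and runs it on the RFC 3414 sample password and engine ID. The function names are hypothetical, and the DES branch follows the RFC 3414 split of the localized key into key and pre-IV.

```python
import hashlib

# Password length limits stated on this page for clear-text passphrases.
MIN_LEN, MAX_LEN = 8, 64


def localized_key(password, engine_id, auth_hash):
    """RFC 3414 A.2: stretch the password over 1 MiB, then bind it to one engine.

    auth_hash is "md5" (HMAC-MD5-96 users) or "sha1" (HMAC-SHA-96 users).
    """
    pw = password.encode("utf-8")
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        raise ValueError("password must be %d to %d characters" % (MIN_LEN, MAX_LEN))
    # Step 1: hash exactly 1,048,576 octets made of the repeated password.
    reps, rem = divmod(1048576, len(pw))
    ku = hashlib.new(auth_hash, pw * reps + pw[:rem]).digest()
    # Step 2: localize, so the same password yields a different key per engine.
    return hashlib.new(auth_hash, ku + engine_id + ku).digest()


def privacy_key(password, engine_id, auth_hash="sha1", aes_enabled=True):
    """Return the key material the privacy password yields for AES or DES."""
    kul = localized_key(password, engine_id, auth_hash)
    if aes_enabled:
        # RFC 3826: the AES key is the first 128 bits of the localized key.
        return {"cipher": "AES-128-CFB", "key": kul[:16]}
    # RFC 3414: first 8 octets are the DES key (56 effective bits),
    # the next 8 octets are the pre-IV.
    return {"cipher": "DES-CBC", "key": kul[:8], "pre_iv": kul[8:16]}


if __name__ == "__main__":
    # Sample values from RFC 3414 Appendix A.3, not a real credential.
    engine_id = bytes.fromhex("000000000000000000000002")
    for aes in (True, False):
        material = privacy_key("maplesyrup", engine_id, "sha1", aes_enabled=aes)
        print(material["cipher"], material["key"].hex())
```

The derived key depends only on the password and the engine ID, so the strength of the privacy password bounds the strength of the encryption regardless of which cipher is selected.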

                                                                                                                                                          Configuring an SNMP Policy

                                                                                                                                                          Before You Begin

Before configuring an SNMP policy under a domain group, this policy must first be created. Policies under the Domain Groups root are already created by the system and are ready to configure.

                                                                                                                                                          Procedure
Command or Action / Purpose

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # create snmp
         (Optional) If you previously scoped into a domain group, creates the SNMP policy for that domain group.

Step 4   UCSC(policy-mgr) /domain-group # scope snmp
         (Optional) If you previously scoped into the domain group root, enters the default SNMP policy's configuration mode from the Domain Group root.

Step 5   UCSC(policy-mgr) /domain-group/snmp* # enable | disable snmp
         Enable or disable SNMP services for this policy.

Step 6   UCSC(policy-mgr) /domain-group/snmp* # set community snmp-community-name-text
         Enter a name for the SNMP community.

Step 7   UCSC(policy-mgr) /domain-group/snmp* # set syscontact syscontact-name-text
         Enter a name for the SNMP system contact.

Step 8   UCSC(policy-mgr) /domain-group/snmp* # set syslocation syslocation-name-text
         Enter a name for the SNMP system location.

Step 9   UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
         Commits the transaction to the system configuration.

                                                                                                                                                             

                                                                                                                                                            The following example shows how to scope into the Domain Group root, scope the SNMP policy, enable SNMP services, set the SNMP community name to SNMPCommunity01, set the SNMP system contact name to SNMPSysAdmin01, set the SNMP system location to SNMPWestCoast01, and commit the transaction:

                                                                                                                                                            UCSC # connect policy-mgr
                                                                                                                                                            UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                            UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp # enable snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set community SNMPCommunity01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set syscontact SNMPSysAdmin01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set syslocation SNMPWestCoast01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp # 
                                                                                                                                                            
                                                                                                                                                            

                                                                                                                                                            The following example shows how to scope into the Domain Group domaingroup01, create the SNMP policy, enable SNMP services, set the SNMP community name to SNMPCommunity01, set the SNMP system contact name to SNMPSysAdmin01, set the SNMP system location to SNMPWestCoast01, and commit the transaction:

                                                                                                                                                            UCSC # connect policy-mgr
                                                                                                                                                            UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                            UCSC(policy-mgr) /domain-group # create snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # enable snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set community SNMPCommunity01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set syscontact SNMPSysAdmin01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # set syslocation SNMPWestCoast01
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp # 
                                                                                                                                                            
                                                                                                                                                            

                                                                                                                                                            The following example shows how to scope into the domain group domaingroup01, scope the SNMP policy, disable SNMP services, and commit the transaction:

                                                                                                                                                            UCSC # connect policy-mgr
                                                                                                                                                            UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                            UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp # disable snmp
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
                                                                                                                                                            UCSC(policy-mgr) /domain-group/snmp # 
                                                                                                                                                            

                                                                                                                                                            Configuring an SNMP Trap

                                                                                                                                                            Procedure
Command or Action / Purpose

Step 1   UCSC# connect policy-mgr
         Enters policy manager mode.

Step 2   UCSC(policy-mgr) # scope domain-group domain-group
         Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3   UCSC(policy-mgr) /domain-group # scope snmp
         Enters the default SNMP policy's configuration mode.

Step 4   UCSC(policy-mgr) /domain-group/snmp # create snmp-trap snmp-trap-ip
         (Optional) If you previously scoped into a domain group, creates the snmp-trap IP address for that domain group (in format 0.0.0.0), and enters SNMP trap configuration mode.

Step 5   UCSC(policy-mgr) /domain-group/snmp # scope snmp-trap snmp-trap-ip
         (Optional) If you previously scoped into the domain group root, scopes the snmp-trap IP address for that domain group (in format 0.0.0.0), and enters SNMP trap configuration mode.

Step 6   UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmp-trap-community-host-config-string
         Enter the SNMP trap community string to configure the SNMP trap host.

Step 7   UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps
         Enter the notification type for the SNMP trap as SNMP Trap Notifications (traps).

Step 8   UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port port-number
         Enter the SNMP trap port number (1-65535).

Step 9   UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege auth | noauth | priv
         Enter a V3 Privilege security level for the SNMP trap of authNoPriv Security Level (auth), noAuthNoPriv Security Level (noauth), or authPriv Security Level (priv).

Step 10  UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v1 | v2c | v3
         Enter a version for the SNMP trap of SNMP v1, v2c, or v3.

Step 11  UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
         Commits the transaction to the system configuration.

                                                                                                                                                               

                                                                                                                                                              The following example shows how to scope into the Domain Group root, scope the SNMP policy, create the SNMP trap with IP address 0.0.0.0, set the SNMP community host string to snmptrap01, set the SNMP notification type to traps, set the SNMP port to 1, set the v3privilege to priv, set the version to v1, and commit the transaction:

                                                                                                                                                              UCSC # connect policy-mgr
                                                                                                                                                              UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                              UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp # create snmp-trap 0.0.0.0
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap01
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 1
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege priv
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v1
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap # 
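A check of the trap example above against the SNMP security levels, as an added example rather than a Cisco tool: it parses the CLI transcript and reports the security level the trap actually gets from its version and v3privilege settings. The hardened transcript, the receiver address 192.0.2.10 and port 162 are constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# SNMPv3 levels selectable with "set v3privilege" (names from the procedure above).
V3_LEVELS = {"noauth": "noAuthNoPriv", "auth": "authNoPriv", "priv": "authPriv"}
SET_RE = re.compile(r"#\s*set\s+(\S+)\s+(\S+)")
TRAP_RE = re.compile(r"#\s*(?:create|scope)\s+snmp-trap\s+(\S+)")

# Trap commands from the example on this page.
PAGE_EXAMPLE = """\
UCSC(policy-mgr) /domain-group/snmp # create snmp-trap 0.0.0.0
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap01
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 1
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v1
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
"""

# Constructed fragment: v3 with authPriv and a documentation-range receiver.
HARDENED = """\
UCSC(policy-mgr) /domain-group/snmp # create snmp-trap 192.0.2.10
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 162
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v3
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
"""


def parse_trap(transcript):
    """Collect the trap host and every 'set <key> <value>' from a CLI transcript."""
    cfg = {}
    for line in transcript.splitlines():
        trap = TRAP_RE.search(line)
        setting = SET_RE.search(line)
        if trap:
            cfg["host"] = trap.group(1)
        elif setting:
            cfg[setting.group(1)] = setting.group(2)
    return cfg


def audit_trap(cfg):
    """Return (effective security level, list of findings) for one trap config."""
    version, priv = cfg.get("version"), cfg.get("v3privilege")
    findings = []
    if version in ("v1", "v2c"):
        # v1 and v2c are community-based and always noAuthNoPriv.
        level = "noAuthNoPriv"
        findings.append(version + ": the community string is the only credential "
                        "and the trap is not encrypted")
        if priv in ("auth", "priv"):
            findings.append("v3privilege " + priv + " names an SNMPv3 level; "
                            + version + " has no such level")
    elif version == "v3":
        level = V3_LEVELS.get(priv, "unknown")
        if level == "noAuthNoPriv":
            findings.append("v3 noauth: username match only, no HMAC, no encryption")
        elif level == "authNoPriv":
            findings.append("v3 auth: trap is authenticated but sent unencrypted")
        elif level == "unknown":
            findings.append("v3privilege not set in transcript")
    else:
        level = "unknown"
        findings.append("version not set in transcript")
    try:
        if ipaddress.ip_address(cfg.get("host", "")).is_unspecified:
            findings.append("trap host is the unspecified address, not a receiver")
    except ValueError:
        findings.append("trap host missing or not an IP address")
    return level, findings


if __name__ == "__main__":
    for name, text in (("page example", PAGE_EXAMPLE), ("hardened", HARDENED)):
        level, findings = audit_trap(parse_trap(text))
        print(name, "->", level)
        for finding in findings:
            print("  -", finding)
```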
                                                                                                                                                              
                                                                                                                                                              

                                                                                                                                                              The following example shows how to scope into the domain group domaingroup01, scope the SNMP policy, scope the SNMP trap IP address 0.0.0.0, set the SNMP community host string to snmptrap02, set the SNMP notification type to traps, set the SNMP port to 65535, set the v3privilege to auth, set the version to v2c, and commit the transaction:

                                                                                                                                                              UCSC # connect policy-mgr
                                                                                                                                                              UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                              UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp # scope snmp-trap 0.0.0.0
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap02
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set notificationtype traps 
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set port 65535
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege auth
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v2c
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
                                                                                                                                                              UCSC(policy-mgr) /domain-group/snmp/snmp-trap # 
                                                                                                                                                              

                                                                                                                                                              Configuring an SNMP User

                                                                                                                                                              Procedure
Step 1
    Command or Action: UCSC# connect policy-mgr
    Purpose: Enters policy manager mode.

Step 2
    Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
    Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3
    Command or Action: UCSC(policy-mgr) /domain-group # scope snmp
    Purpose: Scopes the SNMP policy's configuration mode.

Step 4
    Command or Action: UCSC(policy-mgr) /domain-group/snmp # create snmp-user snmp-user
    Purpose: Enter a name for the SNMP user.

Step 5
    Command or Action: UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set aes-128 yes | no
    Purpose: Use AES-128 for the SNMP user (yes or no).

Step 6
    Command or Action: UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5 | sha
    Purpose: Use MD5 or SHA authentication mode for the SNMP user.

Step 7
    Command or Action: UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password password
    Purpose: Enter and confirm a password for the SNMP user.

Step 8
    Command or Action: UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set priv-password private-password
    Purpose: Enter and confirm a private password for the SNMP user.

Step 9
    Command or Action: UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
    Purpose: Commits the transaction to the system configuration.

The following example shows how to scope into the domain group root, scope the SNMP policy, scope into the SNMP user named snmpuser01, set aes-128 mode to enabled, set authentication to sha mode, set password to userpassword01, set private password to userpassword02, and commit the transaction:

                                                                                                                                                                UCSC # connect policy-mgr
                                                                                                                                                                UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                                UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp # scope snmp-user snmpuser01
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user # set aes-128 yes
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth sha
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password userpassword01
                                                                                                                                                                Enter a password: userpassword01
                                                                                                                                                                Confirm the password: userpassword01
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set priv-password userpassword02
                                                                                                                                                                Enter a password: userpassword02
                                                                                                                                                                Confirm the password: userpassword02
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user # 
                                                                                                                                                                
                                                                                                                                                                

The following example shows how to scope into the domain group domaingroup01, scope the SNMP policy, create the SNMP user named snmpuser01, set aes-128 mode to enabled, set authentication to md5 mode, set password to userpassword01, set private password to userpassword02, and commit the transaction:

UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group domaingroup01
UCSC(policy-mgr) /domain-group # scope snmp
UCSC(policy-mgr) /domain-group/snmp # create snmp-user snmpuser01
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set aes-128 yes
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password userpassword01
Enter a password: userpassword01
Confirm the password: userpassword01
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set priv-password userpassword02
Enter a password: userpassword02
Confirm the password: userpassword02
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
UCSC(policy-mgr) /domain-group/snmp/snmp-user # 

The following example shows how to scope into the domain group root, scope the SNMP policy, scope into the SNMP user named snmpuser01, set aes-128 mode to disabled, set authentication to md5 mode, and commit the transaction:

                                                                                                                                                                UCSC # connect policy-mgr
                                                                                                                                                                UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                                UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp # scope snmp-user snmpuser01
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user # set aes-128 no
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
                                                                                                                                                                UCSC(policy-mgr) /domain-group/snmp/snmp-user # 
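The trap and user settings configured in the sessions above can be reviewed afterwards from a captured CLI session. The following Python script is an added example, not Cisco code: it parses a capture in the prompt format shown on this page and reports v1/v2c traps, a v3privilege value set on a trap that is not v3, MD5 authentication, aes-128 set to no, and passwords typed as command arguments. The function names, the finding codes, snmpuser02, and the values v3 and noauth (which do not appear in this section) are assumptions.

```python
import re

# Prompt layout as in the sessions on this page, for example:
#   UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5
PROMPT = re.compile(r"^\s*UCSC\s*(?:\([^)]*\))?\s*(\S*?)\*?\s*#\s*(.*)$")
KINDS = ("snmp-trap", "snmp-user")

MESSAGES = {
    "cleartext-community": "v1/v2c trap: community string travels unencrypted",
    "v3privilege-ignored": "v3privilege is set but the trap version is not v3",
    "v3-no-privacy": "v3 trap without privacy (v3privilege is not priv)",
    "md5-auth": "user authenticates with MD5; sha is the stronger option offered",
    "no-aes128": "AES-128 privacy is turned off for the user",
    "secret-in-transcript": "password typed as a command argument is in the capture",
}


def parse_session(transcript):
    """Return one dict per snmp-trap / snmp-user touched in the captured session."""
    objects, current, group = [], None, None
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # password prompts and blank lines are not commands
        path, words = m.group(1), m.group(2).split()
        if len(words) < 3:
            continue  # connect, scope snmp, commit-buffer: nothing to record
        verb, key, value = words[0], words[1], words[2]
        if verb == "scope" and key == "domain-group":
            group, current = value, None
        elif verb in ("create", "scope") and key in KINDS:
            current = {"group": group, "kind": key, "name": value, "settings": {}}
            objects.append(current)
        elif verb == "set" and current and path.endswith("/" + current["kind"]):
            current["settings"][key] = value
    return objects


def check(obj):
    """Return the finding codes that apply to one parsed object."""
    s, codes = obj["settings"], []
    if obj["kind"] == "snmp-trap":
        if s.get("version") in ("v1", "v2c"):
            codes.append("cleartext-community")
            if "v3privilege" in s:
                codes.append("v3privilege-ignored")
        # "v3" and "noauth" are assumed values; this section shows only
        # v1, v2c, auth and priv.
        elif s.get("version") == "v3" and s.get("v3privilege") in ("auth", "noauth"):
            codes.append("v3-no-privacy")
    else:
        if s.get("auth") == "md5":
            codes.append("md5-auth")
        if s.get("aes-128") == "no":
            codes.append("no-aes128")
        if "password" in s or "priv-password" in s:
            codes.append("secret-in-transcript")
    return codes


def audit_session(transcript):
    """Return (domain group, object kind, object name, finding code) tuples."""
    return [(o["group"], o["kind"], o["name"], code)
            for o in parse_session(transcript) for code in check(o)]


# Constructed sample capture, modelled on the sessions shown on this page.
# snmpuser02 is a hypothetical user added to show a clean result.
SAMPLE = """\
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group /
UCSC(policy-mgr) /domain-group # scope snmp
UCSC(policy-mgr) /domain-group/snmp # create snmp-trap 0.0.0.0
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set community snmptrap01
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set v3privilege priv
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # set version v1
UCSC(policy-mgr) /domain-group/snmp/snmp-trap* # commit-buffer
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group domaingroup01
UCSC(policy-mgr) /domain-group # scope snmp
UCSC(policy-mgr) /domain-group/snmp # create snmp-user snmpuser01
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set aes-128 no
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth md5
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set password userpassword01
Enter a password: userpassword01
Confirm the password: userpassword01
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
UCSC(policy-mgr) /domain-group/snmp # scope snmp-user snmpuser02
UCSC(policy-mgr) /domain-group/snmp/snmp-user # set aes-128 yes
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # set auth sha
UCSC(policy-mgr) /domain-group/snmp/snmp-user* # commit-buffer
"""

if __name__ == "__main__":
    for group, kind, name, code in audit_session(SAMPLE):
        print("%s %s %s: %s" % (group, kind, name, MESSAGES[code]))
```

The first trap in the sample mirrors a combination shown on this page: v3privilege priv together with version v1, which the script reports because a security level only has meaning for SNMPv3.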
                                                                                                                                                                

                                                                                                                                                                Deleting an SNMP Policy

An SNMP policy can be deleted only from a domain group under the domain group root. SNMP policies under the domain group root itself cannot be deleted.

                                                                                                                                                                Deleting an SNMP policy will remove all SNMP trap and SNMP User settings within that policy.

                                                                                                                                                                Procedure
Step 1
    Command or Action: UCSC# connect policy-mgr
    Purpose: Enters policy manager mode.

Step 2
    Command or Action: UCSC(policy-mgr)# scope domain-group domain-group
    Purpose: Enters a domain group under the domain group root.
    Note: Do not enter the domain group root itself. System default Management Interfaces Monitoring policies cannot be deleted under the domain group root.

Step 3
    Command or Action: UCSC(policy-mgr) /domain-group # delete snmp
    Purpose: Deletes the SNMP policy for that domain group.

Step 4
    Command or Action: UCSC(policy-mgr) /domain-group* # commit-buffer
    Purpose: Commits the transaction to the system configuration.

                                                                                                                                                                  The following example shows how to scope into the domain group domaingroup01, delete the SNMP policy, and commit the transaction:

                                                                                                                                                                  UCSC # connect policy-mgr
                                                                                                                                                                  UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                                  UCSC(policy-mgr) /domain-group # delete snmp
                                                                                                                                                                  UCSC(policy-mgr) /domain-group* # commit-buffer
                                                                                                                                                                  UCSC(policy-mgr) /domain-group # 
                                                                                                                                                                  

                                                                                                                                                                  Deleting an SNMP Trap

                                                                                                                                                                  Procedure
Step 1
    Command or Action: UCSC# connect policy-mgr
    Purpose: Enters policy manager mode.

Step 2
    Command or Action: UCSC(policy-mgr) # scope domain-group domain-group
    Purpose: Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3
    Command or Action: UCSC(policy-mgr) /domain-group # scope snmp
    Purpose: Scopes the default SNMP policy's configuration mode.

Step 4
    Command or Action: UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap snmp-trap-ip
    Purpose: Deletes the snmp-trap IP address for that domain group.

Step 5
    Command or Action: UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
    Purpose: Commits the transaction to the system configuration.

                                                                                                                                                                    The following example shows how to scope into the Domain Group root, scope the SNMP policy, delete the SNMP trap IP address 0.0.0.0, and commit the transaction:

                                                                                                                                                                    UCSC # connect policy-mgr
                                                                                                                                                                    UCSC(policy-mgr)# scope domain-group /
                                                                                                                                                                    UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                                    UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap 0.0.0.0
                                                                                                                                                                    UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
                                                                                                                                                                    UCSC(policy-mgr) /domain-group # 
                                                                                                                                                                    
                                                                                                                                                                    

                                                                                                                                                                    The following example shows how to scope into the domain group domaingroup01, scope the SNMP policy, delete the SNMP trap IP address 0.0.0.0, and commit the transaction:

                                                                                                                                                                    UCSC # connect policy-mgr
                                                                                                                                                                    UCSC(policy-mgr)# scope domain-group domaingroup01
                                                                                                                                                                    UCSC(policy-mgr) /domain-group # scope snmp
                                                                                                                                                                    UCSC(policy-mgr) /domain-group/snmp # delete snmp-trap 0.0.0.0
                                                                                                                                                                    UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
                                                                                                                                                                    UCSC(policy-mgr) /domain-group # 
                                                                                                                                                                    

Deleting an SNMP User

Procedure

        Command or Action
        Purpose

Step 1  UCSC# connect policy-mgr
        Enters policy manager mode.

Step 2  UCSC(policy-mgr)# scope domain-group domain-group
        Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.

Step 3  UCSC(policy-mgr) /domain-group # scope snmp
        Enters the SNMP policy's configuration mode.

Step 4  UCSC(policy-mgr) /domain-group/snmp # delete snmp-user snmp-user
        Deletes the SNMP user.

Step 5  UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
        Commits the transaction to the system configuration.

The following example shows how to scope into the domain group root, scope the SNMP policy, delete the SNMP user named snmpuser01, and commit the transaction:

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope domain-group /
UCSC(policy-mgr) /domain-group # scope snmp
UCSC(policy-mgr) /domain-group/snmp # delete snmp-user snmpuser01
UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
UCSC(policy-mgr) /domain-group/snmp #

The following example shows how to scope into the domain group domaingroup01, scope the SNMP policy, delete the SNMP user named snmpuser02, and commit the transaction:

UCSC# connect policy-mgr
UCSC(policy-mgr)# scope domain-group domaingroup01
UCSC(policy-mgr) /domain-group # scope snmp
UCSC(policy-mgr) /domain-group/snmp # delete snmp-user snmpuser02
UCSC(policy-mgr) /domain-group/snmp* # commit-buffer
UCSC(policy-mgr) /domain-group/snmp #