Authentication Services
Cisco UCS Central supports the following methods for authenticating user logins:
- Local user authentication for user accounts that exist locally in Cisco UCS Central
- Remote user authentication for registered UCS domains with one of the following protocols:
  - LDAP
  - RADIUS
  - TACACS+
Guidelines and Recommendations for Remote Authentication Providers
If you configure a system for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Central can communicate with it. In addition, be aware of the following guidelines that impact user authorization:
User Accounts in Remote Authentication Services
User accounts can exist locally in Cisco UCS Central or in the remote authentication server. You can view the temporary sessions for users who log in through remote authentication services through Cisco UCS Central GUI or Cisco UCS Central CLI.
User Roles in Remote Authentication Services
- Remote user accounts include the roles those users require for working in Cisco UCS Central.
- The names of those roles match the role names used in Cisco UCS Central.
Local and Remote User Authentication Support
Cisco UCS Central uses LDAP, RADIUS and TACACS+ for remote authentication.
User Attributes in Remote Authentication Providers
When a user logs in, Cisco UCS Central:
- Queries the remote authentication service.
- Validates the user.
- If the user passes validation, checks for the roles and locales assigned to that user.
The following table contains a comparison of the user attribute requirements for the remote authentication providers supported by Cisco UCS Central.
Authentication Provider | Custom Attribute | Schema Extension | Attribute ID Requirements
---|---|---|---
LDAP | Optional | Do one of the following: | The Cisco LDAP implementation requires a unicode type attribute. If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1. The following section contains a sample OID (object identifier).
RADIUS | Optional | Do one of the following: | The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001. The following syntax example specifies multiple user roles and locales if you choose to create the cisco-avpair attribute:
TACACS+ | Required | You must extend the schema and create a custom attribute with the name cisco-av-pair. | The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider. The following syntax example specifies multiple user roles and locales when you create the cisco-av-pair attribute:
Sample OID for LDAP User Attribute
The following is a sample OID for a custom CiscoAVPair attribute:
CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
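A practitioner extending an Active Directory schema usually wants to verify that the attribute actually created matches what Cisco UCS Central expects before pointing a provider at it. The following checker is an added example, not Cisco code: it parses an attributeSchema entry in the `name: value` form shown above and confirms the attribute ID the page specifies and the Unicode-string syntax (attributeSyntax 2.5.5.12 with oMSyntax 64 is Active Directory's encoding of a Unicode string, which satisfies the "unicode type attribute" requirement). The sample entry is a constructed copy of the section above, with CN=X kept as the documentation's placeholder for the configuration naming context.

```python
"""Verify a CiscoAVPair attributeSchema entry against the requirements Cisco UCS
Central documents for the LDAP custom attribute. Added example, not Cisco code."""

# Constructed input: the sample entry from the section above (CN=X is the
# documentation placeholder for the forest's configuration naming context).
SAMPLE_ENTRY = """\
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
"""

# Values the page states (attribute ID, display name) plus the AD encoding of a
# Unicode string: attributeSyntax 2.5.5.12 together with oMSyntax 64.
REQUIRED = {
    "attributeID": "1.3.6.1.4.1.9.287247.1",
    "attributeSyntax": "2.5.5.12",
    "oMSyntax": "64",
    "lDAPDisplayName": "CiscoAVPair",
    "objectClass": "attributeSchema",
}


def parse_ldif(text):
    """Parse 'name: value' lines into a dict of lists (attributes may repeat)."""
    attrs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {raw!r}")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_ciscoavpair_schema(text):
    """Return a list of problems; an empty list means every requirement is met."""
    attrs = parse_ldif(text)
    problems = []
    for name, expected in REQUIRED.items():
        values = attrs.get(name, [])
        if not values:
            problems.append(f"missing {name}")
        elif expected not in values:
            problems.append(f"{name} is {values!r}, expected {expected!r}")
    return problems


if __name__ == "__main__":
    print(check_ciscoavpair_schema(SAMPLE_ENTRY) or "CiscoAVPair schema entry OK")
```

Running the checker against an export of the real entry (for example, the output of `ldifde` or a directory browser) catches the two mistakes that most often break remote authorization silently: a wrong attribute ID, and an attribute created with a non-Unicode syntax so that the roles and locales string is never read.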
Configuring Multiple Authentication Systems
Multiple Authentication Systems
You can configure Cisco UCS to use multiple authentication systems by configuring the following features:
- Provider groups
- Authentication domains
Once you have configured provider groups and authentication domains in Cisco UCS Central, you can use the following syntax to log in to the system using Cisco UCS Central CLI: ucs-auth-domain\\username
When you configure multiple authentication domains and native authentication with a remote authentication service, use one of the following syntax examples to log in with SSH or PuTTY:
From a Linux terminal:
- ssh ucs-auth-domain\\username@{Cisco UCS domain-ip-address}
  Example: ssh ucs-example\\jsmith@192.0.20.11
- ssh -l ucs-auth-domain\\username {Cisco UCS domain-ip-address | Cisco UCS domain-host-name}
  Example: ssh -l ucs-example\\jsmith 192.0.20.11
- ssh {Cisco UCS domain-ip-address | Cisco UCS domain-host-name} -l ucs-auth-domain\\username
  Example: ssh 192.0.20.11 -l ucs-example\\jsmith
From a PuTTY client:
- Login as: ucs-auth-domain\\username
  Example: Login as: ucs-example\\jsmith
From an SSH client:
- Host Name: Cisco UCS domain-ip-address, User Name: ucs-auth-domain\\username
  Example: Host Name: 192.0.20.11, User Name: ucs-example\\jsmith
Provider Groups
A provider group is a set of providers that Cisco UCS uses during the authentication process. Cisco UCS Central allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.
During authentication, all of the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.
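The login syntax above and the provider-group rules (ordering by `order`, with no-value as the highest priority; fallback to local credentials only when every provider is unreachable) combine into one decision procedure at login time. The following model is an added example, not Cisco code: it parses the `ucs-auth-domain\username` prefix, maps the domain to a provider group (or to the default authentication service when no prefix is given), tries providers in order, and falls back to the local database only when all of them are unreachable. The provider responses are constructed callables standing in for real LDAP, RADIUS or TACACS+ servers; the rule that a provider's explicit reject is final is taken from the page's wording that fallback happens only when servers are unavailable or unreachable.

```python
"""Model of Cisco UCS Central's selection and ordering of authentication providers.
Added example, not Cisco code; provider responses are constructed."""


def parse_login(login):
    """Split 'ucs-<domain>\\<user>' into (domain, user); domain is None without a prefix."""
    if "\\" in login:
        prefix, user = login.split("\\", 1)
        if not prefix.startswith("ucs-") or not prefix[4:]:
            raise ValueError(f"malformed authentication domain prefix: {prefix!r}")
        return prefix[4:], user
    return None, login


def order_key(order):
    # "no-value" sorts ahead of every numeric order, i.e. it has the highest priority.
    return (0, 0) if order == "no-value" else (1, int(order))


def ordered_refs(server_refs):
    """server_refs: list of (provider_name, order) with order 'no-value' or 0-16."""
    for _, order in server_refs:
        if order != "no-value" and not 0 <= int(order) <= 16:
            raise ValueError(f"order {order!r} outside the valid range 0-16")
    return [name for name, _ in sorted(server_refs, key=lambda ref: order_key(ref[1]))]


def authenticate(login, domains, default_group, provider_groups, responses):
    """
    domains:         {domain_name: provider_group_name}
    default_group:   provider group of the default authentication service
    provider_groups: {group_name: [(provider, order), ...]}  (max 16 groups, 8 per group)
    responses:       {provider: callable(user) -> 'accept' | 'reject' | 'unreachable'}
    Returns (outcome, provider_that_answered).
    """
    if len(provider_groups) > 16 or any(len(g) > 8 for g in provider_groups.values()):
        raise ValueError("limit is 16 provider groups with 8 providers each")
    domain, user = parse_login(login)
    if domain is None:
        group = default_group                 # no prefix: default authentication service
    elif domain in domains:
        group = domains[domain]
    else:
        return ("reject", None)               # unknown authentication domain
    for provider in ordered_refs(provider_groups[group]):
        result = responses[provider](user)
        if result == "unreachable":
            continue                          # try the next provider in order
        return (result, provider)             # accept or reject is final
    return ("local-fallback", None)           # every provider unreachable


if __name__ == "__main__":
    # Constructed topology: ldap0 has no order value, so it is tried first.
    groups = {"ldapgroup": [("ldap2", "2"), ("ldap1", "1"), ("ldap0", "no-value")]}
    answers = {"ldap0": lambda u: "unreachable",
               "ldap1": lambda u: "accept" if u == "jsmith" else "reject",
               "ldap2": lambda u: "accept"}
    print(authenticate("ucs-example\\jsmith", {"example": "ldapgroup"},
                       "ldapgroup", groups, answers))
```

Two consequences of the page's rules are visible in the model: a provider that answers "reject" ends the attempt without consulting the remaining providers or the local database, and a down provider is skipped rather than treated as a failed login, so the order value decides which server's view of the user wins when several are reachable.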
Creating an LDAP Provider Group
Creating an LDAP provider group allows you to authenticate using multiple LDAP databases.
Before you begin
Create one or more LDAP providers.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group auth-server-group-name | Creates an LDAP provider group and enters authentication server group security LDAP mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap-provider-name | Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values are no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value gives that server reference the highest priority.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Creates an LDAP provider group called ldapgroup
- Adds two previously configured providers called ldap1 and ldap2 to the provider group
- Sets the order
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # create auth-server-group ldapgroup
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap1
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # up
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group* # create server-ref ldap2
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap/auth-server-group/server-ref #
What to do next
Configure an authentication domain or select a default authentication service.
Deleting an LDAP Provider Group
Before you begin
Remove the provider group from an authentication configuration.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap | Enters LDAP security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group auth-server-group-name | Deletes the LDAP provider group.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Deletes an LDAP provider group called ldapgroup
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope ldap
UCSC(policy-mgr) /org/device-profile/security/ldap # delete auth-server-group ldapgroup
UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/ldap #
Creating a RADIUS Provider Group
Creating a RADIUS provider group allows you to authenticate using multiple RADIUS databases.
Before you begin
Create one or more RADIUS providers.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope radius | Enters RADIUS security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/radius # create auth-server-group auth-server-group-name | Creates a RADIUS provider group and enters authentication server group security RADIUS mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group* # create server-ref radius-provider-name | Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values are no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value gives that server reference the highest priority.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Creates a RADIUS provider group called radiusgroup
- Adds two previously configured providers called radius1 and radius2 to the provider group
- Sets the order
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope radius
UCSC(policy-mgr) /org/device-profile/security/radius # create auth-server-group radiusgroup
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group* # create server-ref radius1
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group/server-ref* # up
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group* # create server-ref radius2
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/radius/auth-server-group/server-ref #
What to do next
Configure an authentication domain or select a default authentication service.
Deleting a RADIUS Provider Group
Remove the provider group from an authentication configuration.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope radius | Enters RADIUS security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/radius # delete auth-server-group auth-server-group-name | Deletes the RADIUS provider group.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Deletes a RADIUS provider group called radiusgroup
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope radius
UCSC(policy-mgr) /org/device-profile/security/radius # delete auth-server-group radiusgroup
UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/radius #
Creating a TACACS+ Provider Group
Creating a TACACS+ provider group allows you to authenticate using multiple TACACS+ databases.
Before you begin
Create a TACACS+ provider.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope tacacs | Enters TACACS+ security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/tacacs # create auth-server-group auth-server-group-name | Creates a TACACS+ provider group and enters authentication server group security TACACS+ mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group* # create server-ref tacacs-provider-name | Adds the specified TACACS+ provider to the TACACS+ provider group and enters server reference authentication server group security TACACS+ mode.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values are no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value gives that server reference the highest priority.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Creates a TACACS+ provider group called tacacsgroup
- Adds two previously configured providers called tacacs1 and tacacs2 to the provider group
- Sets the order
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope tacacs
UCSC(policy-mgr) /org/device-profile/security/tacacs # create auth-server-group tacacsgroup
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group* # create server-ref tacacs1
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group/server-ref* # up
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group* # create server-ref tacacs2
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/tacacs/auth-server-group/server-ref #
What to do next
Configure an authentication domain or select a default authentication service.
Deleting a TACACS+ Provider Group
Remove the provider group from an authentication configuration.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope tacacs | Enters TACACS+ security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/tacacs # delete auth-server-group auth-server-group-name | Deletes the TACACS+ provider group.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Deletes a TACACS+ provider group called tacacsgroup
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope tacacs
UCSC(policy-mgr) /org/device-profile/security/tacacs # delete auth-server-group tacacsgroup
UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/tacacs #
Authentication Domains
Cisco UCS Central uses authentication domains to leverage multiple authentication systems. You specify and configure each authentication domain during login. If you do not specify an authentication domain, Cisco UCS Central uses the default authentication service configuration.
You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Domain. If no provider group is specified, all servers within the realm are used.
Creating an Authentication Domain
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain-name | Creates an authentication domain and enters authentication domain mode. The RADIUS-related settings apply only to the sub-domains in the domain group root and sub-domain groups.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set refresh-period seconds | (Optional) When a web client connects to Cisco UCS Central, the client must send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain. If the client exceeds the time limit, Cisco UCS Central considers the web session inactive, but it does not terminate the session. Specify an integer between 60 and 172800. The default is 600 seconds.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set session-timeout seconds | (Optional) The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If the client exceeds the time limit, Cisco UCS Central automatically terminates the web session. Specify an integer between 60 and 172800. The default is 7200 seconds.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth | (Optional) Creates a default authentication for the specified authentication domain.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name | (Optional) Specifies the provider group for the specified authentication domain.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm {ldap \| local \| radius \| tacacs} | Specifies the realm for the specified authentication domain.
Step 12 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Creates an authentication domain called domain1
- Sets a web refresh period of 3600 seconds (1 hour)
- Sets a session timeout period of 14400 seconds (4 hours)
- Configures domain1 to use the providers in ldapgroup1
- Sets the realm type to ldap
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set refresh-period 3600
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # set session-timeout 14400
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain* # create default-auth
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # set realm ldap
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm/auth-domain/default-auth #
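The two per-domain timers set in the procedure above are easy to confuse: refresh-period only marks a session inactive when the client stops sending refresh requests, while session-timeout is the hard limit after the last refresh at which Cisco UCS Central terminates the session. The following state model is an added example, not Cisco code, written to make that distinction concrete; it enforces the documented 60 to 172800 second range, uses the page's defaults (600 and 7200 seconds), and the usage at the bottom walks a session through the domain1 values from the example above (3600 and 14400 seconds). Timestamps are plain integers of seconds, a constructed clock rather than the appliance's.

```python
"""Model of Cisco UCS Central's per-domain web session timers (refresh-period and
session-timeout). Added example, not Cisco code; timestamps are constructed seconds."""

VALID_RANGE = (60, 172800)          # documented range for both timers
DEFAULT_REFRESH_PERIOD = 600        # documented default, seconds
DEFAULT_SESSION_TIMEOUT = 7200      # documented default, seconds


class WebSession:
    def __init__(self, started_at, refresh_period=DEFAULT_REFRESH_PERIOD,
                 session_timeout=DEFAULT_SESSION_TIMEOUT):
        for name, value in (("refresh-period", refresh_period),
                            ("session-timeout", session_timeout)):
            if not VALID_RANGE[0] <= value <= VALID_RANGE[1]:
                raise ValueError(f"{name} must be between 60 and 172800, got {value}")
        self.refresh_period = refresh_period
        self.session_timeout = session_timeout
        self.last_refresh = started_at      # login counts as the first refresh
        self.terminated = False

    def state(self, now):
        """'active', 'inactive' (refresh-period exceeded, session kept) or 'terminated'."""
        elapsed = now - self.last_refresh
        if self.terminated or elapsed > self.session_timeout:
            self.terminated = True          # session-timeout: terminated, not recoverable
            return "terminated"
        if elapsed > self.refresh_period:
            return "inactive"               # refresh-period: flagged, but still alive
        return "active"

    def refresh(self, now):
        """Client refresh request; returns False once the session has been terminated."""
        if self.state(now) == "terminated":
            return False
        self.last_refresh = now             # an inactive session is revived by a refresh
        return True


if __name__ == "__main__":
    s = WebSession(started_at=0, refresh_period=3600, session_timeout=14400)  # domain1
    print(s.state(1800), s.state(5000), s.refresh(5000), s.state(19401), s.refresh(30000))
```

The point the model makes explicit is that an "inactive" session is still a valid session: a client that resumes refreshing before session-timeout expires regains an active session without re-authenticating, so session-timeout, not refresh-period, is the value that bounds how long an unattended browser keeps its authorization.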
Selecting the Console Authentication Service
Before you begin
If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # scope console-auth | Enters console authorization security mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth # set realm auth-type | Specifies the console authentication, where the auth-type argument is one of the following keywords: ldap, local, radius, tacacs.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth* # set auth-server-group auth-serv-group-name | The associated provider group, if any.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Sets the console authentication to LDAP
- Sets the console authentication provider group to provider1
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # scope console-auth
UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth # set realm ldap
UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth* # set auth-server-group provider1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm/console-auth #
Selecting a Primary Authentication Service
Selecting the Default Authentication Service
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # scope default-auth | Enters default authorization security mode.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth # set realm auth-type | Specifies the default authentication, where auth-type is one of the following keywords: ldap, local, radius, tacacs.
Step 8 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set auth-server-group auth-serv-group-name | (Optional) The associated provider group, if any.
Step 9 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set refresh-period seconds | (Optional) When a web client connects to Cisco UCS Central, the client must send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain. If the client exceeds the time limit, Cisco UCS Central considers the web session inactive, but it does not terminate the session.
Step 10 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set session-timeout seconds | (Optional) The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If the client exceeds the time limit, Cisco UCS Central automatically terminates the web session. Specify an integer between 60 and 172800. The default is 7200 seconds.
Step 11 | UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Sets the default authentication to LDAP
- Sets the default authentication provider group to provider1
- Sets the refresh period to 7200 seconds (2 hours)
- Sets the session timeout period to 28800 seconds (8 hours)
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # scope default-auth
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth # set realm ldap
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set auth-server-group provider1
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set refresh-period 7200
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # set session-timeout 28800
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm/default-auth #
Role Policy for Remote Users
By default, if you do not configure user roles in Cisco UCS Central, it grants read-only access to all users who log in from a remote server. The role policy takes one of the following values:
- assign-default-role: Does not restrict user access to Cisco UCS Central based on user roles. Cisco UCS Central grants read-only access to all users unless you defined other user roles in Cisco UCS Central. This is the default behavior.
- no-login: Restricts user access to Cisco UCS Central based on user roles. If you did not assign user roles in the remote authentication system, access is denied.
For security reasons, you can restrict access to those users matching an established user role in Cisco UCS Central.
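The difference between the two policy values only shows at the moment a remote user arrives with no usable role. The following function is an added example, not Cisco code: it takes the role names a remote provider returned for a user, keeps those that match a role defined in Cisco UCS Central (the page requires the names to match; treating non-matching names as ignored rather than as an error is this example's assumption), and then applies either assign-default-role (read-only access) or no-login (denied). The defined role names other than read-only are constructed sample data.

```python
"""Model of Cisco UCS Central's role policy for remote users (assign-default-role
versus no-login). Added example, not Cisco code; sample role names are constructed."""

POLICIES = ("assign-default-role", "no-login")
DEFAULT_ROLE = "read-only"   # the access the page says is granted by default


def authorize_remote_user(returned_roles, defined_roles, policy="assign-default-role"):
    """Return the set of effective roles for the session, or None if login is denied.

    returned_roles: role names the remote authentication service returned for the user
    defined_roles:  role names configured in Cisco UCS Central
    policy:         'assign-default-role' (the default) or 'no-login'
    """
    if policy not in POLICIES:
        raise ValueError(f"unknown remote-user default-role policy {policy!r}")
    # Only names matching a role defined in Cisco UCS Central are honoured
    # (assumption: unmatched names are dropped, not treated as a hard failure).
    effective = {role for role in returned_roles if role in defined_roles}
    if effective:
        return effective
    if policy == "assign-default-role":
        return {DEFAULT_ROLE}            # no role matched: read-only access
    return None                          # no-login: access denied


def review_policy(users, defined_roles, policy):
    """Dry run for a policy change: which users in `users` ({name: returned_roles})
    would lose access if the given policy were committed."""
    return sorted(name for name, roles in users.items()
                  if authorize_remote_user(roles, defined_roles, policy) is None)


if __name__ == "__main__":
    defined = {"admin", "network", "read-only"}          # constructed sample roles
    staff = {"jsmith": ["admin"], "ops": ["storage-admin"], "audit": []}
    print(review_policy(staff, defined, "no-login"))   # users that no-login would lock out
```

Before switching a production domain from assign-default-role to no-login, running the dry run over the roles each remote account actually carries is the cheap way to see who would be locked out because their directory role name does not match a Cisco UCS Central role.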
Configuring the Role Policy for Remote Users
Procedure
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope org |
Step 3 | UCSC(policy-mgr) /org # scope device-profile |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope auth-realm | Enters authentication realm security mode.
Step 6 | UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role {assign-default-role \| no-login} | Specifies whether user access to Cisco UCS Central is restricted based on user roles.
Step 7 | UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer | Commits the transaction to the system configuration.
Example
The following example:
- Sets the role policy for remote users to assign-default-role
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope auth-realm
UCSC(policy-mgr) /org/device-profile/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /org/device-profile/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/auth-realm #