Cisco UCS
supports two methods to authenticate user logins:
Through user accounts local to
Cisco UCS Manager
Remotely through one of the following protocols:
LDAP
RADIUS
TACACS+
Guidelines and Recommendations for Remote Authentication Providers
If a system is configured for one of the supported remote
authentication services, you must create a provider for that service to ensure
that
Cisco UCS Manager
can communicate with it. In addition, you need to be aware of the following
guidelines that impact user authorization:
User Accounts in Remote Authentication Services
User accounts can exist locally in
Cisco UCS Manager
or in the remote authentication server.
The temporary sessions for users who log in through remote
authentication services can be viewed through Cisco UCS Manager GUI or Cisco UCS Manager CLI.
User Roles in Remote Authentication Services
If you create user accounts in the remote authentication server, you
must ensure that the accounts include the roles those users require for working
in
Cisco UCS Manager
and that the names of those roles match the names used in
Cisco UCS Manager.
Depending on the role policy, a user may not be allowed to log in or will be granted only read-only privileges.
User Attributes in Remote Authentication Providers
You must configure a user attribute for Cisco UCS in each remote authentication provider through which users log in to Cisco UCS Manager. This user attribute holds the roles and locales assigned to each user.
When a user logs in, Cisco UCS Manager
does the following:
Queries the remote authentication service.
Validates the user.
If the user is validated, checks for the roles and locales assigned to that user.
The following table contains a comparison of the user attribute requirements for the remote authentication providers supported by Cisco UCS. Table 1 Comparison of User Attributes by Remote Authentication Provider
Authentication Provider
Custom Attribute
Schema Extension
Attribute ID Requirements
LDAP
Optional
Optional. You can choose to do either of the following:
Do not extend the LDAP schema and configure an existing, unused attribute that meets the requirements.
Extend the LDAP schema and create a custom attribute with a unique name, such as CiscoAVPair.
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
A sample OID is provided in the following section.
RADIUS
Optional
Optional. You can choose to do either of the following:
Do not extend the RADIUS schema and use an existing, unused attribute that meets the requirements.
Extend the RADIUS schema and create a custom attribute with a unique name, such as cisco-avpair.
The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.
The following syntax example shows how to specify multiples user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.
TACACS+
Required
Required. You must extend the schema and create a custom attribute with the name cisco-av-pair.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example shows how to specify multiples user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc". Use a space as the delimiter to separate multiple values.
Sample OID for LDAP User Attribute
The following is a sample OID for a custom CiscoAVPair attribute:
The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user.
Configuring LDAP Providers
Configuring Properties for LDAP Providers
The properties that you configure in this task apply to all LDAP provider connections.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope security
Enters security mode.
Step 2
UCS-A /security #
scope ldap
Enters security LDAP mode.
Step 3
UCS-A /security/ldap #
set attributeattribute
Restricts database searches to records that contain the specified
attribute.
Step 4
UCS-A /security/ldap #
set basedndistinguished-name
Restricts database searches to records that contain the specified
distinguished name.
Step 5
UCS-A /security/ldap #
set filterfilter
Restricts database searches to records that contain the specified
filter.
Step 6
UCS-A /security/ldap #
set timeoutseconds
(Optional)
Sets the time interval the system waits for a response from the
LDAP server before noting the server as down.
Step 7
UCS-A /security/ldap #
commit-buffer
Commits the transaction to the system configuration.
The following example sets the LDAP attribute to CiscoAvPair, the base
distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com", the filter to
sAMAccountName=$userid, and the timeout interval to 5 seconds, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope ldap
UCS-A /security/ldap # set attribute CiscoAvPair
UCS-A /security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCS-A /security/ldap* # set filter sAMAccountName=$userid
UCS-A /security/ldap* # set timeout 5
UCS-A /security/ldap* # commit-buffer
UCS-A /security/ldap #
What to Do Next
Create an LDAP provider.
Creating an LDAP Provider
Cisco UCS Manager supports a maximum of 16 LDAP providers.
Before You Begin
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
In the LDAP
server, perform one of the following configurations:
Configure LDAP groups. LDAP groups contain user role and locale information.
Configure users with the attribute that holds the user role and locale information for Cisco UCS Manager. You can choose whether to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute.
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
For a cluster configuration, add the management port IP addresses
for both fabric interconnects. This configuration ensures that remote users can
continue to log in if the first fabric interconnect fails and the system fails
over to the second fabric interconnect. All login requests are sourced from
these IP addresses, not the virtual IP address used by
Cisco UCS Manager.
If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Manager.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope security
Enters security mode.
Step 2
UCS-A /security #
scope ldap
Enters security LDAP mode.
Step 3
UCS-A /security/ldap #
create serverserver-name
Creates an LDAP server instance and enters security LDAP server
mode. If SSL is enabled, the server-name, typically an IP address or FQDN, must exactly match a Common Name (CN) in the LDAP server's security certificate. Unless an IP address is specified, a DNS server must be configured in Cisco UCS Manager.
Step 4
UCS-A /security/ldap/server #
set attributeattr-name
(Optional)
Specifies the LDAP attribute that stores the value for user roles and locales.
If you do not specify this property, Cisco UCS Manager uses the default set on the LDAP General tab.
Step 5
UCS-A /security/ldap/server #
set basednbasedn-name
(Optional)
Specifies the distinguished name in the LDAP hierarchy where the server should begin to search when it receives an authorization request.
If the distinguished name is not set for a specific LDAP provider, it is taken from the general properties set for LDAP providers.
Step 6
UCS-A /security/ldap/server #
set binddnbinddn-name
(Optional)
Specifies the distinguished name (DN) for the LDAP database superuser account.
If you do not specify this property, Cisco UCS Manager uses the default set on the LDAP General tab.
Step 7
UCS-A /security/ldap/server #
set filterfilter-value
(Optional)
Restricts the LDAP search to those usernames that match the defined filter.
If the filter is not set for a specific LDAP provider, it is taken from the general properties set for LDAP providers.
Step 8
UCS-A /security/ldap/server #
set password
Specifies the password for the LDAP database superuser account. To set the password, press Enter after
typing the
set password command and enter the key value at the
prompt.
Step 9
UCS-A /security/ldap/server #
set orderorder-num
(Optional)
Specifies when in the order this server will be tried.
Step 10
UCS-A /security/ldap/server #
set portport-num
(Optional)
Specifies the port used to communicate with the LDAP server.
The standard port number is 389.
Step 11
UCS-A /security/ldap/server #
set ssl{yes|no}
Enables or disables the use of encryption when communicating with the
LDAP server.
The options are as follows:
yes—Encryption is required. If encryption cannot be negotiated, the connection fails.
no—Encryption is disabled. Authentication information is sent as clear text.
LDAP uses STARTTLS. This allows encrypted communication using port 389.
Step 12
UCS-A /security/ldap/server #
set timeouttimeout-num
Specifies the amount of time in seconds that the system should spend trying to contact the LDAP database before it times out.
Step 13
UCS-A /security/ldap/server #
commit-buffer
Commits the transaction to the system configuration.
The following example creates an LDAP server
instance named 10.193.169.246, configures the binddn, password, order, port, and SSL settings, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope ldap
UCS-A /security/ldap* # create server 10.193.169.246
UCS-A /security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCS-A /security/ldap/server* # set password
Enter the password:
Confirm the password:
UCS-A /security/ldap/server* # set order 2
UCS-A /security/ldap/server* # set port 389
UCS-A /security/ldap/server* # set ssl yes
UCS-A /security/ldap/server* # set timeout 30
UCS-A /security/ldap/server* # commit-buffer
UCS-A /security/ldap/server #
What to Do Next
For implementations involving a single LDAP database, select LDAP as the authentication service.
For implementations involving multiple LDAP databases, configure an LDAP provider group.
UCS-A /security/ldap/server/ldap-group-rule # set authorization{enable | disable}
Specifies whether Cisco UCS searches LDAP groups when assigning user roles and locales to a remote user.
disable—Cisco UCS does not access any LDAP groups.
enable—Cisco UCS searches the LDAP provider groups mapped in this Cisco UCS instance. If the remote user is found, Cisco UCS assigns the user roles and locales defined for that LDAP group in the associated LDAP group map.
Note
Role and locale assignment is cumulative. If a user is included in multiple groups, or has a role or locale specified in the LDAP attribute, Cisco UCS assigns that user all the roles and locales mapped to any of those groups or attributes.
Step 6
UCS-A /security/ldap/server/ldap-group-rule # set member-of-attributeattr-name
Specifies the attribute Cisco UCS uses to determine group membership.
Step 7
UCS-A /security/ldap/server/ldap-group-rule # set traversal{non-recursive | recursive}
Specifies whether Cisco UCS takes the settings for a group member's parent group, if necessary. This can be:
non-recursive—Cisco UCS only searches those groups that the user belongs to.
recursive—Cisco UCS searches all the ancestor groups belonging to the user.
Commits the transaction to the system configuration.
The following example sets the LDAP group rule to enable authorization, sets the member of attribute to ldapdb1, sets the traversal to non-recursive, and commits the transaction:
For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by UCSM to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Manager is deployed.
When a user logs in to Cisco UCS Manager, information about the user's role and locale are pulled from the LDAP group map. If the role and locale criteria match the information in the policy, access is granted.
Role and locale definitions are configured locally in UCSM and do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it is important that you update your Cisco UCS Manager instance with the change.
An LDAP group map can be configured to include any of the following combinations of roles and locales:
Roles only
Locales only
Both roles and locales
For example, consider an LDAP group representing a group of server administrators at a specific location. The LDAP group map might be configured to include user roles like server-profile and server-equipment. To restrict access to server administrators at a specific location, the locale could be set to a particular site name.
Note
Cisco UCS Manager includes many out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale.
Creating an LDAP Group Map
Before You Begin
Create an LDAP group in the LDAP server.
Configure the distinguished name for the LDAP group in the LDAP server.
Create locales in Cisco UCS Manager (optional).
Create custom roles in Cisco UCS Manager (optional).
Cisco UCS Manager supports a maximum of 16 RADIUS providers.
Before You Begin
Perform the following configuration in the RADIUS
server:
Configure users with the attribute that holds the user role and locale information for Cisco UCS Manager. You can choose whether to extend the RADIUS schema for this attribute. If you do not want to extend the schema, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the cisco-avpair attribute.
The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.
The following syntax example shows how to specify multiples user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.
For a cluster configuration, add the management port IP addresses
for both fabric interconnects. This configuration ensures that remote users can
continue to log in if the first fabric interconnect fails and the system fails
over to the second fabric interconnect. All login requests are sourced from
these IP addresses, not the virtual IP address used by
Cisco UCS Manager.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope security
Enters security mode.
Step 2
UCS-A /security #
scope radius
Enters security RADIUS mode.
Step 3
UCS-A /security/radius #
create serverserver-name
Creates a RADIUS server instance and enters security RADIUS server
mode
Step 4
UCS-A /security/radius/server #
set authportauthport-num
(Optional)
Specifies the port used to communicate with the RADIUS server.
Step 5
UCS-A /security/radius/server #
set key
Sets the RADIUS server key. To set the key value, press Enter
after typing the
set key command and enter the key value at the
prompt.
Step 6
UCS-A /security/radius/server #
set orderorder-num
(Optional)
Specifies when in the order this server will be tried.
Step 7
UCS-A /security/radius #
set retriesretry-num
(Optional)
Sets the number of times to retry communicating with the RADIUS
server before noting the server as down.
Step 8
UCS-A /security/radius #
set timeoutseconds
(Optional)
Sets the time interval that the system waits for a response from the
RADIUS server before noting the server as down.
Step 9
UCS-A /security/radius/server #
commit-buffer
Commits the transaction to the system configuration.
The following example creates a server instance named radiusserv7, sets the
authentication port to 5858, sets the key to radiuskey321, sets the order to 2, sets the retries to 4, sets the timeout to 30, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope radius
UCS-A /security/radius # create server radiusserv7
UCS-A /security/radius/server* # set authport 5858
UCS-A /security/radius/server* # set key
Enter the key: radiuskey321
Confirm the key: radiuskey321
UCS-A /security/radius/server* # set order 2
UCS-A /security/radius/server* # set retries 4
UCS-A /security/radius/server* # set timeout 30
UCS-A /security/radius/server* # commit-buffer
UCS-A /security/radius/server #
What to Do Next
For implementations involving a single RADIUS database, select RADIUS as the primary authentication service.
For implementations involving multiple RADIUS databases, configure a RADIUS provider group.
Deleting a RADIUS Provider
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # scope RADIUS
Enters security RADIUS mode.
Step 3
UCS-A /security/radius # delete serverserv-name
Deletes the specified server.
Step 4
UCS-A /security/radius # commit-buffer
Commits the transaction to the system configuration.
The following example deletes the RADIUS server called radius1 and commits the transaction:
Cisco UCS Manager supports a maximum of 16 TACACS+ providers.
Before You Begin
Perform the following configuration in the TACACS+
server:
Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example shows how to specify multiples user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales="L1 abc". Use a space as the delimiter to separate multiple values.
For a cluster configuration, add the management port IP addresses
for both fabric interconnects. This configuration ensures that remote users can
continue to log in if the first fabric interconnect fails and the system fails
over to the second fabric interconnect. All login requests are sourced from
these IP addresses, not the virtual IP address used by
Cisco UCS Manager.
Procedure
Command or Action
Purpose
Step 1
UCS-A#
scope security
Enters security mode.
Step 2
UCS-A /security #
scope tacacs
Enters security TACACS+ mode.
Step 3
UCS-A /security/tacacs #
create serverserver-name
Creates an TACACS+ server instance and enters security TACACS+
server mode
Step 4
UCS-A /security/tacacs/server #
set key
(Optional)
Sets the TACACS+ server key. To set the key value, press Enter
after typing the
set key command and enter the key value at the
prompt.
Step 5
UCS-A /security/tacacs/server #
set orderorder-num
(Optional)
Specifies when in the order this server will be tried.
Step 6
UCS-A /security/tacacs/server #
set portport-num
Specifies the port used to communicate with the TACACS+ server.
Step 7
UCS-A /security/tacacs/server #
commit-buffer
Commits the transaction to the system configuration.
The following example creates a server instance named tacacsserv680, sets the key to tacacskey321,
sets the order to 4, sets the authentication port to 5859, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope tacacs
UCS-A /security/tacacs # create server tacacsserv680
UCS-A /security/tacacs/server* # set key
Enter the key: tacacskey321
Confirm the key: tacacskey321
UCS-A /security/tacacs/server* # set order 4
UCS-A /security/tacacs/server* # set port 5859
UCS-A /security/tacacs/server* # commit-buffer
UCS-A /security/tacacs/server #
What to Do Next
For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication service.
For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.
Deleting a TACACS+ Provider
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # scope tacacs
Enters security TACACS mode.
Step 3
UCS-A /security/tacacs # delete serverserv-name
Deletes the specified server.
Step 4
UCS-A /security/tacacs # commit-buffer
Commits the transaction to the system configuration.
The following example deletes the TACACS server called tacacs1 and commits the transaction:
You can configure Cisco UCS to use multiple authentication systems by configuring the following features:
Provider groups
Authentication domains
Once provider groups and authentication domains have been configured in Cisco UCS Manager, the following syntax can be used to log in to the system using Cisco UCS Manager CLI: ucs:auth-domain\user-name
Provider Groups
A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Manager allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.
During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Manager automatically falls back to the local authentication method using the local username and password.
Creating an LDAP Provider Group
Creating an LDAP provider group allows you to authenticate using multiple LDAP databases.
Note
Authenticating with a single LDAP database does not require you to set up an LDAP provider group.
Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.
Step 5
UCS-A /security/ldap/auth-server-group/server-ref # set orderorder-num
Specifies the order in which Cisco UCS uses this provider to authenticate users.
Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Commits the transaction to the system configuration.
The following example creates an LDAP provider group called ldapgroup, adds two previously configured providers called ldap1 and ldap2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope ldap
UCS-A /security/ldap # create auth-server-group ldapgroup
UCS-A /security/ldap/auth-server-group* # create server-ref ldap1
UCS-A /security/ldap/auth-server-group/server-ref* # set order 1
UCS-A /security/ldap/auth-server-group/server-ref* # up
UCS-A /security/ldap/auth-server-group* # create server-ref ldap2
UCS-A /security/ldap/auth-server-group/server-ref* # set order 2
UCS-A /security/ldap/auth-server-group/server-ref* # commit-buffer
UCS-A /security/ldap/auth-server-group/server-ref #
What to Do Next
Configure an authentication domain or select a default authentication service.
Deleting an LDAP Provider Group
Before You Begin
Remove the provider group from an authentication configuration.
Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode.
Step 5
UCS-A /security/radius/auth-server-group/server-ref # set orderorder-num
Specifies the order in which Cisco UCS uses this provider to authenticate users.
Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Commits the transaction to the system configuration.
The following example creates a RADIUS provider group called radiusgroup, adds two previously configured providers called radius1 and radius2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope radius
UCS-A /security/radius # create auth-server-group radiusgroup
UCS-A /security/radius/auth-server-group* # create server-ref radius1
UCS-A /security/radius/auth-server-group/server-ref* # set order 1
UCS-A /security/radius/auth-server-group/server-ref* # up
UCS-A /security/radius/auth-server-group* # create server-ref radius2
UCS-A /security/radius/auth-server-group/server-ref* # set order 2
UCS-A /security/radius/auth-server-group/server-ref* # commit-buffer
UCS-A /security/radius/auth-server-group/server-ref #
What to Do Next
Configure an authentication domain or select a default authentication service.
Deleting a RADIUS Provider Group
Remove the provider group from an authentication configuration.
Adds the specified TACACS provider to the TACACS provider group and enters server reference authentication server group security TACACS mode.
Step 5
UCS-A /security/tacacs/auth-server-group/server-ref # set orderorder-num
Specifies the order in which Cisco UCS uses this provider to authenticate users.
Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Commits the transaction to the system configuration.
The following example creates a TACACS provider group called tacacsgroup, adds two previously configured providers called tacacs1 and tacacs2 to the provider group, sets the order, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope tacacs
UCS-A /security/tacacs # create auth-server-group tacacsgroup
UCS-A /security/tacacs/auth-server-group* # create server-ref tacacs1
UCS-A /security/tacacs/auth-server-group/server-ref* # set order 1
UCS-A /security/tacacs/auth-server-group/server-ref* # up
UCS-A /security/tacacs/auth-server-group* # create server-ref tacacs2
UCS-A /security/tacacs/auth-server-group/server-ref* # set order 2
UCS-A /security/tacacs/auth-server-group/server-ref* # commit-buffer
UCS-A /security/tacacs/auth-server-group/server-ref #
What to Do Next
Configure an authentication domain or select a default authentication service.
Deleting a TACACS Provider Group
Remove the provider group from an authentication configuration.
Authentication domains are used by Cisco UCS Manager to leverage multiple authentication systems. Each authentication domain is specified and configured during login. If no authentication domain is specified, the default authentication service configuration is used.
You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Manager. If no provider group is specified, all servers within the realm are used.
Creating an Authentication Domain
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # create auth-domaindomain-name
Creates an authentication domain and enters authentication domain mode.
Step 3
UCS-A /security/auth-domain # create default-auth
Creates a default authentication for the specified authentication domain.
Step 4
UCS-A /security/auth-domain/default-auth # set auth-server-groupauth-serv-group-name
(Optional)
Specifies the provider group for the specified authentication domain.
Step 5
UCS-A /security/auth-domain/default-auth # set realm{ldap | local | radius | tacacs}
Specifies the realm for the specified authentication domain.
Commits the transaction to the system configuration.
The following example creates an authentication domain called domain1 that uses the providers in ldapgroup1, sets the realm type to ldap, and commits the transaction.
If the system uses a remote authentication
service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # scope console-auth
Enters console authorization security mode.
Step 3
UCS-A /security/console-auth # set realmauth-type
Specifies the console authentication, where the auth-type argument is one of the following keywords:
ldap—Specifies LDAP authentication
local—Specifies local authentication
none—Allows local users to log on without specifying a password
radius—Specifies RADIUS authentication
tacacs—Specifies TACACS+ authentication
Step 4
UCS-A /security/console-auth # set auth-server-groupauth-serv-group-name
(Optional)
The associated provider group, if any.
Step 5
UCS-A /security/console-auth # commit-buffer
Commits the transaction to the system configuration.
The following example sets the authentication to LDAP, sets the console authentication provider group to provider1, and commits the transaction:
UCS-A# scope security
UCS-A /security # scope console-auth
UCS-A /security/console-auth # set realm local
UCS-A /security/console-auth # set auth-server-group provider1
UCS-A /security/console-auth* # commit-buffer
UCS-A /security/console-auth #
Selecting the Default Authentication Service
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # scope default-auth
Enters default authorization security mode.
Step 3
UCS-A /security/default-auth # set realmauth-type
Specifies the default authentication, where the auth-type argument is one of the following keywords:
ldap—Specifies LDAP authentication
local—Specifies local authentication
none—Allows local users to log on without specifying a password
radius—Specifies RADIUS authentication
tacacs—Specifies TACACS+ authentication
Step 4
UCS-A /security/default-auth # set auth-server-groupauth-serv-group-name
(Optional)
The associated provider group, if any.
Step 5
UCS-A /security/default-auth # commit-buffer
Commits the transaction to the system configuration.
The following example sets the default authentication to LDAP, sets the default authentication provider group to provider1, and commits the transaction:
By default, if user roles are not configured in Cisco UCS Manager read-only access is granted to all users logging in to Cisco UCS Manager from a remote server using the LDAP, RADIUS, or TACACS protocols. For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Manager.
You can configure the role policy for remote users in the following ways:
assign-default-role
Does not restrict user access to Cisco UCS Manager based on user roles. Read-only access is granted to all users unless other user roles have been defined in Cisco UCS Manager.
This is the default behavior.
no-login
Restricts user access to Cisco UCS Manager based on user roles. If user roles have not been assigned for the remote authentication system, access is denied.
Configuring the Role Policy for Remote Users
Procedure
Command or Action
Purpose
Step 1
UCS-A# scope security
Enters security mode.
Step 2
UCS-A /security # set remote-user default-role{assign-default-role | no-login}
Specifies whether user access to Cisco UCS Manager is restricted based on user roles.
Step 3
UCS-A /security # commit-buffer
Commits the transaction to the system configuration.
The following example sets the role policy for remote users and commits the transaction: