- Overview
- GUI Overview
- Configuring Primary Authentication
- Configuring RBAC
- Configuring Trusted Points
- Configuring System Profiles
- Configuring VM Managers
- Configuring Tenants
- Configuring InterCloud Resources
- Configuring Service Policies and Profiles
- Configuring Device Policies and Profiles
- Configuring Managed Resources
- Configuring Administrative Operations
Configuring Primary Authentication
This section includes the following topics:
- Primary Authentication
- Remote Authentication Providers
- Creating an LDAP Provider
- Editing an LDAP Provider
- Deleting an LDAP Provider
- Selecting a Primary Authentication Service
Primary Authentication
Prime Network Services Controller supports two methods to authenticate user logins: local user accounts defined in Prime Network Services Controller itself, and a remote authentication service (such as LDAP) configured as a provider.
Remote Authentication Providers
If a system is configured for a supported remote authentication service, you must create a provider for that service so that Prime Network Services Controller can communicate with the server that hosts the service.
User Accounts in Remote Authentication Services
You can create user accounts in Prime Network Services Controller or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through the Prime Network Services Controller GUI.
User Roles and Locales in Remote Authentication Services
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles and locales those users require for working in Prime Network Services Controller and that the names of those roles and locales match the names used in Prime Network Services Controller. If an account does not have the required roles and locales, the user is granted only read-only privileges.
LDAP Attribute for User
In Prime Network Services Controller, the LDAP attribute that holds a user's roles and locales is preset, and it is always a name-value pair. By default, CiscoAVPair carries the role and locale information for the user. If a filter is specified, the LDAP search is restricted to entries that match it; the default filter is sAMAccountName=$userid, where $userid is replaced with the login name the user entered. You can change the attribute name and the filter to match the settings on the LDAP server. When a user logs in, Prime Network Services Controller queries the remote authentication service, reads the value of the attribute, and validates the user; the value of the filter attribute (sAMAccountName by default) must be identical to the username.
Creating an LDAP Provider
Configure LDAP users with the attribute that holds the user role and locale information for Prime Network Services Controller. You can use an existing LDAP attribute that is mapped to the Prime Network Services Controller user roles and locales, or you can create a custom attribute, such as CiscoAVPair, which has the attribute ID (OID) 1.3.6.1.4.1.9.287247.1. When you add the user to the LDAP server, specify the role and locale in the attribute (for example, shell:roles=network,aaa shell:locale=sanjose,dallas). The role and locale names must match the names defined in Prime Network Services Controller; otherwise the user receives only read-only privileges.
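The following Python example is added here and is not code from the Prime Network Services Controller product or its documentation. It shows what the two settings described above imply for an implementer: the login name is substituted into the sAMAccountName=$userid filter with RFC 4515 escaping so that a crafted username cannot rewrite the search, the shell:roles=... shell:locale=... value of the attribute is parsed, and role and locale names that do not exist in the controller are dropped, with a fall back to read-only when no role matches. The function names, the name of the read-only role, and the sample role and locale sets are assumptions; the documentation does not state the exact matching rule, so treating "no matching role" as the read-only condition is a modelling choice.

```python
"""Parse the attribute that carries Prime Network Services Controller
roles and locales, and build the user-lookup filter safely.

Added example, not code from the product. The attribute value format
"shell:roles=... shell:locale=..." and the default filter
sAMAccountName=$userid come from the documentation; function names, the
"read-only" role name and the sample data are assumptions."""
import re

# RFC 4515 section 3 escaping for values placed inside an LDAP search filter.
# The login name is substituted into "sAMAccountName=$userid"; without this,
# a login name such as "*)(objectClass=*" would rewrite the filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(template: str, userid: str) -> str:
    """Replace $userid in the configured filter template with the escaped login name."""
    return template.replace("$userid", escape_filter_value(userid))


# Each attribute value looks like "shell:roles=network,aaa shell:locale=sanjose,dallas".
_AVPAIR_RE = re.compile(r"shell:(roles|locale)=(\S*)")


def parse_avpair(values):
    """Return (roles, locales) found across all values of the attribute."""
    roles, locales = set(), set()
    for value in values:
        for key, csv in _AVPAIR_RE.findall(value):
            names = {name for name in csv.split(",") if name}
            (roles if key == "roles" else locales).update(names)
    return roles, locales


READ_ONLY_ROLE = "read-only"  # assumed name of the fallback role


def effective_privileges(values, known_roles, known_locales):
    """Keep only role and locale names that exist in the controller.

    Names that do not match are dropped and returned separately so an
    operator can spot a typo in the directory. If no role matches, the user
    gets the read-only role only, modelling the documented fallback.
    """
    roles, locales = parse_avpair(values)
    known_roles, known_locales = set(known_roles), set(known_locales)
    matched_roles = roles & known_roles
    matched_locales = locales & known_locales
    unmatched = (roles - known_roles) | (locales - known_locales)
    if not matched_roles:
        return {READ_ONLY_ROLE}, set(), unmatched
    return matched_roles, matched_locales, unmatched


if __name__ == "__main__":
    # Constructed sample data: controller-side names and one directory entry.
    controller_roles = {"admin", "network", "aaa", "read-only"}
    controller_locales = {"sanjose"}
    entry = ["shell:roles=network,aaa shell:locale=sanjose,dallas"]
    print(build_user_filter("sAMAccountName=$userid", "bob"))
    print(build_user_filter("sAMAccountName=$userid", "*)(objectClass=*"))
    print(effective_privileges(entry, controller_roles, controller_locales))
    print(effective_privileges(["shell:roles=netadmin"], controller_roles, controller_locales))
```

The escaping step is the part worth checking in any custom filter you configure on the provider: the filter template is trusted, but the login name that replaces $userid is attacker-controlled input.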
When you add the provider, the fields are as follows (example values shown):
- Hostname/IP Address—Provider-blr-sam-aaa-10.cisco.com
- Key—xxxxxx (The password of the LDAP account specified in the Root DN field.)
- Root DN—CN=bob,DC=cisco,DC=com (The value of CN is the name of a user with query privileges; DC identifies the location in the LDAP directory where the user is created. Use an account with read-only query privileges for this bind, not a directory administrator.)
- Port—389
- Enable SSL—check box (With this unchecked, the bind password in Key and each authenticating user's password cross the network in cleartext. LDAP over SSL conventionally uses port 636, so set Port to match what the server expects.)
Select LDAP as the primary authentication service. For more information, see Selecting a Primary Authentication Service.
Editing an LDAP Provider
Step 1 | Choose Administration > Access Control > LDAP. |
Step 2 | In the content pane, select the required LDAP provider. |
Step 3 | Click Edit. |
Step 4 | In the Edit dialog box, modify the settings as required, using the following table as a guide: |
Step 5 | Click OK, then click Save. |
Deleting an LDAP Provider
Selecting a Primary Authentication Service
Note | If the default authentication is set to LDAP, and the LDAP servers are not operating or are unreachable, the local admin user can log in at any time and make changes to the authentication, authorization, and accounting (AAA) system. |
Step 1 | Choose Administration > Access Control > Authentication. |
Step 2 | In the Properties tab, specify the information as described in the following table, then click OK. |