LDAP
Authentication
LDAP Providers
You can configure remote users, assign roles and locales from Cisco UCS Central the same way as you can create LDAP users from Cisco UCS Manager. You should always create the LDAP provider from Cisco UCS Central Domain Group root.
LDAP Provider Groups
You can define up to 28 LDAP provider groups and nest them up to as many levels as the Active Directory supports for nesting in Cisco UCS Central. When you assign a provider to a nested group, even if the provider is a member of a different LDAP group, they become authenticated member of the parent nested group. During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.
- Creating an LDAP Provider
- Configuring Default Settings for LDAP Providers
- Changing the LDAP Group Rule for an LDAP Provider
- Deleting an LDAP Provider
Creating an LDAP Provider
Create and configure LDAP remote users, and assign roles and locales from Cisco UCS Central, in the same manner as Cisco UCS Manager. Always create the LDAP provider from the Cisco UCS Central domain group root.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. Give this account a non-expiring password.
In the LDAP server, perform one of the following configurations:
-
Configure LDAP groups. LDAP groups contain user role and locale information.
-
Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose to extend the LDAP schema for this attribute. If you do not want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair attribute.
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
-
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
If you want to use secure communications, create a trusted point containing the certificate of the root certificate authority (CA) of the LDAP server in Cisco UCS Central.
-
Scopes into the organization
-
Creates an LDAP server instance named 10.193.169.246
-
Configures the binddn
-
Configures the password
-
Configures the order
-
Configures the port
-
Configures the SSL settings
-
Commits the transaction
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # create server 10.193.169.246 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com" UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set password Enter the password: Confirm the password: UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set order 2 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set port 389 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set ssl yes UCSC(policy-mgr) /org/device-profile/security/ldap/server* # set timeout 30 UCSC(policy-mgr) /org/device-profile/security/ldap/server* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap/server #
Configuring Default Settings for LDAP Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. Give this account a non-expiring password.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap |
Enters LDAP security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # set attribute attribute |
Restricts database searches to records that contain the specified attribute. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set basedn distinguished-name |
Restricts database searches to records that contain the specified distinguished name. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set filter filter |
Restricts database searches to records that contain the specified filter. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap* # set timeout seconds |
Sets the time interval. The system waits for a response from the LDAP server before noting the server as down. |
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # set attribute CiscoAvPair UCSC(policy-mgr) /org/device-profile/security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com" UCSC(policy-mgr) /org/device-profile/security/ldap* # set filter sAMAccountName=$userid UCSC(policy-mgr) /org/device-profile/security/ldap* # set timeout 5 UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap #
Create an LDAP provider.
Changing the LDAP Group Rule for an LDAP Provider
Command or Action | Purpose | |||
---|---|---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. | ||
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. | ||
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. | ||
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. | ||
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap |
Enters LDAP security mode. | ||
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # scope server ldap-provider |
Enters security LDAP provider mode. | ||
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/server # scope ldap-group-rule |
Enters LDAP group rule mode. | ||
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule # set authorization {enable | disable} |
Specifies if Cisco UCS searches LDAP groups when assigning user roles and locales to a remote user.
| ||
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set member-of-attribute attr-name |
The attribute Cisco UCS uses to determine group membership in the LDAP database. The supported string length is 63 characters. The default string is memberOf. | ||
Step 10 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set traversal {non-recursive | recursive} |
Specifies if Cisco UCS inherits the settings for a group member's parent group: | ||
Step 11 | UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # scope server ldapprovider UCSC(policy-mgr) /org/device-profile/security/ldap/server # scope ldap-group-rule UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule # set authorization enable UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set member-of-attribute memberOf UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # set traversal non-recursive UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap/server/ldap-group-rule #
Deleting an LDAP Provider
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap |
Enters LDAP security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete server serv-name |
Deletes the specified server. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # delete server ldap1 UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap #
LDAP Group Maps
For organizations that use LDAP groups to restrict access to LDAP databases, Cisco UCS domains can use group membership information to assign a role or locale to an LDAP user during login. This eliminates the need to define roles or locale information in the LDAP user object when Cisco UCS Central deploys.
Cisco UCS Central uses LDAP group rule to determine LDAP groups when assigning user roles and locales to a remote user. When a user logs in, Cisco UCS Central retrieves information about the user's role and locale from the LDAP group map. If the role and locale criteria match the information in the policy, Cisco UCS Central provides access to the user.
The number of LDAP group maps you can define depends upon the version of Cisco UCS Manager.
You can nest LDAP group maps up to as many levels as the Windows Active Directory supports for nesting in Cisco UCS Central. When you assign a provider to a nested group, even if the provider is a member of a different LDAP group, they become an authenticated member of the parent nested group. During authentication, Cisco UCS Central tries all of the providers within a provider group in order. If Cisco UCS Central cannot reach all of the configured servers, it automatically falls back to the local authentication method using the local username and password.
Role and locale definitions are configured locally in Cisco UCS Central and do not update automatically based on changes to an LDAP directory. If you delete or rename LDAP groups in the LDAP directory, make sure to update the changes in Cisco UCS Central.
You can configure an LDAP group map to include any of the following combinations of roles and locales:
For example, if you want to configure authentication for an LDAP group representing a group of server administrators at a specific location, you can include user roles such as server-profile and server-equipment to the LDAP group. If you want to restrict access to server administrators at a specific location, you can specify locales with specific site names.
Note | Cisco UCS Central includes many out-of-the-box user roles but does not include any locales. You must create a custom locale to map an LDAP provider group to a locale. |
Nested LDAP Groups
You can nest LDAP groups as members of other groups to consolidate accounts and reduce replication.
By default, an LDAP group inherits user rights when nested within another group. For example, if you make Group_1 a member of Group_2, the users in Group_1 will have the same permissions as the members of Group_2. You can then search users that are members of Group_1 by choosing only Group_2 in the LDAP group map, instead of having to search Group_1 and Group_2 separately.
You can search nested groups that are defined in LDAP group maps. Nesting groups eliminates the need to create subgroups.
Note | Searching nested LDAP groups is supported for Microsoft Active Directory servers only. The supported versions are Microsoft Windows 2003 SP3, Microsoft Windows 2008 R2, and Microsoft Windows 2012. If you include special characters in nested group names, make sure to escape them using the syntax shown in the following example. create ldap-group CN=test1\\(\\),CN=Users,DC=ucsm,DC=qasam-lab,DC=in |
Creating an LDAP Group Map
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap |
Enters LDAP security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group group-dn |
Creates an LDAP group map for the specified DN. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale locale-name |
Maps the LDAP group to the specified locale. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role role-name |
Maps the LDAP group to the specified role. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create locale pacific UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # create role admin UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap/ldap-group #
Set the LDAP group rule.
Deleting an LDAP Group Map
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope ldap |
Enters LDAP security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group group-dn |
Deletes the LDAP group map for the specified DN. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope ldap UCSC(policy-mgr) /org/device-profile/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com UCSC(policy-mgr) /org/device-profile/security/ldap* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/ldap #
Configuring RADIUS Providers
Configuring Properties for RADIUS Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope radius |
Enters RADIUS security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/radius # set retries retry-num |
Sets the number of times to retry communicating with the RADIUS server before noting the server as down. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/radius* # set timeout seconds |
Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope radius UCSC(policy-mgr) /org/device-profile/security/radius # set retries 4 UCSC(policy-mgr) /org/device-profile/security/radius* # set timeout 30 UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/radius #
Create a RADIUS provider.
Creating a RADIUS Provider
Cisco UCS Central supports a maximum of 16 RADIUS providers.
Perform the following configuration in the RADIUS server:
-
Configure users with the attribute that holds the user role and locale information for Cisco UCS Central. You can choose to extend the RADIUS schema for this attribute. If you do not want to extend the schema, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the cisco-avpair attribute.
The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.
The following syntax example specifies multiples user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma "," as the delimiter to separate multiple values.
-
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope radius |
Enters RADIUS security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/radius # create server server-name |
Creates a RADIUS server instance and enters security RADIUS server mode. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # set authport authport-num | (Optional)
Specifies the port used to communicate with the RADIUS server. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # set key |
Sets the RADIUS server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # set order order-num | (Optional)
Specifies when in the order this server is tried. |
Step 10 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # set retries retry-num | (Optional)
Sets the number of times to retry communicating with the RADIUS server before noting the server as down. |
Step 11 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # set timeout seconds | (Optional)
Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down. |
Step 12 | UCSC(policy-mgr) /org/device-profile/security/radius/server* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope radius UCSC(policy-mgr) /org/device-profile/security/radius # create server radiusserv7 UCSC(policy-mgr) /org/device-profile/security/radius/server* # set authport 5858 UCSC(policy-mgr) /org/device-profile/security/radius/server* # set key Enter the key: radiuskey321 Confirm the key: radiuskey321 UCSC(policy-mgr) /org/device-profile/security/radius/server* # set order 2 UCSC(policy-mgr) /org/device-profile/security/radius/server* # set retries 4 UCSC(policy-mgr) /org/device-profile/security/radius/server* # set timeout 30 UCSC(policy-mgr) /org/device-profile/security/radius/server* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/radius/server #
Deleting a RADIUS Provider
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters security policy manager mode. |
Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope radius |
Enters RADIUS security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/radius # delete server serv-name |
Deletes the specified server. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope radius UCSC(policy-mgr) /org/device-profile/security/radius # delete server radius1 UCSC(policy-mgr) /org/device-profile/security/radius* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/radius #
Configuring TACACS+ Providers
Configuring Properties for TACACS+ Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope tacacs |
Enters TACACS+ security mode. The TACACS+ related settings are applicable only for the Cisco UCS domains under the domain group root and sub-domain groups. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/tacacs # set key |
Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # set order order-num |
Specifies when in the order this server will be tried. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # set timeout seconds |
Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # set port port-num |
Specifies the port used to communicate with the TACACS+ server. |
Step 10 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope tacacs UCSC(policy-mgr) /org/device-profile/security/tacacs # set key Enter the key: tacacskey321 Confirm the key: tacacskey321 UCSC(policy-mgr) /org/device-profile/security/tacacs* # set order 4 UCSC(policy-mgr) /org/device-profile/security/tacacs* # set timeout 45 UCSC(policy-mgr) /org/device-profile/security/tacacs* # set port 5859 UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/tacacs #
Create a TACACS+ provider.
Creating a TACACS+ Provider
Cisco UCS Central supports a maximum of 16 TACACS+ providers.
Perform the following configuration in the TACACS+ server:
-
Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example specifies multiples user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc"
Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing authentication failures for other Cisco devices that use the same authorization profile. Use a space as the delimiter to separate multiple values. -
For a cluster configuration, add the management port IP addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by Cisco UCS Central.
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)#scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope tacacs |
Enters TACACS+ security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/tacacs # create server server-name |
Creates an TACACS+ server instance and enters security TACACS+ server mode |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set key | (Optional)
Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt. |
Step 8 | UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set order order-num | (Optional)
Specifies when in the order this server is tried. |
Step 9 | UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set timeout seconds | (Optional)
Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down. |
Step 10 | UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set port port-num |
Specifies the port used to communicate with the TACACS+ server. |
Step 11 | UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org# scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope tacacs UCSC(policy-mgr) /org/device-profile/security/tacacs # create server tacacsserv680 UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set key Enter the key: tacacskey321 Confirm the key: tacacskey321 UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set order 4 UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set timeout 45 UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # set port 5859 UCSC(policy-mgr) /org/device-profile/security/tacacs/server* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/tacacs/server #
Deleting a TACACS+ Provider
Command or Action | Purpose | |
---|---|---|
Step 1 | UCSC# connect policy-mgr |
Enters policy manager mode. |
Step 2 | UCSC(policy-mgr) #scope org | Enters organization mode for the specified organization. |
Step 3 | UCSC(policy-mgr) /org #scope device-profile | Enters device profile mode for the specified organization. |
Step 4 | UCSC(policy-mgr) /org/device-profile #scope security | Enters security mode. |
Step 5 | UCSC(policy-mgr) /org/device-profile/security # scope tacacs |
Enters TACACS+ security mode. |
Step 6 | UCSC(policy-mgr) /org/device-profile/security/tacacs # delete server serv-name |
Deletes the specified server. |
Step 7 | UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer |
Commits the transaction to the system configuration. |
UCSC # connect policy-mgr UCSC(policy-mgr)# scope org UCSC(policy-mgr) /org # scope device-profile UCSC(policy-mgr) /org/device-profile # scope security UCSC(policy-mgr) /org/device-profile/security # scope tacacs UCSC(policy-mgr) /org/device-profile/security/tacacs # delete server TACACS1 UCSC(policy-mgr) /org/device-profile/security/tacacs* # commit-buffer UCSC(policy-mgr) /org/device-profile/security/tacacs #