Cisco UCS Central User Accounts
User accounts are used to access the system. You can configure up to 128 user accounts in each Cisco UCS Central domain. Each user account must have a unique username and password.
You can set up a user account with an SSH public key in either of two formats: OpenSSH or SECSH.
Admin Account
The Cisco UCS Central admin account is the default user account. You cannot modify or delete it. This account is the system administrator, or superuser account, and has full privileges. There is no default password assigned to the admin account. You must choose the password during the initial system setup.
The admin account is always active and does not expire. You cannot configure the admin account as inactive.
The local admin user can log in for failover even when authentication is set to remote.
Locally Authenticated User Accounts
A locally authenticated user account is authenticated through the Cisco UCS Central user database. Anyone with admin or aaa privileges can enable or disable it. Once you disable a local user account, the user cannot log in.
Note: Cisco UCS Central does not delete configuration details for disabled local user accounts from the database. If you re-enable a disabled local user account, the account becomes active again with the existing configuration, including username and password.
Remotely Authenticated User Accounts
A remotely authenticated user account is any Cisco UCS Central user account that is authenticated through LDAP. Cisco UCS domains support LDAP, RADIUS and TACACS+.
If a user maintains a local user account and a remote user account simultaneously, the roles defined in the local user account override those maintained in the remote user account.
Expiration of User Accounts
You can configure user accounts to expire at a predefined time. When the user account reaches the expiration time, the account is disabled.
By default, user accounts do not expire.
Note: After you configure a user account with an expiration date, you cannot reconfigure the account to not expire. You can, however, configure the account to expire with the farthest expiration date available.
Guidelines for Creating Usernames
The username is also used as the login ID for Cisco UCS Central. When you assign login IDs to Cisco UCS Central user accounts, consider the following guidelines and restrictions:
- The login ID can contain between 1 and 32 characters, including the following:
  - Any alphabetic character
  - Any digit
  - _ (underscore)
  - - (dash)
  - . (dot)
- The login ID must be unique within Cisco UCS Central.
- The login ID must start with an alphabetic character. It cannot start with a number or a special character, such as an underscore.
- The login ID is case-sensitive.
- You cannot create an all-numeric login ID.
- After you create a user account, you cannot change the login ID. You must delete the user account and create a new one.
Reserved Words: Locally Authenticated User Accounts
You cannot use the following words when creating a local user account in Cisco UCS Central.
- root
- bin
- daemon
- adm
- lp
- sync
- shutdown
- halt
- news
- uucp
- operator
- games
- gopher
- nobody
- nscd
- mailnull
- mail
- rpcuser
- rpc
- mtsuser
- ftpuser
- ftp
- man
- sys
- samdme
- debug
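The username guidelines and the reserved-word list above are the rules that make a `create local-user` command fail after you have already typed it. The following is an added example, not code from Cisco or from the UCS Central product: a pre-flight checker that applies every rule on this page to a proposed login ID (or a whole batch of them) before any CLI session is opened. One choice is the example's own and not stated by the page: reserved words are refused regardless of letter case, which is the conservative reading given that login IDs themselves are case-sensitive.

```python
import re
import string

# Reserved names taken from the page's list; the underlying OS uses them for
# system accounts, so Cisco UCS Central refuses them for local user accounts.
RESERVED_LOCAL_USERNAMES = frozenset("""
root bin daemon adm lp sync shutdown halt news uucp operator games gopher
nobody nscd mailnull mail rpcuser rpc mtsuser ftpuser ftp man sys samdme debug
""".split())

# Login IDs may contain only letters, digits, '_', '-' and '.' (page rule).
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9_.-]*$")


def login_id_problems(login_id, existing=frozenset()):
    """Return every page rule a proposed login ID breaks; an empty list means
    it is acceptable. `existing` holds login IDs already configured and is
    compared case-sensitively, as the page specifies."""
    problems = []
    if not 1 <= len(login_id) <= 32:
        problems.append("length must be 1-32 characters")
    if not _ALLOWED_CHARS.match(login_id):
        problems.append("only letters, digits, '_', '-' and '.' are allowed")
    if login_id.isdigit():
        problems.append("all-numeric login IDs are not allowed")
    if login_id and login_id[0] not in string.ascii_letters:
        problems.append("must start with an alphabetic character")
    if login_id in existing:
        problems.append("login ID already exists (IDs are case-sensitive)")
    # Assumption of this example: reserved words are refused in any letter
    # case; the page does not say whether the check is case-sensitive.
    if login_id.lower() in RESERVED_LOCAL_USERNAMES:
        problems.append("reserved word")
    return problems


def vet_batch(candidates, existing=frozenset()):
    """Check a list of proposed login IDs before pasting a series of
    'create local-user' commands into the CLI. A duplicate inside the batch
    is reported as 'already exists' because the second create would fail."""
    seen = set(existing)
    report = []
    for name in candidates:
        problems = login_id_problems(name, seen)
        report.append((name, problems))
        if not problems:
            seen.add(name)
    return report


if __name__ == "__main__":
    # Constructed batch: two names from the page's examples plus a few bad ones.
    for name, problems in vet_batch(["lincey", "hpotter", "root", "1st-admin", "lincey"], {"kikipopo"}):
        print(f"{name!r}: {'ok' if not problems else '; '.join(problems)}")
```

Run it before a bulk onboarding and fix the flagged names first; the page notes that a login ID cannot be changed after creation, so a mistake here costs a delete-and-recreate.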
Creating a Locally Authenticated User Account
At a minimum, Cisco recommends that you create the following users:
- Server administrator account
- Network administrator account
- Storage administrator account
Before you begin
Perform the following tasks, if the system includes any of the following:
- Remote authentication services: ensure that the users exist in the remote authentication server with the appropriate roles and privileges.
- Multitenancy with organizations: create one or more locales. If you do not have any locales, all users are created in root and are assigned roles and privileges in all organizations.
- SSH authentication: obtain the user's SSH public key (OpenSSH or SECSH format).
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # create local-user local-user-name | Creates a user account for the specified local user and enters security local user mode.
6 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status {active \| inactive} | Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set password password | Sets the password for the user account.
8 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set firstname first-name | (Optional) Specifies the first name of the user.
9 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set lastname last-name | (Optional) Specifies the last name of the user.
10 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set expiration month day-of-month year | (Optional) Specifies the date that the user account expires. The month argument is the first three letters of the month name.
11 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set email email-addr | (Optional) Specifies the user e-mail address.
12 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set phone phone-num | (Optional) Specifies the user phone number.
13 | UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey ssh-key | (Optional) Specifies the SSH public key used for passwordless access.
14 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer | Commits the transaction.
Example
- Creates the user account named kikipopo
- Enables the user account
- Sets the password to foo12345
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user kikipopo
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set password
Enter a password:
Confirm the password:
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user #
- Creates the user account named lincey
- Enables the user account
- Sets an OpenSSH key for passwordless access
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user lincey
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey "ssh-rsa AAAAB3NzaC1yc2EAAAA
BIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw85lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4
VcOelBxlsGk5luq5ls1ob1VOIEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8="
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user #
- Creates the user account named hpotter
- Enables the user account
- Sets an SSH key in SECSH format for passwordless access
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # create local-user hpotter
UCSC(policy-mgr) /org/device-profile/security/local-user* # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # set sshkey
Enter lines one at a time. Enter ENDOFBUF to finish. Press ^C to abort.
User's SSH key:
> ---- BEGIN SSH2 PUBLIC KEY ----
> AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8
> 5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO
> IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=
> ---- END SSH2 PUBLIC KEY ----
> ENDOFBUF
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/local-user #
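The lincey and hpotter examples above carry the same key: the OpenSSH one-liner and the SECSH (RFC 4716) block are two text encodings of one binary blob. The following is an added example, not code from Cisco or from UCS Central: a parser that reads either format, checks that the blob is well-formed and that the declared key type matches the embedded one, converts between the formats, and reports the RSA modulus size so a weak key can be refused before it is pasted into `set sshkey`. The sample key is the one from the page's own examples; the `Comment:` header and the 2048-bit minimum are this example's assumptions, not anything the page states.

```python
import base64
import struct

BEGIN_MARKER = "---- BEGIN SSH2 PUBLIC KEY ----"
END_MARKER = "---- END SSH2 PUBLIC KEY ----"

# Constructed sample: the RSA public key from the page's "lincey" (OpenSSH) and
# "hpotter" (SECSH) examples, wrapped at 70 columns as the page shows it.
_B64_LINES = [
    "AAAAB3NzaC1yc2EAAAABIwAAAIEAuo9VQ2CmWBI9/S1f30klCWjnV3lgdXMzO0WUl5iPw8",
    "5lkdQqap+NFuNmHcb4KiaQB8X/PDdmtlxQQcawclj+k8f4VcOelBxlsGk5luq5ls1ob1VO",
    "IEwcKEL/h5lrdbNlI8y3SS9I/gGiBZ9ARlop9LDpDm8HPh2LOgyH7Ei1MI8=",
]
OPENSSH_KEY = "ssh-rsa " + "".join(_B64_LINES)
SECSH_KEY = "\n".join([BEGIN_MARKER, 'Comment: "constructed example"', *_B64_LINES, END_MARKER])


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def parse_blob(blob):
    """Decode the binary blob both formats share and check its structure.
    For ssh-rsa keys the public exponent and modulus size are returned too."""
    key_type, off = _read_string(blob, 0)
    info = {"type": key_type.decode("ascii")}
    if info["type"] == "ssh-rsa":
        e, off = _read_string(blob, off)
        n, off = _read_string(blob, off)
        if not n or n[0] & 0x80:  # mpint: a positive value never has the high bit set
            raise ValueError("RSA modulus is not a positive mpint")
        if off != len(blob):
            raise ValueError("trailing bytes after RSA key material")
        info["e"] = int.from_bytes(e, "big")
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def blob_from_openssh(line):
    """'<type> <base64> [comment]' -> blob. The declared type must match the
    type embedded in the blob; a mismatch means the line was edited or mangled."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    embedded = parse_blob(blob)["type"]
    if fields[0] != embedded:
        raise ValueError(f"declared type {fields[0]!r} != embedded type {embedded!r}")
    return blob


def blob_from_secsh(text):
    """RFC 4716 block -> blob. Header lines (those containing ':'), including
    backslash-continued ones, are skipped; everything else is the base64 body."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN_MARKER or lines[-1] != END_MARKER:
        raise ValueError("missing SECSH begin/end markers")
    body, continued = [], False
    for ln in lines[1:-1]:
        if continued or ":" in ln:
            continued = ln.endswith("\\")
            continue
        body.append(ln)
    blob = base64.b64decode("".join(body), validate=True)
    parse_blob(blob)  # structural check
    return blob


def to_openssh(blob):
    return f"{parse_blob(blob)['type']} {base64.b64encode(blob).decode('ascii')}"


def to_secsh(blob, comment=None):
    parse_blob(blob)
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [BEGIN_MARKER]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]  # RFC 4716 allows up to 72
    lines.append(END_MARKER)
    return "\n".join(lines)


def check_key(text, min_rsa_bits=2048):
    """Accept either format. 'ok' is False for malformed input or, for RSA,
    a modulus shorter than min_rsa_bits (2048 is this example's policy choice)."""
    try:
        blob = blob_from_secsh(text) if text.lstrip().startswith(BEGIN_MARKER) else blob_from_openssh(text)
        info = parse_blob(blob)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        return {"ok": False, "reason": str(exc)}
    if info["type"] == "ssh-rsa" and info["bits"] < min_rsa_bits:
        return {"ok": False, "reason": f"RSA-{info['bits']} is below the {min_rsa_bits}-bit minimum", **info}
    return {"ok": True, **info}


if __name__ == "__main__":
    print(check_key(OPENSSH_KEY))
    print(check_key(SECSH_KEY, min_rsa_bits=1024))
    print(to_secsh(blob_from_openssh(OPENSSH_KEY), "converted"))
```

Decoding the page's sample shows it is a 1024-bit RSA key with public exponent 35, so under the example's 2048-bit policy `check_key` refuses it; pass a lower `min_rsa_bits` only if that is your documented policy.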
Deleting a Locally Authenticated User Account
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # delete local-user local-user-name | Deletes the local-user account.
6 | UCSC(policy-mgr) /org/device-profile/security* # commit-buffer | Commits the transaction to the system configuration.
Example
- Deletes the foo user account
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # delete local-user foo
UCSC(policy-mgr) /org/device-profile/security* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security #
Enabling the Password Strength Check for Locally Authenticated Users
You must have admin, aaa, or org/device-profile-management privileges (the privileges required to change password profile properties) to enable the password strength check. If enabled, Cisco UCS Central does not permit a user to choose a password that does not meet the guidelines for a strong password.
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope password-profile | Enters password profile security mode.
6 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set enforce-strong-password {yes \| no} | Specifies whether the password strength check is enabled or disabled.
7 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer | Commits the transaction.
Example
- Enables the password strength check
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope password-profile
UCSC(policy-mgr) /org/device-profile/security/password-profile # set enforce-strong-password yes
UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/password-profile #
Clearing the Password History for a Locally Authenticated User
You must have admin, aaa, or org/device-profile-management privileges to change the password profile properties.
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name | Enters local-user security mode for the specified user.
6 | UCSC(policy-mgr) /org/device-profile/security/local-user # scope password-profile | Enters password profile security mode.
7 | UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count 0 | Setting the History Count field to 0 (the default setting) disables the history count and allows users to reuse previously used passwords at any time.
8 | UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer | Commits the transaction to the system configuration.
Example
- Clears the password history count for the user account named kikipopo
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope local-user kikipopo
UCSC(policy-mgr) /org/device-profile/security/local-user # scope password-profile
UCSC(policy-mgr) /org/device-profile/security/password-profile # set history-count 0
UCSC(policy-mgr) /org/device-profile/security/password-profile* # commit-buffer
UCSC(policy-mgr) /org/device-profile/security/password-profile #
Enabling or Disabling a User Account
You must have admin or aaa privileges to enable or disable a local user account.
Before you begin
Create a local user account.
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# connect policy-mgr | Enters policy manager mode.
2 | UCSC(policy-mgr)# scope org / | Enters the organization root.
3 | UCSC(policy-mgr) /org # scope device-profile | Enters device profile mode for the specified organization.
4 | UCSC(policy-mgr) /org/device-profile # scope security | Enters security mode.
5 | UCSC(policy-mgr) /org/device-profile/security # scope local-user local-user-name | Enters local-user security mode for the specified user.
6 | UCSC(policy-mgr) /org/device-profile/security/local-user # set account-status {active \| inactive} | Specifies whether the local user account is enabled or disabled. The admin user account is always set to active. It cannot be modified.
7 | UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer | Commits the transaction.
Example
- Enables a local user account called accounting
- Commits the transaction
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope org /
UCSC(policy-mgr) /org # scope device-profile
UCSC(policy-mgr) /org/device-profile # scope security
UCSC(policy-mgr) /org/device-profile/security # scope local-user accounting
UCSC(policy-mgr) /org/device-profile/security/local-user # set account-status active
UCSC(policy-mgr) /org/device-profile/security/local-user* # commit-buffer
Web Session Limits for User Accounts
Cisco UCS Manager uses web session limits to restrict the number of web sessions (both GUI and XML) that a given user account is permitted to access at any one time.
Monitoring User Sessions
Procedure
Step | Command or Action | Purpose
---|---|---
1 | UCSC# scope system | Enters system mode.
2 | UCSC /system # scope security | Enters security mode.
3 | UCSC /security # show user-sessions {local \| remote} [detail] | Displays session information for all users logged in to the system. An asterisk (*) next to the session ID denotes the current login session.
Example
The following example lists all of the local users logged in to the system. The asterisk indicates which session is the current login session.
UCSC# scope system
UCSC /system # scope security
UCSC /security # show user-sessions local
Session Id User Host Login Time
--------------- --------------- -------------------- ----------
pts_25_1_31264* steve 192.168.100.111 2012-05-09T14:06:59.000
ttyS0_1_3532 jeff console 2012-05-02T15:11:08.000
web_25277_A faye 192.168.100.112 2012-05-15T22:11:25.000
The following example displays detailed information on all local users logged in to the system:
UCSC# scope system
UCSC /system # scope security
UCSC /security # show user-sessions local detail
Session Id pts_25_1_31264:
Fabric Id: A
Term: pts/25
User: steve
Host: 64.101.53.93
Pid: 31264
Login Time: 2012-05-09T14:06:59.000
Session Id ttyS0_1_3532:
Fabric Id: A
Term: ttyS0
User: jeff
Host: console
Pid: 3532
Login Time: 2012-05-02T15:11:08.000
Session Id web_25277_A:
Fabric Id: A
Term: web_25277
User: faye
Host: 192.168.100.112
Pid: 3518
Login Time: 2012-05-15T22:11:25.000
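The session listing above is what an operator reviews to find logins that should not still be open. The following is an added example, not code from Cisco or from UCS Central: it parses the summary form of `show user-sessions local` as captured from a terminal (prompts included), marks the session the command was run from, and reports logins older than a threshold, serial-console logins, and web sessions per user for comparison against the configured web session limit. Two things are this example's assumptions: the classification of sessions by ID prefix (pts_ for CLI pseudo-terminals, ttyS for the serial console, web_ for GUI/XML sessions, inferred from the Term values in the detail output above) and the three-day staleness threshold.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: the page's "show user-sessions local" output with the
# CLI echo lines left in, so the parser must skip them as on a real capture.
SAMPLE_OUTPUT = """\
UCSC# scope system
UCSC /system # scope security
UCSC /security # show user-sessions local
Session Id      User            Host                 Login Time
--------------- --------------- -------------------- ----------
pts_25_1_31264* steve           192.168.100.111      2012-05-09T14:06:59.000
ttyS0_1_3532    jeff            console              2012-05-02T15:11:08.000
web_25277_A     faye            192.168.100.112      2012-05-15T22:11:25.000
"""


@dataclass
class Session:
    session_id: str
    user: str
    host: str
    login_time: datetime
    current: bool  # the row marked with '*' is the session running the command

    @property
    def kind(self):
        """Assumption taken from the page's detail output: pts_ sessions are
        CLI pseudo-terminals, ttyS the serial console, web_ GUI/XML sessions."""
        if self.session_id.startswith("pts_"):
            return "cli"
        if self.session_id.startswith("ttyS"):
            return "console"
        if self.session_id.startswith("web_"):
            return "web"
        return "other"


def parse_user_sessions(output):
    """Turn the four-column summary table into Session records, ignoring
    prompts, the heading line and the dashed ruler."""
    sessions = []
    for line in output.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0].startswith("-"):
            continue
        sid, user, host, stamp = fields
        try:
            login_time = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f")
        except ValueError:
            continue  # not a data row
        sessions.append(Session(sid.rstrip("*"), user, host, login_time, sid.endswith("*")))
    return sessions


def review_sessions(sessions, now, max_age=timedelta(days=3)):
    """Findings worth acting on: the session you are in, logins older than
    max_age (an illustrative threshold), serial-console logins, and web
    sessions per user to compare against the configured web session limit."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    web_per_user = {}
    for s in sessions:
        if s.kind == "web":
            web_per_user[s.user] = web_per_user.get(s.user, 0) + 1
    return {
        "current": next((s.session_id for s in sessions if s.current), None),
        "stale": [s.session_id for s in sessions if now - s.login_time > max_age],
        "console": [s.session_id for s in sessions if s.kind == "console" or s.host == "console"],
        "web_per_user": web_per_user,
    }


if __name__ == "__main__":
    findings = review_sessions(parse_user_sessions(SAMPLE_OUTPUT), "2012-05-16T00:00:00")
    for key, value in findings.items():
        print(f"{key}: {value}")
```

With the page's sample and a reference time of 2012-05-16, steve's and jeff's sessions are older than three days and jeff's is on the serial console; both are the kind of entry to confirm with the user or terminate.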