Cisco UCS Central uses LDAP for remote authentication, but excludes RADIUS and TACACS+ authentication in this release. However, RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains.
If a system is configured for one of the supported remote authentication services, you must create a provider for that service to ensure that Cisco UCS Central can communicate with it. In addition, you need to be aware of the following guidelines that impact user authorization:
User accounts can exist locally in Cisco UCS Central or in the remote authentication server. The temporary sessions for users who log in through remote authentication services can be viewed through Cisco UCS Central GUI or Cisco UCS Central CLI.
If you create user accounts in the remote authentication server, you must ensure that the accounts include the roles those users require for working in Cisco UCS Central and that the names of those roles match the names used in Cisco UCS Central. Depending on the role policy, a user may not be allowed to log in or will be granted only read-only privileges.
When a user logs in, Cisco UCS Central does the following:
The following is a sample OID for a custom CiscoAVPair attribute:
```
CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
```
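Before pointing Cisco UCS Central at a custom CiscoAVPair attribute, it is worth confirming that the attribute exists in the directory schema with the syntax shown in the sample above. The following Python is an added example, not Cisco's code or part of the product: it parses an attribute-per-line dump of the schema entry (the constructed `SAMPLE_ENTRY` reproduces the sample above, with a `dn:` line added) and checks the fields that matter for authorization lookups: object class `attributeSchema`, `lDAPDisplayName` of `CiscoAVPair`, `attributeSyntax` 2.5.5.12 with `oMSyntax` 64 (a Unicode string), and `isSingleValued` TRUE. The function and constant names are my own.

```python
"""Pre-flight check of a CiscoAVPair attributeSchema entry.
Added example, not Cisco code. SAMPLE_ENTRY is constructed from the
sample entry in the documentation; EXPECTED lists the values it declares."""
from typing import Dict, List

# Constructed sample: the attributeSchema entry above, one attribute per
# line as an LDAP search tool would print it (a 'dn:' line added).
SAMPLE_ENTRY = """\
dn: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
"""

# Values the sample entry declares; these are what the check enforces.
EXPECTED = {
    "lDAPDisplayName": "CiscoAVPair",
    "attributeSyntax": "2.5.5.12",  # Unicode string syntax
    "oMSyntax": "64",               # OM syntax that pairs with 2.5.5.12
    "isSingleValued": "TRUE",       # one authorization value per user
}


def parse_entry(text: str) -> Dict[str, List[str]]:
    """Parse 'attribute: value' lines into attribute -> list of values.
    Multi-valued attributes such as objectClass keep every value; blank
    lines and '#' comments are skipped; anything else is an error."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ": " not in line:
            raise ValueError(f"malformed line: {raw!r}")
        attr, value = line.split(": ", 1)
        entry.setdefault(attr, []).append(value)
    return entry


def check_ciscoavpair_schema(entry: Dict[str, List[str]]) -> List[str]:
    """Return the list of problems found; an empty list means the entry
    matches what the documentation's sample declares."""
    problems: List[str] = []
    if "attributeSchema" not in entry.get("objectClass", []):
        problems.append("entry is not an attributeSchema object")
    for attr, want in EXPECTED.items():
        got = entry.get(attr)
        if got is None:
            problems.append(f"{attr} missing")
        elif got[0] != want:
            problems.append(f"{attr} is {got[0]!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    for problem in check_ciscoavpair_schema(parse_entry(SAMPLE_ENTRY)) or ["schema entry OK"]:
        print(problem)
```

Feed it the output of an LDAP search against the schema naming context instead of `SAMPLE_ENTRY` to check a live directory; a non-empty result list means the attribute does not match what the documentation expects and authorization lookups may silently return nothing.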
The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user.
Configuring LDAP Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
The following example shows how to set the LDAP attribute to CiscoAvPair, the base distinguished name to "DC=cisco-ucsm-aaa3,DC=qalab,DC=com", the filter to sAMAccountName=$userid, and the timeout interval to 5 seconds, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # set attribute CiscoAvPair
UCSC(policy-mgr) /domain-group/security/ldap* # set basedn "DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /domain-group/security/ldap* # set filter sAMAccountName=$userid
UCSC(policy-mgr) /domain-group/security/ldap* # set timeout 5
UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap #
```
Create an LDAP provider.
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server to bind with Cisco UCS. This account should be given a non-expiring password.
The following example shows how to create an LDAP server instance named 10.193.169.246, configure the binddn, password, order, port, SSL, and timeout settings, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # create server 10.193.169.246
UCSC(policy-mgr) /domain-group/security/ldap/server* # set binddn "cn=Administrator,cn=Users,DC=cisco-ucsm-aaa3,DC=qalab,DC=com"
UCSC(policy-mgr) /domain-group/security/ldap/server* # set password
Enter the password:
Confirm the password:
UCSC(policy-mgr) /domain-group/security/ldap/server* # set order 2
UCSC(policy-mgr) /domain-group/security/ldap/server* # set port 389
UCSC(policy-mgr) /domain-group/security/ldap/server* # set ssl yes
UCSC(policy-mgr) /domain-group/security/ldap/server* # set timeout 30
UCSC(policy-mgr) /domain-group/security/ldap/server* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap/server #
```
The following example shows how to set the LDAP group rule to enable authorization, set the member of attribute to memberOf, set the traversal to non-recursive, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # scope server ldapprovider
UCSC(policy-mgr) /domain-group/security/ldap/server # scope ldap-group-rule
UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule # set authorization enable
UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set member-of-attribute memberOf
UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # set traversal non-recursive
UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap/server/ldap-group-rule #
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/ldap # delete server serv-name | Deletes the specified server.
Step 6 | UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to delete the LDAP server called ldap1 and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # delete server ldap1
UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap #
```
For organizations that already use LDAP groups to restrict access to LDAP databases, group membership information can be used by Cisco UCS domains to assign a role or locale to an LDAP user during login. This eliminates the need to define role or locale information in the LDAP user object when Cisco UCS Central is deployed.
Note: LDAP group mapping is not supported for Cisco UCS Central for this release. However, LDAP group maps are supported for locally managed Cisco UCS domains from the Cisco UCS Central Domain Group root.
When a user logs in to Cisco UCS Central, information about the user's role and locale is pulled from the LDAP group map. If the role and locale criteria match the information in the policy, access is granted.
Role and locale definitions are configured locally in Cisco UCS Central and do not update automatically based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it is important that you update Cisco UCS Central with the change.
Note: Cisco UCS Central includes many out-of-the-box user roles but does not include any locales. Mapping an LDAP provider group to a locale requires that you create a custom locale.
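The authorization behaviour described in this section and in the guidelines above (roles named in the directory must match local role names; the LDAP group rule's member-of attribute and recursive or non-recursive traversal; the role policy deciding between no login and read-only access when nothing matches) can be modelled end to end. The following Python is an added example, not Cisco's code: it resolves a user's role and locale from a constructed directory and constructed group maps. The directory entries, group DNs, user DNs, role names and the `role_policy` labels `deny` and `read-only` are my own sample values, not product identifiers.

```python
"""LDAP group map resolution for a remote user.
Added example, not Cisco code. All directory data, group maps and role
names below are constructed sample values."""
from typing import Dict, List, Set, Tuple

# Constructed directory: each entry's memberOf lists the groups it belongs
# to directly, so nested membership can be walked when traversal is recursive.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=jdoe,cn=users,dc=lab,dc=com": {"memberOf": ["cn=security,cn=users,dc=lab,dc=com"]},
    "cn=security,cn=users,dc=lab,dc=com": {"memberOf": ["cn=ops-admins,cn=users,dc=lab,dc=com"]},
    "cn=ops-admins,cn=users,dc=lab,dc=com": {"memberOf": []},
    "cn=asmith,cn=users,dc=lab,dc=com": {"memberOf": ["cn=contractors,cn=users,dc=lab,dc=com"]},
    "cn=contractors,cn=users,dc=lab,dc=com": {"memberOf": []},
}

# Constructed group maps, as 'create ldap-group <dn>' plus 'create role' and
# 'create locale' would define them. The contractors map names a role that
# does not exist locally, which is the mismatch the guidelines warn about.
GROUP_MAPS: Dict[str, Dict[str, Set[str]]] = {
    "cn=security,cn=users,dc=lab,dc=com": {"roles": {"admin"}, "locales": {"pacific"}},
    "cn=ops-admins,cn=users,dc=lab,dc=com": {"roles": {"operations"}, "locales": set()},
    "cn=contractors,cn=users,dc=lab,dc=com": {"roles": {"Administrator"}, "locales": set()},
}

# Roles defined locally; a mapped role name grants nothing unless it matches exactly.
LOCAL_ROLES: Set[str] = {"admin", "operations", "read-only"}


def collect_groups(user_dn: str, directory, member_of_attr: str = "memberOf",
                   traversal: str = "non-recursive") -> Set[str]:
    """Groups the user belongs to. 'non-recursive' returns only the groups
    named in the user's own memberOf; 'recursive' also walks each group's
    memberOf so nested groups count. A visited set stops membership cycles."""
    seen: Set[str] = set()
    queue = list(directory.get(user_dn, {}).get(member_of_attr, []))
    while queue:
        group = queue.pop(0)
        if group in seen:
            continue
        seen.add(group)
        if traversal == "recursive":
            queue.extend(directory.get(group, {}).get(member_of_attr, []))
    return seen


def resolve_access(user_dn: str, directory, group_maps, local_roles: Set[str],
                   traversal: str = "non-recursive",
                   role_policy: str = "deny") -> Tuple[str, Set[str], Set[str]]:
    """Return (decision, roles, locales). decision is 'allow', 'read-only'
    or 'deny'. role_policy selects what happens when no local role matches:
    'deny' refuses the login, 'read-only' grants only the read-only role."""
    roles: Set[str] = set()
    locales: Set[str] = set()
    for group in collect_groups(user_dn, directory, traversal=traversal):
        mapping = group_maps.get(group)
        if mapping:
            roles |= mapping["roles"]
            locales |= mapping["locales"]
    roles &= local_roles  # names that do not exist locally are dropped
    if roles:
        return "allow", roles, locales
    if role_policy == "read-only":
        return "read-only", {"read-only"}, locales
    return "deny", set(), set()


if __name__ == "__main__":
    for dn in ("cn=jdoe,cn=users,dc=lab,dc=com", "cn=asmith,cn=users,dc=lab,dc=com"):
        for mode in ("non-recursive", "recursive"):
            print(dn, mode, resolve_access(dn, DIRECTORY, GROUP_MAPS, LOCAL_ROLES, traversal=mode))
```

Two things the model makes visible: switching traversal from non-recursive to recursive widens what a user is granted (jdoe picks up the operations role through the nested ops-admins group), and a group map whose role name does not exactly match a local role (Administrator versus admin) leaves the user with nothing, so the role policy rather than the directory decides the outcome.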
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group group-dn | Creates an LDAP group map for the specified DN.
Step 6 | UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale locale-name | Maps the LDAP group to the specified locale.
Step 7 | UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role role-name | Maps the LDAP group to the specified role.
Step 8 | UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to create an LDAP group map for a group DN, set the locale to pacific, set the role to admin, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # create ldap-group cn=security,cn=users,dc=lab,dc=com
UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create locale pacific
UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # create role admin
UCSC(policy-mgr) /domain-group/security/ldap/ldap-group* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap/ldap-group #
```
Set the LDAP group rule.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group group-dn | Deletes the LDAP group map for the specified DN.
Step 6 | UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to delete an LDAP group map and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # delete ldap-group cn=security,cn=users,dc=lab,dc=com
UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap #
```
Configuring RADIUS Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Note: RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/radius # set retries retry-num | Sets the number of times to retry communicating with the RADIUS server before noting the server as down.
Step 6 | UCSC(policy-mgr) /domain-group/security/radius* # set timeout seconds | Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.
Step 7 | UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to set the RADIUS retries to 4, set the timeout interval to 30 seconds, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # set retries 4
UCSC(policy-mgr) /domain-group/security/radius* # set timeout 30
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #
```
Create a RADIUS provider.
Cisco UCS Central supports a maximum of 16 RADIUS providers. RADIUS native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central under the Domain Group root and domain groups. RADIUS may be used to create global policies for Cisco UCS domains.
Perform the following configuration in the RADIUS server:
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/radius # create server server-name | Creates a RADIUS server instance and enters security RADIUS server mode.
Step 6 | UCSC(policy-mgr) /domain-group/security/radius/server* # set authport authport-num | (Optional) Specifies the port used to communicate with the RADIUS server.
Step 7 | UCSC(policy-mgr) /domain-group/security/radius/server* # set key | Sets the RADIUS server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.
Step 8 | UCSC(policy-mgr) /domain-group/security/radius/server* # set order order-num | (Optional) Specifies when in the order this server will be tried.
Step 9 | UCSC(policy-mgr) /domain-group/security/radius/server* # set retries retry-num | (Optional) Sets the number of times to retry communicating with the RADIUS server before noting the server as down.
Step 10 | UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the RADIUS server before noting the server as down.
Step 11 | UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to create a server instance named radiusserv7, set the authentication port to 5858, set the key to radiuskey321, set the order to 2, set the retries to 4, set the timeout to 30, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # create server radiusserv7
UCSC(policy-mgr) /domain-group/security/radius/server* # set authport 5858
UCSC(policy-mgr) /domain-group/security/radius/server* # set key
Enter the key: radiuskey321
Confirm the key: radiuskey321
UCSC(policy-mgr) /domain-group/security/radius/server* # set order 2
UCSC(policy-mgr) /domain-group/security/radius/server* # set retries 4
UCSC(policy-mgr) /domain-group/security/radius/server* # set timeout 30
UCSC(policy-mgr) /domain-group/security/radius/server* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius/server #
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/radius # delete server serv-name | Deletes the specified server.
Step 6 | UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to delete the RADIUS server called radius1 and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # delete server radius1
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #
```
Configuring TACACS+ Providers
The properties that you configure in this task are the default settings for all provider connections of this type defined in Cisco UCS Central. If an individual provider includes a setting for any of these properties, Cisco UCS uses that setting and ignores the default setting.
Note: TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode. The TACACS+ related settings will be applicable only for the Cisco UCS domains under the Domain Group root and child domain groups.
Step 5 | UCSC(policy-mgr) /domain-group/security/tacacs # set key | Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.
Step 6 | UCSC(policy-mgr) /domain-group/security/tacacs* # set order order-num | Specifies when in the order this server will be tried.
Step 7 | UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout seconds | Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.
Step 8 | UCSC(policy-mgr) /domain-group/security/tacacs* # set port port-num | Specifies the port used to communicate with the TACACS+ server.
Step 9 | UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to set the key to tacacskey321, set the order to 4, set the timeout interval to 45 seconds, set the authentication port to 5859, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # set key
Enter the key: tacacskey321
Confirm the key: tacacskey321
UCSC(policy-mgr) /domain-group/security/tacacs* # set order 4
UCSC(policy-mgr) /domain-group/security/tacacs* # set timeout 45
UCSC(policy-mgr) /domain-group/security/tacacs* # set port 5859
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #
```
Create a TACACS+ provider.
Cisco UCS Central supports a maximum of 16 TACACS+ providers. TACACS+ native authentication is not supported for this release, and cannot be used to create policies in Cisco UCS Central. TACACS+ may be used to create global policies for Cisco UCS domains.
Perform the following configuration in the TACACS+ server:
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/tacacs # create server server-name | Creates a TACACS+ server instance and enters security TACACS+ server mode.
Step 6 | UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key | (Optional) Sets the TACACS+ server key. To set the key value, press Enter after typing the set key command and enter the key value at the prompt.
Step 7 | UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order order-num | (Optional) Specifies when in the order this server will be tried.
Step 8 | UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout seconds | (Optional) Sets the time interval that the system waits for a response from the TACACS+ server before noting the server as down.
Step 9 | UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port port-num | Specifies the port used to communicate with the TACACS+ server.
Step 10 | UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to create a server instance named tacacsserv680, set the key to tacacskey321, set the order to 4, set the timeout interval to 45 seconds, set the authentication port to 5859, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # create server tacacsserv680
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set key
Enter the key: tacacskey321
Confirm the key: tacacskey321
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set order 4
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set timeout 45
UCSC(policy-mgr) /domain-group/security/tacacs/server* # set port 5859
UCSC(policy-mgr) /domain-group/security/tacacs/server* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs/server #
```
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/tacacs # delete server serv-name | Deletes the specified server.
Step 6 | UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to delete the TACACS+ server called tacacs1 and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # delete server tacacs1
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #
```
Configuring Multiple Authentication Systems
You can configure Cisco UCS to use multiple authentication systems by configuring the following features:
Once provider groups and authentication domains have been configured in the Cisco UCS Central GUI, the following syntax can be used to log in to the system using the Cisco UCS Central CLI: ucs-auth-domain
When multiple authentication domains and native authentication are configured with a remote authentication service, use one of the following syntax examples to log in with SSH or PuTTY:
From a Linux terminal:
From a PuTTY client:
From an SSH client:
A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco UCS Central allows you to create a maximum of 16 provider groups, with a maximum of eight providers allowed per group.
During authentication, all the providers within a provider group are tried in order. If all of the configured servers are unavailable or unreachable, Cisco UCS Central automatically falls back to the local authentication method using the local username and password.
Note: Authenticating with a single LDAP database does not require you to set up an LDAP provider group.
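The ordering and fallback rules just described (providers in a group tried in order, with no-value ranking above any numeric order, and local authentication used only when every configured server is unavailable or unreachable) are worth seeing as code, because the distinction between a provider that is down and a provider that rejects the credentials decides whether the local password is ever consulted. The following Python is an added example, not Cisco's code or an implementation of the product. Provider names, the simulated backends, the local user table and its password are constructed sample values; a real local store would hold password hashes, not plaintext.

```python
"""Provider-group authentication order with fallback to local credentials.
Added example, not Cisco code. Providers, backends and local users are
constructed; a real local store would keep hashes rather than plaintext."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Provider:
    name: str
    order: Optional[int]  # None stands for 'no-value', the highest priority
    # Simulated backend: returns 'accept' or 'reject', or raises
    # TimeoutError when the server is unreachable.
    authenticate: Callable[[str, str], str]


def providers_in_order(group: List[Provider]) -> List[Provider]:
    """no-value first, then ascending numeric order (lowest value = highest priority)."""
    return sorted(group, key=lambda p: -1 if p.order is None else p.order)


def authenticate_with_group(group: List[Provider], username: str, password: str,
                            local_users: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, source): verdict is 'accept' or 'reject', source is
    the provider that decided or 'local' when the fallback was used."""
    for provider in providers_in_order(group):
        try:
            verdict = provider.authenticate(username, password)
        except TimeoutError:
            continue  # server down: move to the next provider in order
        # The first reachable provider decides; a rejection is final and
        # never falls through to the local database.
        return verdict, provider.name
    # Every provider was unreachable: fall back to the local username/password.
    stored = local_users.get(username, "")
    if stored and hmac.compare_digest(stored, password):
        return "accept", "local"
    return "reject", "local"


# Constructed backends and accounts used by the demonstration below.
def _down(user: str, pw: str) -> str:
    raise TimeoutError("provider unreachable")


def _ldap1(user: str, pw: str) -> str:
    return "accept" if (user, pw) == ("jdoe", "Correct-Horse-9") else "reject"


LOCAL_USERS = {"admin": "Local-Pass-1"}
GROUP_ORDERED = [Provider("ldap2", 2, _down), Provider("ldap1", 1, _ldap1)]
GROUP_NO_VALUE = [Provider("ldap2", None, _down), Provider("ldap1", 1, _ldap1)]
GROUP_ALL_DOWN = [Provider("ldap1", 1, _down), Provider("ldap2", 2, _down)]


if __name__ == "__main__":
    print(authenticate_with_group(GROUP_ORDERED, "jdoe", "Correct-Horse-9", LOCAL_USERS))
    print(authenticate_with_group(GROUP_NO_VALUE, "jdoe", "Correct-Horse-9", LOCAL_USERS))
    print(authenticate_with_group(GROUP_ALL_DOWN, "admin", "Local-Pass-1", LOCAL_USERS))
    print(authenticate_with_group(GROUP_ORDERED, "admin", "Local-Pass-1", LOCAL_USERS))
```

The last call is the case to keep in mind when reviewing an outage: the local admin password is valid, but because ldap1 is reachable and rejects it, the result is a rejection from ldap1, not a local login. Only when every provider in the group times out does the local database answer.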
Create one or more LDAP providers.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group auth-server-group-name | Creates an LDAP provider group and enters authentication server group security LDAP mode.
Step 6 | UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap-provider-name | Adds the specified LDAP provider to the LDAP provider group and enters server reference authentication server group security LDAP mode.
Step 7 | UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Step 8 | UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to create an LDAP provider group called ldapgroup, add two previously configured providers called ldap1 and ldap2 to the provider group, set the order, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # create auth-server-group ldapgroup
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap1
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group* # create server-ref ldap2
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap/auth-server-group/server-ref #
```
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope ldap | Enters security LDAP mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group auth-server-group-name | Deletes the LDAP provider group.
Step 6 | UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to delete an LDAP provider group called ldapgroup and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope ldap
UCSC(policy-mgr) /domain-group/security/ldap # delete auth-server-group ldapgroup
UCSC(policy-mgr) /domain-group/security/ldap* # commit-buffer
UCSC(policy-mgr) /domain-group/security/ldap #
```
Note: Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group.
Create one or more RADIUS providers.
Step | Command or Action | Purpose
---|---|---
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode.
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group.
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode.
Step 4 | UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode.
Step 5 | UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group auth-server-group-name | Creates a RADIUS provider group and enters authentication server group security RADIUS mode.
Step 6 | UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius-provider-name | Adds the specified RADIUS provider to the RADIUS provider group and enters server reference authentication server group security RADIUS mode.
Step 7 | UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority.
Step 8 | UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # commit-buffer | Commits the transaction to the system configuration.
The following example shows how to create a RADIUS provider group called radiusgroup, add two previously configured providers called radius1 and radius2 to the provider group, set the order, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # create auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group* # create server-ref radius2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius/auth-server-group/server-ref #
```
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope radius | Enters security RADIUS mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group auth-server-group-name | Deletes the RADIUS provider group. |
Step 6 | UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to delete a RADIUS provider group called radiusgroup and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope radius
UCSC(policy-mgr) /domain-group/security/radius # delete auth-server-group radiusgroup
UCSC(policy-mgr) /domain-group/security/radius* # commit-buffer
UCSC(policy-mgr) /domain-group/security/radius #
```
Note: Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider group.
Create a TACACS+ provider.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group auth-server-group-name | Creates a TACACS+ provider group and enters authentication server group security TACACS+ mode. |
Step 6 | UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs-provider-name | Adds the specified TACACS+ provider to the TACACS+ provider group and enters server reference authentication server group security TACACS+ mode. |
Step 7 | UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # set order order-num | Specifies the order in which Cisco UCS uses this provider to authenticate users. Valid values include no-value and 0-16, with the lowest value indicating the highest priority. Setting the order to no-value is equivalent to giving that server reference the highest priority. |
Step 8 | UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to create a TACACS+ provider group called tacacsgroup, add two previously configured providers called tacacs1 and tacacs2 to the provider group, set the order, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # create auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 1
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # up
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group* # create server-ref tacacs2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # set order 2
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs/auth-server-group/server-ref #
```
Configure an authentication domain or select a default authentication service.
Remove the provider group from an authentication configuration.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope tacacs | Enters security TACACS+ mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group auth-server-group-name | Deletes the TACACS+ provider group. |
Step 6 | UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to delete a TACACS+ provider group called tacacsgroup and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope tacacs
UCSC(policy-mgr) /domain-group/security/tacacs # delete auth-server-group tacacsgroup
UCSC(policy-mgr) /domain-group/security/tacacs* # commit-buffer
UCSC(policy-mgr) /domain-group/security/tacacs #
```
Authentication domains are used by Cisco UCS Domain to leverage multiple authentication systems. Each authentication domain is specified and configured during login. If no authentication domain is specified, the default authentication service configuration is used.
You can create up to eight authentication domains. Each authentication domain is associated with a provider group and realm in Cisco UCS Domain. If no provider group is specified, all servers within the realm are used.
Note: Authentication domains for LDAP are not supported for Cisco UCS Central for this release. However, authentication domains are supported for managed Cisco UCS domains from the Cisco UCS Central Domain Group root.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope auth-realm | Enters authentication realm mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain-name | Creates an authentication domain and enters authentication domain mode. The RADIUS related settings are applicable only to the Cisco UCS domains under the Domain Group root and its child domain groups. |
Step 6 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period seconds | (Optional) When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain. If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session. Specify an integer between 60 and 172800. The default is 600 seconds. |
Step 7 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout seconds | (Optional) The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session. Specify an integer between 60 and 172800. The default is 7200 seconds. |
Step 8 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth | (Optional) Creates a default authentication for the specified authentication domain. |
Step 9 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group auth-serv-group-name | (Optional) Specifies the provider group for the specified authentication domain. |
Step 10 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm {ldap | local | radius | tacacs} | Specifies the realm for the specified authentication domain. |
Step 11 | UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to create an authentication domain called domain1, set the refresh period to 3600 seconds, set the session timeout to 14400 seconds, create a default authentication that uses the LDAP realm with the provider group ldapgroup1, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # create auth-domain domain1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set refresh-period 3600
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # set session-timeout 14400
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain* # create default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set auth-server-group ldapgroup1
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/auth-domain/default-auth #
```
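The provider-group procedures above (RADIUS and TACACS+ `set order`) and the authentication-domain procedure together describe how a login is routed to providers: the domain named at login (or the default authentication service) carries a realm and, optionally, a provider group; without a provider group every provider in the realm is used; inside a group, server references are tried by `order` (0-16, lowest first) and a reference left at no-value is tried before any numbered one. The following Python model is an added illustration of those rules, not Cisco's code and not taken from the page; the classes, the validation checks and all sample provider, group and domain names are constructed for this example.

```python
"""Constructed model of Cisco UCS Central provider routing (illustration only).
Realm names, the 8-domain limit and the 0-16 / no-value order rule come from
the documentation; the classes and sample names are this example's own."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

REALMS = ("ldap", "local", "radius", "tacacs")   # realm keywords named on the page
MAX_AUTH_DOMAINS = 8                              # page: up to eight domains
ORDER_RANGE = range(0, 17)                        # page: 0-16, or no-value


@dataclass(frozen=True)
class ServerRef:
    provider: str
    order: Optional[int] = None    # None models the CLI's no-value


@dataclass
class ProviderGroup:
    name: str
    realm: str
    refs: List[ServerRef] = field(default_factory=list)

    def add(self, provider: str, order: Optional[int] = None) -> None:
        """Equivalent of `create server-ref` followed by `set order`."""
        if order is not None and order not in ORDER_RANGE:
            raise ValueError(f"order must be no-value or 0-16, got {order}")
        self.refs.append(ServerRef(provider, order))

    def attempt_order(self) -> List[str]:
        """Providers in the order they are tried: no-value first, then 0..16.
        sorted() is stable, so equal orders keep configuration order."""
        key = lambda r: (0, 0) if r.order is None else (1, r.order)
        return [r.provider for r in sorted(self.refs, key=key)]


@dataclass
class AuthDomain:
    name: str
    realm: str
    provider_group: Optional[str] = None   # None: all providers of the realm


class AuthConfig:
    def __init__(self) -> None:
        self.providers = {}     # provider name -> realm (dict keeps config order)
        self.groups = {}        # group name -> ProviderGroup
        self.domains = {}       # domain name -> AuthDomain
        self.default_auth = AuthDomain("default", "local")

    def add_provider(self, name: str, realm: str) -> None:
        if realm not in REALMS or realm == "local":
            raise ValueError(f"not a remote realm: {realm}")
        self.providers[name] = realm

    def add_group(self, group: ProviderGroup) -> None:
        for ref in group.refs:   # a group may only reference providers of its realm
            if self.providers.get(ref.provider) != group.realm:
                raise ValueError(f"{ref.provider} is not a {group.realm} provider")
        self.groups[group.name] = group

    def _check(self, d: AuthDomain) -> None:
        if d.realm not in REALMS:
            raise ValueError(f"unknown realm {d.realm}")
        if d.provider_group is not None and self.groups[d.provider_group].realm != d.realm:
            raise ValueError("provider group realm must match the domain realm")

    def add_domain(self, domain: AuthDomain) -> None:
        if len(self.domains) >= MAX_AUTH_DOMAINS:
            raise ValueError("at most eight authentication domains")
        self._check(domain)
        self.domains[domain.name] = domain

    def set_default_auth(self, realm: str, provider_group: Optional[str] = None) -> None:
        d = AuthDomain("default", realm, provider_group)
        self._check(d)
        self.default_auth = d

    def resolve(self, login_domain: Optional[str] = None) -> Tuple[str, List[str]]:
        """(realm, providers to try) for a login; no domain means default auth."""
        d = self.domains[login_domain] if login_domain else self.default_auth
        if d.realm == "local":
            return ("local", [])
        if d.provider_group is not None:
            return (d.realm, self.groups[d.provider_group].attempt_order())
        return (d.realm, [p for p, r in self.providers.items() if r == d.realm])


def sample_config() -> AuthConfig:
    """Constructed configuration echoing the page's examples (radiusgroup, ldapgroup1, domain1)."""
    cfg = AuthConfig()
    for name, realm in [("ldap1", "ldap"), ("ldap2", "ldap"), ("ldap3", "ldap"),
                        ("radius1", "radius"), ("radius2", "radius")]:
        cfg.add_provider(name, realm)
    radiusgroup = ProviderGroup("radiusgroup", "radius")
    radiusgroup.add("radius1", 1)
    radiusgroup.add("radius2", 2)
    cfg.add_group(radiusgroup)
    ldapgroup1 = ProviderGroup("ldapgroup1", "ldap")
    ldapgroup1.add("ldap2", 5)
    ldapgroup1.add("ldap3")            # order left at no-value: tried first
    ldapgroup1.add("ldap1", 0)
    cfg.add_group(ldapgroup1)
    cfg.add_domain(AuthDomain("domain1", "ldap", "ldapgroup1"))
    cfg.add_domain(AuthDomain("domain2", "ldap"))   # no group: every ldap provider
    cfg.set_default_auth("radius", "radiusgroup")
    return cfg
```

`sample_config().resolve("domain1")` yields the LDAP providers in the order ldap3, ldap1, ldap2, which is the point worth checking in a real deployment: a server reference whose order was never set outranks every numbered one, so an accidental no-value on a decommissioned or lower-trust server makes it the first provider consulted.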
Selecting a Primary Authentication Service
If the system uses a remote authentication service, create a provider for that authentication service. If the system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope auth-realm | Enters authentication realm security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth | Enters console authorization security mode. |
Step 6 | UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm auth-type | Specifies the console authentication, where the auth-type argument is one of the realm keywords ldap, local, radius, or tacacs. |
Step 7 | UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group auth-serv-group-name | The associated provider group, if any. |
Step 8 | UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to set the authentication to LDAP, set the console authentication provider group to provider1, and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope console-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/console-auth #
```
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope auth-realm | Enters authentication realm security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth | Enters default authorization security mode. |
Step 6 | UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm auth-type | Specifies the default authentication, where auth-type is one of the realm keywords ldap, local, radius, or tacacs. |
Step 7 | UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group auth-serv-group-name | (Optional) The associated provider group, if any. |
Step 8 | UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period seconds | (Optional) When a web client connects to Cisco UCS Central, the client needs to send refresh requests to Cisco UCS Central to keep the web session active. This option specifies the maximum amount of time allowed between refresh requests for a user in this domain. If this time limit is exceeded, Cisco UCS Central considers the web session to be inactive, but it does not terminate the session. |
Step 9 | UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout seconds | (Optional) The maximum amount of time that can elapse after the last refresh request before Cisco UCS Central considers a web session to have ended. If this time limit is exceeded, Cisco UCS Central automatically terminates the web session. Specify an integer between 60 and 172800. The default is 7200 seconds. |
Step 10 | UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to set the default authentication to LDAP, set the default authentication provider group to provider1, set the refresh period to 7200 seconds (2 hours), set the session timeout period to 28800 seconds (8 hours), and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # scope default-auth
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth # set realm ldap
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set auth-server-group provider1
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set refresh-period 7200
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # set session-timeout 28800
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm/default-auth #
```
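The `set refresh-period` and `set session-timeout` steps (in both the authentication-domain and the default-authentication procedures) describe two timers with different consequences: missing a refresh for longer than the refresh period marks the web session inactive but keeps it, while going longer than the session timeout since the last refresh terminates it. The following Python model is an added illustration of that behaviour and of the 60-172800 second range the CLI accepts; it is not Cisco's code. The WebSession class, the `check_timers` sanity check and the replayed timeline are constructed for this example, and the assumption that a refresh arriving while a session is merely inactive makes it active again is this example's, not a statement from the page.

```python
"""Constructed model of UCS Central web-session timers (illustration only)."""
from typing import List, Optional, Tuple

LIMITS = (60, 172800)            # page: both settings take an integer in this range
DEFAULT_REFRESH_PERIOD = 600     # page: default refresh-period (seconds)
DEFAULT_SESSION_TIMEOUT = 7200   # page: default session-timeout (seconds)


def validate_seconds(value, name: str) -> int:
    """Reject what the CLI would reject: non-integers and out-of-range values."""
    lo, hi = LIMITS
    if isinstance(value, bool) or not isinstance(value, int) or not lo <= value <= hi:
        raise ValueError(f"{name} must be an integer between {lo} and {hi}, got {value!r}")
    return value


def check_timers(refresh_period: int, session_timeout: int) -> Optional[str]:
    """Each value can be valid on its own yet the pair mis-ordered: with
    refresh-period >= session-timeout the 'inactive' state is never observed,
    sessions go straight from active to terminated. Returns a warning or None."""
    validate_seconds(refresh_period, "refresh-period")
    validate_seconds(session_timeout, "session-timeout")
    if refresh_period >= session_timeout:
        return (f"refresh-period ({refresh_period}) is not shorter than "
                f"session-timeout ({session_timeout})")
    return None


class WebSession:
    def __init__(self, login_time: int,
                 refresh_period: int = DEFAULT_REFRESH_PERIOD,
                 session_timeout: int = DEFAULT_SESSION_TIMEOUT) -> None:
        self.refresh_period = validate_seconds(refresh_period, "refresh-period")
        self.session_timeout = validate_seconds(session_timeout, "session-timeout")
        self.last_refresh = login_time     # assumption: login counts as first refresh
        self.terminated = False

    def state(self, now: int) -> str:
        """'active', 'inactive' or 'terminated' as of `now` (seconds)."""
        if not self.terminated and now - self.last_refresh > self.session_timeout:
            self.terminated = True         # UCS Central terminates the session
        if self.terminated:
            return "terminated"
        if now - self.last_refresh > self.refresh_period:
            return "inactive"              # considered inactive, but the session is kept
        return "active"

    def refresh(self, now: int) -> bool:
        """Client refresh request; False once the session has been terminated."""
        if self.state(now) == "terminated":
            return False
        self.last_refresh = now            # assumption: a refresh re-activates an inactive session
        return True


def replay(events: List[Tuple[int, str]], refresh_period: int,
           session_timeout: int) -> List[Tuple[int, str]]:
    """Replay a constructed timeline of (t, 'refresh' | 'check') events after a
    login at t=0 and return the session state observed after each event."""
    session = WebSession(0, refresh_period, session_timeout)
    observed = []
    for t, kind in sorted(events):
        if kind == "refresh":
            session.refresh(t)
        observed.append((t, session.state(t)))
    return observed


# Constructed timeline with the page's default values (600 / 7200).
SAMPLE_TIMELINE = [(300, "check"), (700, "check"), (800, "refresh"),
                   (8100, "check"), (8200, "refresh")]
```

With the defaults, `replay(SAMPLE_TIMELINE, 600, 7200)` shows the session active at 300 s, inactive at 700 s, active again after the refresh at 800 s, and terminated at 8100 s, after which the late refresh at 8200 s is rejected. `check_timers(7200, 28800)` accepts the page's example values, while `check_timers(7200, 7200)` returns a warning because the inactive state could never occur.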
By default, if user roles are not configured in Cisco UCS Central, read-only access is granted to all users logging in to Cisco UCS Central from a remote server using the LDAP protocol (excluding RADIUS and TACACS+ authentication in this release).
Note: RADIUS, TACACS+ and LDAP authentication are supported in locally managed Cisco UCS domains.
For security reasons, it might be desirable to restrict access to those users matching an established user role in Cisco UCS Central.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | UCSC# connect policy-mgr | Enters policy manager mode. |
Step 2 | UCSC(policy-mgr)# scope domain-group domain-group | Enters domain group root mode and (optionally) enters a domain group under the domain group root. To enter the domain group root mode, type / as the domain-group. |
Step 3 | UCSC(policy-mgr) /domain-group # scope security | Enters security mode. |
Step 4 | UCSC(policy-mgr) /domain-group/security # scope auth-realm | Enters authentication realm security mode. |
Step 5 | UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role {assign-default-role | no-login} | Specifies whether user access to Cisco UCS Central is restricted based on user roles. |
Step 6 | UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer | Commits the transaction to the system configuration. |
The following example shows how to set the remote user default-role policy to assign-default-role and commit the transaction:
```
UCSC # connect policy-mgr
UCSC(policy-mgr)# scope domain-group
UCSC(policy-mgr) /domain-group # scope security
UCSC(policy-mgr) /domain-group/security # scope auth-realm
UCSC(policy-mgr) /domain-group/security/auth-realm # set remote-user default-role assign-default-role
UCSC(policy-mgr) /domain-group/security/auth-realm* # commit-buffer
UCSC(policy-mgr) /domain-group/security/auth-realm #
```
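The `set remote-user default-role {assign-default-role | no-login}` step decides what happens to a remotely authenticated user whose roles do not name a role configured in Cisco UCS Central: read-only access under assign-default-role, or a refused login under no-login. The following Python model is an added illustration of that decision, not Cisco's code and not taken from the page. The role names in `SAMPLE_CONFIGURED_ROLES` other than read-only, the user records, the audit-record format and the exact, case-sensitive string match on role names are constructed assumptions for this example.

```python
"""Constructed model of the remote-user default-role policy (illustration only)."""
from typing import Dict, Iterable, List, Optional, Set

POLICIES = ("assign-default-role", "no-login")   # keywords from the page
READ_ONLY = "read-only"                          # the access level the page names
# Constructed sample of roles configured in UCS Central; only read-only comes from the page.
SAMPLE_CONFIGURED_ROLES = {"admin", "server-admin", READ_ONLY}


def authorize_remote_user(remote_roles: Iterable[str], configured_roles: Set[str],
                          policy: str) -> Optional[Set[str]]:
    """Roles granted to a remotely authenticated user, or None when login is refused."""
    if policy not in POLICIES:
        raise ValueError(f"policy must be one of {POLICIES}, got {policy!r}")
    # Assumption: role names must match the UCS Central names exactly, so
    # "Admin" from the remote server does not match "admin".
    matched = {r for r in remote_roles if r in configured_roles}
    if matched:
        return matched
    if policy == "assign-default-role":
        return {READ_ONLY}                # no match: fall back to read-only
    return None                           # no-login: refuse the session


def audit_logins(users: Dict[str, List[str]], configured_roles: Set[str],
                 policy: str) -> List[str]:
    """One constructed audit record per login attempt, in a key=value shape
    that is easy to forward to a log pipeline and alert on (denied logins,
    or users silently landing on read-only when they expected more)."""
    records = []
    for name, roles in users.items():
        granted = authorize_remote_user(roles, configured_roles, policy)
        if granted is None:
            records.append(f"user={name} result=denied reason=no-matching-role policy={policy}")
        elif granted == {READ_ONLY} and READ_ONLY not in roles:
            records.append(f"user={name} result=read-only reason=default-role policy={policy}")
        else:
            records.append(f"user={name} result=granted roles={','.join(sorted(granted))}")
    return records


# Constructed remote accounts and the role names their authentication server returns.
SAMPLE_USERS = {
    "alice": ["admin"],
    "bob": ["Admin"],                      # case mismatch: no UCS Central role matches
    "carol": [],                           # no role attribute at all
    "dave": ["helpdesk", "server-admin"],  # one unknown role, one that matches
}
```

Running `audit_logins(SAMPLE_USERS, SAMPLE_CONFIGURED_ROLES, "no-login")` denies bob and carol, while the same users under assign-default-role are admitted with read-only access; dave receives only server-admin in both cases because helpdesk is not a configured role. The records make the effect of a role-name mismatch visible rather than leaving a user with silently reduced privileges.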