Overview
The following figure illustrates the workflow to set up your environment using Cisco IMC Supervisor:
Cisco IMC Supervisor should have been successfully installed, with a correctly configured IP address.
Verify if Cisco IMC Supervisor is installed successfully.
Ensure you have the IP address configured during the Cisco IMC Supervisor installation.
Type the Cisco IMC Supervisor IP address in any browser URL and log in with the following credentials:
You can use the License menu to view the license details and the usage of resources. The following licensing procedures are available from menu.
Tab | Description |
---|---|
License Keys | This tab displays the details of the license used in Cisco IMC Supervisor. You can also use this tab to update, replace and migrate the license. You can update the license when a new version of Cisco IMC Supervisor is available. |
License Utilization | This tab shows the licenses in use and details about each license, including license limit, available quantity, status, and remarks. License audits can also be run from this page. |
Resource Usage Data | This tab displays the details of the various resources used. |
Deactivated Licenses | This tab displays a list of deactivated licenses. |
You must perform the following procedure to update the license before you start using Cisco IMC Supervisor. For the list of valid licenses, see About Licenses. You must generate a license key, claim and register the Product Access Key. After installing Cisco IMC Supervisor, the license is validated and you can start using Cisco IMC Supervisor.
If you received a zipped license file by email, extract and save the .lic file to your local machine.
Step 1 | Choose . |
Step 2 | On the License page, choose License Keys. |
Step 3 | On the License Keys page, click Update License. |
Step 4 | On the Update License screen, do one of the following: |
Step 5 | Click Submit. |
You can use this procedure to replace a license in the system. This action will deactivate all other existing licenses on the system.
Step 1 | Choose . |
Step 2 | On the License page, choose License Keys. |
Step 3 | Choose Replace License. |
Step 4 | In the Upload License field, you can either drag and drop a PAK file or click Select a File to browse and select a file. |
Step 5 | (Optional) Check Enter License Text to copy and paste the license text. |
Step 6 | Click Submit. All existing licenses are replaced with the new license. |
You can view the list of deactivated licenses from the user interface. You can view the following information on deactivated licenses:
PAK file name
File ID
License Entry
License Value
Expiry Date
Deactivated Time
Name of user who deactivated the license
Step 1 | Choose . |
Step 2 | On the License page, choose Deactivated Licenses. |
Step 3 | Review the information displayed for all the deactivated licenses. |
Cisco IMC Supervisor allows you to migrate a license using the graphical user interface. For example, you can migrate from a perpetual license to a subscription license.
Step 1 | Choose . |
Step 2 | On the License page, choose License Keys. |
Step 3 | On the License Keys page, click Migrate License. |
Step 4 | In the Upload License field, you can either drag and drop a PAK file or click Select a File to browse and select a file. |
Step 5 | (Optional) Check Enter License Text to copy and paste the license text. |
Step 6 | Click Submit. |
Perform this procedure when you want to run license audits.
The license should be updated. To upgrade the license, refer to Updating the License.
Step 1 | Choose . |
Step 2 | On the License page, click License Utilization. |
Step 3 | From the More Actions drop-down list, choose Run License Audit. |
Step 4 | On the Run License Audit screen, click Submit. |
Managing User Access Profiles
A user can be assigned to more than one role, which is reflected in the system as a user access profile. For example, a user might log into Cisco IMC Supervisor as a group administrator and as an all-policy administrator, if both types of access are appropriate. Access profiles also define the resources that can be viewed by a user.
When LDAP users are integrated with Cisco IMC Supervisor, if a user belongs to more than one group, then the system creates a profile for each group. But by default, the domain users profile is added for LDAP users.
Note | The Manage Profiles feature enables you to add, log into, edit, or delete a user access profile. |
Step 1 | Choose . |
Step 2 | On the Users and Groups page, click Users. |
Step 3 | Choose a user from the list. |
Step 4 | From the More Actions drop-down list, choose Manage Profiles. |
Step 5 | On the Manage Profile page, click Add +. |
Step 6 | On the Add Entry to Access Profiles page, complete the following fields: |
Step 7 | Click Submit. |
Create additional user access profiles as needed.
As a user in the system, if you have multiple profiles for your account, then you can log in to the system with a specific profile.
Step 1 | On the Cisco IMC Supervisor login page, enter your username in the Username field, in the format Username: Access Profile Name. For example, Alex: GrpAdmin |
Step 2 | In the Password field, enter your password. |
Step 3 | Click Login. |
The default profile is the first profile that you created in the system. You can change the default to another profile. Using the new default profile, you log in by entering the username and password.
Step 1 | In the user interface, click the username displayed on the top right corner. The username is displayed to the left of the logout option. |
Step 2 | On the User Information page, choose the Access Profiles tab. |
Step 3 | Choose a user profile, and click Set as Default Profile. |
You can configure an authentication preference with a fallback choice for LDAP. You can also configure a preference with no fallback for Verisign Identity Protection (VIP) authentication.
Name | Description |
---|---|
Local First, fallback to LDAP | Authentication is done first at the local server (Cisco IMC Supervisor). If the user is unavailable at the local server, the LDAP server is checked. |
Verisign Identity Protection | VIP Authentication Service (two-factor authentication) is enabled. |
Perform this procedure when you want to change the login authentication type.
Step 1 | Choose . |
Step 2 | Choose Authentication Preferences. |
Step 3 | From the Authentication Preferences drop-down list, you can choose one of the following options: |
Step 4 | If you select Verisign Identity Protection, complete the following steps: |
Step 5 | Click Save. |
Configuring LDAP in Cisco IMC Supervisor involves adding LDAP configurations and configuring LDAP servers. You can also test the LDAP connectivity and view LDAP summary information. The following sections explain how to perform these procedures.
You can use LDAP integration to synchronize the LDAP server’s users with Cisco IMC Supervisor. LDAP authentication enables synchronized users to authenticate with the LDAP server. You can synchronize LDAP users automatically or manually. While adding an LDAP account, you can specify a frequency at which the LDAP account is synchronized automatically with Cisco IMC Supervisor. Optionally, you can manually trigger the LDAP synchronization by using the LDAPSyncTask system task.
When new organizational units (OU) are added in the LDAP directory, and a synchronization process is run, either manually or automatically, the recently added LDAP users are displayed in Cisco IMC Supervisor.
In addition to running a system task, Cisco IMC Supervisor also provides an additional option for you to synchronize the LDAP directory with the system:
Cleanup LDAP Users system task—This system task determines if the synchronized users in the system are deleted from the LDAP directories or not. If there are user records that have been deleted from the LDAP directories, then after this system task is run, these users are marked as disabled in the system. As an administrator, you can unassign resources of these inactive users. By default, this task is in the enabled mode. It is only after you restart the services twice that this system task is set to the disabled mode.
You cannot choose users that exist locally or are synchronized externally in Cisco IMC Supervisor.
Important | Users that do not belong to a group or a domain user’s group display in LDAP as Users with No Group. These users are added under the domain user’s group in Cisco IMC Supervisor. You can add LDAP users that are in different LDAP server accounts but have the same name. The domain name is appended to the login user name to differentiate the multiple user records. For example, abc@vxedomain.com. This rule applies to user groups as well. When a single LDAP account is added, and a user logs in by specifying only the user name, Cisco IMC Supervisor first determines if the user is a local user or is an LDAP user. If the user is identified as a local user and as an external LDAP user, then at the login stage, if the user name matches the local user name, then the local user is authenticated into Cisco IMC Supervisor. Alternatively, if the user name matches that of the external user, then the LDAP user is authenticated into Cisco IMC Supervisor. |
Group Synchronization Rules
If a chosen LDAP group already exists in Cisco IMC Supervisor and the source is type Local, the group is ignored during synchronization.
If a chosen LDAP group already exists in Cisco IMC Supervisor and the group source is type External, the group’s description and email attributes are updated in Cisco IMC Supervisor.
While adding an LDAP server, you can now specify user filters and group filters. When you specify a group filter, all users that belong to the specified group are added to the system. In addition, the following actions are also performed:
If the specified group includes sub-groups, then the group, the sub-groups and the users in those sub-groups are added to the system (only applicable when you manually synchronize the LDAP directory).
If the user is part of multiple groups, and the other groups do not match the group specified as the group filter, then those additional groups are not added to the system.
A user can be part of multiple user groups. However, the group that is mentioned first in the list of groups that the user is part of is set as the default primary group for the user. If the user is not part of any group, then the default primary group is set as Domain Users.
Note | You can view information on all the groups that a user is part of only after the LDAPSyncTask system task is run. |
When an LDAP group is synchronized, all users that are in the group are first added to the system. Also, if users in the specified LDAP group are associated with other groups that are in the same OU or in a different OU, then those groups are also retrieved and added to the system.
The LDAP synchronization process will retrieve the specified LDAP groups for the system, along with nested groups, if any.
Prior to this release, a user was part of only one group. After an upgrade to the current release, and only after the LDAPSyncTask system task is run, the Manage Profiles dialog box displays the other groups that the user is part of. This is applicable only when the other groups match the group filters that you specified while configuring the LDAP server.
User Synchronization Rules
LDAP users that have special characters in their names are now added to Cisco IMC Supervisor.
While adding an LDAP server, you can now specify user filters and group filters. When you specify a user filter, all the users that match the filter you specified, and the groups that they belong to, are retrieved for the system.
Cisco IMC Supervisor now displays the User Principal Name (UPN) for each user that is added into the system. This is applicable for users that have been added into the system in prior releases. Users can log in to the system using their login name or their user principal name. Logging in using the user principal name along with the profile name is not supported.
If a chosen LDAP user already exists in Cisco IMC Supervisor and the source is type Local, the user is ignored during synchronization.
If a chosen LDAP user already exists in Cisco IMC Supervisor and the source type is External, the user’s name, description, email, and other attributes are updated for use.
If a user account is created in two different LDAP directories, then the user details of the LDAP directory that was synchronized first are displayed. The user details from the other LDAP directory are not displayed.
After LDAP directories are synchronized, the LDAP external users must log in to Cisco IMC Supervisor by specifying the complete domain name along with the user name. For example, vxedomain.cisco.com\username. However, this rule does not apply if there is only one LDAP server directory added to Cisco IMC Supervisor.
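The group and user synchronization rules above can be traced with a small simulation that shows which directory entries are added, refreshed, or kept out by an existing record. This is an added example, not Cisco code: the Account class, the sync and local_shadows functions, the outcome labels, and the sample entries are hypothetical and constructed for illustration. Treating a user with no group that matches the group filter as not retrieved is an assumption of this model.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_GROUP = "Domain Users"  # default primary group named in the rules


@dataclass
class Account:
    name: str
    source: str                      # "Local" or "External"
    directory: Optional[str] = None  # LDAP account that first supplied the record
    email: str = ""
    groups: list = field(default_factory=list)

    @property
    def primary_group(self) -> str:
        # The first group in the user's list becomes the primary group.
        return self.groups[0] if self.groups else DEFAULT_GROUP


def sync(system: dict, directory: str, entries: list, group_filter=None) -> dict:
    """Apply the stated rules for one LDAP account; return {user name: outcome}."""
    outcomes = {}
    for entry in entries:
        name = entry["name"]
        groups = list(entry.get("groups", []))
        if group_filter is not None:
            # Groups that do not match the group filter are not added.
            groups = [g for g in groups if g in group_filter]
            if not groups:  # assumption: no matching group, user not retrieved
                outcomes[name] = "not-retrieved"
                continue
        current = system.get(name)
        if current is None:
            system[name] = Account(name, "External", directory,
                                   entry.get("email", ""), groups)
            outcomes[name] = "added"
        elif current.source == "Local":
            # An existing Local record is ignored during synchronization.
            outcomes[name] = "ignored-local"
        elif current.directory != directory:
            # Details from the directory synchronized first stay in place.
            outcomes[name] = "kept-first-directory"
        else:
            # An existing External record has its attributes refreshed.
            current.email = entry.get("email", "")
            current.groups = groups
            outcomes[name] = "updated"
    return outcomes


def local_shadows(outcomes: dict) -> list:
    """Names whose Local record kept directory data out (review candidates)."""
    return sorted(n for n, o in outcomes.items() if o == "ignored-local")


# Constructed sample data; the names, groups and domains are made up.
DIR_A = [
    {"name": "admin", "email": "admin@a.example", "groups": ["imcs-ops"]},
    {"name": "alice", "email": "alice@a.example", "groups": ["imcs-ops", "hr"]},
    {"name": "bob", "email": "bob@a.example", "groups": ["hr"]},
]
DIR_B = [
    {"name": "alice", "email": "alice@b.example", "groups": []},
    {"name": "carol", "email": "carol@b.example", "groups": []},
]

if __name__ == "__main__":
    system = {"admin": Account("admin", "Local")}
    first = sync(system, "dirA", DIR_A, group_filter={"imcs-ops"})
    second = sync(system, "dirB", DIR_B)
    print(first, second, local_shadows(first), sep="\n")
    for acct in system.values():
        print(acct.name, acct.source, acct.directory, acct.primary_group)
```

Names returned by local_shadows are accounts where a Local record sits in front of a directory user of the same name, so changes made in the directory do not reach that record.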
User Synchronization Limitations
If a user has multiple group memberships, that user has a single group membership in Cisco IMC Supervisor.
The synchronization of thousands of LDAP objects to Cisco IMC Supervisor can lead to some performance issues in the appliance. Use the following procedure to synchronize only the required LDAP objects.
Create LDAP groups that contain all users that should have access to Cisco IMC Supervisor.
Synchronize only those groups to Cisco IMC Supervisor.
Perform this procedure to add LDAP configurations.
Step 1 | Choose . |
Step 2 | Click + to add LDAP configurations. |
Step 3 | On the Add LDAP Configurations page, complete the following fields: |
Step 4 | Click Next. |
Step 5 | On the LDAP Search Base page, click Select and choose search criteria for retrieving users based on OU from the table displayed. |
Step 6 | Click Select in the Select dialog box. The search criteria you have selected is displayed next to the Search Base field. |
Step 7 | Click Next in the LDAP Search Base dialog box. |
Step 8 | Click + to add entry to user role filters table in the LDAP User Role Filter dialog box. |
Step 9 | Enter the user role details in the Add Entry to User Role Filters dialog box. |
Step 10 | Click Submit. You can edit or delete these filters. You can also use the up or down arrows to move the filters to set priority. |
Step 11 | Click Submit in the LDAP User Role Filter dialog box. |
You can configure multiple LDAP servers and accounts in Cisco IMC Supervisor. While adding LDAP accounts, you can specify the following:
An organization unit (OU) that is part of the search base distinguished name (DN).
A frequency at which the LDAP account is automatically synchronized with the system.
A group or user filter to limit the results, and specify an LDAP role filter on the groups and users.
Soon after an LDAP server account is added, a system task for this account is created automatically, and it immediately begins to synchronize the data. All the users and groups in the LDAP server account are added to the system. By default, all the users from the LDAP account are automatically assigned to the service end-user profile.
You should have set the authentication preferences to Local First, fallback to LDAP.
Step 1 | Choose . |
Step 2 | Click Add. |
Step 3 | On the LDAP Server Configuration page, complete the following fields: |
Step 4 | Click Next. |
Step 5 | In the LDAP Search Base pane, click Select to specify LDAP search base entries and click Select. All organization units (OU) that are available in Cisco IMC Supervisor are displayed in this list. |
Step 6 | Click Next. |
Step 7 | In the Configure User and Group Filters pane, complete the following fields: Based on the filters, the groups or users are retrieved. |
Step 8 | Click Next. |
Step 9 | In the LDAP User Role Filter pane, click the + sign to add a user role filter. |
Step 10 | In the Add Entry to User Role Filters dialog box, complete the following fields: |
Step 11 | Click Submit. The user role filters are added to the User Role Filters table. |
If you have not set the authentication preference to LDAP, then you are prompted to modify the authentication preference. See Configuring Authentication Preferences.
Perform this procedure to view the summary information of the LDAP server.
Step 1 | Choose . |
Step 2 | Choose an LDAP account name from the table. |
Step 3 | Click View. The View LDAP Account Information screen displays LDAP account summary information. |
Step 4 | Click Close. |
Perform this procedure to test the LDAP connection.
Step 1 | Choose . |
Step 2 | Choose an LDAP account name from the table. |
Step 3 | Click Test Connection. The status of the connection is displayed. |
Step 4 | Click Close in the Test LDAP Connectivity dialog box. |
Perform this procedure to search the BaseDN.
Step 1 | Choose . |
Step 2 | Click Search BaseDN. |
Step 3 | Click Select in the LDAP Search Base dialog box. |
Step 4 | Choose one or more users and click Select in the Select dialog box. |
Step 5 | Click Submit in the LDAP Search Base dialog box. |
Requesting manual LDAP synchronization enables you to specify either basic or advanced search criteria to retrieve LDAP users and groups. Perform this procedure for manual LDAP synchronization.
Step 1 | Choose . |
Step 2 | Click Request Manual LDAP Sync. |
Step 3 | On the Manual LDAP Sync page, complete the following fields: |
Step 4 | For basic search, click Select to specify the search base. |
Step 5 | Choose the search base DN, and click Select and continue to Step 9. |
Step 6 | For advanced search, in the Advanced Filtering Options pane, add or edit attribute names for User Filters and Group Filters. |
Step 7 | Click Next. |
Step 8 | On the Select Users and Groups page, complete the following fields: |
Step 9 | Click Submit. Choose Users to see the synchronized users. and click |
Perform this procedure to execute and view the LDAP synchronized results.
Step 1 | Choose . |
Step 2 | On the System page, click System Tasks. |
Step 3 | Expand User and Group Tasks and select LDAPSyncTask. |
Step 4 | Click Run Now. |
Step 5 | Click Submit. |
Step 6 | (Optional) Click Manage Task to enable or disable the synchronization process. |
The results of the synchronization process are displayed in Cisco IMC Supervisor. On the LDAP Integration page, select an LDAP account and click Results to view the summary of the synchronization process.
You can only modify the following details for a configured LDAP server:
Port numbers and SSL configuration
User name and password
Synchronization frequency
Search BaseDN selections
User roles and groups that are mapped
Perform the following procedure to modify the LDAP server details.
Step 1 | Choose . |
Step 2 | Select an LDAP account. |
Step 3 | Click Modify. |
Step 4 | On the LDAP Server Configuration page, edit the following fields: |
Step 5 | Click Next. |
Step 6 | Edit the LDAP Search Base entries and click Next. |
Step 7 | Select and edit the required attributes in the User Filters and Group Filters table and click Next. |
Step 8 | Select and edit entries in the LDAP User Role Filter table. |
Step 9 | Add, edit, delete, or move table entries using the up and down arrows. |
Step 10 | Click Submit. |
Any user in the system can be part of multiple user groups. When a user is added to the system, all groups that the user is part of are also added to the system. However, the group that the user was most recently added to is set as the default primary group for the user. If the user is not part of any group, then the default primary group is set as Domain Users. While you can use the Manage Profiles option to view and modify group membership for users, Cisco IMC Supervisor also provides you with an additional option to view a list of all groups that a specific user is part of.
Step 1 | Choose . |
Step 2 | Click Users. |
Step 3 | Select a user from the table. |
Step 4 | Click Group Membership. The Member Of screen displays all the groups that the user is part of. |
Step 5 | Click Close. |
Deleting an LDAP server account only results in deleting the search criteria, BaseDNs, and system entries related to this LDAP server. Users attached to the LDAP server are not deleted. Perform this procedure to delete the LDAP server information.
Step 1 | Choose . |
Step 2 | Choose LDAP Integration. |
Step 3 | Choose an LDAP account name from the table. |
Step 4 | Click Delete. |
Step 5 | In the confirmation dialog box, click Delete. This initiates the deletion of the LDAP account in Cisco IMC Supervisor. Based on the number of users in the LDAP account, this deletion process could take a few minutes to complete. During such time, the LDAP account may still be visible in Cisco IMC Supervisor. Click Refresh to ensure that the account has been deleted. |
The SCP user is used by server diagnostics and tech support upload operations to transfer files to the Cisco IMC Supervisor appliance using the SCP protocol. An SCP user account cannot be used to log in to the Cisco IMC Supervisor UI or the shelladmin. Perform this procedure to configure the SCP user password.
Step 1 | Choose . |
Step 2 | Click SCP User Configuration. |
Step 3 | Enter the SCP user password in the Password field. |
Step 4 | Click Submit. |
All outgoing emails from Cisco IMC Supervisor require an SMTP server. Cisco IMC Supervisor generated emails such as alerts for faults and so on are sent to the mail setup you have configured using the following procedure. For more information about adding email alert rules, see Adding Email Alert Rules for Server Faults.
Step 1 | Choose . |
Step 2 | Click Mail Setup. |
Step 3 | On the Mail Setup page, complete the following fields: |
Step 4 | Click Save. |
You can configure Cisco user credentials and proxy details from Cisco IMC Supervisor. Cisco smart call home also uses these proxy details.
The Cisco.com user and proxy credentials are application-wide settings. These credentials are automatically used for firmware image download and updating.
Perform this procedure when you want to configure your Cisco.com user name and password.
Step 1 | Choose . |
Step 2 | On the System page, click Cisco.com User Configuration. |
Step 3 | Complete the following fields for configuring the Cisco.com user: |
Step 4 | Click Save. |
Perform this procedure when you want to configure your proxy settings.
Step 1 | Choose . |
Step 2 | On the System page, click Proxy Configuration. |
Step 3 | Complete the following for proxy configuration: |
Step 4 | Click Save. |
The Configuration Management Database (CMDB) is used to track and manage changes in the system. CMDB typically displays ADD, DELETE, or MODIFY event types on resources such as service requests, groups, and so on.
Step 1 | Choose . |
Step 2 | On the Integration page, click CMDB Integration Setup. |
Step 3 | In the CMDB Integration Setup screen, complete the required fields, including the following: |
Step 4 | Click Save. |
A login page can be configured to display a logo that is associated with a domain name. When the end user logs in from that domain, the user sees the custom logo on the login page. The optimal image size for a logo is 890 pixels wide and 470 pixels high, with 255 pixels allowed for white space. Cisco recommends that you keep the image size small to enable faster downloads.
Perform this procedure when you want to add a new login branding page.
Step 1 | Choose . |
Step 2 | Click Login Page Branding. |
Step 3 | Click Add. |
Step 4 | On the Domain Branding page, complete the following: |
Step 5 | Click Submit. |
Step 6 | In the confirmation dialog box, click OK. |
You can use this procedure to customize the Cisco IMC Supervisor application. You can modify the application header, the administrator and end-user portal based on your requirement. The header containing the logo, application name, and links such as logout can also be hidden.
Step 1 | Choose . |
Step 2 | On the User Interface Settings page, complete the following: |
Step 3 | Click Save. |