Managing User Accounts
This chapter includes the following sections:
- Configuring Local Users
- Disabling Strong Password
- Password Expiry
- Configuring Password Expiry for Users
- LDAP Servers
- Configuring the LDAP Server
- Configuring LDAP in Cisco IMC
- Configuring LDAP Groups in Cisco IMC
- Configuring Nested Group Search Depth in LDAP Groups
- LDAP Certificates Overview
- Setting User Search Precedence
- Viewing User Sessions
- Terminating a User Session
Configuring Local Users
You must log in as a user with admin privileges to configure or modify local user accounts.
This example configures user 5 as an admin:
```
Server# scope user 5
Server /user # set enabled yes
Server /user *# set name john
Server /user *# set password
Warning:
Strong Password Policy is enabled!

For CIMC protection your password must meet the following requirements:
        The password must have a minimum of 8 and a maximum of 14 characters.
        The password must not contain the User's Name.
        The password must contain characters from three of the following four categories.
            English uppercase characters (A through Z)
            English lowercase characters (a through z)
            Base 10 digits (0 through 9)
Please enter password:
Please confirm password:
Server /user *# set role readonly
Server /user *# commit
Server /user # show
User   Name             Role     Enabled
------ ---------------- -------- --------
5      john             readonly yes
```
Disabling Strong Password
The Cisco IMC now implements a strong password policy wherein you are required to follow guidelines and set a strong password when you log on to the server for the first time. The Cisco IMC CLI provides an option that allows you to disable the strong password policy and set a password of your choice, ignoring the guidelines. Once you disable the strong password policy, an Enable Strong Password button is displayed. By default, the strong password policy is enabled.
You must log in as a user with admin privileges to perform this action.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope user-policy | Enters user policy command mode. |
Step 2 | Server /user-policy # set password-policy {enabled \| disabled} | At the confirmation prompt, enter y to complete the action or n to cancel the action. Enables or disables the strong password. |
Step 3 | Server /user-policy # commit | Commits the transaction to the system configuration. |
This example shows how to disable strong password:
```
Server# scope user-policy
Server /user-policy # set password-policy disabled
Warning: Strong password policy is being disabled.
Do you wish to continue? [y/N] y
Server /user-policy *# commit
Server /user-policy #
```
Password Expiry
You can set a shelf life for a password, after which it expires. As an administrator, you can set this time in days. This configuration is common to all users. Upon password expiry, the user is notified on login and is not allowed to log in unless the password is reset.
Note | When you downgrade to an older database, existing users are deleted. The database returns to default settings. Previously configured users are cleared and the database is empty, that is, the database has the default username - 'admin' and password - 'password'. Since the server is left with the default user database, the change default credential feature is enabled. This means that when the 'admin' user logs on to the database for the first time after a downgrade, the user must change the default credential. |
Password Set Time
A 'Password set time' is configured for every existing user, to the time when the migration or upgrade occurred. For new users (users created after an upgrade), the Password Set time is configured to the time when the user was created, and the password is set. For users in general (new and existing), the Password Set Time is updated whenever the password is changed.
Configuring Password Expiry for Users
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server # scope user-policy | Enters the user policy command mode. |
Step 2 | Server /user-policy # scope password-expiration | Enters the password expiration command mode. |
Step 3 | Server /user-policy/password-expiration # set password-expiry-duration integer in the range 0-3650 | The time period that you can set for the existing password to expire (from the time you set a new password or modify an existing one). The range is 0 to 3650 days. Entering 0 disables this option. |
Step 4 | Server /user-policy/password-expiration * # set notification-period integer in the range 0-15 | Notifies the user of the time by which the password expires. Enter a value between 0 and 15 days. Entering 0 disables this option. |
Step 5 | Server /user-policy/password-expiration * # set grace-period integer in the range 0-5 | The time period during which the existing password can still be used after it expires. Enter a value between 0 and 5 days. Entering 0 disables this option. |
Step 6 | Server /user-policy/password-expiration * # set password-history integer in the range 0-5 | The number of previously entered passwords that are stored. When this is enabled, you cannot repeat a password. Enter a value between 0 and 5. Entering 0 disables this option. |
Step 7 | Server /user-policy/password-expiration *# commit | Commits the transactions. |
Step 8 | Server /user-policy/password-expiration # show detail | (Optional) Shows the password expiration details. |
Step 9 | Server /user-policy/password-expiration # restore | (Optional) At the confirmation prompt, enter yes to restore the password expiry settings to default values. |
This example sets the password expiration and restores the settings to default values:
```
Server # scope user-policy
Server /user-policy # scope password-expiration
Server /user-policy/password-expiration # set password-expiry-duration 5
Server /user-policy/password-expiration * # set notification-period 2
Server /user-policy/password-expiration *# set grace-period 1
Server /user-policy/password-expiration *# set password-history 4
Server /user-policy/password-expiration *# commit
Server /user-policy/password-expiration # show detail
Password expiration parameters:
    Valid password duration: 5
    Number of stored old passwords: 4
    Notification period: 2
    Grace period: 1
Server /user-policy/password-expiration #
```
Restoring the password expiry parameters to default values:
```
Server /user-policy/password-expiration # restore
Are you sure you want to restore
User password expiration parameters to defaults?
Please enter 'yes' to confirm:yes
Server /user-policy/password-expiration #
```
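How the expiry settings combine with the Password Set Time, as an added example that is not Cisco code. It assumes notifications begin notification-period days before expiry; the names `ExpiryPolicy` and `password_state` are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Allowed ranges, as documented in the procedure above.
RANGES = {
    "password_expiry_duration": (0, 3650),
    "notification_period": (0, 15),
    "grace_period": (0, 5),
    "password_history": (0, 5),
}


@dataclass(frozen=True)
class ExpiryPolicy:
    password_expiry_duration: int  # days; 0 disables expiry
    notification_period: int       # days; 0 disables notification
    grace_period: int              # days; 0 disables the grace period
    password_history: int          # stored old passwords; 0 disables

    def __post_init__(self):
        # Reject values the CLI would not accept.
        for name, (lo, hi) in RANGES.items():
            value = getattr(self, name)
            if not lo <= value <= hi:
                raise ValueError(f"{name}={value} outside {lo}-{hi}")


def password_state(policy, password_set_time, now):
    """Classify a password as no-expiry, valid, notify, grace or expired."""
    if policy.password_expiry_duration == 0:
        return "no-expiry"
    expires = password_set_time + timedelta(days=policy.password_expiry_duration)
    if now < expires:
        # Assumption: the user is warned during the last
        # notification_period days before the expiry time.
        warn_from = expires - timedelta(days=policy.notification_period)
        if policy.notification_period and now >= warn_from:
            return "notify"
        return "valid"
    # Past expiry: the old password still works inside the grace period.
    if now < expires + timedelta(days=policy.grace_period):
        return "grace"
    return "expired"


if __name__ == "__main__":
    # Values from the CLI example above: duration 5, notification 2,
    # grace 1, history 4. The set time is a constructed sample.
    policy = ExpiryPolicy(5, 2, 1, 4)
    set_time = datetime(2024, 1, 1)
    for day in range(8):
        print(day, password_state(policy, set_time, set_time + timedelta(days=day)))
```

Because the Password Set Time is reset on every password change, passing the new set time restarts the whole sequence.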
LDAP Servers
Cisco IMC supports directory services that organize information in a directory, and manage access to this information. Cisco IMC supports Lightweight Directory Access Protocol (LDAP), which stores and maintains directory information in a network. In addition, Cisco IMC supports Microsoft Active Directory (AD). Active Directory is a technology that provides a variety of network services including LDAP-like directory services, Kerberos-based authentication, and DNS-based naming. The Cisco IMC utilizes the Kerberos-based authentication service of LDAP.
When LDAP is enabled in the Cisco IMC, user authentication and role authorization are performed by the LDAP server for user accounts not found in the local user database. The LDAP user authentication format is username@domain.com.
By enabling encryption in the configuration of Active Directory on the server, you can require the server to encrypt data sent to the LDAP server.
Configuring the LDAP Server
The Cisco IMC can be configured to use LDAP for user authentication and authorization. To use LDAP, configure users with an attribute that holds the user role and locale information for the Cisco IMC. You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales or you can modify the LDAP schema to add a new custom attribute, such as the CiscoAVPair attribute, which has an attribute ID of 1.3.6.1.4.1.9.287247.1.
For more information about altering the schema, see the article at http://technet.microsoft.com/en-us/library/bb727064.aspx.
Note | This example creates a custom attribute named CiscoAVPair, but you can also use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales. |
If you are using Group Authorization on the Cisco IMC LDAP configuration, then you can skip Steps 1-4 and perform the steps listed in the Configuring LDAP Settings and Group Authorization in Cisco IMC section.
The following steps must be performed on the LDAP server.
Step 1 | Ensure that the LDAP schema snap-in is installed. |
Step 2 | Using the schema snap-in, add a new attribute with the following properties: |
Step 3 | Add the CiscoAVPair attribute to the user class using the snap-in: |
Step 4 | Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC: |
What to Do Next
Use the Cisco IMC to configure the LDAP server.
Configuring LDAP in Cisco IMC
Configure LDAP in Cisco IMC when you want to use an LDAP server for local user authentication and authorization.
You must log in as a user with admin privileges to perform this task.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # set enabled {yes \| no} | Enables or disables LDAP security. When enabled, user authentication and role authorization are performed by LDAP for user accounts not found in the local user database. |
Step 3 | Server /ldap # set domain LDAP domain name | Specifies an LDAP domain name. |
Step 4 | Server /ldap # set timeout seconds | Specifies the number of seconds the Cisco IMC waits until the LDAP search operation times out. The value must be between 0 and 1800 seconds. |
Step 5 | Server /ldap # set encrypted {yes \| no} | If encryption is enabled, the server encrypts all information sent to AD. |
Step 6 | Server /ldap # set base-dn domain-name | Specifies the Base DN that is searched on the LDAP server. |
Step 7 | Server /ldap # set attribute name | Specifies an LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name. You can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales or you can create a custom attribute, such as the CiscoAVPair attribute, which has the following attribute ID: 1.3.6.1.4.1.9.287247.1 |
Step 8 | Server /ldap # set filter-attribute | Specifies the account name attribute. If Active Directory is used, then specify sAMAccountName for this field. |
Step 9 | Server /ldap # commit | Commits the transaction to the system configuration. |
Step 10 | Server /ldap # show [detail] | (Optional) Displays the LDAP configuration. |
This example configures LDAP using the CiscoAVPair attribute:
```
Server# scope ldap
Server /ldap # set enabled yes
Server /ldap *# set domain sample-domain
Server /ldap *# set timeout 60
Server /ldap *# set encrypted yes
Server /ldap *# set base-dn example.com
Server /ldap *# set attribute CiscoAVPair
Server /ldap *# set filter-attribute sAMAccountName
Server /ldap *# commit
Server /ldap # show detail
LDAP Settings:
    Enabled: yes
    Encrypted: yes
    Domain: sample-domain
    BaseDN: example.com
    Timeout: 60
    Filter-Attribute: sAMAccountName
    Attribute: CiscoAvPair
Server /ldap #
```
If you want to use LDAP groups for group authorization, see Configuring LDAP Groups in Cisco IMC.
Configuring LDAP Groups in Cisco IMC
Note | When Active Directory (AD) group authorization is enabled and configured, user authentication is also done on the group level for users that are not found in the local user database or who are not individually authorized to use Cisco IMC in the Active Directory. |
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode for AD configuration. |
Step 2 | Server /ldap# scope ldap-group-rule | Enters the LDAP group rules command mode for AD configuration. |
Step 3 | Server /ldap/ldap-group-rule # set group-auth {yes \| no} | Enables or disables LDAP group authorization. |
Step 4 | Server /ldap # scope role-group index | Selects one of the available group profiles for configuration, where index is a number between 1 and 28. |
Step 5 | Server /ldap/role-group # set name group-name | Specifies the name of the group in the AD database that is authorized to access the server. |
Step 6 | Server /ldap/role-group # set domain domain-name | Specifies the AD domain the group must reside in. |
Step 7 | Server /ldap/role-group # set role {admin \| user \| readonly} | Specifies the permission level (role) assigned to all users in this AD group. This can be one of the following: |
Step 8 | Server /ldap/role-group # commit | Commits the transaction to the system configuration. |
This example shows how to configure LDAP group authorization:
```
Server# scope ldap
Server /ldap # scope ldap-group-rule
Server /ldap/ldap-group-rule # set group-auth yes
Server /ldap *# scope role-group 5
Server /ldap/role-group # set name Training
Server /ldap/role-group* # set domain example.com
Server /ldap/role-group* # set role readonly
Server /ldap/role-group* # commit
ucs-c250-M2 /ldap # show role-group
Group  Group Name  Domain Name    Assigned Role
------ ----------- -------------- --------------
1      (n/a)       (n/a)          admin
2      (n/a)       (n/a)          user
3      (n/a)       (n/a)          readonly
4      (n/a)       (n/a)          (n/a)
5      Training    example.com    readonly
Server /ldap/role-group #
```
Configuring Nested Group Search Depth in LDAP Groups
You can search for an LDAP group nested within another defined group in an LDAP group map.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode for AD configuration. |
Step 2 | Server /ldap# scope ldap-group-rule | Enters the LDAP group rules command mode for AD configuration. |
Step 3 | Server /ldap/ldap-group-rule # set group-search-depth value | Enables search for a nested LDAP group. |
Step 4 | Server /ldap/role-group-rule # commit | Commits the transaction to the system configuration. |
This example shows how to run a search for an LDAP group nested within another defined group:
```
Server# scope ldap
Server /ldap # scope ldap-group-rule
Server /ldap/ldap-group-rule # set group-search-depth 10
Server /ldap/role-group-rule* # commit
Server /ldap/role-group-rule # show detail
Group rules for LDAP:
    Group search attribute: memberOf
    Enable Group Authorization: yes
    Nested group search depth: 10
Server/ldap/ldap-group-rule #
```
LDAP Certificates Overview
Cisco C-series servers allow an LDAP client to validate a directory server certificate against an installed CA certificate or chained CA certificate during an LDAP binding step. This feature addresses the case where someone duplicates a directory server used for user authentication and causes a security breach, which was possible because a trusted point or chained certificate could not be entered into the Cisco IMC for remote user authentication.
An LDAP client needs a new configuration option to validate the directory server certificate during the encrypted TLS/SSL communication.
- Exporting LDAP CA Certificate
- Downloading LDAP CA Certificate Content by Copying Content
- Downloading LDAP CA Certificate Using Remote Server
- Testing LDAP Binding
- Deleting LDAP CA Certificate
Exporting LDAP CA Certificate
You must log in as a user with admin privileges to perform this task.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # scope binding-certificate | Enters the LDAP CA certificate binding command mode. |
Step 3 | Server /ldap/binding-certificate # export-ca-certificate remote-protocol IP Address LDAP CA Certificate file | Initiates the export of the certificate. |
This example exports the LDAP certificate:
```
Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # export-ca-certificate tftp 172.22.141.66 test.csv
Initiating Export
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1262    0     0  100  1262      0   1244  0:00:01  0:00:01 --:--:--  1653
100  1262    0     0  100  1262      0   1237  0:00:01  0:00:01 --:--:--  1237
LDAP CA Certificate is exported successfully
Server /ldap/binding-certificate #
```
Downloading LDAP CA Certificate Content by Copying Content
You must log in as a user with admin privileges to perform this task.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # scope binding-certificate | Enters the LDAP CA certificate binding command mode. |
Step 3 | Server /ldap/binding-certificate # set enabled {yes \| no} | Enables or disables LDAP CA certificate binding. |
Step 4 | Server /ldap/binding-certificate* # commit | Commits the transaction to the system configuration. |
Step 5 | Server /ldap/binding-certificate # paste-ca-certificate | Prompts you to paste the certificate content. |
Step 6 | Paste the certificate content and press CTRL+D. | Confirmation prompt appears. |
Step 7 | At the confirmation prompt, enter y. | This begins the download of the LDAP CA certificate. |
This example downloads the LDAP certificate:
```
Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # set enabled yes
Server /ldap/binding-certificate *# commit
Server /ldap/binding-certificate # show detail
LDAP binding with Certificate:
    Enabled: yes
Server /ldap/binding-certificate # paste-ca-certificate
Please paste your certificate here, when finished, press CTRL+D.
-----BEGIN CERTIFICATE-----
(certificate content)
-----END CERTIFICATE-----
CTRL+D
You are going to overwrite the LDAP CA Certificate.
Are you sure you want to proceed and overwrite the LDAP CA Certificate? [y|N]
y
Server /ldap/binding-certificate #
```
Downloading LDAP CA Certificate Using Remote Server
You must log in as a user with admin privileges to perform this task.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # scope binding-certificate | Enters the LDAP CA certificate binding command mode. |
Step 3 | Server /ldap/binding-certificate # set enabled {yes \| no} | Enables or disables LDAP CA certificate binding. |
Step 4 | Server /ldap/binding-certificate* # commit | Commits the transaction to the system configuration. |
Step 5 | Server /ldap/binding-certificate # download-ca-certificate remote-protocol IP Address LDAP CA Certificate file | |
Step 6 | At the confirmation prompt, enter y. | This begins the download of the LDAP CA certificate. |
This example downloads the LDAP certificate:
```
Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # set enabled yes
Server /ldap/binding-certificate *# commit
Server /ldap/binding-certificate # show detail
LDAP binding with Certificate:
    Enabled: yes
Server /ldap/binding-certificate # download-ca-certificate tftp 172.22.141.66 new_com_chain.cer
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1282  100  1282    0     0   1247      0  0:00:01  0:00:01 --:--:--  1635
100  1282  100  1282    0     0   1239      0  0:00:01  0:00:01 --:--:--  1239
You are going to overwrite the LDAP CA Certificate.
Are you sure you want to proceed and overwrite the LDAP CA Certificate? [y|N]y
LDAP CA Certificate is downloaded successfully
Server /ldap/binding-certificate #
```
Testing LDAP Binding
You must log in as a user with admin privileges to perform this task.
Note | If you checked the Enable Encryption and the Enable Binding CA Certificate check boxes, enter the fully qualified domain name (FQDN) of the LDAP server in the LDAP Server field. To resolve the FQDN of the LDAP server, configure the preferred DNS of Cisco IMC network with the appropriate DNS IP address. |
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # scope binding-certificate | Enters the LDAP CA certificate binding command mode. |
Step 3 | Server /ldap/binding-certificate # test-ldap-binding username | Password prompt appears. |
Step 4 | Enter the corresponding password. | Authenticates the user. |
This example tests the LDAP user binding:
```
Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # test-ldap-binding user
Password:
diagldapbinding: Authenticated by LDAP
User user authenticated successfully.
Server /ldap/binding-certificate #
```
Deleting LDAP CA Certificate
You must log in as a user with admin privileges to perform this task.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # scope binding-certificate | Enters the LDAP CA certificate binding command mode. |
Step 3 | Server /ldap/binding-certificate # delete-ca-certificate | Confirmation prompt appears. |
Step 4 | At the confirmation prompt, enter y. | This deletes the LDAP CA certificate. |
This example deletes the LDAP certificate:
```
Server # scope ldap
Server /ldap # scope binding-certificate
Server /ldap/binding-certificate # delete-ca-certificate
You are going to delete the LDAP CA Certificate.
Are you sure you want to proceed and delete the LDAP CA Certificate? [y|N]y
LDAP CA Certificate is deleted successfully
Server /ldap/binding-certificate #
```
Setting User Search Precedence
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# scope ldap | Enters the LDAP command mode. |
Step 2 | Server /ldap # set userSearchPrecedence {localUserDB \| ldapUserDB} | Sets the user search precedence to the LDAP database or the local user database depending on the option you choose. |
Step 3 | Server /ldap * # commit | Commits the transaction. |
Step 4 | Server /ldap # show detail | (Optional) Shows the LDAP details. |
This example sets the user search precedence:
```
Server # scope ldap
Server /ldap # set userSearchPrecedence localUserDB
Server /ldap * # commit
Server /ldap # show detail
LDAP Settings:
    Enabled: yes
    Encrypted: no
    Local User Search Precedence: localUserDB
    Domain: new.com
    Base DN: DC=new,DC=com
    Timeout: 60
    Filter Attribute: sAMAccountName
    Attribute: CiscoAvPair
Server /ldap #
```
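An added example (not part of Cisco's documentation) that audits captured `show detail` output from the /ldap and /ldap/binding-certificate scopes for the two transport protections this chapter describes: LDAP encryption and CA certificate binding. The capture is constructed in the layout shown on this page, and the function names and finding identifiers are hypothetical.

```python
import re

# Constructed capture of "show detail" in both scopes (not real output).
SAMPLE_CAPTURE = """\
Server /ldap # show detail
LDAP Settings:
    Enabled: yes
    Encrypted: no
    Local User Search Precedence: localUserDB
    Domain: new.com
    Base DN: DC=new,DC=com
    Timeout: 60
    Filter Attribute: sAMAccountName
    Attribute: CiscoAvPair
Server /ldap/binding-certificate # show detail
LDAP binding with Certificate:
    Enabled: no
"""


def _norm(key):
    # The page prints both "BaseDN" and "Base DN", and "Filter-Attribute"
    # and "Filter Attribute"; fold case, spaces and hyphens so both match.
    return re.sub(r"[\s-]+", "", key).lower()


def parse_show_detail(text):
    """Return {section: {key: value}} from captured 'show detail' output."""
    sections, current = {}, None
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")
        if not sep or "#" in key:
            continue  # blank line or CLI prompt line, not a setting
        if not value.strip():
            # "LDAP Settings:" style header opens a new section.
            current = sections.setdefault(_norm(key), {})
        elif current is not None:
            current[_norm(key)] = value.strip()
    return sections


def audit_ldap(text):
    """Return a sorted list of finding identifiers for the capture."""
    cfg = parse_show_detail(text)
    ldap = cfg.get("ldapsettings")
    if ldap is None:
        return ["ldap-settings-missing-from-capture"]
    if ldap.get("enabled", "").lower() != "yes":
        return []  # LDAP is off, so no directory traffic to protect
    findings = []
    if ldap.get("encrypted", "").lower() != "yes":
        # Information sent to the directory server is not encrypted.
        findings.append("ldap-traffic-not-encrypted")
    binding = cfg.get("ldapbindingwithcertificate")
    if binding is None:
        # Absence from the capture is not proof that binding is enabled.
        findings.append("binding-certificate-state-unknown")
    elif binding.get("enabled", "").lower() != "yes":
        # The directory server certificate is not checked against a CA.
        findings.append("directory-server-certificate-not-validated")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_ldap(SAMPLE_CAPTURE):
        print(finding)
```

A capture that omits the binding-certificate scope is reported as unknown rather than passing.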
Viewing User Sessions
Command or Action | Purpose |
---|
The command output displays the following information about current user sessions:
Name | Description |
---|---|
Session ID column | The unique identifier for the session. |
User name column | The username for the user. |
IP Address column | The IP address from which the user accessed the server. If this is a serial connection, it displays N/A. |
Type column | |
Action column | This column displays N/A when the SOL is enabled and Terminate when the SOL is disabled. You can terminate a session by clicking Terminate on the web UI. |
This example displays information about current user sessions:
```
Server# show user-session
ID     Name             IP Address        Type         Killable
------ ---------------- ----------------- ------------ --------
15     admin            10.20.30.138      CLI          yes
Server /user #
```
Terminating a User Session
You must log in as a user with admin privileges to terminate a user session.
Step | Command or Action | Purpose |
---|---|---|
Step 1 | Server# show user-session | Displays information about current user sessions. The user session to be terminated must be eligible to be terminated (killable) and must not be your own session. |
Step 2 | Server /user-session # scope user-session session-number | Enters user session command mode for the numbered user session that you want to terminate. |
Step 3 | Server /user-session # terminate | Terminates the user session. |
This example shows how the admin at user session 10 terminates user session 15:
```
Server# show user-session
ID     Name             IP Address        Type         Killable
------ ---------------- ----------------- ------------ --------
10     admin            10.20.41.234      CLI          yes
15     admin            10.20.30.138      CLI          yes
Server# scope user-session 15
Server /user-session # terminate
User session 15 terminated.
Server /user-session #
```