Configuring Authentication
This chapter includes the following sections:
• Authentication Services, page 1
• Guidelines and Recommendations for Remote Authentication Providers, page 2
• User Attributes in Remote Authentication Providers, page 2
• LDAP Group Rule, page 4
• Configuring LDAP Providers, page 4
• Configuring RADIUS Providers, page 12
• Configuring TACACS+ Providers, page 14
• Configuring Multiple Authentication Systems, page 16
• Selecting a Primary Authentication Service, page 21
Authentication Services
Cisco UCS supports two methods to authenticate user logins:
• Through user accounts local to Cisco UCS Manager
• Remotely through one of the following protocols:
◦ LDAP
◦ RADIUS
◦ TACACS+
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
1
Configuring Authentication
Guidelines and Recommendations for Remote Authentication Providers
Guidelines and Recommendations for Remote Authentication
Providers
If a system is configured for one of the supported remote authentication services, you must create a provider
for that service to ensure that Cisco UCS Manager can communicate with it. In addition, you need to be aware
of the following guidelines that impact user authorization:
User Accounts in Remote Authentication Services
User accounts can exist locally in Cisco UCS Manager or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through
Cisco UCS Manager GUI or Cisco UCS Manager CLI.
User Roles in Remote Authentication Services
If you create user accounts in the remote authentication server, you must ensure that the accounts include the
roles those users require for working in Cisco UCS Manager and that the names of those roles match the
names used in Cisco UCS Manager. Depending on the role policy, a user may not be allowed to log in or will
be granted only read-only privileges.
User Attributes in Remote Authentication Providers
For RADIUS and TACACS+ configurations, you must configure a user attribute for Cisco UCS in each remote
authentication provider through which users log in to Cisco UCS Manager. This user attribute holds the roles
and locales assigned to each user.
Note
This step is not required for LDAP configurations that use LDAP Group Mapping to assign roles and
locales.
When a user logs in, Cisco UCS Manager does the following:
1 Queries the remote authentication service.
2 Validates the user.
3 If the user is validated, checks for the roles and locales assigned to that user.
The following table contains a comparison of the user attribute requirements for the remote authentication
providers supported by Cisco UCS.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
2
OL-25712-04
Configuring Authentication
User Attributes in Remote Authentication Providers
Table 1: Comparison of User Attributes by Remote Authentication Provider
Authentication
Provider
Custom
Attribute
Schema Extension
Attribute ID Requirements
LDAP
Not required if
group mapping
is used
Optional. You can choose to do
either of the following:
The Cisco LDAP implementation
requires a unicode type attribute.
Optional if
group mapping
is not used
• Do not extend the LDAP
schema and configure an
existing, unused attribute
that meets the requirements.
If you choose to create the
CiscoAVPair custom attribute, use
the following attribute ID:
1.3.6.1.4.1.9.287247.1
• Extend the LDAP schema A sample OID is provided in the
and create a custom attribute following section.
with a unique name, such as
CiscoAVPair.
RADIUS
Optional
Optional. You can choose to do
either of the following:
The vendor ID for the Cisco
RADIUS implementation is 009 and
the vendor ID for the attribute is
• Do not extend the RADIUS 001.
schema and use an existing,
unused attribute that meets The following syntax example
shows how to specify multiples user
the requirements.
roles and locales if you choose to
• Extend the RADIUS schema create the cisco-avpair attribute:
and create a custom attribute shell:roles="admin,aaa"
with a unique name, such as shell:locales="L1,abc". Use a
cisco-avpair.
comma "," as the delimiter to
separate multiple values.
TACACS+
Required
Required. You must extend the
schema and create a custom
attribute with the name
cisco-av-pair.
The cisco-av-pair name is the string
that provides the attribute ID for the
TACACS+ provider.
The following syntax example
shows how to specify multiples user
roles and locales when you create
the cisco-av-pair attribute:
cisco-av-pair=shell:roles="admin
aaa" shell:locales*"L1 abc".
Using an asterisk (*) in the
cisco-av-pair attribute syntax flags
the locale as optional, preventing
authentication failures for other
Cisco devices that use the same
authorization profile. Use a space
as the delimiter to separate multiple
values.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
3
Configuring Authentication
LDAP Group Rule
Sample OID for LDAP User Attribute
The following is a sample OID for a custom CiscoAVPair attribute:
CN=CiscoAVPair,CN=Schema,
CN=Configuration,CN=X
objectClass: top
objectClass: attributeSchema
cn: CiscoAVPair
distinguishedName: CN=CiscoAVPair,CN=Schema,CN=Configuration,CN=X
instanceType: 0x4
uSNCreated: 26318654
attributeID: 1.3.6.1.4.1.9.287247.1
attributeSyntax: 2.5.5.12
isSingleValued: TRUE
showInAdvancedViewOnly: TRUE
adminDisplayName: CiscoAVPair
adminDescription: UCS User Authorization Field
oMSyntax: 64
lDAPDisplayName: CiscoAVPair
name: CiscoAVPair
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,CN=X
LDAP Group Rule
The LDAP group rule is used to determine whether Cisco UCS should use LDAP groups when assigning user
roles and locales to a remote user.
Configuring LDAP Providers
Configuring Properties for LDAP Providers
The properties that you configure in this task are the default settings for all provider connections of this type
defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco
UCS uses that setting and ignores the default setting.
Before You Begin
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server
to bind with Cisco UCS. This account should be given a non-expiring password.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
On the Admin tab, expand All > User Management > LDAP.
Complete the following fields in the Properties area:
Cisco UCS Manager GUI Configuration Guide, Release 2.0
4
OL-25712-04
Configuring Authentication
Creating an LDAP Provider
Name
Description
Timeout field
The length of time in seconds the system should spend trying to
contact the LDAP database before it times out.
Enter an integer from 1 to 60 seconds. The default value is 30
seconds.
This property is required.
Attribute field
An LDAP attribute that stores the values for the user roles and
locales. This property is always a name-value pair. The system
queries the user record for the value that matches this attribute
name.
If you do not want to extend your LDAP schema, you can configure
an existing, unused LDAP attribute with the Cisco UCS roles and
locales. Alternatively, you can create an attribute named
CiscoAVPair in the remote authentication service with the following
attribute ID: 1.3.6.1.4.1.9.287247.1
Base DN field
The specific distinguished name in the LDAP hierarchy where the
server should begin a search when a remote user logs in and the
system attempts to get the user's DN based on their username. The
maximum supported string length is 127 characters.
This property is required. If you do not specify a base DN on this
tab then you must specify one on the General tab for every LDAP
provider defined in this Cisco UCS domain.
Filter field
The LDAP search is restricted to those usernames that match the
defined filter.
This property is required. If you do not specify a filter on this tab
then you must specify one on the General tab for every LDAP
provider defined in this Cisco UCS domain.
Step 4
Click Save Changes.
What to Do Next
Create an LDAP provider.
Creating an LDAP Provider
Cisco UCS Manager supports a maximum of 16 LDAP providers.
Before You Begin
If you are using Active Directory as your LDAP server, create a user account in the Active Directory server
to bind with Cisco UCS. This account should be given a non-expiring password.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
5
Configuring Authentication
Creating an LDAP Provider
• In the LDAP server, perform one of the following configurations:
◦ Configure LDAP groups. LDAP groups contain user role and locale information.
◦ Configure users with the attribute that holds the user role and locale information for Cisco UCS
Manager. You can choose whether to extend the LDAP schema for this attribute. If you do not
want to extend the schema, use an existing LDAP attribute to hold the Cisco UCS user roles and
locales. If you prefer to extend the schema, create a custom attribute, such as the CiscoAVPair
attribute.
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID:
1.3.6.1.4.1.9.287247.1
◦ For a cluster configuration, add the management port IP addresses for both fabric interconnects.
This configuration ensures that remote users can continue to log in if the first fabric interconnect
fails and the system fails over to the second fabric interconnect. All login requests are sourced
from these IP addresses, not the virtual IP address used by Cisco UCS Manager.
• If you want to use secure communications, create a trusted point containing the certificate of the root
certificate authority (CA) of the LDAP server in Cisco UCS Manager.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
On the Admin tab, expand All > User Management > LDAP.
In the Work pane, click the General tab.
Step 4
Step 5
In the Actions area, click Create LDAP Provider.
On the Create LDAP Provider page of the wizard, do the following:
a) Complete the following fields with information about the LDAP service you want to use:
Name
Description
Hostname field
The hostname or IP address on which the LDAP provider resides. If
SSL is enabled, this field must exactly match a Common Name (CN)
in the security certificate of the LDAP database.
Note
Order field
If you use a hostname rather than an IP address, you must
configure a DNS server in Cisco UCS Manager.
The order in which Cisco UCS uses this provider to authenticate
users.
Enter an integer between 1 and 16, or enter lowest-available or 0
(zero) if you want Cisco UCS to assign the next available order based
on the other providers defined in this Cisco UCS domain.
Bind DN field
The distinguished name (DN) for an LDAP database account that has
read and search permissions for all objects under the base DN.
The maximum supported string length is 127 ASCII characters.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
6
OL-25712-04
Configuring Authentication
Creating an LDAP Provider
Name
Description
Base DN field
The specific distinguished name in the LDAP hierarchy where the
server should begin a search when a remote user logs in and the
system attempts to get the user's DN based on their username. The
maximum supported string length is 127 characters.
This value is required unless a default base DN has been set on the
LDAP General tab.
Port field
The port through which Cisco UCS communicates with the LDAP
database. The standard port number is 389.
Enable SSL check box
If checked, encryption is required for communications with the LDAP
database. If unchecked, authentication information will be sent as
clear text.
LDAP uses STARTTLS. This allows encrypted communication using
port 389.
Filter field
The LDAP search is restricted to those usernames that match the
defined filter.
This value is required unless a default filter has been set on the LDAP
General tab.
Attribute field
An LDAP attribute that stores the values for the user roles and locales.
This property is always a name-value pair. The system queries the
user record for the value that matches this attribute name.
If you do not want to extend your LDAP schema, you can configure
an existing, unused LDAP attribute with the Cisco UCS roles and
locales. Alternatively, you can create an attribute named CiscoAVPair
in the remote authentication service with the following attribute ID:
1.3.6.1.4.1.9.287247.1
This value is required unless a default attribute has been set on the
LDAP General tab.
Password field
The password for the LDAP database account specified in the Bind
DN field. You can enter any standard ASCII characters except for
space, § (section sign), ? (question mark), or = (equal sign).
Confirm Password field
The LDAP database password repeated for confirmation purposes.
Timeout field
The length of time in seconds the system should spend trying to
contact the LDAP database before it times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the
global timeout value specified on the LDAP General tab. The default
is 30 seconds.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
7
Configuring Authentication
Creating an LDAP Provider
b) Click Next.
Step 6
On the LDAP Group Rule page of the wizard, do the following:
a) Complete the following fields:
Name
Description
Group Authorization field
Whether Cisco UCS also searches LDAP groups when authenticating
and assigning user roles and locales to remote users. This can be one
of the following:
• Disable—Cisco UCS does not access any LDAP groups.
• Enable—Cisco UCS searches all LDAP groups mapped in this
Cisco UCS domain. If the remote user is found, Cisco UCS
assigns the user roles and locales defined for that LDAP group
in the associated LDAP group map.
Note
Group Recursion field
Role and locale assignment is cumulative. If a user is
included in multiple groups, or has a role or locale specified
in the LDAP attribute, Cisco UCS assigns that user all the
roles and locales mapped to any of those groups or attributes.
Whether Cisco UCS searches both the mapped groups and their parent
groups. This can be one of the following:
• Non Recursive—Cisco UCS searches only the groups mapped
in this Cisco UCS domain. If none of the groups containing the
user explicitly set the user's authorization properties, Cisco UCS
uses the default settings.
• Recursive—Cisco UCS searches each mapped group and all
its parent groups for the user's authorization properties. These
properties are cumulative, so for each group Cisco UCS finds
with explicit authorization property settings, it applies those
settings to the current user. Otherwise it uses the default settings.
Target Attribute field
The attribute Cisco UCS uses to determine group membership in the
LDAP database.
The supported string length is 63 characters. The default string is
memberOf.
b) Click Finish.
What to Do Next
For implementations involving a single LDAP database, select LDAP as the authentication service.
For implementations involving multiple LDAP databases, configure an LDAP provider group.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
8
OL-25712-04
Configuring Authentication
Changing the LDAP Group Rule for an LDAP Provider
Changing the LDAP Group Rule for an LDAP Provider
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > LDAP.
Expand LDAP Providers and choose the LDAP provider for which you want to change the group rule.
In the Work pane, click the General tab.
Step 5
In the LDAP Group Rules area, complete the following fields:
Name
Description
Group Authorization field
Whether Cisco UCS also searches LDAP groups when authenticating
and assigning user roles and locales to remote users. This can be one
of the following:
• Disable—Cisco UCS does not access any LDAP groups.
• Enable—Cisco UCS searches all LDAP groups mapped in this
Cisco UCS domain. If the remote user is found, Cisco UCS assigns
the user roles and locales defined for that LDAP group in the
associated LDAP group map.
Note
Group Recursion field
Role and locale assignment is cumulative. If a user is included
in multiple groups, or has a role or locale specified in the LDAP
attribute, Cisco UCS assigns that user all the roles and locales
mapped to any of those groups or attributes.
Whether Cisco UCS searches both the mapped groups and their parent
groups. This can be one of the following:
• Non Recursive—Cisco UCS searches only the groups mapped
in this Cisco UCS domain. If none of the groups containing the
user explicitly set the user's authorization properties, Cisco UCS
uses the default settings.
• Recursive—Cisco UCS searches each mapped group and all its
parent groups for the user's authorization properties. These
properties are cumulative, so for each group Cisco UCS finds with
explicit authorization property settings, it applies those settings
to the current user. Otherwise it uses the default settings.
Target Attribute field
The attribute Cisco UCS uses to determine group membership in the
LDAP database.
The supported string length is 63 characters. The default string is
memberOf.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
9
Configuring Authentication
Deleting an LDAP Provider
Step 6
Click Save Changes.
Deleting an LDAP Provider
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
Step 5
On the Admin tab, expand All > User Management > LDAP.
Expand LDAP Providers.
Right-click the LDAP provider you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
LDAP Group Mapping
For organizations that already use LDAP groups to restrict access to LDAP databases, group membership
information can be used by UCSM to assign a role or locale to an LDAP user during login. This eliminates
the need to define role or locale information in the LDAP user object when Cisco UCS Manager is deployed.
When a user logs in to Cisco UCS Manager, information about the user's role and locale are pulled from the
LDAP group map. If the role and locale criteria match the information in the policy, access is granted.
Role and locale definitions are configured locally in Cisco UCS Manager and do not update automatically
based on changes to an LDAP directory. When deleting or renaming LDAP groups in an LDAP directory, it
is important that you update Cisco UCS Manager with the change.
An LDAP group map can be configured to include any of the following combinations of roles and locales:
• Roles only
• Locales only
• Both roles and locales
For example, consider an LDAP group representing a group of server administrators at a specific location.
The LDAP group map might be configured to include user roles like server-profile and server-equipment. To
restrict access to server administrators at a specific location, the locale could be set to a particular site name.
Note
Cisco UCS Manager includes many out-of-the-box user roles but does not include any locales. Mapping
an LDAP provider group to a locale requires that you create a custom locale.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
10
OL-25712-04
Configuring Authentication
Creating an LDAP Group Map
Creating an LDAP Group Map
Before You Begin
• Create an LDAP group in the LDAP server.
• Configure the distinguished name for the LDAP group in the LDAP server.
• Create locales in Cisco UCS Manager (optional).
• Create custom roles in Cisco UCS Manager (optional).
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > LDAP.
Right-click LDAP Group Maps and choose Create LDAP Group Map.
In the Create LDAP Group Map dialog box, do the following:
a) In the LDAP Group DN field, enter the distinguished name of the group in the LDAP database.
Important
This name must match the name in the LDAP database
exactly.
b) In the Roles table, check the check boxes for all roles that you want to assign to users who are included
in the group map.
c) In the Locales table, check the check boxes for all locales that you want to assign to users who are included
in the group map.
d) Click OK.
What to Do Next
Set the LDAP group rule.
Deleting an LDAP Group Map
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
Step 5
On the Admin tab, expand All > User Management > LDAP.
Expand LDAP Group Maps.
Right-click the LDAP group map you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
11
Configuring Authentication
Configuring RADIUS Providers
Configuring RADIUS Providers
Configuring Properties for RADIUS Providers
The properties that you configure in this task are the default settings for all provider connections of this type
defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco
UCS uses that setting and ignores the default setting.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
In the Admin tab, expand User Management > RADIUS.
Complete the following fields in the Properties area:
Name
Description
Timeout field
The length of time in seconds the system should spend trying to
contact the RADIUS database before it times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the
global timeout value specified on the RADIUS General tab. The
default is 5 seconds.
Retries field
Step 4
The number of times to retry the connection before the request is
considered to have failed.
Click Save Changes.
What to Do Next
Create a RADIUS provider.
Creating a RADIUS Provider
Cisco UCS Manager supports a maximum of 16 RADIUS providers.
Before You Begin
Perform the following configuration in the RADIUS server:
• Configure users with the attribute that holds the user role and locale information for Cisco UCS Manager.
You can choose whether to extend the RADIUS schema for this attribute. If you do not want to extend
the schema, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer
to extend the schema, create a custom attribute, such as the cisco-avpair attribute.
The vendor ID for the Cisco RADIUS implementation is 009 and the vendor ID for the attribute is 001.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
12
OL-25712-04
Configuring Authentication
Creating a RADIUS Provider
The following syntax example shows how to specify multiples user roles and locales if you choose to
create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma
"," as the delimiter to separate multiple values.
• For a cluster configuration, add the management port IP addresses for both fabric interconnects. This
configuration ensures that remote users can continue to log in if the first fabric interconnect fails and
the system fails over to the second fabric interconnect. All login requests are sourced from these IP
addresses, not the virtual IP address used by Cisco UCS Manager.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
On the Admin tab, expand All > User Management > RADIUS.
In the Create RADIUS Provider dialog box:
a) Complete the fields with the information about the RADIUS service you want to use.
Name
Description
Hostname field
The hostname or IP address on which the RADIUS provider resides.
Note
Order field
If you use a hostname rather than an IP address, you must
configure a DNS server in Cisco UCS Manager.
The order in which Cisco UCS uses this provider to authenticate
users.
Enter an integer between 1 and 16, or enter lowest-available or 0
(zero) if you want Cisco UCS to assign the next available order based
on the other providers defined in this Cisco UCS domain.
Key field
The SSL encryption key for the database.
Confirm Key field
The SSL encryption key repeated for confirmation purposes.
Authorization Port field
The port through which Cisco UCS communicates with the RADIUS
database.
Timeout field
The length of time in seconds the system should spend trying to
contact the RADIUS database before it times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the
global timeout value specified on the RADIUS General tab. The
default is 5 seconds.
Retries field
The number of times to retry the connection before the request is
considered to have failed.
If desired, enter an integer between 0 and 5. If you do not specify a
value, Cisco UCS uses the value specified on the RADIUS General
tab.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
13
Configuring Authentication
Deleting a RADIUS Provider
b) Click OK.
Step 4
Click Save Changes.
What to Do Next
For implementations involving a single RADIUS database, select RADIUS as the primary authentication
service.
For implementations involving multiple RADIUS databases, configure a RADIUS provider group.
Deleting a RADIUS Provider
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
In the Admin tab, expand User Management > RADIUS.
Right-click the RADIUS provider you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Configuring TACACS+ Providers
Configuring Properties for TACACS+ Providers
The properties that you configure in this task are the default settings for all provider connections of this type
defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco
UCS uses that setting and ignores the default setting.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
In the Admin tab, expand User Management > TACACS+.
In the Properties area, complete the Timeout field:
The length of time in seconds the system should spend trying to contact the TACACS+ database before it
times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the global timeout value specified on the
TACACS+ General tab. The default is 5 seconds.
Step 4
Click Save Changes.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
14
OL-25712-04
Configuring Authentication
Creating a TACACS+ Provider
What to Do Next
Create an TACACS+ provider.
Creating a TACACS+ Provider
Cisco UCS Manager supports a maximum of 16 TACACS+ providers.
Before You Begin
Perform the following configuration in the TACACS+ server:
• Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example shows how to specify multiples user roles and locales when you create
the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc".
Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing
authentication failures for other Cisco devices that use the same authorization profile. Use a space as
the delimiter to separate multiple values.
• For a cluster configuration, add the management port IP addresses for both fabric interconnects. This
configuration ensures that remote users can continue to log in if the first fabric interconnect fails and
the system fails over to the second fabric interconnect. All login requests are sourced from these IP
addresses, not the virtual IP address used by Cisco UCS Manager.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > TACACS+.
In the Actions area of the General tab, click Create TACACS+ Provider.
In the Create TACACS+ Provider dialog box:
a) Complete the fields with the information about the TACACS+ service you want to use.
Name
Description
Hostname field
The hostname or IP address on which the TACAS+ provider resides.
Note
Order field
If you use a hostname rather than an IP address, you must
configure a DNS server in Cisco UCS Manager.
The order in which Cisco UCS uses this provider to authenticate
users.
Enter an integer between 1 and 16, or enter lowest-available or 0
(zero) if you want Cisco UCS to assign the next available order based
on the other providers defined in this Cisco UCS domain.
Key field
The SSL encryption key for the database.
Confirm Key field
The SSL encryption key repeated for confirmation purposes.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
15
Configuring Authentication
Deleting a TACACS+ Provider
Name
Description
Port field
The port through which Cisco UCS should communicate with the
TACACS+ database.
Enter an integer between 1 and 65535. The default port is 49.
Timeout field
The length of time in seconds the system should spend trying to
contact the TACACS+ database before it times out.
Enter an integer from 1 to 60 seconds, or enter 0 (zero) to use the
global timeout value specified on the TACACS+ General tab. The
default is 5 seconds.
b) Click OK.
Step 5
Click Save Changes.
What to Do Next
For implementations involving a single TACACS+ database, select TACACS+ as the primary authentication
service.
For implementations involving multiple TACACS+ databases, configure a TACACS+ provider group.
Deleting a TACACS+ Provider
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
In the Admin tab, expand User Management > TACACS+.
Right-click the TACACS+ provider you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Configuring Multiple Authentication Systems
Multiple Authentication Systems
You can configure Cisco UCS to use multiple authentication systems by configuring the following features:
• Provider groups
• Authentication domains
Cisco UCS Manager GUI Configuration Guide, Release 2.0
16
OL-25712-04
Configuring Authentication
Provider Groups
Provider Groups
A provider group is a set of providers that will be used by Cisco UCS during the authentication process. Cisco
UCS Manager allows you to create a maximum of 16 provider groups, with a maximum of eight providers
allowed per group.
During authentication, all the providers within a provider group are tried in order. If all of the configured
servers are unavailable or unreachable, Cisco UCS Manager automatically falls back to the local authentication
method using the local username and password.
Creating an LDAP Provider Group
Creating an LDAP provider group allows you to authenticate using multiple LDAP databases.
Note
Authenticating with a single LDAP database does not require you to set up an LDAP provider group.
Before You Begin
Create one or more LDAP providers.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > LDAP.
Right-click LDAP Provider Groups and choose Create LDAP Provider Group.
In the Create LDAP Provider Group dialog box, do the following:
a) In the Name field, enter a unique name for the group.
This name can be between 1 and 127 characters.
b) In the LDAP Providers table, choose one or more providers to include in the group.
c) Click the >> button to add the providers to the Included Providers table.
You can use the << button to remove providers from the group.
d) After you have added all desired providers to the provider group, click OK.
What to Do Next
Configure an authentication domain or select a default authentication service.
Deleting an LDAP Provider Group
Before You Begin
Remove the provider group from an authentication configuration.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
17
Configuring Authentication
Creating a RADIUS Provider Group
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
Step 5
On the Admin tab, expand All > User Management > LDAP.
Expand LDAP Provider Groups.
Right-click the LDAP provider group you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Creating a RADIUS Provider Group
Creating a RADIUS provider group allows you to authenticate using multiple RADIUS databases.
Note
Authenticating with a single RADIUS database does not require you to set up a RADIUS provider group.
Before You Begin
Create one or more RADIUS providers.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > RADIUS.
Right-click RADIUS Provider Groups and choose Create RADIUS Provider Group.
In the Create RADIUS Provider Group dialog box, do the following:
a) In the Name field, enter a unique name for the group.
This name can be between 1 and 127 ASCII characters.
b) In the RADIUS Providers table, choose one or more providers to include in the group.
c) Click the >> button to add the providers to the Included Providers table.
You can use the << button to remove providers from the group.
d) After you have added all desired providers to the provider group, click OK.
What to Do Next
Configure an authentication domain or select a default authentication service.
Deleting a RADIUS Provider Group
You cannot delete a provider group if it is being used by an authentication configuration.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
18
OL-25712-04
Configuring Authentication
Creating a TACACS+ Provider Group
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
Step 5
On the Admin tab, expand All > User Management > RADIUS.
Expand RADIUS Provider Groups.
Right-click the RADIUS provider group you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Creating a TACACS+ Provider Group
Creating a TACACS+ provider group allows you to authenticate using multiple TACACS+ databases.
Note
Authenticating with a single TACACS+ database does not require you to set up a TACACS+ provider
group.
Before You Begin
Create one or more TACACS+ providers.
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > TACACS+.
Right-click TACACS+ Provider Groups and choose Create TACACS+ Provider Group.
In the Create TACACS+ Provider Group dialog box, do the following:
a) In the Name field, enter a unique name for the group.
This name can be between 1 and 127 ASCII characters.
b) In the TACACS+ Providers table, choose one or more providers to include in the group.
c) Click the >> button to add the providers to the Included Providers table.
You can use the << button to remove providers from the group.
d) After you have added all desired providers to the provider group, click OK.
Deleting a TACACS+ Provider Group
You cannot delete a provider group if it is being used by an authentication configuration.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
19
Configuring Authentication
Authentication Domains
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
Step 5
On the Admin tab, expand All > User Management > TACACS+.
Expand TACACS+ Provider Groups.
Right-click the TACACS+ provider group you want to delete and choose Delete.
If the Cisco UCS Manager GUI displays a confirmation dialog box, click Yes.
Authentication Domains
Authentication domains are used by Cisco UCS Manager to leverage multiple authentication systems. Each
authentication domain is specified and configured during login. If no authentication domain is specified, the
default authentication service configuration is used.
You can create up to eight authentication domains. Each authentication domain is associated with a provider
group and realm in Cisco UCS Manager. If no provider group is specified, all servers within the realm are
used.
Creating an Authentication Domain
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > Authentication.
Right-click Authentication Domains and choose Create a Domain.
In the Create a Domain dialog box, complete the following fields:
Name
Description
Name field
The name of the domain.
This name can be between 1 and 16 alphanumeric characters. You
cannot use spaces or any special characters other than - (hyphen), _
(underscore), : (colon), and . (period), and you cannot change this name
after the object has been saved.
Note
For systems using RADIUS as their preferred authentication
protocol, the authentication domain name is considered part
of the user name and counts toward the 32 character limit for
locally created user names. Because Cisco UCS inserts 5
characters for formatting, authentication will fail if the
combined total of the domain name plus the user name is more
than 27 characters.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
20
OL-25712-04
Configuring Authentication
Selecting a Primary Authentication Service
Name
Description
Web Session Refresh Period field When a web client connects to Cisco UCS Manager, the client needs
to send refresh requests to Cisco UCS Manager to keep the web session
active. This option specifies the maximum amount of time allowed
between refresh requests for a user in this domain.
If this time limit is exceeded, Cisco UCS Manager considers the web
session to be inactive, but it does not terminate the session.
Specify an integer between 60 and 172800. The default is 600 seconds.
Web Session Timeout field
The maximum amount of time that can elapse after the last refresh
request before Cisco UCS Manager considers a web session to have
ended. If this time limit is exceeded, Cisco UCS Manager automatically
terminates the web session.
Specify an integer between 60 and 172800. The default is 7200 seconds.
Realm field
The authentication protocol that will be applied to users in this domain.
This can be one of the following:
• Local—The user account must be defined locally in this Cisco
UCS domain.
• Radius—The user must be defined on the RADIUS server
specified for this Cisco UCS domain.
• Tacacs—The user must be defined on the TACACS+ server
specified for this Cisco UCS domain.
• Ldap—The user must be defined on the LDAP server specified
for this Cisco UCS domain.
Provider Group drop-down list
Step 5
If the Realm is set to anything other than Local, this field allows you
to select the associated provider group, if any.
Click OK.
Selecting a Primary Authentication Service
Selecting the Console Authentication Service
Before You Begin
If the system uses a remote authentication service, create a provider for that authentication service. If the
system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
21
Configuring Authentication
Selecting the Default Authentication Service
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > Authentication.
Click Native Authentication.
In the Work pane, click the General tab.
Step 5
In the Console Authentication area, complete the following fields:
Name
Description
Realm field
The method by which a user logging into the console
is authenticated. This can be one of the following:
• Local—The user account must be defined
locally in this Cisco UCS domain.
• Radius—The user must be defined on the
RADIUS server specified for this Cisco UCS
domain.
• Tacacs—The user must be defined on the
TACACS+ server specified for this Cisco UCS
domain.
• Ldap—The user must be defined on the LDAP
server specified for this Cisco UCS domain.
• None—If the user account is local to this Cisco
UCS domain, no password is required when the
user logs into the console.
Provider Group drop-down list
Step 6
The provider group to be used to authenticate a user
logging into the console.
Click Save Changes.
Selecting the Default Authentication Service
Before You Begin
If the system uses a remote authentication service, create a provider for that authentication service. If the
system uses only local authentication through Cisco UCS, you do not need to create a provider first.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
22
OL-25712-04
Configuring Authentication
Role Policy for Remote Users
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > Authentication.
Click Native Authentication.
In the Work pane, click the General tab.
Step 5
In the Default Authentication area, complete the following fields:
Name
Description
Realm drop-down list
The default method by which a user is authenticated
during remote login. This can be one of the following:
• Local—The user account must be defined
locally in this Cisco UCS domain.
• Radius—The user must be defined on the
RADIUS server specified for this Cisco UCS
domain.
• Tacacs—The user must be defined on the
TACACS+ server specified for this Cisco UCS
domain.
• Ldap—The user must be defined on the LDAP
server specified for this Cisco UCS domain.
• None—If the user account is local to this Cisco
UCS domain, no password is required when the
user logs in remotely.
Provider Group drop-down list
Step 6
The default provider group to be used to authenticate
the user during remote login.
Click Save Changes.
Role Policy for Remote Users
By default, if user roles are not configured in Cisco UCS Manager read-only access is granted to all users
logging in to Cisco UCS Manager from a remote server using the LDAP, RADIUS, or TACACS protocols.
For security reasons, it might be desirable to restrict access to those users matching an established user role
in Cisco UCS Manager.
You can configure the role policy for remote users in the following ways:
Cisco UCS Manager GUI Configuration Guide, Release 2.0
OL-25712-04
23
Configuring Authentication
Configuring the Role Policy for Remote Users
assign-default-role
Does not restrict user access to Cisco UCS Manager based on user roles. Read-only access is granted
to all users unless other user roles have been defined in Cisco UCS Manager.
This is the default behavior.
no-login
Restricts user access to Cisco UCS Manager based on user roles. If user roles have not been assigned
for the remote authentication system, access is denied.
Configuring the Role Policy for Remote Users
Procedure
Step 1
In the Navigation pane, click the Admin tab.
Step 2
Step 3
Step 4
On the Admin tab, expand All > User Management > Authentication.
Click Native Authentication.
In the Work pane, click the General tab.
Step 5
In the Role Policy for Remote Users field, click one of the following radio buttons to determine what happens
when a user attempts to log in and the remote authentication provider does not supply a user role with the
authentication information:
• No Login—The user is not allowed to log in to the system, even if the username and password are
correct.
• Assign Default Role—The user is allowed to log in with a read-only user role.
Step 6
Click Save Changes.
Cisco UCS Manager GUI Configuration Guide, Release 2.0
24
OL-25712-04