User Accounts in Remote Authentication Services
User accounts can exist locally in Cisco UCS Manager or in the remote authentication server.
The temporary sessions for users who log in through remote authentication services can be viewed through
Cisco UCS Manager GUI or Cisco UCS Manager CLI.
User Roles in Remote Authentication Services
If you create user accounts in the remote authentication server, you must ensure that the accounts include the
roles those users require for working in Cisco UCS Manager and that the names of those roles match the
names used in Cisco UCS Manager. Depending on the role policy, a user may not be allowed to log in or will
be granted only read-only privileges.
User Attributes in Remote Authentication Providers
For RADIUS and TACACS+ configurations, you must configure a user attribute for Cisco UCS in each remote
authentication provider through which users log in to Cisco UCS Manager. This user attribute holds the roles
and locales assigned to each user.
Note: This step is not required for LDAP configurations that use LDAP Group Mapping to assign roles and
locales.
When a user logs in, Cisco UCS Manager does the following:
1. Queries the remote authentication service.
2. Validates the user.
3. If the user is validated, checks for the roles and locales assigned to that user.
The following table contains a comparison of the user attribute requirements for the remote authentication
providers supported by Cisco UCS.
Table 7: Comparison of User Attributes by Remote Authentication Provider
Authentication Provider: LDAP

Custom Attribute:
Not required if group mapping is used.
Optional if group mapping is not used.

Schema Extension:
Optional. You can choose to do either of the following:
• Do not extend the LDAP schema and configure an existing, unused attribute that meets the requirements.
• Extend the LDAP schema and create a custom attribute with a unique name, such as CiscoAVPair.

Attribute ID Requirements:
The Cisco LDAP implementation requires a unicode type attribute.
If you choose to create the CiscoAVPair custom attribute, use the following attribute ID: 1.3.6.1.4.1.9.287247.1
A sample OID is provided in the following section.
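The role-name matching requirement described above can be checked before users attempt to log in. The following is an added example, not code from Cisco or from this guide. It assumes the attribute value uses the form shell:roles="..." shell:locales="..." (the value syntax is not given on this page), that role names are compared as exact strings, that the role policy applies only when no role name matches, and it uses a constructed role set and constructed user entries.

```python
import re

# Role names as defined in Cisco UCS Manager (constructed sample set).
UCSM_ROLES = {"admin", "aaa", "network", "read-only", "server-profile"}

# Assumed value syntax (not given on this page): shell:roles="a,b" shell:locales="x,y"
_FIELD = re.compile(r'shell:(roles|locales)="([^"]*)"')

def parse_avpair(value):
    """Return (roles, locales) lists parsed from one user-attribute value."""
    fields = {"roles": [], "locales": []}
    for key, raw in _FIELD.findall(value or ""):
        fields[key] += [item.strip() for item in raw.split(",") if item.strip()]
    return fields["roles"], fields["locales"]

def audit_user(value, known_roles=UCSM_ROLES, role_policy="no-login"):
    """Compare remote role names with UCS Manager role names and report the result.

    role_policy is a label for the two outcomes the guide describes:
    "no-login" (login refused) or "assign-default-role" (read-only access).
    """
    roles, locales = parse_avpair(value)
    matched = [r for r in roles if r in known_roles]
    unknown = [r for r in roles if r not in known_roles]
    if matched:
        outcome = "login with roles: " + ",".join(matched)
    elif role_policy == "no-login":
        outcome = "login denied"
    else:
        outcome = "login with read-only privileges"
    return {"matched": matched, "unknown": unknown,
            "locales": locales, "outcome": outcome}

# Constructed export from the remote authentication server: user -> attribute value
SAMPLE = {
    "alice": 'shell:roles="admin,aaa" shell:locales="L1"',
    "bob": 'shell:roles="administrator"',  # name differs from the UCS Manager role
    "carol": "",                            # attribute never populated
}

if __name__ == "__main__":
    for user, value in SAMPLE.items():
        for policy in ("no-login", "assign-default-role"):
            print(user, policy, audit_user(value, role_policy=policy))
```

Any entry reported under "unknown" is a role name on the remote server that has no counterpart in Cisco UCS Manager and should be corrected on one side or the other.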
Cisco UCS Manager GUI Configuration Guide, Release 2.0
132 OL-25712-04