To add a RADIUS or TACACS+ provider, you first configure the RADIUS/TACACS+ properties and then add the RADIUS/TACACS+ server information. You can configure default settings; the default properties apply to all provider connections of this type defined in Cisco UCS Manager. If an individual provider includes a setting for any of these properties, Cisco UCS uses the provider setting and ignores the default setting. The following scenario shows step by step how to create a UCS provider.
Note
RADIUS authentication uses the Password Authentication Protocol (PAP).
Note
The Cisco UCS Manager supports a maximum of 16 RADIUS providers.
This example shows step by step how to configure RADIUS/TACACS+ remote authentication. Before adding a RADIUS provider, you need to perform the following RADIUS server configurations:
Configure users with the attribute that holds the user role and locale information for the Cisco UCS Manager. You can choose whether to extend the RADIUS schema for this attribute. If you do not want to extend the schema, use an existing RADIUS attribute to hold the Cisco UCS user roles and locales. If you prefer to extend the schema, create a custom attribute, such as the cisco-avpair attribute.
The vendor ID for the Cisco RADIUS implementation is 009, and the vendor ID for the attribute is 001.
The following syntax example shows how to specify multiple user roles and locales if you choose to create the cisco-avpair attribute: shell:roles="admin,aaa" shell:locales="L1,abc". Use a comma (,) as the delimiter to separate multiple values.
For a cluster configuration, add the management port IPv4 or IPv6 addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by the Cisco UCS Manager.
Similarly, for TACACS+, before adding the provider you need to perform the following TACACS+ server configurations:
Create the cisco-av-pair attribute. You cannot use an existing TACACS+ attribute.
The cisco-av-pair name is the string that provides the attribute ID for the TACACS+ provider.
The following syntax example shows how to specify multiple user roles and locales when you create the cisco-av-pair attribute: cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc". Using an asterisk (*) in the cisco-av-pair attribute syntax flags the locale as optional, preventing authentication failures for other Cisco devices that use the same authorization profile. Use a space as the delimiter to separate multiple values.
For a cluster configuration, add the management port IPv4 or IPv6 addresses for both fabric interconnects. This configuration ensures that remote users can continue to log in if the first fabric interconnect fails and the system fails over to the second fabric interconnect. All login requests are sourced from these IP addresses, not the virtual IP address used by the Cisco UCS Manager.
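The attribute syntax described for both providers, as an added worked example that is not from this text or from Cisco: it encodes a cisco-avpair value into a RADIUS Vendor-Specific attribute using the vendor ID 9 and attribute ID 1 given above, decodes it back with bounds checks on every length octet, and parses the roles and locales out of both the comma-delimited RADIUS form and the space-delimited TACACS+ form, including the asterisk optional marker. The attribute type 26 and the VSA layout come from RFC 2865; the function names and the sample values are constructed for this example.

```python
import re
import struct

# Values from the text: Cisco vendor ID 9 and cisco-avpair vendor attribute 1.
# 26 is the RADIUS Vendor-Specific attribute type defined in RFC 2865.
VENDOR_SPECIFIC = 26
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1

# One shell:<name> pair; '=' is the normal separator, '*' is the TACACS+
# "optional" marker. Values are quoted, so spaces inside them are preserved.
_PAIR_RE = re.compile(r'shell:(roles|locales)([=*])"([^"]*)"')


def encode_cisco_avpair(value: str) -> bytes:
    """Wrap one cisco-avpair string in a RADIUS Vendor-Specific attribute."""
    payload = value.encode("ascii")
    sub = struct.pack("!BB", CISCO_AVPAIR, len(payload) + 2) + payload
    body = struct.pack("!I", CISCO_VENDOR_ID) + sub
    if len(body) + 2 > 255:  # the RADIUS attribute length is a single octet
        raise ValueError("cisco-avpair value too long for one attribute")
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_cisco_avpairs(attrs: bytes) -> list:
    """Return every cisco-avpair string in a RADIUS attribute list.

    Attributes of other types or other vendors are skipped; each length
    field is checked against the buffer before it is trusted.
    """
    found = []
    i = 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            j, end = i + 6, i + alen
            while vendor_id == CISCO_VENDOR_ID and j + 2 <= end:
                vtype, vlen = attrs[j], attrs[j + 1]
                if vlen < 2 or j + vlen > end:
                    raise ValueError("malformed vendor sub-attribute length")
                if vtype == CISCO_AVPAIR:
                    found.append(attrs[j + 2:j + vlen].decode("ascii"))
                j += vlen
        i += alen
    return found


def parse_ucs_avpair(avpair: str, protocol: str) -> dict:
    """Extract UCS roles and locales from a cisco-avpair/cisco-av-pair value.

    RADIUS values are comma-delimited and always use '='; TACACS+ values are
    space-delimited and may use '*' to flag an attribute as optional.
    A leading 'cisco-av-pair=' prefix (TACACS+ form) is tolerated.
    """
    if protocol not in ("radius", "tacacs"):
        raise ValueError("protocol must be 'radius' or 'tacacs'")
    delimiter = "," if protocol == "radius" else " "
    result = {"roles": [], "locales": [], "optional": []}
    for name, sep, value in _PAIR_RE.findall(avpair):
        if sep == "*":
            if protocol == "radius":
                raise ValueError("'*' optional marker is only valid for TACACS+")
            result["optional"].append(name)
        result[name] = [v for v in value.split(delimiter) if v]
    return result


if __name__ == "__main__":
    # Constructed sample values written in the syntax shown in the text.
    radius_value = 'shell:roles="admin,aaa" shell:locales="L1,abc"'
    tacacs_value = 'cisco-av-pair=shell:roles="admin aaa" shell:locales*"L1 abc"'
    wire = encode_cisco_avpair(radius_value)
    print(wire.hex())
    for v in decode_cisco_avpairs(wire):
        print(parse_ucs_avpair(v, "radius"))
    print(parse_ucs_avpair(tacacs_value, "tacacs"))
```

The decoder deliberately raises on a length octet that runs past the buffer rather than reading whatever follows, which is the check a RADIUS client needs before it trusts an Access-Accept's attribute list; the parser rejects the asterisk form for RADIUS because the text defines it only for the TACACS+ attribute.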
After configuring the remote authentication server (RADIUS or TACACS+), you can configure authentication server properties. The following steps show how to configure the RADIUS server default properties:
Step 1. In the Navigation pane, click Admin.
Step 2. Expand User Management > RADIUS.
Step 3. In the Properties area, complete all fields.
Step 4. Click Save Changes.
The following steps show how to configure TACACS+ server default properties:
Step 1. In the Navigation pane, click Admin.
Step 2. Expand User Management > TACACS+.
Step 3. In the Properties area, complete the Timeout field.
Step 4. Click Save Changes.
After configuring remote authentication server properties, the next step is to configure the authentication server provider. The following steps show how to configure the UCS RADIUS server provider:
Step 1. In the Navigation pane, click Admin.
Step 2. Expand All > User Management > RADIUS.
Step 3. In the Create RADIUS Provider dialog box, specify all appropriate RADIUS service information.