The authentication, authorization, and accounting (AAA) framework is vital to securing network devices. The AAA framework provides authentication of management sessions, limits users to specific administrator-defined commands, and logs all commands entered by all users.
RADIUS and TACACS+ are both supported on the UCS compute system. TACACS+ encrypts the entire TCP payload, which includes both the username and password. RADIUS only encrypts the password. Therefore, TACACS+ is more secure. Additionally, you can use LDAP for user authentication. To encrypt the LDAP authentication exchange, enable the SSL option.
1. Authentication: Authentication is the process of establishing whether a client is who or what it claims to be in a particular context. A client can be an end user, a machine, or an application. Authentication mechanisms differ depending on the components that are communicating.
Cisco UCS provides two methods of user authentication:
Local accounts on the Cisco UCS Manager
Remote authentication using LDAP, RADIUS, or TACACS+
2. Authorization: Authorization is managed through roles, which let you specify the resources that users are allowed to access. Role management lets you treat groups of users as a unit by assigning users to roles such as manager, sales, or member.
After you have established roles, you can create access rules. By using roles, you can establish these types of rules independent from individual users. Users can belong to more than one role.
Cisco UCS user roles include the following:
AAA administrator: Read/write access to users, roles, and AAA configuration. Read access to the rest of the system.
Facility Manager: Read/write access to power management operations through the power management privilege. Read access to the rest of the system.
Server Compute: Read/write access to most aspects of service profiles. However, the user cannot create, modify, or delete vNICs or vHBAs.
Administrator: Complete read/write access to the entire system. The default admin account is assigned this role by default and cannot be changed.
Network administrator: Read/write access to the fabric interconnect infrastructure and network security operations. Read access to the rest of the system.
Operations: Read/write access to system logs, including the syslog servers, and faults. Read access to the rest of the system.
Read-only: Read-only access to the system configuration with no privileges to modify the system state.
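The following is an added example, not Cisco's code, that models the authorization rules above as a policy check: each role grants read access everywhere, write access only within its own scopes, and a user with several roles gets the union of those grants. The scope and object names (for example "service_profile", "vnic") are assumptions chosen for illustration.

```python
# Added example: a model of the Cisco UCS role-based authorization described
# above. Scope and object names are assumptions for illustration only.

# Role -> scopes in which the role has read/write access. Every role also has
# read access to the whole system; "*" means write access everywhere.
ROLE_WRITE_SCOPES = {
    "aaa_admin": {"users", "roles", "aaa"},
    "facility_manager": {"power_management"},
    "server_compute": {"service_profile"},
    "admin": {"*"},
    "network_admin": {"fabric_interconnect", "network_security"},
    "operations": {"syslog", "faults"},
    "read_only": set(),
}

# Objects inside a service profile that Server Compute may not create,
# modify, or delete (assumed object names).
SERVER_COMPUTE_DENIED = {"vnic", "vhba"}

WRITE_ACTIONS = {"create", "modify", "delete"}


def role_allows(role, scope, obj, action):
    """Decide whether a single role permits `action` on `obj` in `scope`."""
    if action == "read":
        return True  # every role has read access to the rest of the system
    if role == "server_compute" and obj in SERVER_COMPUTE_DENIED:
        return False  # explicit exception from the role description
    writes = ROLE_WRITE_SCOPES[role]
    return "*" in writes or scope in writes


def is_authorized(user_roles, scope, obj, action):
    """Union of grants across all of a user's roles; unknown input fails closed."""
    unknown = set(user_roles) - ROLE_WRITE_SCOPES.keys()
    if unknown:
        raise ValueError(f"unknown role(s): {sorted(unknown)}")
    if action != "read" and action not in WRITE_ACTIONS:
        raise ValueError(f"unknown action: {action}")
    # A user belonging to more than one role is allowed if any role allows it.
    return any(role_allows(r, scope, obj, action) for r in user_roles)
```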