The Cisco UCS Manager supports two-factor authentication for remote user logins, which adds a level of security to account logins. A two-factor login requires a username plus a token and a password entered together in the password field. The second factor can be a PIN, a certificate, or a token.
Two-factor authentication uses authentication applications that maintain token servers to generate one-time tokens for users during the login process and to store passwords in the AAA server. Requests are sent to the token server to retrieve a vendor-specific attribute. The Cisco UCS Manager expects the token server to integrate with the AAA server; therefore, it forwards the request to the AAA server. The password and token are validated at the same time by the AAA server. Users must enter the token and password sequence in the same order as it is configured in the AAA server.
Two-factor authentication is supported by associating RADIUS or TACACS+ provider groups with designated authentication domains and enabling two-factor authentication for those domains. Two-factor authentication does not support IPM and is not supported when the authentication realm is set to LDAP, local, or none.
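The following is an added example, not Cisco code, that models the AAA-side behaviour described above: the single password-field value is split into token and password according to the order the AAA server is configured for, and both parts are checked before the result is decided. The record layout, the fixed-length numeric token, the `token-then-password` / `password-then-token` order names and the demo credentials are all constructed for the illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass

# Constructed demo values; a real token server issues the one-time token and a
# real AAA server stores the password verifier.
DEMO_PASSWORD = "S3cret!"
DEMO_TOKEN = "493021"
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # fixed only for reproducibility


@dataclass(frozen=True)
class AaaUserRecord:
    """What the AAA server is assumed to hold for one remote user."""
    salt: bytes
    password_hash: bytes  # PBKDF2-HMAC-SHA256 of the static password
    token_length: int     # length of the one-time token the token server issues
    order: str            # "token-then-password" or "password-then-token"


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_demo_record(order: str = "token-then-password") -> AaaUserRecord:
    return AaaUserRecord(
        salt=DEMO_SALT,
        password_hash=hash_password(DEMO_PASSWORD, DEMO_SALT),
        token_length=len(DEMO_TOKEN),
        order=order,
    )


def split_credential(field: str, order: str, token_length: int) -> tuple[str, str]:
    """Split the password-field value into (token, password) per the configured order.

    The order is fixed by the AAA configuration, so a user who types the two
    parts the other way round produces a token and a password that are both wrong.
    """
    if len(field) <= token_length:
        raise ValueError("credential too short to contain both a token and a password")
    if order == "token-then-password":
        return field[:token_length], field[token_length:]
    if order == "password-then-token":
        return field[-token_length:], field[:-token_length]
    raise ValueError(f"unknown order {order!r}")


def validate_login(record: AaaUserRecord, field: str, expected_token: str) -> bool:
    """Validate token and password together, as the page says the AAA server does."""
    try:
        token, password = split_credential(field, record.order, record.token_length)
    except ValueError:
        return False
    # Constant-time comparisons on bytes; both checks run before the verdict so a
    # wrong token and a wrong password are indistinguishable to the caller.
    token_ok = hmac.compare_digest(token.encode(), expected_token.encode())
    password_ok = hmac.compare_digest(hash_password(password, record.salt), record.password_hash)
    return token_ok and password_ok


if __name__ == "__main__":
    rec = make_demo_record()
    print(validate_login(rec, DEMO_TOKEN + DEMO_PASSWORD, DEMO_TOKEN))  # correct order
    print(validate_login(rec, DEMO_PASSWORD + DEMO_TOKEN, DEMO_TOKEN))  # reversed order fails
```

The only configuration that differs between the two accepted layouts is the `order` field; everything else, including the failure path for a too-short value, is shared, which is why the entry order on the UCS Manager login screen has to match the AAA server's setting.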
UCS Web Session Refresh and Session Timeout Period
The Web Session Refresh Period is the maximum amount of time allowed between refresh requests for a Cisco UCS Manager GUI web session. The Web Session Timeout is the maximum amount of time that can elapse after the last refresh request before a Cisco UCS Manager GUI web session becomes inactive.
You can increase the Web Session Refresh Period to a value greater than 60 seconds up to 172,800 seconds to avoid frequent session timeouts that require regenerating and re-entering a token and password multiple times. The default value is 7200 seconds when two-factor authentication is enabled and 600 seconds when two-factor authentication is not enabled.
You can specify a value between 300 and 172,800 for the Web Session Timeout Period. The default is 8000 seconds when two-factor authentication is enabled and 7200 seconds when two-factor authentication is not enabled.
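As an added example (not from Cisco's documentation or tooling), the helper below applies the defaults and ranges stated in the two paragraphs above to a proposed web-session setting, so a change can be checked before it is pushed to a fabric interconnect. The one review finding it raises, a refresh period longer than the timeout, is inferred from the two definitions given above (the GUI may go the whole refresh period without a request, while the timeout counts from the last request), not something the page states outright.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Ranges from the text: refresh period is "greater than 60 seconds up to 172,800",
# session timeout is "between 300 and 172,800".
REFRESH_MIN_EXCLUSIVE = 60
REFRESH_MAX = 172_800
TIMEOUT_MIN = 300
TIMEOUT_MAX = 172_800


def default_refresh(two_factor: bool) -> int:
    """7200 s with two-factor authentication enabled, 600 s otherwise."""
    return 7200 if two_factor else 600


def default_timeout(two_factor: bool) -> int:
    """8000 s with two-factor authentication enabled, 7200 s otherwise."""
    return 8000 if two_factor else 7200


@dataclass(frozen=True)
class WebSessionPolicy:
    two_factor: bool
    refresh_period: int
    session_timeout: int


def check_ranges(refresh_period: int, session_timeout: int) -> list[str]:
    """Return the documented range violations, empty when both values are acceptable."""
    errors = []
    if not (REFRESH_MIN_EXCLUSIVE < refresh_period <= REFRESH_MAX):
        errors.append(
            f"refresh period {refresh_period} s must be greater than "
            f"{REFRESH_MIN_EXCLUSIVE} and at most {REFRESH_MAX}"
        )
    if not (TIMEOUT_MIN <= session_timeout <= TIMEOUT_MAX):
        errors.append(
            f"session timeout {session_timeout} s must be between {TIMEOUT_MIN} and {TIMEOUT_MAX}"
        )
    return errors


def build_policy(
    two_factor: bool,
    refresh_period: Optional[int] = None,
    session_timeout: Optional[int] = None,
) -> WebSessionPolicy:
    """Fill in the documented defaults for whatever is not specified, then range-check."""
    refresh = default_refresh(two_factor) if refresh_period is None else refresh_period
    timeout = default_timeout(two_factor) if session_timeout is None else session_timeout
    errors = check_ranges(refresh, timeout)
    if errors:
        raise ValueError("; ".join(errors))
    return WebSessionPolicy(two_factor, refresh, timeout)


def review_policy(policy: WebSessionPolicy) -> list[str]:
    """Practitioner findings that are not hard errors.

    Inferred from the definitions: if the refresh period exceeds the timeout,
    the session can become inactive between two scheduled refresh requests.
    """
    findings = []
    if policy.refresh_period > policy.session_timeout:
        findings.append(
            f"refresh period ({policy.refresh_period} s) exceeds session timeout "
            f"({policy.session_timeout} s); the session may expire between refreshes"
        )
    return findings


if __name__ == "__main__":
    for two_factor in (True, False):
        policy = build_policy(two_factor)
        print(policy, review_policy(policy))
```

Both documented default pairs pass `review_policy` cleanly (7200 s / 8000 s with two-factor authentication, 600 s / 7200 s without), which is a useful baseline when a proposed override is compared against them.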
UCS LDAP Providers and Groups
UCS LDAP supports nested LDAP. You can add an LDAP group as a member of another group and nest groups to consolidate member accounts and to reduce the replication of traffic. Cisco UCS Manager release 2.1(2) and higher enable you to search LDAP groups that are nested within another group defined in an LDAP group map.
Note: Nested LDAP search is supported only for Microsoft Active Directory servers. The supported versions are Microsoft Windows 2003 SP3, Microsoft Windows 2008 R2, and Microsoft Windows 2012.
By default, user rights are inherited when you nest an LDAP group within another group. For example, if you make Group 1 a member of Group 2, the users in Group 1 have the same permissions as the members of Group 2. You can then search users that are members of Group 1 by choosing only Group 2 in the LDAP group map, instead of having to search Group 1 and Group 2 separately. You do not always need to create subgroups in a group map in the Cisco UCS Manager.
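To make the inheritance rule concrete, here is an added example (not Cisco UCS Manager's implementation) that resolves a user's effective groups through nested membership and then applies a group map that lists only Group 2. The directory entries, distinguished names, role and locale names and the deliberate membership cycle are all constructed; the walk uses a visited set so a cycle such as Group 1 in Group 2 in Group 3 in Group 1 still terminates.

```python
from __future__ import annotations

from collections import deque

# Constructed directory: group DN -> DNs of its direct members (users or groups).
# Group 1 is nested in Group 2, Group 2 in Group 3, and Group 3 back in Group 1
# to show that the resolution handles a membership cycle.
DIRECTORY: dict[str, set[str]] = {
    "CN=Group 1,OU=Groups,DC=example,DC=com": {
        "CN=alice,OU=Users,DC=example,DC=com",
        "CN=Group 3,OU=Groups,DC=example,DC=com",
    },
    "CN=Group 2,OU=Groups,DC=example,DC=com": {
        "CN=Group 1,OU=Groups,DC=example,DC=com",
        "CN=bob,OU=Users,DC=example,DC=com",
    },
    "CN=Group 3,OU=Groups,DC=example,DC=com": {
        "CN=Group 2,OU=Groups,DC=example,DC=com",
    },
    "CN=Unmapped,OU=Groups,DC=example,DC=com": {
        "CN=carol,OU=Users,DC=example,DC=com",
    },
}

# Constructed group map: only Group 2 is listed, as the text says is sufficient.
GROUP_MAP: dict[str, dict[str, set[str]]] = {
    "CN=Group 2,OU=Groups,DC=example,DC=com": {"roles": {"admin"}, "locales": {"west"}},
}


def parent_index(directory: dict[str, set[str]]) -> dict[str, set[str]]:
    """Invert member lists into member DN -> set of groups that directly contain it."""
    parents: dict[str, set[str]] = {}
    for group, members in directory.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    return parents


def effective_groups(user_dn: str, directory: dict[str, set[str]]) -> set[str]:
    """All groups the user belongs to directly or through nesting, cycle-safe."""
    parents = parent_index(directory)
    seen: set[str] = set()
    queue = deque(parents.get(user_dn, ()))
    while queue:
        group = queue.popleft()
        if group in seen:
            continue  # already expanded; this is what stops a membership cycle
        seen.add(group)
        queue.extend(parents.get(group, ()))
    return seen


def resolve_roles(
    user_dn: str,
    directory: dict[str, set[str]],
    group_map: dict[str, dict[str, set[str]]],
) -> tuple[set[str], set[str]]:
    """Union of the roles and locales of every mapped group the user effectively belongs to."""
    roles: set[str] = set()
    locales: set[str] = set()
    for group in effective_groups(user_dn, directory):
        entry = group_map.get(group)
        if entry is not None:
            roles |= entry["roles"]
            locales |= entry["locales"]
    return roles, locales


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        dn = f"CN={user},OU=Users,DC=example,DC=com"
        print(user, resolve_roles(dn, DIRECTORY, GROUP_MAP))
```

Alice is only a direct member of Group 1, yet she receives Group 2's role and locale because Group 1 is nested in Group 2 and the map names Group 2; Carol, whose only group is not in the map, receives nothing. The same inheritance is why a group map should be reviewed whenever a group is nested into a mapped one: every member of the nested group gains the mapped group's rights.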
The LDAP group rule determines whether Cisco UCS should use LDAP groups when assigning user roles and locales to a remote user. The following scenario shows step by step how to create, modify, and delete a default LDAP provider.