Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1541
Views
16
Helpful
5
Replies

Why do I need a Local User Policy in Intersight for UCS X210c servers?

Go to solution
RedNectar
VIP
VIP

‎01-04-2023 03:22 PM

Hi all,

First of all, I think I know the answer to this, but I'd like someone more knowledgeable than me to confirm and expand.  And let me explain that the reason for even asking this is because the Cisco UCS X-Series Quick Start Guide begins the process of creating a Server Profile Template by creating a Local User Policy.  I'd like to know why, and if it is totally unnecessary (I suspect it is) I'll let the document owners know.

My understanding is that a Local User Policy is ONLY needed in a Server Profile if there is ALSO an IPMI Over LAN Policy defined as well for the Server Profile, and that the policy is not used until an installed operating system attempts to query the IPMI, at which point the Local User Policy is consulted to see if a matching user has been defined and if so, that user is used to attempt to log into the IPMI.  Oh, and if the user (as defined in the Local User Policy) has a Role that doesn't match the IPMI Over LAN Policy Privilege Level than the login will fail.  How the local user relates to the OS user I have no idea!

Since the Cisco UCS X-Series Quick Start Guide does not mention any IPMI Policy at all, I'm confused as to need for the Local User Policy at all.

I'd love someone who understand Intersight and IPMI better than I so to provide a much better description of the relationship between these two policies that I have above.  And then we can put some pressure on the Intersight document writers to improve the docs! 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
Labels:
3 Accepted Solutions

Accepted Solutions

Go to solution
Brian Morrissey
Cisco Employee
Cisco Employee

‎01-04-2023 07:54 PM

It's been a while and difficult to go back and check but I believe prior to host firmware 4.1(3a) single sign on for the KVM didn't exist so when you went to launch the KVM from Intersight it wouldn't pass your credentials through and you had to enter in a username/password from the defined local user policy. This was during the tech preview of Intersight Managed Mode and way before the x210c.

However, the other still relevant use case is for direct kvm access if you can't connect to Intersight for some reason to launch the KVM. You can still browse to https://[blade-mgmt-ip] and it'll launch the vkvm with a login screen to enter the credentials from one of the users defined in the local user policy.

BrianMorrissey_0-1672890725078.png

 

View solution in original post

Go to solution
alexandru_gheorghita
Level 1
Level 1
In response to RedNectar

‎01-05-2023 05:18 AM

Hi,

I discovered that without any Local User Policy configured, the admin password (from the FI) does not work on the vKVM, you get auth failure.I am running the latest version today.

The only way how to allow access to the vKVM from the Device Console or direct access to the blade https://mgmt_ip_address/kvm is to push the local user in a server profile. So even users without the admin password can access the KVM.

Thanks,

Alex

View solution in original post

Go to solution
Brian Morrissey
Cisco Employee
Cisco Employee
In response to RedNectar

‎01-06-2023 06:50 AM

Local user policy is also used for IPMI over LAN authentication with some caveats in the tooltip text box when configuring the policy on which roles are supported based on the type of server (eg. RoleType USER is supported only in Racks).

 

If an admin role is defined for the user, you can access IPMI on the blade remotely with:

ipmitool -I lanplus -H blade.mgmt.ip -U 'testuser' -P 'testpassword' power status

 

If its a readonly user role you'll need an extra parameter in ipmitool to avoid errors establisthing the session:

ipmitool -I lanplus -H blade.mgmt.ip -U 'testuser' -P 'testpassword' power status -L USER

View solution in original post

5 Replies 5

Go to solution
Brian Morrissey
Cisco Employee
Cisco Employee

‎01-04-2023 07:54 PM

It's been a while and difficult to go back and check but I believe prior to host firmware 4.1(3a) single sign on for the KVM didn't exist so when you went to launch the KVM from Intersight it wouldn't pass your credentials through and you had to enter in a username/password from the defined local user policy. This was during the tech preview of Intersight Managed Mode and way before the x210c.

However, the other still relevant use case is for direct kvm access if you can't connect to Intersight for some reason to launch the KVM. You can still browse to https://[blade-mgmt-ip] and it'll launch the vkvm with a login screen to enter the credentials from one of the users defined in the local user policy.

BrianMorrissey_0-1672890725078.png

 

Go to solution
RedNectar
VIP
VIP
In response to Brian Morrissey

‎01-05-2023 01:15 AM - edited ‎01-05-2023 12:37 PM

Thanks @Brian Morrissey ,

I've validated your theory. [2023.01.06 Edit - thanks to @Brian Morrissey I understand this better now] and uncovered one of the most USELESS features I can imagine.  Here is what I did

  • I created two Server Profiles,
    • one with NO Local User Policy (Server 1)
    • one with a Local User Policy with a user called Chris (Server 2)
  • And applied the Server Profiles to two different servers in the same chassis
  • Next I logged into the local console of one of the Fabric Interconnects.
    • This had to be done using the admin user. User Chris could NOT log into the local console
    • From here,
      • I could log into the vKVM console of both Server1 and Server2 using the admin user
      • but could also log into the vKVM console of Server2 using user Chris
    • ...which to me seems absolutely pointless, because to get to the stage of being able to use the user defined in the Local User Policy (Chris), I already had to know the admin user password!
    • So why wouldn't I not just log into the vKVM console of Server2 using the admin user rather than changing users?
      [2023.01.06 Edit - the answer is that you can use the user defined in the Local User Policy to access the vKVM directly without first logging into the Fabric Interconnect]

Anyway, thanks for clearing that up for me.

If anyone has an explanation of how the Local User Policy is used in relation to the IPMI Policy I'd love to hear that too.

 

RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

Go to solution
alexandru_gheorghita
Level 1
Level 1
In response to RedNectar

‎01-05-2023 05:18 AM

Hi,

I discovered that without any Local User Policy configured, the admin password (from the FI) does not work on the vKVM, you get auth failure.I am running the latest version today.

The only way how to allow access to the vKVM from the Device Console or direct access to the blade https://mgmt_ip_address/kvm is to push the local user in a server profile. So even users without the admin password can access the KVM.

Thanks,

Alex

Go to solution
RedNectar
VIP
VIP
In response to alexandru_gheorghita

‎01-05-2023 12:33 PM

Thanks @alexandru_gheorghita ,

Here's what I found.

I discovered that without any Local User Policy configured, the admin password (from the FI) does not work on the vKVM, you get auth failure.I am running the latest version today.

Hmm. Yesterday I cleared all Server Profiles and applied one that had NO Local User Policy - I was able to access vKVM as the admin user without any problem via logging into the Fabric Interconnect IP address and launching the vKVM from there. Servers were running Firmware v5.0(1c) and am now in the process of upgrading to 5.0(2d) to see if that makes a difference.

The only way how to allow access to the vKVM from the Device Console or direct access to the blade https://mgmt_ip_address/kvm is to push the local user in a server profile. So even users without the admin password can access the KVM.

This same thought came to me as I was lying in bed last night - and sure enough you are correct.  If a Server Profile has a Local User Policy, you can access the vKVM of that server directly using the assigned In-band or OOB address defined in the IMC Access Policy

I'm still curious about the relationship between the Local User Policy and the IPMI Over LAN Policy (frankly I've never used an IPMI Over LAN Policy) because the Cisco Intersight Managed Mode Transition Tool User Guide states (in relation to the IPMI Over LAN Policy)

  • IPMI Over LAN Policy - IPMI Over LAN Policy of Intersight is mapped to IPMI Access Profiles in
    UCS manager. IPMI User-related information in IPMI Access Profile is moved to Local User Policy in
    Intersight
RedNectar aka Chris Welsh.
Forum Tips: 1. Paste images inline - don't attach. 2. Always mark helpful and correct answers, it helps others find what they need.
0 Helpful

Go to solution
Brian Morrissey
Cisco Employee
Cisco Employee
In response to RedNectar

‎01-06-2023 06:50 AM

Local user policy is also used for IPMI over LAN authentication with some caveats in the tooltip text box when configuring the policy on which roles are supported based on the type of server (eg. RoleType USER is supported only in Racks).

 

If an admin role is defined for the user, you can access IPMI on the blade remotely with:

ipmitool -I lanplus -H blade.mgmt.ip -U 'testuser' -P 'testpassword' power status

 

If its a readonly user role you'll need an extra parameter in ipmitool to avoid errors establisthing the session:

ipmitool -I lanplus -H blade.mgmt.ip -U 'testuser' -P 'testpassword' power status -L USER

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents