
Setting up CIMC on C220 stand-alone server for LDAP authentication.

Julian.Milano (Level 1)

I'm trying to set up the CIMC so that all users who require access to the console of the server have to be authenticated by Active Directory. I have placed my authenticated users in an AD group called "APAC IT Administrators".

 

Here are the fields I have so far:

Enable LDAP: Checked

BaseDN: DC=mydomain,DC=com

Domain: mydomain.com

 

Enable Encryption: Checked

Time Out: 60s

 

Configure LDAP Servers: Checked

Server 1: 10.0.0.100

Port: 389

Server 2: 10.0.0.101

Port: 389

 

Binding parameters:

Method: Login Credentials

 

Search Parameters:

Filter Attribute: sAMAccountName

Group Attribute: memberOf

Attribute: CiscoAVPair

 

LDAP Group Authorisation: Checked

Index: 1

Group Name: APAC IT Administrators

Group Domain: mydomain.com

Role: Admin

 

 

I've read here (http://www.aaviso.com/tech/?p=94) something about having to create a new attribute for domain users and then assign the attribute to the specific users, which I have not done so far as I do not have permission to do this and it needs to be done by a higher source. But would this be the reason I cannot get the CIMC logon to authenticate against AD? Is there a log I can check to see what the problem is?

 

When I try to log onto the CIMC using the format "mydomain\myusername", I get the error "Login failed. Verify that your username and password are correct."

 

CIMC is version 2.0(3e).

 

Thanks.

 

 

Accepted Solution

Justin Welch (Level 1)

Hello,

 

Here are the steps that need to be followed for LDAP authentication to work:

 

Step one: test network connectivity:

Please ensure the C240 M3S is able to reach the LDAP server. This can be done by the following…

SSH to the CIMC IP address

# scope cimc

# scope network

# ping IP-ADDRESS-OF-SERVER


Step two: prepare the authentication domain

Step 1: Add Active Directory Schema snap-in to MMC – open a command window as administrator and run regsvr32 schmmgmt.dll

 

http://technet.microsoft.com/en-us/library/cc732110.aspx

 

Step 2: Run MMC and add the Active Directory Schema snap-in

 

  1. Click Start, click Run, type mmc /a, and then click OK.
  2. On the File menu, click Add/Remove Snap-in, and then click Add.
  3. Under Available Standalone Snap-ins, double-click Active Directory Schema, click Close, and then click OK.

 

For our example, we will create a new attribute called "CiscoAVPair" but you can use a custom name or an existing attribute that is mapped to the CIMC user roles. 

 

Step 3: Using the Active Directory schema snap-in, add a new attribute with the following properties (for a visual guide, see here: http://social.technet.microsoft.com/wiki/contents/articles/20319.how-to-create-a-custom-attribute-in-active-directory.aspx ):

 

Property                Value
Common Name             CiscoAVPair
LDAP Display Name       CiscoAVPair
Unique X500 Object ID   1.3.6.1.4.1.9.287247.1
Description             CiscoAVPair
Syntax                  Case Sensitive String

 

 

Step 4: Select Classes in the left pane, right click the “user” class and select properties, select “attributes” and add the new CiscoAVPair attribute to the user class

 

[screenshot: add_attribute_toclass.png]

 

 

Step 5: Add shell:roles="admin" to the CiscoAVPair attribute for a specific user.

 

Start ADSI Edit and connect to the default context.  Find the User you want to modify.  Right click and select “properties” and add the text to the attribute.

 

[screenshot: shell_roles.png]

 

Note: the last step must be performed on a per-user basis, so each user who needs access to the CIMC will need to be given a value in the shell:roles="<role>" syntax. The three default options are as always...

 

Role        CiscoAVPair Attribute Value
admin       shell:roles="admin"
user        shell:roles="user"
read-only   shell:roles="read-only"

 

And that is it! Your MS AD is now fully prepped. The final step is to configure the CIMC.

 

Step three: configure the CIMC

 

While there are many options for configuring LDAP authentication, here are the three main areas we are concerned with...

 

[screenshot: ldapconfig.png]

 

LDAP Settings:
Enable LDAP: Check mark

Base DN: The domain name as it appears in Windows.

Example: mstizza.local would be entered as DC=mstizza,DC=local

Example: microsoft.com would be entered as DC=microsoft,DC=com

 

Enable encryption: This requires an SSL certificate from a valid Certificate Authority to be uploaded to the CIMC. However, this topic goes outside the scope of this article.

 

LDAP Servers:

Enter the IP address and LDAP port of each server you are attempting to authenticate to. 

 

Search parameters:

Filter Attribute: sAMAccountName

Group Attribute: memberOf

Attribute: CiscoAVPair

 

And that's it! The CIMC should now successfully authenticate to Microsoft AD. 

 

Anything outside of this configuration is not going to work. Let me know if this is what you've done and we can discuss troubleshooting steps.

 

 

Hope this helps,

 

Justin

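Steps 2 to 5 of the answer above (create the CiscoAVPair attribute, attach it to the user class, set shell:roles per user) can be done with the ActiveDirectory PowerShell module instead of the Schema snap-in and ADSI Edit. The script below is an added example, not code from the thread or from Cisco. It assumes the ActiveDirectory module is installed, that the session runs as a member of Schema Admins with access to the forest's Schema Master, and that the account names jmilano and svc-mon are hypothetical; the OID and syntax are the ones in the table above. If you cannot change the schema, set $attrName to an existing unused string attribute (one of the later replies suggests otherPager) and the schema part is skipped automatically, as long as the CIMC "Attribute" field is changed to match.

```powershell
# Added example (not from the thread): Steps 2-5 of the accepted answer in PowerShell.
# Assumptions: ActiveDirectory module present; running as Schema Admins; the user
# names 'jmilano' and 'svc-mon' are hypothetical.
Import-Module ActiveDirectory

$attrName     = 'CiscoAVPair'               # or an existing unused attribute such as otherPager
$attrOid      = '1.3.6.1.4.1.9.287247.1'    # OID from the table in the answer above
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster  # schema writes only succeed on this DC

# Safety check first: schema objects can never be deleted (only made defunct), so
# refuse to create a duplicate lDAPDisplayName or OID. This also skips the whole
# schema block when an existing attribute is being reused.
$existing = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
    -LDAPFilter "(|(lDAPDisplayName=$attrName)(attributeID=$attrOid))"
if ($existing) {
    Write-Warning "Schema already has $($existing.DistinguishedName); not creating it again"
} else {
    # Step 3: attributeSyntax 2.5.5.3 with oMSyntax 27 is "Case Sensitive String"
    New-ADObject -Server $schemaMaster -Name $attrName -Type attributeSchema -Path $schemaNc -OtherAttributes @{
        lDAPDisplayName  = $attrName
        attributeID      = $attrOid
        attributeSyntax  = '2.5.5.3'
        oMSyntax         = 27
        isSingleValued   = $true
        adminDescription = $attrName
        searchFlags      = 0
    }
    # Step 4: make it an optional attribute (mayContain) of the 'user' class
    $userClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))'
    Set-ADObject -Server $schemaMaster -Identity $userClass -Add @{ mayContain = $attrName }
    # Reload the schema cache on the Schema Master so the attribute is usable now
    $dse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $dse.Put('schemaUpdateNow', 1)
    $dse.SetInfo()
}

# Step 5: one value per user. shell:roles="admin" is full control of the BMC
# (KVM, virtual media, power, firmware), so keep this list as short as the set
# of people who really need it, and review it like any other privileged group.
$roleAssignments = @{
    'jmilano' = 'admin'        # hypothetical
    'svc-mon' = 'read-only'    # hypothetical monitoring account
}
foreach ($sam in $roleAssignments.Keys) {
    $role = $roleAssignments[$sam]
    if ($role -notin 'admin', 'user', 'read-only') { throw "Unknown CIMC role '$role' for $sam" }
    Set-ADUser -Identity $sam -Replace @{ $attrName = ('shell:roles="{0}"' -f $role) }
}

# Verify with the same lookup the CIMC performs: filter on sAMAccountName, read the attribute.
foreach ($sam in $roleAssignments.Keys) {
    Get-ADUser -LDAPFilter "(sAMAccountName=$sam)" -Properties $attrName |
        Select-Object SamAccountName, @{ n = $attrName; e = { $_.$attrName } }
}
```

If Set-ADUser reports that the attribute is not valid right after the schema change, the Active Directory Web Service on the DC you are connected to is still caching the old schema; add -Server $schemaMaster to the Set-ADUser/Get-ADUser calls or restart ADWS on that DC.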

9 Replies

Julian.Milano (Level 1)

So no one was able to integrate their CIMC into active directory? WoW!

Did you try without encryption, or alternatively encryption with port 636?
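Before ticking "Enable Encryption" it is worth checking what the domain controller actually presents on port 636, since the CIMC needs the issuing CA certificate and not the DC's own certificate. The script below is an added example, not from the thread or from Cisco: it opens a TLS session to the LDAPS port, prints the protocol, subject, expiry and Subject Alternative Names of the DC certificate, and writes the root of the chain to a PEM file for upload to the CIMC. The name dc1.mydomain.com is a hypothetical domain controller; the chain is built from the trust store of the host running the script, so run it on a domain-joined machine that already trusts the enterprise CA.

```powershell
# Added example (not from the thread): probe the LDAPS endpoint a CIMC with
# "Enable Encryption" ticked will use, and save the issuing CA certificate.
# Assumption: 'dc1.mydomain.com' is a hypothetical domain controller name.
param(
    [string]$Server  = 'dc1.mydomain.com',
    [int]$Port       = 636,
    [string]$OutFile = 'ldaps-ca.pem'
)

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($Server, $Port)          # throws here if nothing is listening on 636

# Accept any certificate during the probe so it can be inspected; the CIMC itself
# will only accept a chain that ends in the CA certificate uploaded to it.
$accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($Server)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
"Negotiated {0}; subject {1}; expires {2:u}" -f $ssl.SslProtocol, $leaf.Subject, $leaf.NotAfter

# Print the SAN so it can be compared with the address entered under LDAP Servers.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN: " + $san.Format($false) } else { Write-Warning "DC certificate has no SAN extension" }

# Walk the chain to its root; that root (or the issuing CA) is what goes on the CIMC.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($leaf)
$root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -eq $leaf.Thumbprint) {
    Write-Warning "Could not build a chain above the DC certificate; this host does not trust the issuer"
}
"Chain root: " + $root.Subject
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`n-----END CERTIFICATE-----"
Set-Content -Path $OutFile -Value $pem -Encoding ascii
"Wrote $OutFile"

$ssl.Dispose()
$tcp.Close()
```

Leaving encryption off is not a neutral troubleshooting step: with the binding method set to "Login Credentials" the CIMC performs an LDAP simple bind with the user's own domain password, and on port 389 without TLS that password crosses the management network in cleartext.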

I was able to get login working using LDAP group authorization, without needing to modify the AD schema to add the CiscoAvPair attribute, and without having to use an alternate attribute.

This was done on a C220 M4 running CIMC Firmware Version 2.0(13f).

  • Enable Ldap, enter a base DN and domain
  • Select "Use DNS to Configure LDAP Servers" and ensure Source is set to "Extracted"
  • Check "LDAP Group Authorization"
  • Click on "Group Name" column next to Index 1 - enter a group name, domain, and role.
  • Save changes

You can now log in using "username@my.domain.ca" (example screenshot attached).
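The two replies above describe two ways the CIMC can decide a role: the per-user CiscoAVPair value, and the "LDAP Group Authorization" table matched against the user's groups. The script below is an added example, not from the thread or from Cisco: for one account it reports what each path yields, so a failed logon can be traced to a missing attribute value, a typo in the group name, or a group the user is only a nested member of. It assumes the ActiveDirectory module is available, the group table is hypothetical, and matching "Group Name" and "Group Domain" against the CN and DC components of the group's DN is this script's interpretation of the CIMC fields, not something documented in the thread.

```powershell
# Added example (not from the thread): for one AD account, show what a CIMC
# configured as in the replies above would find through each authorization path.
# Assumptions: ActiveDirectory module present; group rows below are hypothetical;
# matching Group Name/Group Domain against the group DN is this script's interpretation.
Import-Module ActiveDirectory

# Mirrors the CIMC "LDAP Group Authorization" rows: Group Name, Group Domain, Role
$groupRoles = @(
    @{ Name = 'APAC IT Administrators'; Domain = 'mydomain.com'; Role = 'admin' }
    @{ Name = 'CIMC Read Only';         Domain = 'mydomain.com'; Role = 'read-only' }
)

function Convert-DnToDomain {
    # 'CN=APAC IT Administrators,OU=Groups,DC=mydomain,DC=com' -> 'mydomain.com'
    # The split ignores escaped commas (\,) inside RDN values.
    param([string]$Dn)
    ($Dn -split '(?<!\\),' | Where-Object { $_ -like 'DC=*' } | ForEach-Object { $_.Substring(3) }) -join '.'
}

function Get-CimcAuthorization {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$AttributeName = 'CiscoAVPair'   # change if an existing attribute is reused
    )
    # Same lookup the CIMC does: filter attribute sAMAccountName, read attribute + memberOf
    $u = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties $AttributeName, memberOf
    if (-not $u) { throw "No account with sAMAccountName=$SamAccountName" }

    # Path 1: per-user attribute; only the exact shell:roles="<role>" form counts
    $attrRole = $null
    $raw = [string]$u.$AttributeName
    if ($raw -match '^shell:roles="(admin|user|read-only)"$') { $attrRole = $Matches[1] }
    elseif ($raw) { Write-Warning "$SamAccountName has $AttributeName='$raw', not a valid CIMC value" }

    # Path 2: direct memberOf only. A memberOf search does not expand nested
    # groups, so a user who is in the right group only via another group gets nothing.
    $groupHits = foreach ($dn in $u.memberOf) {
        $cn  = (($dn -split '(?<!\\),')[0] -replace '^CN=', '') -replace '\\,', ','
        $dom = Convert-DnToDomain $dn
        foreach ($g in $groupRoles) {
            if ($g.Name -eq $cn -and $g.Domain -eq $dom) { $g.Role }
        }
    }

    [pscustomobject]@{
        User          = $SamAccountName
        AttributeRole = $attrRole
        GroupRoles    = @($groupHits)
        DirectGroups  = @($u.memberOf)
    }
}

Get-CimcAuthorization -SamAccountName 'jmilano' | Format-List   # 'jmilano' is hypothetical
```

If both paths return a role, keep them consistent; the thread does not say which one the firmware prefers when they disagree. Treat the admin role as root on the hardware, since it covers KVM, virtual media and power control out of band.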

Hi Julian,

I note that you are trying to log on to the CIMC with domain\username. This format doesn't appear to work for me.

If your LDAP settings are correct, you should be able to log on with username@domain.com and also even username on its own appears to work.

One thing that did catch us out was that we needed to set the Binding Parameters Method to "Login Credentials". Once this was changed we could log in with our domain accounts (I note that you already have this set in your config above).

However, I should reiterate that we couldn't get it working until we modified our AD schema to add the CiscoAVPair attribute as per your quoted link (also described in the UCS CLI config guide).

Hope this helps.

 


Thanks for this tutorial, working 100%.

 

Step 4

Add the following user role values to the CiscoAVPair attribute, for the users that you want to have access to Cisco IMC:

 

Role        CiscoAVPair Attribute Value
admin       shell:roles="admin"
user        shell:roles="user"
read-only   shell:roles="read-only"

 

Hi, love your document, I just don't know how to do Step 4.

Can you explain please.

Thank you

niki.ciurlea (Level 1)

Julian, did you find a solution ? 

I do not have access to schema to create the new attribute and I'm wondering if there is a way to authenticate users against AD without modifying the schema . Still searching... 

 

@niki.ciurlea -You can use an existing attribute, just change the field from CiscoAVPair to some unused field like otherMailbox or otherPager.  I don't recommend using fields that start with "ms".  Depending on what field you pick, you may have to use the Attribute Editor field of the user object to set it.

I think you can also use group authentication without setting a field on the user account, I haven't tried that yet.
