UFM®-SDN Appliance provides an authentication, authorization and accounting (AAA) mechanism which enables management of users with different roles (capabilities).
It supports local users created on the appliance, and remote (centrally managed) users created on central authentication servers such as LDAP.
UFM®-SDN Appliance supports local and centrally managed users (Using LDAP, RADIUS, TACACS).
UFM®-SDN Appliance has predefined users. For the complete list of users and their roles, please refer to the UFM®-SDN Command Reference Guide, section Users and Roles (Capabilities).
To create a local user:
Log into the CLI as admin and use the selected password.
Enter the “config” configuration mode.
ufm-appliance > enable ufm-appliance # configure terminal
Creates the users with a specific capability (role).
ufm-appliance [ mgmt-sa ] (config) # username <username> capability <capability>
Set the user’s password.
ufm-appliance [ mgmt-sa ] (config) # username <username> password <password>
To link users to an LDAP server (such as ActiveDirectory):
Create a group for UFM®-SDN Appliance users on the ActiveDirectory server
Assign users to the group.
[Optional] Add the attribute "localUserName" to the user schema for correlating it to a local username on the UFM®-SDN Appliance (If this attribute is not added, all users will be correlated with the default user - "admin")
Add LDAP as the authentication method.
ufm-appliance [ mgmt-sa ] (config) # aaa authentication login
Configure the LDAP server.
ufm-appliance [ mgmt-sa ] (config) # ldap base-dn <string> ufm-appliance [ mgmt-sa ] (config) # ldap bind-dn <string> ufm-appliance [ mgmt-sa ] (config) # ldap bind-password <string> ufm-appliance [ mgmt-sa ] (config) # ldap host <IP Address>
For further information, please refer to the UFM®-SDN Command Reference Guide, section User Management and AAA.
The default user (admin) has System Administration rights. A user with system Administration rights can manage other users' accounts, including creation, deletion, and modification of accounts.
A UFM user can belong to one of the following groups:
Monitoring Only – Users can see the fabric configuration, open monitoring sessions, define monitoring templates, and export monitoring data to CSV files. Monitoring only mode enables device hardware alerts and other device management capabilities with pre-defined device credentials.
Fabric Operator – Users can perform all operations allowed to Monitoring group users, and can also configure fabric, modify the fabric design, define logical objects, and allocate resources. Management group users cannot create, delete or modify environments or global networks.
Fabric Administrator – Users can perform all operations allowed to Management group users, and can also create, delete, and modify environments and global networks. Users in this group cannot manage other users' accounts.
System Administrator – Users can perform all operations allowed to Fabric Administration group, and can also manage other users' accounts.