
UCS RBAC, AAA, Backups


Cisco UCS RBAC for CCIE DC prep.


  1. UCS Security (www.silantia.com)
     - Management Hierarchy / ORG and RBAC
     - RBAC Groups
     - Remote RBAC Configuration
     - Roles and Privileges
     - Users
     - Backup and Restore
  2. Organizations
     - Organizations are levels of hierarchy that you can create within a UCS system.
     - A single UCS system can be divided into multiple ORGs, and users can be configured to do only certain tasks within an ORG.
     - E.g. a company, Acme Gizmo, has multiple departments: Engineering, Finance, Marketing and Sales. But all their compute resources are within a single UCS system sharing common SAN and LAN infrastructure.
     - Organizations are used to provide an administrative hierarchy for the application of policy.
     - Organizations can be created under the Server, LAN and SAN tabs in UCS Manager. Once created under any of these tabs, an ORG appears in all tabs.
  3. Organizations
     - Depending on the tab context in UCS Manager, ORGs can contain service profiles, identity pools, resource pools, policies and thresholds. All pools and policies created within an ORG are localized to that ORG or can be used in its sub-organizations.
     - If a MAC/UUID/WWN pool is exhausted within an ORG and more MAC/UUID/WWN identities are requested by a service profile, they are borrowed from the parent ORG.
     - Even if no organizations are created in the UCS system, there is always one organization called root. All other ORGs are created under root.
     - (Diagram: org tree with the nodes root, AcmeGizmo, Engineering, Finance and Marketing.)
  4. Organizations
  5. Locales
     - You can create one or more locales and assign organizations to them.
     - In a locale you can assign more than one organization.
     - The purpose of creating a locale is to restrict the privileges of a user to a particular organization or a set of organizations.
     - Unlike organizations, locales are created under the Admin tab.
  6. Locales
     - To create a locale, go to Admin tab -> User Management -> User Services -> right click on Locales and create Locale.
  7. Locales
     - You can then drag and drop one or more organizations into the locale.
  8. Locales
  9. Roles and Privileges
     - A role defines a collection of privileges that determines what a user may do inside UCS Manager.
     - When a user is authenticated with username and password, the UCS Manager authorization system is used to enforce the property of least privilege.
     - The effective rights of a user are the intersection of the mapped roles and the locale.
  10. Roles and Privileges
     - There are about 10 predefined roles in UCS Manager 2.0:
       - AAA
       - Admin
       - Facility manager
       - Network
       - Operations
       - Read-only
       - Server-equipment
       - Server-profile
       - Server security
       - Storage
     - Each role has certain privileges assigned to it.
     - You can create custom roles with their own set of privileges.
     - There are 34 system-defined privileges. Privileges cannot be deleted and, unlike roles, new privileges cannot be created.
  11. Roles and Privileges
  12. Role Based Access Control (RBAC)
     - RBAC and organizations are complementary constructs; they can be used separately or together.
     - If no locale is defined, user rights begin at the root organization and flow to all sub-organizations.
     - If a locale is applied to the user profile, rights begin at the sub-organizations contained in the locale and flow to all organizations beneath those sub-organizations.
     - Admin has unrestricted privilege from the root organization down to every sub-organization; it cannot be restricted by a locale.
  13. RBAC
     - Effective rights for user Bob are the intersection of the server-equipment, server-profile and server-security roles and the Finance locale.
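The rules the deck states for pool borrowing (slide 3) and for roles, locales and the unrestricted admin role (slides 12 and 13), as an added Python model that is not part of the deck or of UCS Manager; the org tree, MAC addresses, privilege names and Bob's role set are constructed for the example.

```python
# Constructed toy model of the slides' rules: an exhausted pool borrows from the parent
# org, rights are the union of role privileges scoped by the locale, admin is never scoped.
from dataclasses import dataclass, field

# Org tree as child -> parent; "root" always exists and has no parent. (Constructed names.)
PARENT = {"AcmeGizmo": "root", "Engineering": "AcmeGizmo", "Finance": "AcmeGizmo"}

def ancestors(org):
    """Yield org, then each parent up to and including root."""
    while org is not None:
        yield org
        org = PARENT.get(org)

# Per-org MAC pools (constructed addresses); Engineering has no pool of its own.
POOLS = {"root": ["00:25:B5:00:00:01", "00:25:B5:00:00:02"],
         "Finance": ["00:25:B5:0F:00:01"]}

def allocate_mac(org):
    """Return (pool_org, mac): the org's own pool first, then parents once it is exhausted."""
    for pool_org in ancestors(org):
        if POOLS.get(pool_org):
            return pool_org, POOLS[pool_org].pop(0)
    raise RuntimeError(f"no MAC address left for {org!r} or any parent org")

# Roles as privilege sets (a constructed subset of the 34 system-defined privileges).
ROLES = {
    "admin": set(),  # unrestricted; bypasses the privilege and locale checks
    "server-equipment": {"server-equipment", "server-maintenance"},
    "server-profile": {"service-profile-config", "service-profile-server"},
    "server-security": {"service-profile-security"},
    "network": {"ext-lan-config", "ext-lan-policy"},
}

@dataclass
class User:
    name: str
    roles: set
    locale_orgs: set = field(default_factory=set)  # empty == no locale == root scope

def effective_privileges(user):
    """Union of the privileges of every role mapped to the user."""
    return set().union(*(ROLES[r] for r in user.roles))

def in_scope(user, org):
    """Rights begin at the locale's orgs (root when no locale) and flow to every sub-org."""
    return not user.locale_orgs or any(a in user.locale_orgs for a in ancestors(org))

def is_authorized(user, privilege, org):
    """Effective right = privilege granted by a role AND org inside the locale; admin always."""
    return "admin" in user.roles or (privilege in effective_privileges(user) and in_scope(user, org))
```

Bob holds server privileges but only inside Finance, so the same privilege is denied in Engineering, while an admin with the same locale is unaffected by it.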
  14. Local and remote Authentication
     - Local AAA is performed by the Fabric Interconnect.
     - The local user database is limited to 40 users (39 plus the admin user).
     - For additional scalability and security options, UCS Manager supports the LDAP and Active Directory, RADIUS and TACACS protocols.
     - When a remote authentication method is enabled, the local username database is no longer used.
     - UCS falls back to the local database only if all remote authentication servers are unresponsive.
  15. Configuration example TACACS+
     - Create TACACS+ providers: go to Admin tab -> User Management -> right click on TACACS+.
  16. Configuration example TACACS+
     - Create a TACACS+ provider group.
  17. LDAP
     - Create an LDAP provider: go to Admin tab -> User Management -> right click on LDAP.
  18. LDAP
  19. LDAP
     - Create an LDAP provider group.
  20. LDAP
     - UCS Manager supports the ability to map AD groups to user roles within UCS Manager.
     - This allows the UCS domain admin to assign UCS roles to AD user groups.
     - Allows authenticating against multiple Active Directory domains.
     - UCS Manager supports all authentication methods simultaneously; the user has to select their authentication domain during login.
  21. LDAP
     - Create LDAP group maps, which map groups created on the AD server to roles and locales within UCS Manager.
  22. LDAP
  23. LDAP
     - Finally, create an Authentication Domain.
  24. UCS Backup and restore
     - Full State backups
       - Performs a complete binary dump of the database; stored as a .tar.gz file.
       - Contains all configuration, runtime state and status.
       - Restored only through a complete configuration wipe and reboot.
       - Useful during UCS Manager upgrades; out of date after associations have changed.
       - Cannot be modified selectively.
     - Configuration backups
       - All configuration: union of config-logical and config-system.
       - Logical configuration: service profiles, templates, VLANs, VSANs, ORGs, locales etc.
       - System configuration: AAA config, RBAC, user database, UCSM configuration.
       - Stored as an XML file.
       - "Preserve identities" allows identities derived from pools to be preserved on restore.
       - Can be selectively modified inside the XML file.
  25. UCS Backup and restore
  26. UCS Backup operation
  27. UCS restore operation
     1. All, System, and Logical can be restored “on the fly”.
     2. Full State must be imported at initial setup only.
     3. Other options:
  28. Restoring Full State Backup at Startup