Managing User Access and Security Policies

This chapter describes the user access control and authentication mechanisms available in the BMC web interface. It provides configuration options for local user accounts, role-based permissions, directory-based authentication (LDAP and Active Directory), and external authentication services such as RADIUS and TACACS+. Administrators can also manage certificates, define security requirements, and control network-based access to ensure the BMC operates in a secure and compliant environment.

Managing Current Users

The Current Users page displays all active sessions currently connected to the BMC. This view helps administrators monitor who is accessing the system and identify unauthorized or suspicious activity in real time.

Viewing Active Sessions

For each active session, the following information is displayed:

  • Username — The account name currently logged in.

  • Type — The access protocol used to connect (e.g., Web (HTTPS), SSH, IPMI).

  • IP Address — The source IP address of the client initiating the session.

This information allows administrators to perform basic security auditing and ensure that only approved users are logged in.

Disconnecting a Session

Administrators can manually disconnect any active session if necessary—for example, when responding to suspicious activity or enforcing access policies. To disconnect a session:

  1. Locate the target session in the list.

  2. Click Disconnect next to the corresponding entry.

  3. The BMC immediately terminates the session. The user must log in again to regain access.


Configuring LDAP and AD Authentication

The BMC supports centralized authentication through LDAP and Active Directory (AD). These directory services allow administrators to manage user identities, enforce access policies, and assign privileges based on group membership rather than relying solely on local user accounts.

LDAP Authentication

The LDAP page allows administrators to configure Lightweight Directory Access Protocol (LDAP) settings and define role groups used for centralized authentication.

LDAP Settings

  • Enable: Activates LDAP-based authentication.

  • Secure LDAP using SSL: Enables encrypted LDAP communication (LDAPS). This option requires uploading both a CA certificate and an LDAP certificate.

  • Service Type: Select the LDAP service in use:

    • OpenLDAP

    • Active Directory

  • Server: Selects the LDAP authentication server from the available server list.

  • Server URI: Specifies the connection URI in one of the following formats:

    • ldap://

    • ldaps://

  • Bind DN: The distinguished name (DN) used by the BMC to authenticate (bind) to the LDAP server.

  • Bind Password: Password associated with the Bind DN.

  • Base DN: Defines the root DN used as the starting point for LDAP user and group searches.

  • User ID Attribute (optional): Identifies the LDAP attribute that stores the username value.

  • Group ID Attribute (optional): Identifies the attribute containing the group name.

  • Manage SSL Certificates: Opens the certificate management interface for uploading or managing CA and LDAP certificates.

Role Groups (LDAP)

The Role Groups section allows administrators to map LDAP groups to BMC privilege levels. Each role group consists of:

  • Group Name: The name of the LDAP group.

  • Group Privilege: The BMC access privilege assigned to members of the group (e.g., Administrator, Operator, User).

Administrators can add new role groups by clicking Add role group, allowing flexible mapping between the LDAP directory structure and BMC access controls.
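The following Python example, added here and not part of the vendor's firmware or documentation, shows how a role-group table like the one above turns directory group membership into a BMC privilege. The directory contents, the role-group entries and the rule that the highest privilege wins when a user belongs to several mapped groups are all assumptions; verify the tie-breaking behaviour on your own unit. A user who matches no role group is given no privilege at all, which is the result an administrator should expect and test for.

```python
"""Resolve a BMC privilege from LDAP group membership via role-group mappings.

Added example, not vendor code. A constructed dict stands in for an LDAP
group search under the Base DN, and "highest mapped privilege wins" is an
assumption about how overlapping role groups are resolved.
"""

from dataclasses import dataclass

# Ordered from least to most privileged, using the privilege names on the page.
PRIVILEGE_RANK = {"User": 1, "Operator": 2, "Administrator": 3}


@dataclass(frozen=True)
class RoleGroup:
    group_name: str        # Group Name field on the LDAP page
    group_privilege: str   # Group Privilege field on the LDAP page


# Constructed role-group table as an administrator would enter it.
ROLE_GROUPS = [
    RoleGroup("bmc-admins", "Administrator"),
    RoleGroup("bmc-operators", "Operator"),
    RoleGroup("bmc-readonly", "User"),
]

# Constructed stand-in for the directory: User ID Attribute value -> set of
# Group ID Attribute values the user is a member of.
DIRECTORY = {
    "alice": {"bmc-admins", "staff"},
    "bob": {"bmc-operators", "bmc-readonly"},
    "carol": {"staff"},
}


def resolve_privilege(username, directory=DIRECTORY, role_groups=ROLE_GROUPS):
    """Return the BMC privilege for username, or None if no role group matches.

    None means the login must be refused: a valid directory account with no
    mapped group gets no BMC access at all.
    """
    memberships = directory.get(username, set())
    matched = [rg.group_privilege for rg in role_groups if rg.group_name in memberships]
    if not matched:
        return None
    # Assumption: when several role groups match, the highest privilege wins.
    return max(matched, key=lambda p: PRIVILEGE_RANK[p])


def validate_role_groups(role_groups=ROLE_GROUPS):
    """Return a list of configuration problems (empty when the table is sane)."""
    problems = []
    seen = set()
    for rg in role_groups:
        if rg.group_privilege not in PRIVILEGE_RANK:
            problems.append(f"{rg.group_name}: unknown privilege {rg.group_privilege!r}")
        if rg.group_name in seen:
            problems.append(f"{rg.group_name}: mapped more than once")
        seen.add(rg.group_name)
    return problems


if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "nobody"):
        print(user, "->", resolve_privilege(user))
    print("table problems:", validate_role_groups())
```

Running the script against the constructed data grants alice Administrator, bob Operator (his read-only membership does not lower the result under the assumed rule) and refuses carol, who exists in the directory but belongs to no mapped group.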

Active Directory

The Active Directory page allows integration of BMC with an existing AD environment to support centralized authentication and privilege assignment based on domain group membership.

Overview

  • A hyperlink labeled here is provided to navigate directly to the Active Directory server configuration page.

  • The page displays a list of role group slots, each representing a mapping between an AD group and a corresponding privilege level within the BMC.

Role Group Table Fields

  • Role Group ID: A unique identifier for each AD role group (1–5).

  • Group Name: The name of the AD group associated with this role group.

  • Group Domain: The domain in which the AD group resides.

  • Network Privilege: Defines the access privileges assigned to this role group (default value shown as Reserved).

Actions

Each role group entry supports the following actions:

  • Edit (pencil icon): Modify the group name, group domain, and privilege settings.

  • Delete (trash icon): Remove the role group mapping.

Administrators can define up to five AD role groups, enabling fine-grained control over BMC access rights through centralized domain group membership.

Setting RADIUS and TACACS+

The BMC supports authentication through RADIUS and TACACS+, enabling centralized account management and improved security. These services allow login credentials to be validated by external AAA servers rather than local BMC user accounts.

RADIUS Authentication

The RADIUS page allows administrators to configure Remote Authentication Dial-In User Service (RADIUS) settings for centralized authentication of BMC logins.

Overview

When RADIUS authentication is enabled, the BMC validates user login attempts through the configured RADIUS server. This integration improves security by enforcing centralized credential policies and eliminating the need for separate BMC-specific passwords.

RADIUS Settings

  • Enable RADIUS: Toggles RADIUS authentication on or off.

  • Port: Specifies the port used for RADIUS communication (default: 1812).

  • IPv4 Address / IPv6 Address: Defines the address of the RADIUS authentication server.

  • Secret: Shared secret used for secure communication between the BMC and the RADIUS server.

  • Authorizing Account: The username authorized to access the RADIUS server.

  • Authorizing Password: Password for the authorizing account.

  • Vendor-Specific Attributes (Optional): Used for defining role-based access or custom authentication behavior. Available fields are Admin Vendor Specific, Operator Vendor Specific, User Vendor Specific, and Callback Vendor Specific.

Actions

  • Save Settings: Applies and saves the configured RADIUS parameters.

  • Clear: Resets all RADIUS fields to their default or empty values.
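To make the role of the Secret field concrete, here is an added Python example (not vendor code) of the User-Password hiding that RFC 2865 specifies for a RADIUS Access-Request: the client, here the BMC, XORs the password with MD5 digests keyed on the shared secret and the 16-byte Request Authenticator, and the server undoes the same transform. The secret, authenticator and password below are constructed test values.

```python
"""RFC 2865 User-Password hiding with the RADIUS shared secret.

Added example, not vendor code. It shows what the Secret configured on the
RADIUS page protects: without the same secret, the server cannot recover the
password from the Access-Request. All values used below are constructed.
"""

import hashlib


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a password as the RADIUS client does in an Access-Request.

    The password is NUL-padded to a multiple of 16 bytes; block i is XORed
    with MD5(secret + c[i-1]), where c[0] is the Request Authenticator.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = padded[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(block, b))
        out += c
        prev = c   # chaining: the next block is keyed on this ciphertext block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse transform as performed by the RADIUS server holding the same secret.

    Trailing NUL padding is stripped, so a password ending in NUL bytes is not
    representable (the same limitation exists in the RFC scheme).
    """
    if not hidden or len(hidden) % 16 != 0:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        c = hidden[i:i + 16]
        b = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(c, b))
        prev = c
    return bytes(out).rstrip(b"\x00")


if __name__ == "__main__":
    secret = b"constructed-shared-secret"       # constructed, not a real secret
    authenticator = bytes(range(16))            # constructed; real clients use random bytes
    hidden = hide_password(b"correct horse battery staple", secret, authenticator)
    print("hidden:", hidden.hex())
    print("server recovers:", reveal_password(hidden, secret, authenticator))
    print("wrong secret gives:", reveal_password(hidden, b"wrong", authenticator))
```

The transform is only as strong as the shared secret, which is why the Secret field should be long and random and the path between the BMC and the RADIUS server kept on a management network; a short or reused secret undermines every login that crosses it.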

TACACS+ Authentication

The TACACS+ page provides configuration for Terminal Access Controller Access-Control System Plus, enabling centralized Authentication, Authorization, and Accounting (AAA) for BMC logins.

Overview

When TACACS+ is enabled, the BMC delegates user authentication to an external TACACS+ server. This centralization simplifies account management and strengthens security by enforcing enterprise-wide credential policies.

TACACS+ Settings

  • Enable TACACS+: Toggles TACACS+ authentication on or off.

  • Port: Specifies the communication port used for TACACS+ (default: 49).

  • IP Address: The IPv4 address of the TACACS+ server.

  • Secret: Shared secret key used for secure communication with the TACACS+ server.

Actions

  • Save: Applies and saves the TACACS+ configuration.

Managing Local Users and Roles

The Users and Policies pages provide tools to manage local BMC accounts and define which remote management services are permitted. Together, these settings ensure secure, role-based access control while allowing administrators to limit or expand BMC capabilities based on organizational requirements.

Local User Management

The Users page allows administrators to view, add, edit, and delete BMC user accounts. This interface provides full control over account status, privileges, and protocol-specific permissions.

Displayed Information

For each configured user, the following fields are shown:

  • User ID: A unique numeric identifier assigned to the account.

  • User Name: The login name used for authentication.

  • Status: Indicates whether the account is currently Enabled or Disabled.

  • Privilege: The assigned user role (e.g., Administrator, Operator, User) that determines access level.

  • SNMPv3 Access: Shows whether SNMPv3 access is Enabled or Disabled for this user.

  • IPMI Messaging: Indicates if the user is permitted to issue IPMI commands.

  • Email: Displays the email address associated with the account (if configured).

Available Actions

  • Add User: Create a new account by specifying:

    • Username

    • Password

    • Privilege level

    • Protocol access permissions (SNMPv3, IPMI messaging, etc.)

  • Edit: Modify an existing user’s credentials or permissions.

  • Delete: Remove the selected user account from the BMC.

These tools enable administrators to maintain strong access control and enforce user-specific privileges across the system.

Access Policies

The Policies page provides settings to enable or disable essential network-based management services. These controls allow administrators to balance accessibility with security by limiting which remote protocols are available for use.

Available Settings

  1. BMC Shell (via SSH)

    • Enables or disables remote shell access to the BMC through SSH on port 22.

    • When enabled, administrators may log in to manage the BMC using command-line tools.

    • Disabling SSH helps reduce potential attack surfaces by eliminating remote shell access.

  2. Network IPMI (Out-of-Band IPMI)

    • Enables or disables remote platform management using IPMI commands sent over the network.

    • Required for remote tools such as ipmitool to perform monitoring, chassis control, and sensor queries.

    • Disabling network IPMI blocks all IPMI communication over the network for improved security.

Each setting can be toggled independently, allowing organizations to tailor BMC remote access according to internal security policies.

Managing Certificates and Encryption

The BMC provides support for managing HTTPS certificates and enabling Kerberos-based authentication. These features ensure secure access to the BMC web interface by enforcing encrypted communication and centralized, ticket-based identity validation.

Certificate Management

The Certificate Management page allows administrators to manage the HTTPS certificates used by the BMC for secure web access. Maintaining valid certificates ensures encrypted browser communication and prevents security warnings.

Certificate List

The page displays all currently installed certificates along with key details:

  • Certificate Name: Identifies the certificate type (e.g., HTTPS Certificate).

  • Issued By: Shows the Certificate Authority (CA) or entity that issued the certificate.

  • Issued To: Displays the subject to whom the certificate was assigned.

  • Validity Period: Indicates the certificate’s active range, including Valid From and Valid Until dates.

Certificate Tools and Actions

  • Generate CSR: Creates a Certificate Signing Request (CSR) for submission to an external Certificate Authority to obtain a signed certificate.

  • Add New Certificate: Imports a new certificate file to replace or update the existing HTTPS certificate.

  • Certificate Actions: Icons next to each certificate allow the administrator to:

    • View certificate details

    • Renew or replace the certificate

    • Delete the certificate if required

Maintaining updated certificates is essential for secure HTTPS operations and avoiding browser trust errors.

Kerberos Authentication

The Kerberos Authentication page allows administrators to configure Kerberos-based authentication for BMC access. Kerberos provides secure, ticket-based login without transmitting passwords across the network.

Key Configuration Options

  • Enable Kerberos Authorization: Toggles Kerberos authentication on or off.

  • Kerberos Realm: Specifies the Kerberos administrative domain (e.g., EXAMPLE.COM).

  • Kerberos KDC Server Domain / IPv4 / IPv6: Defines the address of the Key Distribution Center (KDC), the server responsible for issuing Kerberos tickets.

  • Kerberos KDC Server Port: Sets the communication port for KDC access (default: 88).

  • Keytab File: Uploads a keytab file containing encrypted credentials that allow the BMC to authenticate to the KDC without requiring a password.

Operational Notes

  • A functioning Kerberos environment must be pre-configured within the organization.

  • The keytab file must correspond to the correct realm and KDC server settings.

  • Changes take effect after saving the configuration; a re-login may be required.

Configuring Security Settings and IP Access Control

The BMC provides a set of security controls that allow administrators to enforce encryption standards, restrict login behavior, control network service ports, and limit system access based on IP or MAC address. These features help protect the BMC from unauthorized access and strengthen overall platform security.

Security Settings

The Security Settings page defines policies for HTTPS encryption, login security rules, and optional network services.

Key Configuration Options

  • SSL Cipher Policy Control Mode: Selects the overall enforcement level for SSL/TLS cipher usage (e.g., Advanced for stricter encryption and stronger security).

  • SSL Cipher Mode: Defines the specific SSL/TLS cipher suite used during HTTPS communication.

IP Blocking Settings

These controls help mitigate brute-force login attempts.

  • IP Blocking: Enables or disables automatic IP address blocking after repeated failed logins.

  • Failed Login Attempts: Maximum allowed consecutive failed login attempts before an IP is blocked.

  • Failed Login Attempts Interval Time (sec): Time window (in seconds) in which failed attempts are counted.

  • Remote Client Lockout Time (sec): Duration (in seconds) that a blocked client remains locked out.
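The interaction between the three thresholds is easier to reason about with a model in hand, so here is an added Python example (not firmware code) that replays constructed login events through a blocker parameterised with the same three settings: attempts, interval and lockout time. The sliding-window counting, the reset on a successful login and the exact boundary behaviour are assumptions about the BMC's implementation; the point is to see which events a given policy would have blocked before committing the values on a production unit.

```python
"""Model of the IP Blocking policy: N failed logins from one source within an
interval lock that source out for the lockout time.

Added example, not firmware code. Parameter names follow the fields on the
Security Settings page; the log lines are constructed, and the sliding-window
semantics are an assumption about the real implementation.
"""

from collections import defaultdict, deque


class IpBlocker:
    def __init__(self, failed_attempts=5, interval_sec=60, lockout_sec=300):
        self.failed_attempts = failed_attempts   # Failed Login Attempts
        self.interval_sec = interval_sec         # Failed Login Attempts Interval Time (sec)
        self.lockout_sec = lockout_sec           # Remote Client Lockout Time (sec)
        self._failures = defaultdict(deque)      # ip -> timestamps of recent failures
        self._locked_until = {}                  # ip -> time at which the lockout expires

    def is_blocked(self, ip, now):
        """True while a lockout is in force; expired lockouts are cleared lazily."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now < until:
            return True
        del self._locked_until[ip]
        self._failures[ip].clear()
        return False

    def record(self, ip, success, now):
        """Process one login outcome; return True if the client is (now) blocked."""
        if self.is_blocked(ip, now):
            return True            # even a correct password is refused during lockout
        if success:
            self._failures[ip].clear()   # assumption: success resets the counter
            return False
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.interval_sec:
            q.popleft()            # drop failures older than the interval
        if len(q) >= self.failed_attempts:
            self._locked_until[ip] = now + self.lockout_sec
            return True
        return False


# Constructed log lines: "<epoch seconds> <source ip> <ok|fail>".
SAMPLE_LOG = """\
1000 203.0.113.7 fail
1005 203.0.113.7 fail
1010 203.0.113.7 fail
1015 198.51.100.3 fail
1020 203.0.113.7 fail
1030 203.0.113.7 fail
1040 203.0.113.7 ok
1250 198.51.100.3 ok
1300 203.0.113.7 ok
1400 203.0.113.7 ok
"""


def replay(log=SAMPLE_LOG, **policy):
    """Return the (timestamp, ip) events that the policy would have refused."""
    blocker = IpBlocker(**policy)
    refused = []
    for line in log.splitlines():
        ts, ip, outcome = line.split()
        if blocker.record(ip, outcome == "ok", int(ts)):
            refused.append((int(ts), ip))
    return refused


if __name__ == "__main__":
    print("defaults:", replay())
    print("10 s window:", replay(interval_sec=10))
```

With the constructed log and defaults of 5 attempts in 60 seconds, the fifth failure from 203.0.113.7 at t=1030 triggers a 300-second lockout, so the legitimate logins at t=1040 and t=1300 are refused too, while the one at t=1400 succeeds; a 10-second window never accumulates five failures and blocks nothing. That trade-off, protection against guessing versus locking out the real administrator after a few typos, is what the three fields tune.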

Port Settings

  • HTTPS (Secure) Port: Defines the HTTPS port used for secure access to the BMC (default: 443).

Optional Network Services

  • IPMI over LAN: Enables or disables IPMI remote management over the network. Disabling this helps reduce the surface area for network-based IPMI access.

Operation Notes

  • Using Advanced SSL mode is recommended for maximum encryption strength.

  • Lowering failed-attempt thresholds improves protection against password-guessing attacks.

  • Changing the HTTPS port may require firewall updates and client configuration changes.

IP Access Control

The IP Access Control page provides rule-based access filtering, allowing administrators to explicitly permit or deny access to the BMC based on IP address, MAC address, or network port.

Key Features

  • Enable IP Access Control: Activates access filtering for IPv4, IPv6, or both. Only traffic matching the allow rules will be permitted.

  • Rule Configuration: Each rule specifies a Rule Type, one of:

    • IP Address/Mask: Targets a specific host or subnet.

    • IP Range: Allows or denies traffic across a defined IP range.

    • MAC Address: Restricts access based on hardware MAC address.

    • Port: Limits access to specific service ports.

  • Policy: Defines whether the rule Allows or Denies the specified traffic.

  • Dual-Stack Support: Separate rule sets are available for IPv4 and IPv6 configurations.

Operation Notes

  • When IP Access Control is enabled, only traffic matching an allow rule is permitted; all other traffic is rejected.

  • Incorrect rules may block all administrative access—apply changes carefully.

  • Rules are evaluated sequentially; the first matching rule is applied.
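Because a mistaken rule set locks out the administrator writing it, it is worth checking a table offline before applying it. The Python example below is added here and is not firmware code: it evaluates rules of the four types on the page in order, returns the first match, and rejects anything that matches no allow rule, then uses that to ask whether the administrator's own session would survive the change. The rule table, packets and the colon-separated MAC format are constructed assumptions.

```python
"""Offline evaluation of IP Access Control rules: first match wins, and with
filtering enabled anything that matches no allow rule is rejected.

Added example, not firmware code. Rule types mirror the page (IP Address/Mask,
IP Range, MAC Address, Port); the rule table and packets are constructed, and
the MAC comparison assumes colon-separated hex.
"""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    rule_type: str   # "ip_mask" | "ip_range" | "mac" | "port"
    value: str       # "10.0.1.0/24", "10.0.1.10-10.0.1.20", "aa:bb:cc:dd:ee:01" or "443"
    policy: str      # "allow" | "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_mac: str
    dst_port: int


def _matches(rule, pkt):
    ip = ipaddress.ip_address(pkt.src_ip)
    if rule.rule_type == "ip_mask":
        net = ipaddress.ip_network(rule.value, strict=False)
        return ip.version == net.version and ip in net
    if rule.rule_type == "ip_range":
        lo, hi = (ipaddress.ip_address(x.strip()) for x in rule.value.split("-"))
        # Version check first: comparing v4 and v6 addresses would raise.
        return ip.version == lo.version and lo <= ip <= hi
    if rule.rule_type == "mac":
        return pkt.src_mac.lower() == rule.value.lower()
    if rule.rule_type == "port":
        return pkt.dst_port == int(rule.value)
    raise ValueError(f"unknown rule type {rule.rule_type!r}")


def evaluate(rules, pkt, enabled=True):
    """Return 'allow' or 'deny' for a packet under the given rule table."""
    if not enabled:
        return "allow"           # filtering off: everything reaches the BMC
    for rule in rules:           # sequential evaluation, first match applies
        if _matches(rule, pkt):
            return rule.policy
    return "deny"                # nothing matched an allow rule


def lockout_risk(rules, admin_pkt):
    """True if the administrator's own traffic would be denied by this table."""
    return evaluate(rules, admin_pkt) == "deny"


# Constructed rule table: quarantined hosts denied first, then the management
# subnet, then HTTPS from anywhere.
RULES = [
    Rule("ip_range", "10.0.1.10-10.0.1.20", "deny"),
    Rule("ip_mask", "10.0.1.0/24", "allow"),
    Rule("port", "443", "allow"),
]


if __name__ == "__main__":
    me = Packet("192.0.2.9", "aa:bb:cc:dd:ee:01", 22)   # constructed admin SSH session
    print("admin SSH from 192.0.2.9:", evaluate(RULES, me))
    print("lockout risk:", lockout_risk(RULES, me))
```

In the constructed table the deny range is listed before the subnet allow, so a quarantined host in 10.0.1.10-20 is refused even on port 443; swapping those two rules would silently re-admit it, which is the ordering mistake the "first matching rule" note warns about. The lockout check shows that an administrator connecting over SSH from outside the management subnet would be cut off by this table, since only port 443 is allowed from elsewhere.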
