Fabric OS Administrator's Guide v7.0.0 (53-1002148-02, June 2011)

ManualsBrandsHP ManualsSoftwareHP StorageWorks ISL quick loop

141

142

143

144

145

146

147

148

149

150

108 Fabric OS Administrator’s Guide

53-1002148-02

The authentication model using RADIUS and LDAP

Configuring RADIUS service on Windows 2000 consists of the following steps:

1. Installing internet authentication service (IAS)

For more information and instructions on installing IAS, refer to the Microsoft website.

2. Enabling the Challenge Handshake Authentication Protocol (CHAP)

If CHAP authentication is required, then Windows must be configured to store passwords with

reversible encryption. Reverse password encryption is not the default behavior; it must be

enabled.

NOTE

If a user is configured prior to enabling reverse password encryption, then the user’s password

is stored and cannot utilize CHAP. To use CHAP, the password must be re-entered after

encryption is enabled. If the password is not re-entered, then CHAP authentication will not work

and the user will be unable to authenticate from the switch.

Alternatives to using CHAP are Password Authentication Protocol (PAP), or PEAP-MS-CHAP-v2.

3. Configuring a user

IAS is the Microsoft implementation of a RADIUS server and proxy

. IAS uses the Windows

native user database to verify user login credentials; it does not list specific users, but instead

lists user groups. Each user group should be associated with specific switch role. For example,

you should configure a user group for root, admin, factory, switchAdmin, and user, and then

add any users whose logins you want to associate to the appropriate group.

4. Configuring the server

For more information and instructions on configuring the server, refer to the Microsoft website.

Below is the information you will need to configure the RADIUS server for a Brocade switch. A

client is the device that uses the RADIUS server; in this case, it is the switch.

a. For the Add RADIUS Client window, provide the following:

Client address (IP or DNS)—Enter the IP address of the switch.

Client-Vendor—Select RADIUS Standard.

Shared secret—Provide a password. Shared secret is a password used between the client

device and server to prevent IP address spoofing by unwanted clients. Keep your shared

secret password in a safe place. You will need to enter this password in the switch

configuration.

After clicking Finish, add a new client for all switches on which RADIUS authentication will

be used.

b. In the Internet Authentication Service window, right-click the Remote Access Policies

folder; then select New Remote Access Policy from the pop-up window.

A remote access policy must be created for each group of Brocade login permissions

(Root, Admin, Factory, SwitchAdmin, and User) for which you want to use RADIUS. Apply

this policy to the user groups that you already created.

c. In the Vendor-Specific Attribute Information window, enter the vendor code value 1588.

Click the Yes. It conforms radio button and then click Configure Attribute.