
3-10 Fabric OS Administrator’s Guide
Publication Number: 53-0000518-09
Setting Up RADIUS AAA Service
To enable RADIUS service, it is strongly recommended that you access the CLI through an SSH
connection so that the shared secret is protected. Multiple login sessions can configure simultaneously,
and the last session to apply a change leaves its configuration in effect. After a configuration is applied,
it persists after a reboot or an HA failover.
The configuration is chassis-based, so it applies to all logical switches (domains) on the switch and
replicates itself on a standby CP blade, if one is present. It is saved in a configuration upload and
applied in a configuration download.
You should configure at least two RADIUS servers so that if one fails, the other will assume service.
You can set the configuration with both RADIUS service and local authentication enabled so that if all
RADIUS servers do not respond (because of power failure or network problems), the switch uses
local authentication.
Consider the following effects of the use of RADIUS service on other Fabric OS features:
- When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the RADIUS server, nor do they affect any account on the RADIUS server.
- When RADIUS is set up for a fabric that contains a mix of switches with and without RADIUS support, the way a switch authenticates users depends on whether or not a RADIUS server is set up for that switch. For a switch with RADIUS support and configuration, authentication bypasses the local password database. For a switch without RADIUS support or configuration, authentication uses the switch’s local account names and passwords.
- When Secure Fabric OS secure mode is enabled, the following behaviors apply:
  - Account passwords stored in the switch-local password database are distributed among all switches in the same fabric. RADIUS configuration is not affected.
  - There are separate admin and nonfcsadmin roles in secure mode. A nonfcsadmin account on a RADIUS server cannot access FCS switches, even if the account is properly authenticated.
  - If a nonfcsadmin account on a RADIUS server logs in to a switch in nonsecure mode, the switch grants the user admin role privileges.
- The following behaviors apply to Web Tools:
  - Web Tools client and server keep a session open after a user is authenticated. A password change on a switch invalidates an open session and requires the user to log in again. When integrated with RADIUS, a switch password change on the RADIUS server does not invalidate an existing open session, although a password change on the local switch does.
  - If you cannot log in because of a RADIUS server connection problem, Web Tools displays a message indicating server outage.
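The following Python model, added here and not taken from the guide or from Fabric OS itself, captures the authentication order described above: RADIUS servers are tried in turn, a switch with RADIUS configured bypasses the local password database, and the local database is consulted only when every server fails to respond and local authentication is enabled. The `radius` callback and the `make_radius` stand-in are constructed for the example; the real Access-Request exchange is not shown on this page.

```python
"""Model of the Fabric OS AAA decision (illustrative, not Fabric OS code):
RADIUS servers are tried in order; a definite Accept or Reject from any server
is final, and the switch-local password database is consulted only when *every*
configured server fails to respond and local authentication is enabled."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List

class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    TIMEOUT = "timeout"   # no response from the server

@dataclass
class AAAConfig:
    radius_servers: List[str]   # tried in listed order; empty means no RADIUS configured
    local_auth_enabled: bool
    local_db: Dict[str, str] = field(default_factory=dict)  # user -> password (constructed)

def authenticate(cfg: AAAConfig, user: str, password: str,
                 radius: Callable[[str, str, str], Result]) -> str:
    """Return 'radius-accept', 'radius-reject', 'local-accept', 'local-reject'
    or 'no-service'. `radius(server, user, password)` stands in for the
    Access-Request/Access-Accept exchange (assumed transport, not from the guide)."""
    if cfg.radius_servers:
        for server in cfg.radius_servers:
            r = radius(server, user, password)
            if r is Result.ACCEPT:
                return "radius-accept"
            if r is Result.REJECT:
                return "radius-reject"   # a reject is final: no local fallback
            # TIMEOUT: try the next configured server
        if not cfg.local_auth_enabled:
            return "no-service"
    # No RADIUS configured, or every server silent with local auth enabled
    if cfg.local_db.get(user) == password:
        return "local-accept"
    return "local-reject"

def make_radius(state: Dict[str, Result], accounts: Dict[str, str]):
    """Constructed stand-in for the RADIUS servers: `state` maps a server name to
    TIMEOUT when it is unreachable; a reachable server answers from `accounts`."""
    def radius(server: str, user: str, password: str) -> Result:
        if state.get(server) is Result.TIMEOUT:
            return Result.TIMEOUT
        return Result.ACCEPT if accounts.get(user) == password else Result.REJECT
    return radius
```

The point the model makes visible is that a locally changed password only matters once all RADIUS servers are unreachable; while any server answers, the local database is ignored.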
Configuring the RADIUS Server
You must know the switch IP address or name to connect to switches. Use the ipAddrShow command
to display a switch IP address.
For SilkWorm directors (chassis-based systems), the switch IP addresses are aliases of the physical
Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in
such systems, make sure that the CP blade IP addresses are used. For accessing both the active and
standby CP blade, and for the purpose of HA failover, both of the CP blade IP addresses should be
included in the RADIUS server configuration.