Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Switch configuration
By default, the remote authentication services are disabled, so AAA services default to the switch's local database.
To enable remote authentication, it is strongly recommended that you access the CLI through an SSH connection so that the shared secret is protected. Multiple login sessions can change the configuration at the same time; the last session to apply a change is the one whose configuration remains in effect. After a configuration is applied, it persists across a reboot or an HA failover.
To enable the secure LDAP service, you must install a certificate from the Microsoft Active Directory server or the OpenLDAP server. By default, the LDAP service does not require certificates.
The configuration applies to all switches. On a Backbone, the configuration replicates itself on a standby CP blade if one is present. It is saved in a configuration upload and applied in a configuration download.
Brocade recommends configuring at least two authentication servers, so that if one fails, the other takes over. Up to five servers are supported.
You can configure any one of the supported remote authentication services together with local authentication, so that if the authentication servers do not respond (for example, because of a power failure or a network problem), the switch falls back to local authentication.
Consider the effects of a remote authentication service on other Fabric OS features. For example, when a remote authentication service is enabled, all account passwords must be managed on the authentication server. The Fabric OS mechanisms for changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to the authentication server, nor do they affect any account on the authentication server. Authentication servers also support notifying users of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and without RADIUS, LDAP, and TACACS+ support, the way a switch authenticates users depends on whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. A switch that supports remote authentication and has it configured bypasses the local password database. A switch without remote authentication support or configuration uses its local account names and passwords.
Supported LDAP options
The following table summarizes the various LDAP options and Brocade support for each.
TABLE 23  LDAP options

Protocol | Description | Channel type | Default port | URL | Brocade supported?
LDAPv3 | LDAP over TCP | Unsecured | 389 | ldap:// | No
LDAPv3 with TLS extension | LDAPv3 over TLS | Secured | 389 | ldap:// | Yes
LDAPv3 with TLS and Certificate | LDAPv3 over TLS channel and authenticated using a certificate | Secured | 389 | ldap:// | Yes
LDAPv2 with SSL (5) | LDAPv2 over SSL. Port 636 is used for SSL. Port 389 is for connecting to LDAP. | Secured | 636 and 389 | ldaps:// | No

(5) This protocol was deprecated in 2003 when LDAPv3 was standardized.
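As an added example that is not part of this guide, the following pre-flight check encodes the constraints from this section and Table 23 (shared secret entered over SSH, two to five servers, local fallback kept, and only LDAPv3 over TLS on port 389 with the server certificate installed) so a planned setup can be reviewed before it is applied; the dataclass field names and sample hostnames are assumptions of the example, not aaaConfig parameters.

```python
"""Pre-flight lint for a Fabric OS remote-authentication (AAA) plan.
Encodes this page's guidance: enter the shared secret over SSH, use two
to five servers, keep local authentication as fallback, and use only the
LDAP channel Brocade supports (Table 23).  Constructed example, not Brocade code."""
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class LdapServer:
    host: str
    version: int = 3                 # 2 or 3
    scheme: str = "ldap"             # URL prefix from Table 23: ldap / ldaps
    port: int = 389
    tls: bool = True                 # TLS negotiated on the channel
    ca_cert_installed: bool = True   # AD / OpenLDAP certificate on the switch

@dataclass
class AaaPlan:
    servers: List[LdapServer]
    local_fallback: bool = True      # local auth kept behind the remote service
    via_ssh: bool = True             # CLI session that carries the shared secret

def lint_plan(plan: AaaPlan) -> List[Tuple[str, str]]:
    """Return (severity, message) findings; empty means the plan follows the guidance."""
    out: List[Tuple[str, str]] = []
    if not plan.via_ssh:
        out.append(("high", "configure over SSH so the shared secret is protected"))
    n = len(plan.servers)
    if n < 2:
        out.append(("medium", "fewer than two servers: no failover if one fails"))
    elif n > 5:
        out.append(("high", f"{n} servers configured; at most five are supported"))
    if not plan.local_fallback:
        out.append(("high", "no local fallback: a server outage locks administrators out"))
    for s in plan.servers:
        if s.version == 2 or s.scheme == "ldaps" or s.port == 636:
            out.append(("high", f"{s.host}: LDAPv2 over SSL (ldaps://, 636) is deprecated, unsupported"))
        elif not s.tls:
            out.append(("high", f"{s.host}: LDAP over TCP without TLS is unsecured, unsupported"))
        elif not s.ca_cert_installed:
            out.append(("high", f"{s.host}: secure LDAP needs the server's certificate installed"))
        elif s.port != 389:
            out.append(("low", f"{s.host}: port {s.port} differs from the default 389"))
    return out

# Constructed samples: a weak plan beside its corrected form.
WEAK_PLAN = AaaPlan([LdapServer("dc1.example.test", version=2, scheme="ldaps", port=636)],
                    local_fallback=False, via_ssh=False)
GOOD_PLAN = AaaPlan([LdapServer("dc1.example.test"), LdapServer("dc2.example.test")])
```

Running `lint_plan(WEAK_PLAN)` reports the unprotected session, the single server, the missing local fallback and the deprecated LDAPv2 channel, while `lint_plan(GOOD_PLAN)` returns no findings.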
Fabric OS Administrators Guide 149
53-1003130-01