FastIron Configuration Guide 161
53-1002494-02
RADIUS security
You can select only one primary authentication method for each type of access to a device (CLI
through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as
the primary authentication method for Telnet CLI access, but you cannot also select TACACS+
authentication as the primary method for the same type of access. However, you can configure
backup authentication methods for each access type.
Configuring RADIUS
Follow the procedure given below to configure a Brocade device for RADIUS.
1. Configure Brocade vendor-specific attributes on the RADIUS server. Refer to “Brocade-specific attributes on the RADIUS server” on page 161.
2. Identify the RADIUS server to the Brocade device. Refer to “Identifying the RADIUS server to the Brocade device” on page 163.
3. Optionally specify different servers for individual AAA functions. Refer to “Specifying different servers for individual AAA functions” on page 163.
4. Optionally configure the RADIUS server as a “port only” server. Refer to “RADIUS server per port” on page 164.
5. Optionally bind the RADIUS servers to ports on the Brocade device. Refer to “RADIUS server to individual ports mapping” on page 165.
6. Set RADIUS parameters. Refer to “RADIUS parameters” on page 166.
7. Configure authentication-method lists. Refer to “Setting authentication-method lists for RADIUS” on page 167.
8. Optionally configure RADIUS authorization. Refer to “RADIUS authorization” on page 169.
9. Optionally configure RADIUS accounting. Refer to “RADIUS accounting” on page 171.
Brocade-specific attributes on the RADIUS server
NOTE
For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login
authentication.
During the RADIUS authentication process, if a user supplies a valid username and password, the
RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user.
Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:
The privilege level of the user
A list of commands
Whether the user is allowed or denied usage of the commands in the list
You must add these three Brocade vendor-specific attributes to your RADIUS server configuration,
and configure the attributes in the individual or group profiles of the users that will access the
Brocade device.
Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade
vendor-specific attributes.
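The following Python is an added example, not code from the guide or from Brocade: it shows how the three Brocade vendor-specific attributes travel inside a RADIUS Access-Accept, using the RFC 2865 Vendor-Specific attribute format (attribute type 26, a 4-byte Vendor-Id, then vendor-type, vendor-length and value). Vendor-Id 1991 and vendor-type 1 for the privilege level come from the text above; vendor-types 2 and 3 for the command list and the allow/deny flag are an assumption taken from the FreeRADIUS Foundry dictionary, and the meaning of particular flag and privilege values is not stated on this page, so the sample values below are constructed and carry no semantics. The parser checks every length field before use, which is what a device should do with attributes it receives from a server.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type for Vendor-Specific
BROCADE_VENDOR_ID = 1991      # Vendor-Id stated in the guide

# Vendor-type 1 is the privilege-level attribute named in the guide.
# Types 2 and 3 are an assumption (FreeRADIUS dictionary.foundry), not
# something this page states.
VSA_PRIVILEGE_LEVEL = 1
VSA_COMMAND_STRING = 2
VSA_COMMAND_EXCEPTION_FLAG = 3


def encode_vsa(vendor_type, value):
    """Build one Vendor-Specific attribute carrying a single Brocade
    sub-attribute. Integers are 4-byte big-endian, strings UTF-8, matching
    the RFC 2865 integer and string attribute types."""
    data = struct.pack(">I", value) if isinstance(value, int) else value.encode("utf-8")
    sub = struct.pack(">BB", vendor_type, 2 + len(data)) + data
    body = struct.pack(">I", BROCADE_VENDOR_ID) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS attribute limit")
    return struct.pack(">BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_brocade_attributes(privilege_level, commands, exception_flag):
    """Concatenate the three VSAs the guide says an Access-Accept carries."""
    return (encode_vsa(VSA_PRIVILEGE_LEVEL, privilege_level)
            + encode_vsa(VSA_COMMAND_STRING, commands)
            + encode_vsa(VSA_COMMAND_EXCEPTION_FLAG, exception_flag))


def parse_attributes(blob):
    """Walk a RADIUS attribute list and return the Brocade VSAs keyed by
    vendor-type. Every length is validated first, so a truncated or
    malformed attribute raises ValueError instead of reading past the buffer."""
    found = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        value = blob[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != RADIUS_VENDOR_SPECIFIC:
            continue  # standard attributes (e.g. Class) are not handled here
        if len(value) < 6:
            raise ValueError("VSA too short for Vendor-Id plus a sub-attribute")
        if struct.unpack(">I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue  # another vendor's VSA; not ours to interpret
        sub, spos = value[4:], 0
        while spos < len(sub):  # RFC 2865 permits several sub-attributes
            if len(sub) - spos < 2:
                raise ValueError("truncated sub-attribute header")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("bad sub-attribute length")
            vdata = sub[spos + 2:spos + vlen]
            spos += vlen
            if vtype in (VSA_PRIVILEGE_LEVEL, VSA_COMMAND_EXCEPTION_FLAG):
                if len(vdata) != 4:
                    raise ValueError("integer VSA must be exactly 4 bytes")
                found[vtype] = struct.unpack(">I", vdata)[0]
            elif vtype == VSA_COMMAND_STRING:
                found[vtype] = vdata.decode("utf-8")
    return found


if __name__ == "__main__":
    # Constructed sample values; their meaning is defined by the guide's table.
    blob = build_brocade_attributes(5, "show version;show interfaces", 0)
    print(parse_attributes(blob))
```

Running the module prints the three decoded attributes; feeding `parse_attributes` a blob with its last byte cut off raises ValueError, which is the behaviour a device-side parser should have for a malformed Access-Accept.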