Fabric OS Administrator's Guide, 53-1002920-02, page 169
Chapter 6: Remote authentication
Consider the effects of the use of a remote authentication service on other Fabric OS features. For
example, when a remote authentication service is enabled, all account passwords must be
managed on the authentication server. The Fabric OS mechanisms for changing switch passwords
remain functional; however, such changes affect only the involved switches locally. They do not
propagate to the authentication server, nor do they affect any account on the authentication server.
Authentication servers also support notifying users of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and
without RADIUS, LDAP, and TACACS+ support, the way a switch authenticates users depends on
whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. For a switch with remote
authentication support and configuration, authentication bypasses the local password database.
For a switch without remote authentication support or configuration, authentication uses the
switch’s local account names and passwords.
Supported LDAP options
Table 21 summarizes the various LDAP options and Brocade support for each.

TABLE 21  LDAP options

Protocol                         Description                                  Channel type  Default port  URL       Brocade supported?
LDAPv3                           LDAP over TCP                                Unsecured     389           ldap://   No
LDAPv3 with TLS extension        LDAPv3 over TLS                              Secured       389           ldap://   Yes
LDAPv3 with TLS and Certificate  LDAPv3 over TLS channel and authenticated    Secured       389           ldap://   Yes
                                 using a certificate
LDAPv2 with SSL (1)              LDAPv2 over SSL. Port 636 is used for SSL.   Secured       636 and 389   ldaps://  No
                                 Port 389 is for connecting to LDAP.

1. This protocol was deprecated in 2003 when LDAPv3 was standardized.

Command options
Table 22 outlines the aaaConfig command options used to set the authentication mode.

TABLE 22  Authentication configuration options

                                                                        Equivalent setting in
                                                                        Fabric OS v5.1.0 and earlier
aaaConfig options     Description                                       --radius   --switchdb (1)
--authspec “local”    Default setting. Authenticates management         Off        On
                      connections against the local database only.
                      If the password does not match or the user is
                      not defined, the login fails.
--authspec “radius”   Authenticates management connections against      On         Off
                      any RADIUS databases only. If the RADIUS service
                      is not available or the credentials do not match,
                      the login fails.
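The rules stated above (a switch-side password change never reaches the authentication server, a switch with remote authentication configured bypasses its local database, and the two aaaConfig modes in Table 22) as a small executable model. This is an added example, not Fabric OS code: the Switch and RadiusServer classes, the authenticate and passwd functions, and the credentials are constructed for illustration.

```python
# Added example (not Fabric OS code): a model of the authentication rules
# described on this page. Class and function names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class RadiusServer:
    """Remote authentication server; `users` is a constructed sample database."""
    users: dict
    available: bool = True


@dataclass
class Switch:
    """A fabric switch with its own local account database."""
    name: str
    authspec: str = "local"             # "local" or "radius" (Table 22)
    remote_auth_supported: bool = True  # False for switches without RADIUS/LDAP/TACACS+ support
    local_db: dict = field(default_factory=dict)


def passwd(switch: Switch, user: str, new_password: str) -> None:
    """Switch-side password change: affects only this switch's local database,
    never the authentication server (as the text above states)."""
    switch.local_db[user] = new_password


def authenticate(switch: Switch, server: RadiusServer, user: str, password: str):
    """Return (success, database_consulted) following the rules on this page."""
    remote_configured = switch.remote_auth_supported and switch.authspec == "radius"
    if not remote_configured:
        # No remote support or no remote configuration: local names/passwords only.
        return switch.local_db.get(user) == password, "local"
    # Remote authentication configured: the local password database is bypassed.
    if not server.available:
        return False, "radius"   # --authspec "radius": no fallback when the service is down
    return server.users.get(user) == password, "radius"


if __name__ == "__main__":
    server = RadiusServer(users={"admin": "server-pw"})  # constructed sample credentials
    sw = Switch("sw1", authspec="radius", local_db={"admin": "local-pw"})
    print(authenticate(sw, server, "admin", "local-pw"))   # (False, 'radius'): local DB bypassed
    passwd(sw, "admin", "changed-pw")                      # does not reach the server
    print(authenticate(sw, server, "admin", "server-pw"))  # (True, 'radius')
    server.available = False
    print(authenticate(sw, server, "admin", "server-pw"))  # (False, 'radius'): login fails
```

The last call illustrates the operational risk of "radius" mode: while the server is unreachable, management logins on that switch fail rather than falling back to the local database.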