Administrator Guide

Fabric OS Administrator’s Guide 171
53-1002920-02
Remote authentication
6
Setting the switch authentication mode
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command.
Fabric OS user accounts
RADIUS, LDAP, and TACACS+ servers allow you to set up user accounts by their true network-wide
identities rather than by the account names created on a Fabric OS switch. With each account
name, assign the appropriate switch access permissions. For LDAP servers, you can use the
ldapCfg --maprole ldap_role_name switch_role command to map LDAP server permissions.
RADIUS, LDAP, and TACACS+ support all the defined RBAC roles described in Table 17 on page 152.
Users must enter their assigned RADIUS, LDAP, or TACACS+ account name and password when
logging in to a switch that has been configured with remote authentication. After the remote
authentication (RADIUS, LDAP, or TACACS+) server authenticates a user, it responds with the
assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not carry a
VSA role assignment, the user is given the user role. If no Administrative Domain is assigned,
the user is placed in the default Admin Domain AD0.
You can set a user password expiration date and add a warning for RADIUS login and TACACS+
login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The
password warning specifies the number of days before password expiration at which the user is
notified of the upcoming expiration. You must specify either both attributes or neither. If you specify a
single attribute, or there is a syntax error in the attributes, the password expiration warning is not
issued. If your RADIUS server maintains its own password expiration attributes, you must set the
exact date twice to use this feature: once on your RADIUS server and once in the VSA. If the dates
do not match, RADIUS server authentication fails.
Table 23 describes the syntax used for assigning VSA-based account switch roles on a RADIUS
server.
TABLE 23 Syntax for VSA-based account roles

Item        Value          Description
Type        26             1 octet
Length      7 or higher    1 octet, calculated by the server
Vendor ID   1588           4 octets, Brocade SMI Private Enterprise Code
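The following is an added example, not code from the Fabric OS guide or from Brocade: it decodes a RADIUS attribute 26 against the Table 23 layout (type 26, length of 7 or higher, vendor ID 1588), rejecting a truncated or foreign VSA, and then applies the role and password-warning rules described above. The vendor sub-attribute type numbers (1 for the role, 6 for the expiry date, 7 for the warning period) and the encoding helper are assumptions for this example; take the real numbers from the Brocade dictionary supplied with your RADIUS server.

```python
import struct
from datetime import datetime, timezone

BROCADE_VENDOR_ID = 1588   # Table 23: Brocade SMI Private Enterprise Code
# Vendor sub-attribute type numbers are ASSUMED for this example; use the
# values from the Brocade RADIUS dictionary that ships with your server.
ROLE_TYPE, EXPIRY_TYPE, WARN_TYPE = 1, 6, 7

def parse_brocade_vsa(attr: bytes) -> dict:
    """Decode one RADIUS attribute 26 into {vendor_type: value_bytes}.
    Anything not matching Table 23 (type 26, length >= 7, vendor 1588) is
    rejected, so a malformed or foreign VSA never silently yields a role."""
    if len(attr) < 7 or attr[0] != 26:
        raise ValueError("not a Vendor-Specific attribute")
    if attr[1] < 7 or attr[1] != len(attr):
        raise ValueError("length octet does not match attribute size")
    (vendor_id,) = struct.unpack("!I", attr[2:6])
    if vendor_id != BROCADE_VENDOR_ID:
        raise ValueError(f"vendor {vendor_id} is not Brocade (1588)")
    subs, body = {}, attr[6:]
    while body:                                 # walk type/length/value triples
        if len(body) < 2 or body[1] < 2 or body[1] > len(body):
            raise ValueError("malformed vendor sub-attribute")
        subs[body[0]] = body[2:body[1]]
        body = body[body[1]:]
    return subs

def switch_role_and_warning(subs: dict, now: datetime):
    """Rules from the guide: no VSA role -> 'user' role; expiry (MM/DD/YYYY,
    UTC) and warning period must BOTH be present and well-formed, otherwise
    no warning is issued. Returns (role, days_until_expiry or None)."""
    role = subs.get(ROLE_TYPE, b"user").decode("ascii", "replace")
    warn = None
    if EXPIRY_TYPE in subs and WARN_TYPE in subs:
        try:
            expiry = datetime.strptime(subs[EXPIRY_TYPE].decode(), "%m/%d/%Y")
            days_left = (expiry.replace(tzinfo=timezone.utc) - now).days
            if 0 <= days_left <= int(subs[WARN_TYPE].decode()):
                warn = days_left
        except ValueError:
            pass                                # syntax error: warning not issued
    return role, warn

def build_brocade_vsa(subs: list) -> bytes:
    """Constructed helper: encode [(vendor_type, value_bytes), ...] per Table 23."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in subs)
    return bytes([26, 6 + len(body)]) + struct.pack("!I", BROCADE_VENDOR_ID) + body
```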