Reference Guide
NOTE
For systems such as the Brocade DCX Backbone, the switch IP addresses are aliases of the physical Ethernet interfaces on the
CP blades. When specifying client IP addresses for the logical switches in such systems, make sure that the CP IP addresses
are used.
Authentication server data
When configured for remote authentication, a switch becomes a RADIUS, LDAP, or TACACS+ client. In any of these configurations,
authentication records are stored in the authentication host server database. Login and logout account name, assigned permissions, and
time-accounting records are also stored on the authentication server for each user.
Switch configuration
By default, the remote authentication services are disabled, so AAA services default to the switch’s local database.
To enable remote authentication, it is strongly recommended that you access the CLI through an SSH connection so that the shared
secret is protected. Multiple login sessions can apply configuration changes simultaneously, and the last session to apply a change
leaves its configuration in effect. After a configuration is applied, it persists across a reboot or an HA failover.
To enable the secure LDAP service, you must install a certificate from the Microsoft Active Directory server or the OpenLDAP server. By
default, the LDAP service does not require certificates.
The configuration applies to all switches. On a Backbone, the configuration replicates itself on a standby CP blade if one is present. It is
saved in a configuration upload and applied in a configuration download.
Brocade recommends configuring at least two authentication servers, so that if one fails, the other will assume service. Up to five servers
are supported.
You can set the configuration with any one of the supported authentication services and local authentication enabled, so that if the
authentication servers do not respond because of a power failure or network problems, the switch uses local authentication.
Consider the effects of using a remote authentication service on other Fabric OS features. For example, when a remote
authentication service is enabled, all account passwords must be managed on the authentication server. The Fabric OS mechanisms for
changing switch passwords remain functional; however, such changes affect only the involved switches locally. They do not propagate to
the authentication server, nor do they affect any account on the authentication server. Authentication servers also support notifying users
of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and without RADIUS, LDAP, and TACACS+
support, the way a switch authenticates users depends on whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. For a
switch with remote authentication support and configuration, authentication bypasses the local password database. For a switch without
remote authentication support or configuration, authentication uses the switch’s local account names and passwords.
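The following model, added here as an illustration and not Brocade's own code, walks through the login decision described in the two passages above: configured servers are tried in order, a switch with no remote configuration uses its local database, and the local database is otherwise consulted only when no server responds. It assumes (constructed behaviour, not stated by the guide) that a server's reject is final and does not fall through to local authentication.

```python
from dataclasses import dataclass, field
from enum import Enum

MAX_SERVERS = 5  # the guide states that up to five authentication servers are supported


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no_response"


@dataclass
class AuthServer:
    """Stand-in for a RADIUS, LDAP, or TACACS+ server with a constructed user table."""
    host: str
    reachable: bool = True
    users: dict = field(default_factory=dict)  # constructed: name -> password

    def authenticate(self, user: str, password: str) -> Result:
        if not self.reachable:  # power failure or network problem: no answer at all
            return Result.NO_RESPONSE
        return Result.ACCEPT if self.users.get(user) == password else Result.REJECT


def fabric_login(servers, local_db, user, password, local_fallback=True):
    """Return (source, result); source is the answering server's host, 'local', or None."""
    if len(servers) > MAX_SERVERS:
        raise ValueError("at most five authentication servers are supported")
    for srv in servers:  # remote authentication bypasses the local password database
        res = srv.authenticate(user, password)
        if res is not Result.NO_RESPONSE:
            # Assumption: an answering server's verdict is final, even when it is a reject,
            # so the local database cannot be used to sidestep a rejection.
            return srv.host, res
    if local_fallback:  # no server responded (or none configured): use local accounts
        ok = local_db.get(user) == password
        return "local", Result.ACCEPT if ok else Result.REJECT
    return None, Result.NO_RESPONSE


if __name__ == "__main__":
    primary = AuthServer("ldap1.example", users={"admin": "server-pw"})  # constructed
    standby = AuthServer("ldap2.example", reachable=False)
    print(fabric_login([primary, standby], {"admin": "local-pw"}, "admin", "server-pw"))
```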
Supported LDAP options
The following table summarizes the various LDAP options and Brocade support for each.
TABLE 24 LDAP options

Protocol                         | Description                  | Channel type | Default port | URL     | Brocade supported?
---------------------------------+------------------------------+--------------+--------------+---------+-------------------
LDAPv3                           | LDAP over TCP                | Unsecured    | 389          | ldap:// | No
LDAPv3 with TLS extension        | LDAPv3 over TLS              | Secured      | 389          | ldap:// | Yes
LDAPv3 with TLS and Certificate  | LDAPv3 over TLS channel and  | Secured      | 389          | ldap:// | Yes
Managing User Accounts
Brocade Fabric OS Administration Guide, 8.0.1
53-1004111-02 161