Reference Guide

ManualsBrandsDell ManualsAccess PlatformsBrocade G620

161

162

163

164

165

166

167

168

169

170

TABLE 25 Authentication configuration options (continued)

aaaConfig options Description

--authspec "tacacs+; local" --backup Authenticates management connections against any TACACS+ databases

first. If TACACS+ fails for any reason, it then authenticates against the local

user database. The --backup option states to try the secondary

authentication database only if the primary authentication database is not

available.

--authspec -nologout Prevents users from being logged out when you change authentication.

Default behavior is to log out users when you change authentication.

Setting the switch authentication mode

1. Connect to the switch and log in using an account with admin permissions.

2. Enter the aaaConfig --authspec command.

Fabric OS user accounts

RADIUS, LDAP, and TACACS+ servers allow you to set up user accounts by their true network-wide identities rather than by the account

names created on a Fabric OS switch. With each account name, assign the appropriate switch access permissions. For LDAP servers,

you can use the ldapCfg --maprole command to map LDAP server permissions.

RADIUS, LDAP, and TACACS+ support all the defined RBAC roles described in Role-Based Access Control on page 145.

Users must enter their assigned RADIUS, LDAP, or TACACS+ account name and password when logging in to a switch that has been

configured with remote authentication. After the remote authentication (RADIUS, LDAP, or TACACS+) server authenticates a user, it

responds with the assigned switch role in a

Brocade Vendor-Specific Attribute

(VSA). If the response does not have a VSA permissions

assignment, the user role is assigned.

You can set a user password expiration date and add a warning for RADIUS login and TACACS+ login. The password expiry date must

be specified in UTC and in MM/DD/YYYY format. The password warning specifies the number of days prior to the password expiration

that a warning of password expiration notifies the user. You either specify both attributes or none. If you specify a single attribute or there

is a syntax error in the attributes, the password expiration warning will not be issued. If your RADIUS server maintains its own password

expiration attributes, you must set the exact date

twice

to use this feature, once on your RADIUS server and once in the VSA. If the dates

do not match, then the RADIUS server authentication fails.

Table 26 describes the syntax used for assigning VSA-based account switch roles on a RADIUS server.

TABLE 26 Syntax for VSA-based account roles

Item Value Description

Type 26 1 octet

Length 7 or higher 1 octet, calculated by the server

Vendor ID 1588 4 octet, Brocade SMI Private Enterprise Code

Vendor type 1 1 octet, Brocade-Auth-Role; valid attributes for

the Brocade-Auth-Role are:

Admin

BasicSwitchAdmin

FabricAdmin

Operator

SecurityAdmin

SwitchAdminUser

Managing User Accounts

Brocade Fabric OS Administration Guide, 8.0.1

53-1004111-02 163