Reference Guide
TABLE 28 Brocade custom TACACS+ attributes
Attribute                 Purpose
brcd-role                 Role assigned to the user account
brcd-AV-Pair1             The Virtual Fabric member list, and chassis role
brcd-AV-Pair2             The Virtual Fabric member list, and chassis role
brcd-passwd-expiryDate    The date on which the password expires
brcd-passwd-warnPeriod    The time before expiration for the user to receive a warning message
Adding a user and assigning a role
When adding a user to the tac_plus.cfg file, you should at least provide the brcd-role attribute. The value assigned to this attribute should
match a role defined for the switch. When a login is authenticated, the role specified by the brcd-role attribute represents the permissions
granted to the account. If no role is specified, or if the specified role does not exist on the switch, the account is granted user role
permissions only.
Refer to Role-Based Access Control on page 145 for details about roles.
The following fragment from a tac_plus.cfg file adds a user named fosuser1 and assigns the securityAdmin role to the account.
user = fosuser1 {
    chap = cleartext "my$chap$pswrd"
    pap = cleartext "pap-password"
    service = exec {
        brcd-role = securityAdmin;
    }
}
Configuring Virtual Fabric lists
If your network uses Virtual Fabrics, you should create Virtual Fabric lists for each user to identify the Virtual Fabrics to which the account
has access.
Assign the following key-value pairs to the brcd-AV-Pair1 and, optionally, brcd-AV-Pair2 attributes to grant the account access to the
Virtual Fabrics:
∙ HomeLF is the designated home Virtual Fabric for the account. The valid values are from 1 through 128 and chassis context.
The first valid HomeLF key-value pair is accepted by the switch. Additional HomeLF key-value pairs are ignored.
∙ LFRoleList is a comma-separated list of Virtual Fabric ID numbers of which this account is a member, and specifies the role the
account has on those Virtual Fabrics. Valid numbers range from 1 through 128. A - between two numbers specifies a range.
The following example sets the home Virtual Fabric for the userVF account to 30 and allows the account admin role access to Virtual
Fabrics 1, 3, and 4 and securityAdmin access to Virtual Fabrics 5 and 6.
user = userVF {
    pap = clear "password"
    service = shell {
        set brcd-role = zoneAdmin
        set brcd-AV-Pair1 = "homeLF=30;LFRoleList=admin:1,3,4;securityAdmin:5,6"
        set brcd-AV-Pair2 = "chassisRole=admin"
    }
}
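Before a tac_plus.cfg change is deployed, the brcd-AV-Pair values can be expanded to see exactly which Virtual Fabrics and roles an account would receive. The following Python helper is an added example, not Brocade code or part of the original guide; its function names are hypothetical, and it infers the grammar from the userVF fragment above (segments separated by ";", keys matched without regard to case). It does not handle the chassis-context HomeLF value, because this page does not give its representation, and rejecting a fabric listed under two different roles is an assumption.

```python
# Added example: audit helper, not Brocade code. The grammar is inferred from
# the guide's userVF fragment; function names are hypothetical.
VF_MIN, VF_MAX = 1, 128  # valid Virtual Fabric IDs per the guide


def expand_ids(spec):
    """Expand '1,3,5-7' into a sorted list of IDs; reject out-of-range values."""
    ids = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (VF_MIN <= lo <= hi <= VF_MAX):
            raise ValueError(f"Virtual Fabric ID out of range: {part!r}")
        ids.update(range(lo, hi + 1))
    return sorted(ids)


def parse_av_pairs(*values):
    """Return the effective homeLF, chassisRole and per-fabric roles."""
    result = {"homeLF": None, "chassisRole": None, "roles": {}}
    for value in values:
        for segment in filter(None, (s.strip() for s in value.split(";"))):
            key, eq, rest = segment.partition("=")
            key = key.strip().lower()
            if eq and key == "homelf":
                # The first valid HomeLF is accepted; later ones are ignored.
                if (result["homeLF"] is None and rest.strip().isdigit()
                        and VF_MIN <= int(rest) <= VF_MAX):
                    result["homeLF"] = int(rest)
                continue
            if eq and key == "chassisrole":
                result["chassisRole"] = rest.strip()
                continue
            # Either 'LFRoleList=role:ids' or a continuation segment 'role:ids'.
            entry = rest if eq and key == "lfrolelist" else segment
            role, colon, spec = entry.partition(":")
            if not colon:
                raise ValueError(f"unrecognised segment: {segment!r}")
            for vf in expand_ids(spec):
                # Assumption: one fabric under two roles is a config error.
                if result["roles"].setdefault(vf, role.strip()) != role.strip():
                    raise ValueError(f"conflicting roles for Virtual Fabric {vf}")
    return result


if __name__ == "__main__":
    # Values copied from the guide's userVF fragment.
    print(parse_av_pairs("homeLF=30;LFRoleList=admin:1,3,4;securityAdmin:5,6",
                         "chassisRole=admin"))
```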
Configuring the password expiration date
FabricOS allows you to configure a password expiration date for each user account and to configure a warning period for notifying the
user that the account password is about to expire. To configure these values, set the following attributes:
∙ brcd-passwd-expiryDate sets the password expiration date in mm/dd/yyyy format.
Managing User Accounts
Brocade Fabric OS Administration Guide, 8.0.1
53-1004111-02 181