Fabric OS Administrator's Guide, 53-1002920-02, page 189 (chapter 6, Remote authentication)
objectClass: organizationalRole
cn: Users
description: User
# User entries
dn: cn=Sachin,cn=Users,dc=mybrocade,dc=com
objectClass: user
objectClass: person
objectClass: uidObject
cn: Sachin
sn: Mishra
description: First user
brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
userPassword: pass
uid: mishras@mybrocade.com
The following ldapadd command adds the entry to the LDAP directory. The -D and -w options supply the bind DN and password of an account that is permitted to write to the directory, -x selects simple authentication, and -f names the LDIF file.
> ldapadd -D cn=Sachin,dc=mybrocade,dc=com -x -w secret -f test4.ldif
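The brcdAdVfData value in the entry above packs the user's home logical fabric, per-role fabric lists and chassis role into one string. The following parser and audit helper is an added example, not Brocade code: it reads that format, expands the 1-128 range, and flags the grants a reviewer would want to confirm before the entry goes live. The comma-separated fabric list form ("2,4-8,70") and the 128 upper bound are assumptions taken from the range shown on this page.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

MAX_LF = 128  # highest logical fabric ID; assumed from the 1-128 range on the page
PAGE_VALUE = "HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin"  # value from the LDIF above


@dataclass
class VfData:
    home_lf: Optional[int] = None
    lf_roles: Dict[str, Set[int]] = field(default_factory=dict)  # role -> fabric IDs
    chassis_role: Optional[str] = None


def parse_lf_list(spec: str) -> Set[int]:
    """Expand '1-128' or the assumed comma form '2,4-8,70' into a set of fabric IDs."""
    ids: Set[int] = set()
    for part in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", part.strip())
        if not m:
            raise ValueError(f"bad fabric list element: {part!r}")
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        if not 1 <= lo <= hi <= MAX_LF:
            raise ValueError(f"fabric range out of bounds: {part!r}")
        ids.update(range(lo, hi + 1))
    return ids


def parse_brcd_ad_vf_data(value: str) -> VfData:
    """Split the ';'-separated key=value items; unknown keys are rejected, not ignored."""
    data = VfData()
    for item in value.split(";"):
        key, _, val = item.partition("=")
        if key == "HomeLF":
            data.home_lf = int(val)
        elif key == "LFRoleList":
            role, _, lfs = val.partition(":")
            data.lf_roles.setdefault(role, set()).update(parse_lf_list(lfs))
        elif key == "ChassisRole":
            data.chassis_role = val
        else:
            raise ValueError(f"unknown brcdAdVfData key: {key!r}")
    return data


def audit(value: str) -> List[str]:
    """Return findings about broad or inconsistent grants in one attribute value."""
    d = parse_brcd_ad_vf_data(value)
    findings: List[str] = []
    all_lfs = set().union(*d.lf_roles.values()) if d.lf_roles else set()
    if d.home_lf is not None and d.home_lf not in all_lfs:
        findings.append(f"HomeLF {d.home_lf} is not in any LFRoleList")
    if d.lf_roles.get("admin") == set(range(1, MAX_LF + 1)):
        findings.append("admin role over every logical fabric")
    if d.chassis_role == "admin":
        findings.append("ChassisRole=admin grants chassis-wide administration")
    return findings
```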
TACACS+ service
Fabric OS can authenticate users with a remote server using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol. TACACS+ is a protocol used in AAA server environments consisting of a centralized authentication server and multiple Network Access Servers or clients. Once configured to use TACACS+, a Brocade switch becomes a Network Access Server (NAS).
The following authentication protocols are supported by the TACACS+ server for user authentication:
• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)
TACACS+ is not a FIPS-supported protocol, so you cannot configure TACACS+ in FIPS mode. To enable FIPS, any TACACS+ configuration must be removed.
The TACACS+ server can be a Microsoft Windows server or a Linux server. For Linux servers, use TACACS+ 4.0.4 or later from Cisco. For Microsoft Windows servers, use any TACACS+ freeware that uses TACACS+ protocol v1.78 or later.
TACACS+ configuration overview
Configuration is required on both the TACACS+ server and the Brocade switch. On the TACACS+ server, you should assign a role for each user and, if Admin Domains or Virtual Fabrics are in use, provide lists of Admin Domains or Virtual Fabrics to which the user should have access. For details, refer to “The tac_plus.cfg file” on page 190.
On the Brocade switch, use the aaaConfig command to configure the switch to use TACACS+ for authentication. The aaaConfig command also allows you to specify up to five TACACS+ servers. When a list of servers is configured, failover from one server to another server happens only if a TACACS+ server fails to respond. It does not happen when user authentication fails.
Failover to another TACACS+ server is achieved by means of a timeout. You can configure a timeout value for each TACACS+ server, so that the next server can be used in case the first server is unreachable. The default timeout value is 5 seconds.