HP StorageWorks Fabric OS 6.2 administrator guide (5697-0016, May 2009)

ManualsBrandsHP ManualsStorageHP 8/80 Base (48) Full Fabric Ports Enabled SAN Switch

Fabric OS 6.2 administrator guide 85

2. Enter the following command:

switch:admin> aaaConfig --authspec ["radius" | "ldap" | "radius;local" |

"ldap;local" --backup]

Fabric OS user accounts

RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than

by the account names created on a Fabric OS switch. With each account name, assign the appropriate

switch access roles. For LDAP servers, you can use the ldapCfg

-–maprole <ldap_role name>

<switch_role> to map an LDAP server role to one of the default roles available on a switch.

RADIUS and LDAP support all the defined RBAC roles described in Table 8 on page 68.

Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch

that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it

responds with the assigned switch role in a B-Series Vendor-Specific Attribute (VSA). If the response does

not have a VSA role assignment, the User role is assigned. If no Administrative Domain is assigned, the

user is assigned to the default Admin Domain AD0.

You can set a user password expiration date and add a warning for RADIUS login. The password

expiration date must be specified in UTC and in MM/DD/YYYY format. The password warning value

specifies the number of days prior to the password expiration that a warning of password expiration

notifies the user. You either specify both attributes or none. If you specify a single attribute or there is a

syntax error in the attributes, the password expiration warning will not be displayed. If your RADIUS server

maintains its own password expiration attributes, you must set the exact date twice to use this feature, once

on your RADIUS server and once in the VSA attribute. If the dates do not match, the RADIUS server

authentication fails.

The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in

Table 14.

Table 14 Syntax for VSA-based account roles

Item Value Description

Type 26 1 octet

Length 7 or higher 1 octet, calculated by the server

Vendor ID 1588 4 octets, Brocade's SMI Private Enterprise Code

Vendor type 1 1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role

are:

Admin

BasicSwitchAdmin

FabricAdmin

Operator

SecurityAdmin

SwitchAdmin

User

ZoneAdmin

2 Optional: Specifies the Admin Domain or Virtual Fabric member list.

For more information on Admin Domains or Virtual Fabrics, see

”RADIUS configuration with Admin Domains or Virtual Fabrics” on

page 87.

Brocade-AVPairs1

3Brocade-AVPairs2

4Brocade-AVPairs3

5Brocade-AVPairs4

6Brocade Password ExpiryDate

7Brocade Password ExpiryWarning