Occasional Contributor
Posts: 7
Registered: ‎11-29-2011

Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Dear support of Brocade,

I have a question about the working of RADIUS (Win2k8) in combination with the FastIron WS 648G Switch (we use firmware version 07.2.00).

We have RADIUS working on the switch, but we can't find a way to give users privileges.
This is bad because we don't want all our staff to have the opportunity to log on to the switch and configure things.

There are 3 valid privileges (Brocade privilege levels 0, 4, 5); we try to use them in the Vendor-Specific Attributes (attribute number 26 on RADIUS).
We even tried "User / Admin" (as seen in the screenshots) and other properties, but none of them seem to work. The vendor code that we used is 1588.

We used Wireshark to see what information was sent to the switch. This is possible because we use PAP instead of CHAP.
The vendor code seems to be correct, but all other attributes were unknown.

Our question is: where is our problem? Is it on the switch side or the Windows 2k8 server side?
If it's the switch side, what are we doing wrong? We are aware of your great FastIron Config Guide and it helps us a lot,
but we couldn't find the answer in there.

My apologies if I forgot to post some relevant information.

Best regards,

Henq

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Hi,

Your vendor code looks to be incorrect.

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user.

Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:

- The privilege level of the user
- A list of commands
- Whether the user is allowed or denied usage of the commands in the list

You must add these three Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Brocade device.

Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendor-specific attributes.

TABLE 270 Brocade vendor-specific attributes for RADIUS

Attribute name: foundry-privilege-level
Attribute ID: 1
Data type: integer
Description: Specifies the privilege level for the user. This attribute can be set to one of the following:

  0 - Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
  4 - Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
  5 - Read Only level – Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.

Occasional Contributor
Posts: 7
Registered: ‎11-29-2011

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Hi Mr Mschipp,

First of all, thanks for the fast reply to our question. I changed the vendor code to the correct number you described.

I also added more attribute information, as seen in the screenshots. What I am trying to do here is to create a read-only account with no access to the show and debug ip commands. Because I need to send the information over the Access-Accept packet with the Brocade vendor-specific attributes, I used the following:

- Set the privilege level of the user to "5"

- The list of commands "show *,debug ip *"

- And whether the user is allowed or denied the usage of the commands: "1"

- We enabled Framed protocol with "PPP" and set Service type to "Framed"

My question is: what am I doing wrong? The authentication works perfectly, but I still have Administrator privileges when we log into the Brocade switch. As an example, the commands show and debug are still usable, even when I put them into the VSA on the RADIUS server.

With regards,

Henq

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Hi,

For VSA2.png:

Vendor assigned attribute number 1 (this is correct)

Attribute format needs to be integer and not string

Value of 5 is correct

Attribute 2 needs to be a string (I think you have that correct); however, I think you need a space after the ';', e.g. show *; debug ip *

You are missing attribute 3, which needs to be an integer with a value of 1 to deny the commands in attribute 2

You are getting closer.

Thanks

Michael.
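The wire format of the three attributes Michael describes (attribute 26 with Vendor-ID 1991, sub-attribute 1 integer, 2 string, 3 integer), as an added example that is not part of the original thread or of Brocade's documentation. It encodes the values Henq was trying to send (privilege level 5, "show *; debug ip *", deny flag 1) into an Access-Accept with a valid Response Authenticator, then decodes them back the way a NAS would, so that the "string instead of integer" mistake from the screenshots shows up as a decoded `"5"` rather than `5`. It assumes the RADIUS `integer` type is a 4-octet big-endian value and that the command list is sent as a plain string; the shared secret, packet identifier and Request Authenticator are constructed sample values, and the constant names are mine, not Brocade's attribute names.

```python
"""RFC 2865 Vendor-Specific (type 26) attributes as used for the Brocade VSAs.

One attribute 26 carrying one vendor sub-attribute looks like:
    Type=26 | Length | Vendor-Id (4 octets) | Vendor-Type | Vendor-Length | Value
Vendor-Length counts the Vendor-Type and Vendor-Length octets plus the value.
"""
import hashlib
import hmac
import struct

BROCADE_VENDOR_ID = 1991       # Vendor-ID from the thread (1588 in the first post was wrong)
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2
VSA_PRIVILEGE_LEVEL = 1        # integer: 0 Super User, 4 Port Configuration, 5 Read Only
VSA_COMMAND_LIST = 2           # string, e.g. "show *; debug ip *"
VSA_COMMAND_DENY_FLAG = 3      # integer: 1 = deny the listed commands (constant name is mine)


def encode_vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in an RFC 2865 attribute 26."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def brocade_vsas(privilege_level, command_list, deny):
    """The three attributes the switch expects; integers are 4-octet big-endian."""
    return (
        encode_vsa(BROCADE_VENDOR_ID, VSA_PRIVILEGE_LEVEL, struct.pack("!I", privilege_level))
        + encode_vsa(BROCADE_VENDOR_ID, VSA_COMMAND_LIST, command_list.encode())
        + encode_vsa(BROCADE_VENDOR_ID, VSA_COMMAND_DENY_FLAG, struct.pack("!I", 1 if deny else 0))
    )


def decode_vsas(attrs, vendor_id=BROCADE_VENDOR_ID):
    """Walk a RADIUS attribute list; return {vendor_type: value} for one Vendor-ID.

    A 4-octet value for sub-attributes 1 and 3 decodes to int; anything else
    (including a '5' sent as a string) is returned as str so the mismatch is visible.
    """
    out, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == ATTR_VENDOR_SPECIFIC and alen >= 8:
            vid = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vid == vendor_id:
                j = i + 6
                while j + 2 <= i + alen:
                    vtype, vlen = attrs[j], attrs[j + 1]
                    if vlen < 2 or j + vlen > i + alen:
                        raise ValueError("malformed vendor sub-attribute")
                    val = attrs[j + 2:j + vlen]
                    if vtype in (VSA_PRIVILEGE_LEVEL, VSA_COMMAND_DENY_FLAG) and len(val) == 4:
                        out[vtype] = struct.unpack("!I", val)[0]
                    else:
                        out[vtype] = val.decode(errors="replace")
                    j += vlen
        i += alen
    return out


def access_accept(identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept; Response Authenticator per RFC 2865 section 3 is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_access_accept(packet, request_authenticator, secret):
    """What the NAS checks before honouring any VSA in the reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)


if __name__ == "__main__":
    # Constructed sample values: the Request Authenticator would come from the Access-Request.
    req_auth, secret = bytes(range(16)), b"testing123"
    attrs = brocade_vsas(5, "show *; debug ip *", deny=True)
    pkt = access_accept(7, req_auth, secret, attrs)
    print("valid reply:", verify_access_accept(pkt, req_auth, secret))
    print("decoded VSAs:", decode_vsas(pkt[20:]))
    # The first-attempt mistake: privilege level sent as the string "5".
    print("string form decodes as:", decode_vsas(encode_vsa(BROCADE_VENDOR_ID, 1, b"5")))
```

Feeding the packet's attribute bytes to `decode_vsas` is the same check Wireshark was doing for Henq: a sub-attribute that decodes to `"5"` instead of `5` means the server sent a string, and a Vendor-ID other than 1991 makes the whole attribute 26 invisible to the switch.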

Occasional Contributor
Posts: 7
Registered: ‎11-29-2011

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Hi Michael,

Thanks for your time, we appreciate it a lot!

We changed it to decimal because that's the closest option. We did this because we can't select the option Integer (screen "Decimal").

Suppose Decimal == Integer?

We configured the 3rd attribute to 1 and changed the space between show and debug.

Unfortunately it still doesn't work.

I also included the switch configuration; maybe there is something wrong here?

We are looking forward to your reply.

Regards,

Henq

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

I think your AAA authentication login command needs to be the below

Brocade(config)#aaa authentication login default radius local

Please give this a try.

Thanks

Michael.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

e.g.

first enter

no aaa authe login def rad enab loca

then

aaa authe login def rad loc

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

OK, I think I might have found the problem.

You need to enter

Brocade(config)#aaa authorization exec default radius

Configuring exec authorization

When RADIUS exec authorization is performed, the Brocade device consults a RADIUS server to determine the privilege level of the authenticated user. To configure RADIUS exec authorization on the Brocade device, enter the following command.

Brocade(config)#aaa authorization exec default radius

Syntax: aaa authorization exec default radius | none

If you specify none, or omit the aaa authorization exec command from the device configuration, no exec authorization is performed.

NOTE
If the aaa authorization exec default radius command exists in the configuration, following successful authentication the device assigns the user the privilege level specified by the foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec default radius command does not exist in the configuration, then the value in the foundry-privilege-level attribute is ignored, and the user is granted Super User access.

Also note that in order for the aaa authorization exec default radius command to work, either the aaa authentication enable default radius command, or the aaa authentication login privilege-mode command must also exist in the configuration.

Occasional Contributor
Posts: 7
Registered: ‎11-29-2011

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

We tried that without any results; after that we turned the privilege-mode on and off to see if that made any difference, without success.

As you can see in the screen, we still have administrator access.

I notice that we don't have any authorization options enabled in the switch. If I am correct, RADIUS is sending the authentication (username etc.) and authorization information (VSA) within the Access-Accept packet, right? And therefore it is not needed in the switch?

Regards,

Henq

---EDIT

We are going to try your new answer first.

Occasional Contributor
Posts: 7
Registered: ‎11-29-2011

Re: Need help with RADIUS (Win2k8 & FastIron WS 648G Switch)

Michael,

Thanks for your great support, it seems to work now. The only thing that doesn't work perfectly is blocking specific commands, like *show users*.

But that's a minor problem; the major problem has been fixed! So we can give users admin and read-only rights through RADIUS.

We will post the results of our testing here soon, about the blocking of specific commands, for the people that have the same problem.

Yet again Thanks a lot for helping us out!

Regards,

Henq
