Ethernet Switches & Routers

New Contributor
Posts: 2
Registered: ‎04-03-2008

Problems with User Authentication over RADIUS

We are using a VASCO Identikey Server on Windows as RADIUS Server. The FC-Switch is a Brocade SAN Switch with OS v6.1.0h.

I created a local account and gave it administrator rights. This worked fine. Then I tried the user authentication over RADIUS and this worked fine, but the authenticated User has only User rights, no administrator rights. I read in the Administrator Guide that RADIUS must be configured that it replies to an authentication request with a vendor-specific attribute, where the User is assigned to an Admin role.

Does anyone know, which Configurations have to be done on the RADIUS Server?

Thanks in advance.

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Problems with User Authentication over RADIUS

Hi,

Please post your question in the 'Data Center' forums, as this one is for Ethernet only.

I do not know the SAN switches; however, for Ethernet we have the following:

During the RADIUS authentication process, if a user supplies a valid username and password, the RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:

- The privilege level of the user

- A list of commands

- Whether the user is allowed or denied usage of the commands in the list

You must add these three Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the Brocade device.

Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendor-specific attributes.

Attribute name: foundry-privilege-level
Attribute ID: 1
Data type: integer
Description: Specifies the privilege level for the user. This attribute can be set to one of the following:

- 0 - Super User level: Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.

- 4 - Port Configuration level: Allows read-and-write access for specific ports but not for global (system-wide) parameters.

- 5 - Read Only level: Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
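The post above describes the Access-Accept contents in prose. What a practitioner usually wants to see is the actual bytes on the wire, so that a packet capture on the switch side can be checked against what the RADIUS server is sending. The following is an added example written for this page; it is not code from the thread, from Brocade, or from VASCO. It encodes the foundry-privilege-level VSA exactly as RFC 2865 section 5.26 lays out a Vendor-Specific attribute (type 26, length, 4-byte Vendor-Id 1991, then vendor-type 1, vendor-length 6, 4-byte integer), wraps it in an Access-Accept with a correct Response Authenticator, and then does what the switch has to do: verify the authenticator against the shared secret before trusting the privilege level, and fall back to "no role supplied" when the VSA is absent, which is the symptom the original poster reports. The shared secret and Request Authenticator are constructed values for the demo.

```python
"""Encode and verify a RADIUS Access-Accept carrying the Brocade/Foundry
privilege-level VSA (Vendor-Id 1991, vendor-type 1, 4-byte integer).
Wire format per RFC 2865: sec. 3 (header, Response Authenticator) and
sec. 5.26 (Vendor-Specific attribute). Added example, not vendor code."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1991
VSA_PRIVILEGE_LEVEL = 1                     # foundry-privilege-level
PRIV_SUPER_USER, PRIV_PORT_CONFIG, PRIV_READ_ONLY = 0, 4, 5


def vsa_integer(vendor_id, vendor_type, value):
    """Build one Vendor-Specific AVP carrying a 4-byte integer sub-attribute."""
    sub = struct.pack("!BBI", vendor_type, 6, value)       # vendor-type, vendor-length, value
    body = struct.pack("!I", vendor_id) + sub              # Vendor-Id, then vendor data
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, attrs):
    """Assemble the packet; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attributes(data):
    """Yield (type, value) pairs from a TLV run; reject bad lengths instead of looping forever."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def privilege_level(packet, request_auth, secret):
    """Return the Brocade privilege level from a verified Access-Accept, or None
    when the server sent no such VSA (the device then applies its default role)."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    # Authenticate the reply before acting on anything inside it: without this
    # check anyone who can spoof the server's UDP reply could hand out level 0.
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    for atype, value in parse_attributes(packet[20:]):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue
        # Vendor data uses the same TLV shape: vendor-type, vendor-length, value.
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == VSA_PRIVILEGE_LEVEL and len(vvalue) == 4:
                return struct.unpack("!I", vvalue)[0]
    return None


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"              # constructed for the demo
    req_auth = os.urandom(16)                          # normally taken from the Access-Request
    admin_vsa = vsa_integer(BROCADE_VENDOR_ID, VSA_PRIVILEGE_LEVEL, PRIV_SUPER_USER)
    print("VSA bytes:", admin_vsa.hex())
    admin_reply = build_access_accept(7, req_auth, SECRET, admin_vsa)
    print("privilege level with VSA:", privilege_level(admin_reply, req_auth, SECRET))
    bare_reply = build_access_accept(8, req_auth, SECRET, b"")
    print("privilege level without VSA:", privilege_level(bare_reply, req_auth, SECRET))
```

Run it and compare the printed VSA hex with a capture of the Identikey server's Access-Accept: the attribute should begin `1a 0c 00 00 07 c7 01 06`, followed by the four-byte level. If the capture shows an Access-Accept with no type-26 attribute at all, the server is authenticating the user but never sending a role, which matches the behaviour in the first post. Note that the Response Authenticator is only an MD5 keyed with the shared secret, so it protects against casual spoofing, not against an attacker who learns or guesses a weak secret.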

New Contributor
Posts: 2
Registered: ‎04-03-2008

Re: Problems with User Authentication over RADIUS

Hi,

Yes, my question about the RADIUS authentication concerns Ethernet, so thanks for the answer. My problem is that I don't know where to put the attributes (Vendor-ID 1991, Vendor-Type 1, the vendor-specific attributes) on the RADIUS server. In the user profile, I have a tab called "Digipass User Attributes" where I can add custom attributes. When I click the Add button, a box appears where I can fill in the following attributes: Attribute Group, Name, Usage, Value. Should I fill in the attributes like this?

- Attribute Group: Brocade

- Name: Vendor-ID

- Usage: Reply

- Value: 1991

- Attribute Group: Brocade

- Name: Vendor-Type

- Usage: Reply

- Value: 1

- Attribute Group: Brocade

- Name: foundry-privilege-level 1

- Usage: Reply

- Value: 0

Regards,

Peter

Super Contributor
Posts: 1,087
Registered: ‎12-13-2009

Re: Problems with User Authentication over RADIUS

Sorry, I do not know your RADIUS product. What I could find for your product is:

Field Name: Attribute Group
Description: Attribute Groups provide a way to add different attributes to the User account for different client components. A SOAP client application may request a certain Attribute Group; it will only be given the user's attributes for the matching Attribute Group. A different application may request the same Attribute Group or a different one. An IIS Module (for example, in Digipass Pack for IIS Basic Authentication) may also request an Attribute Group. The Attribute Group entered in the Configuration GUI for the IIS Module will be requested. If the Identikey Server Data Store is shared with Digipass Plug-In for SBR, the SBR Plug-In may retrieve other Attribute Groups.

Field Name: Name
Description: The name of the attribute. This must match the name of an attribute expected by the client component. For the Digipass Pack for IIS Basic Authentication, this would be either User-Name or Password.

Field Name: Usage
Description: Specifies the usage of the User attribute. This is an optional setting.

So I think you would need:

- Attribute Group: Brocade

- Name: Vendor-ID

- Usage: Reply

- Value: 1991

- Attribute Group: Brocade

- Name: foundry-privilege-level

- Usage: Reply

- Value: 1

(The value of 1 denotes an admin user for the switches.)

Now, to be sure, I would contact your RADIUS vendor for confirmation.
