Occasional Contributor
Posts: 12
Registered: ‎09-22-2008

Brocade dcx permissions with Radius questions

Hello,

Question about login permissions with FOS 6.3 on a Brocade DCX. We have recently purchased 2 new Directors and are trying to authenticate with RADIUS. We have been using a Cisco ACS for many years to authenticate to our SAN switches with FOS 6.2 and earlier with no issues. Long before I started working here someone loaded the VSAs on the ACS and we can log in with no issues.

With these new Directors we can log in no problem and it shows our role as admin, but the chassis permissions say no access and we lose a lot of the commands that we need to configure them. I see when you set up a local account you can set the chassis permissions to whatever you want, but when we log in using our remote accounts I do not see a way to set chassis permissions. I am also assuming this is why our remote accounts lose a lot of the command abilities.

So my question is, has anybody run into this before? Do I have to change the VSAs to have a different attribute in them to give our remote accounts admin abilities for the chassis permissions? Any help would be greatly appreciated. I have been searching for any information on this since yesterday and have not found any useful information. Thanks in advance for any assistance given.

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: Brocade dcx permissions with Radius questions

Hi,

I assume that the DCX are configured with Virtual Fabric enabled. So you have to configure some more attributes on your RADIUS servers.

You need to configure on the RADIUS server the Chassisrole, HomeLF and switch permission. The order is important.

Please check the admin guide from Brocade.

Regards,

Andreas

Occasional Contributor
Posts: 12
Registered: ‎09-22-2008

Re: Brocade dcx permissions with Radius questions

Hello,

Thanks for your response. I assumed that I would have to change the attributes for our RADIUS server, and going through the admin guide I didn't see anything that related to chassis role and home LF. It talks about it but does not give the settings. Thanks again for taking the time to answer.

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: Brocade dcx permissions with Radius questions

Hi,

Have you checked whether Virtual Fabric is enabled?

Which code are you running?

Please check with userconfig --show whether all attributes are set correctly after a login.

Some of the attributes are:

HomeLF=128;                <-- Home logical fabric in which the user is logged in by default

LFRoleList=admin:128,10;   <-- Logical fabrics in which the user can log in with "setcontext"

ChassisRole=admin;         <-- Chassis permission

Take a look at a newer version of admin guides. In some older releases there were some typo errors. I think 6.3 is OK.

I have attached the admin guide from 6.3. Chapter 5 page 89 is a good place to start.

Good luck.

Regards,

Andreas

Occasional Contributor
Posts: 12
Registered: ‎09-22-2008

Re: Brocade dcx permissions with Radius questions

Thank you Andreas,

Sorry it took so long to come back. Work put me on a different program and I haven't even thought of it. Now that I am back they threw this back on my plate because no one could figure it out, lol. I spoke with Brocade and Cisco and both did the finger pointing for a while. I gave up on them and figured it out on my own. The admin guide did end up having all the answers, I just had to figure out how Cisco interpreted them. Again, thanks for your responses.

Occasional Contributor
Posts: 12
Registered: ‎09-22-2008

Re: Brocade dcx permissions with Radius questions

I did want to add, for anyone that has this issue with Cisco ACS, that Andreas gave the key and value, Chassisrole=admin. The 2 above that are optional, but if you intend on having more than one virtual fabric you must add those lines in, as Virtual Fabric home 128 is the default when none are specified. If you create VF 127 you will not have admin access. Thanks again Andreas. Always feel free to send me a message if you have any questions on this.
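
An added example, not part of the thread and not Brocade or Cisco code: a small audit that parses an attribute string in the form Andreas quoted and reports the gaps the thread describes (no ChassisRole, or a logical fabric with no role). The function names and the list of configured fabric IDs are assumptions made for illustration, and only the single-role LFRoleList form shown above is handled.

```python
# Added example: audit a VSA string such as
# "HomeLF=128;LFRoleList=admin:128,10;ChassisRole=admin;" (form quoted in the thread).
DEFAULT_HOME_LF = 128  # per the thread: 128 is the default when none is specified


def parse_vsa(value):
    """Split 'Key=value;Key=value;' into a dict of attribute -> value."""
    attrs = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        if not sep:
            raise ValueError(f"segment without '=': {part!r}")
        attrs[key.strip()] = val.strip()
    return attrs


def lf_roles(attrs):
    """Map logical fabric ID -> role from an LFRoleList like 'admin:128,10'."""
    roles = {}
    entry = attrs.get("LFRoleList")
    if entry:
        role, _, ids = entry.partition(":")
        for fid in ids.split(","):
            roles[int(fid)] = role.strip()
    return roles


def audit(value, configured_fabrics):
    """Return parsed values plus findings for the given fabric IDs (hypothetical input)."""
    attrs = parse_vsa(value)
    roles = lf_roles(attrs)
    home = int(attrs.get("HomeLF", DEFAULT_HOME_LF))
    # Without LFRoleList, only the default fabric is covered (behaviour described in the thread).
    covered = set(roles) if roles else {DEFAULT_HOME_LF}
    findings = []
    if "ChassisRole" not in attrs:
        findings.append("no ChassisRole: remote login gets no chassis permission")
    if home not in covered:
        findings.append(f"HomeLF {home} has no role in LFRoleList")
    for fid in sorted(set(configured_fabrics) - covered):
        findings.append(f"fabric {fid}: no role assigned")
    return {"chassis_role": attrs.get("ChassisRole"), "home_lf": home,
            "lf_roles": roles, "findings": findings}


if __name__ == "__main__":
    # Constructed inputs: the complete string from the thread, then an empty one.
    print(audit("HomeLF=128;LFRoleList=admin:128,10;ChassisRole=admin;", [128, 10]))
    print(audit("", [128, 127]))
```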
