Fibre Channel (SAN)

N/A
Posts: 1
Registered: ‎09-06-2005

CISCO ACS Radius Setup

Would anyone in the Brocade community have any experience in setting up RADIUS AAA authentication to a Cisco ACS RADIUS server?

External Moderator
Posts: 4,778
Registered: ‎02-23-2004

Re: CISCO ACS Radius Setup

Hi DeanC,

I have doubts that Cisco ACS is compatible with the Brocade AAA RADIUS.

TechHelp24
New Contributor
Posts: 2
Registered: ‎07-12-2007

Re: CISCO ACS Radius Setup

I can confirm that Cisco ACS with RADIUS can run in combination with the Brocade switches.

BCFP BCSM

N/A
Posts: 1
Registered: ‎11-22-2007

Re: CISCO ACS Radius Setup

Hi Paul,

Naaman Campbell

N/A
Posts: 1
Registered: ‎08-28-2008

Re: CISCO ACS Radius Setup

Hi Paul

Is there documentation about the configuration of Cisco ACS RADIUS and Brocade SAN switches? Or do you have an example of how to do it? Help would be highly appreciated.

Cheers

Patrick

N/A
Posts: 1
Registered: ‎10-16-2007

Re: CISCO ACS Radius Setup

I am having an issue getting the RADIUS server to log in with "admin" based roles. I can log in through the Cisco ACS RADIUS; however, I only get "user" privileges, which allows me to do nothing on the switch. Anybody using the Cisco ACS RADIUS successfully?

fm
N/A
Posts: 1
Registered: ‎02-07-2010

Re: CISCO ACS Radius Setup

Hi all,

Regarding the subject, I have the same issue:

2 x Cisco ACS 4.2

2 x MDS 9216

2 x MDS FC Switches for IBM BladeCenter H

3 x Brocade 8Gbps FC Switches for IBM BladeCenter H

I have implemented AAA for all Cisco networking and Cisco MDS devices with TACACS+ as follows:

1. I have created the User Group: san.admins

2. I have created the Network Device Group: SAN

SAN AAA Clients

AAA Client Hostname    AAA Client IP Address   Authenticate Using
DC-MDS-9216-A          10.254.253.60           TACACS+ (Cisco IOS)
DC-MDS-9216-B          10.254.253.61           TACACS+ (Cisco IOS)
DC-MDS-BCH-A           10.254.253.14           TACACS+ (Cisco IOS)
DC-MDS-BCH-B           10.254.253.15           TACACS+ (Cisco IOS)
DC_BCH_Brocade8G_A     10.254.253.17           RADIUS (IETF)

More info I found on: http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/cradtac1.html

For the Brocade 8Gbps FC switch I have used RADIUS (IETF) from the RADIUS list presented by Cisco ACS (Juniper, Nortel etc.). Now, I know that the Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:

protocol : attribute separator value *

Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.

For the Cisco MDS/Nexus I have specified the following in the TACACS+ attributes: cisco-av-pair=shell:roles="network-admin", in order for the authentication to work.

When I log in to the Brocade 8Gbps FC switch via SSH with the username from Cisco ACS I get the following:

--- cut here ----

login as: florin.manaila

florin.manaila@10.254.253.17's password:

Switch role not specified, use default.

-----------------------------------------------------------------

DC_BCH_Brocade8G_A:florin.manaila>

--- cut here ----

So, the authentication of the Brocade 8Gbps FC switch in Cisco ACS is working, but I get the default profile "user". I am wondering where I have to specify the RADIUS attributes in order to send the profile to the Brocade FC switch, and what I have to send to the Brocade 8Gbps FC switch? Something similar to cisco-av-pair=shell:roles="network-admin"?

Any help will be very appreciated, thank you.

FM



Visitor
Posts: 1
Registered: ‎09-15-2010

Re: CISCO ACS Radius Setup

I recently opened a case (#451351) with Brocade since I am receiving the same error below. AAA has been implemented on all the other devices (Cisco, Raritan, Dell, etc.) in our infrastructure, with the exception of the Brocade switches. So far, I have sent screenshots, links to posts, and file dumps from the switch. So far I have not received much help. In the event this is resolved, I will update this post accordingly.

--UPDATE (Resolved)

The solution for this has been found! In order for this to work correctly, an attribute specifying the role must be sent as an attribute in the RADIUS packet. This was discovered in the Admin Guide FOSv520_AdminGuide on page 91 (attached). Good luck everyone!

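An added example (not code from this thread, Brocade or Cisco) tying together FM's explanation of the attribute 26 format and the resolution above: it encodes and decodes RFC 2865 Vendor-Specific attributes and shows why an Access-Accept carrying only a cisco-avpair leaves a Brocade switch at its default role. The Brocade vendor ID 1588 and the Brocade-Auth-Role vendor type 1 are assumptions taken from the FreeRADIUS dictionary.brocade, not from this thread; check them against the RADIUS section of your FOS Admin Guide before relying on them.

```python
import struct

ATTR_VSA = 26          # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9       # Cisco vendor ID, vendor type 1 = cisco-avpair (both from the thread)
CISCO_AVPAIR = 1
VENDOR_BROCADE = 1588  # assumption: Brocade vendor ID as listed in FreeRADIUS dictionary.brocade
BROCADE_AUTH_ROLE = 1  # assumption: Brocade-Auth-Role vendor type, string value such as "admin"

def encode_vsa(vendor_id, vendor_type, value):
    """Build one attribute 26: Type, Length, Vendor-Id(4), Vendor-Type, Vendor-Length, String."""
    data = value.encode()
    body = struct.pack("!IBB", vendor_id, vendor_type, len(data) + 2) + data
    if len(body) + 2 > 255:
        raise ValueError("VSA value too long for a single attribute")
    return struct.pack("!BB", ATTR_VSA, len(body) + 2) + body

def decode_vsas(blob):
    """Walk a RADIUS attribute list; return [(vendor_id, vendor_type, value_str)] for every VSA."""
    vsas, pos = [], 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed attribute at offset %d" % pos)
        if atype == ATTR_VSA:
            payload = blob[pos + 2:pos + alen]
            if len(payload) < 6:
                raise ValueError("VSA too short for Vendor-Id plus one sub-attribute")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            sub = 4  # one Vendor-Id may carry several Vendor-Type/Length/Value triples
            while sub < len(payload):
                vtype, vlen = payload[sub], payload[sub + 1]
                if vlen < 2 or sub + vlen > len(payload):
                    raise ValueError("malformed sub-attribute in VSA")
                vsas.append((vendor_id, vtype, payload[sub + 2:sub + vlen].decode()))
                sub += vlen
        pos += alen
    return vsas

def brocade_role(vsas):
    """Role a Brocade FOS switch would read from an Access-Accept, or None for the default role."""
    for vendor_id, vtype, value in vsas:
        if vendor_id == VENDOR_BROCADE and vtype == BROCADE_AUTH_ROLE:
            return value
    return None

# Constructed sample Access-Accept attribute lists (not captured from the thread's ACS servers).
# CISCO_ONLY reproduces the situation in the thread: the cisco-avpair is present but no role
# attribute the Brocade switch understands, so it falls back to "Switch role not specified".
CISCO_ONLY = encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, 'shell:roles="network-admin"')
WITH_BROCADE = CISCO_ONLY + encode_vsa(VENDOR_BROCADE, BROCADE_AUTH_ROLE, "admin")
```

brocade_role(decode_vsas(CISCO_ONLY)) returns None, while brocade_role(decode_vsas(WITH_BROCADE)) returns "admin"; the same decoder can be pointed at a captured Access-Accept to confirm what ACS actually sends.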

New Contributor
Posts: 3
Registered: ‎04-19-2012

Re: CISCO ACS Radius Setup

Does anyone know how to configure AAA on a Brocade 300 with Cisco ACS 5.26?

ACS 5.26

Fabric OS: 6.2.0d

New Contributor
Posts: 3
Registered: ‎04-19-2012

Re: CISCO ACS Radius Setup

Hi folks,

I'd appreciate any help regarding RADIUS VSA configuration on Cisco ACS 5.26. I can't figure out how to get admin access via RADIUS. I'd like to know if anyone has managed to get a new ACS working with a Brocade 300?

Thanks
