Re: CISCO ACS Radius Setup

New Contributor
Posts: 3
Registered: 06-22-2012

Re: CISCO ACS Radius Setup

Hi dbzhaniya,

I am trying to do the same on ACS 5.3, with a Brocade 5100.

SSH connection results in:

<BEGIN>

Your account is disabled; please contact your system administrator

Switch role not specified, use default.

<END>

In the ACS logs, authentication is OK and the correct attributes are sent to the Brocade. So I am focusing on the Brocade box.

I see in your RADIUS.pdf that you declare the user on the Brocade; is it mandatory?

It seems your local Brocade users are bound to an LDAP server; please explain.

Thanks & regards

Super Contributor
Posts: 635
Registered: 04-12-2010

Re: CISCO ACS Radius Setup

Hi,

It is not mandatory to create a local switch user. I assume that you do not provide the chassis role for your user and that you have a VF-enabled switch.

Have a look and check if you have these VSA attributes configured:

Brocade-AVPairs1 = "HomeLF=70"

Brocade-AVPairs2 = "LFRoleList=admin:2,4-8,70,80,128"

Brocade-AVPairs3 = "ChassisRole=switchadmin"

Adjust these definitions to your needs, depending on your configuration.

See steps 2 and 3 in the PDF.

You need these attributes if VF is enabled.

The tips above work with MS ISA RADIUS, but I assume that this will work with Cisco as well.

Regards,

Andreas

New Contributor
Posts: 3
Registered: 06-22-2012

Re: CISCO ACS Radius Setup

Thank you Andreas for your response,

I finally succeeded. I had two issues:

The first one is that I had changed a default value in the Cisco ACS setup relating to the Brocade VSA: the parameter "Vendor Type Field Size" has to be "1" (the default); mine was "2".

The second one is the attribute type. It has to be "string"; I tried "Enumeration", which would have let me choose the Brocade role by selecting it from a list, but that is not OK.

So I have a setup with Cisco ACS 5.3 working with FOS v6.4.1b:

- without declaring any local user on the Brocade 5100

- with CHAP configured (provided you selected this protocol on the ACS interface)

- with only Brocade VSA attribute #1 (Brocade role), as I do not need the 3 AV-Pairs Andreas mentioned or the two other AV-pairs about password expiration.

Cheers

Michael
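To make the "Vendor Type Field Size" finding above concrete, here is an added Python example (not from the thread, nor Brocade's or Cisco's code) that builds a RADIUS Vendor-Specific attribute carrying the role and the AVPairs Andreas listed, then decodes it the way an RFC 2865 consumer such as the switch does, with a 1-octet vendor type and a 1-octet vendor length. Brocade's vendor ID 1588 and the sub-attribute numbers (1 = role, 2 to 4 = AVPairs1 to 3) are taken from the FreeRADIUS dictionary.brocade and are assumptions here; encoding with a 2-octet vendor type field shows why the switch cannot read the attributes.

```python
import struct

# Assumptions, not from the thread: Brocade's IANA enterprise number and the
# sub-attribute numbers as listed in the FreeRADIUS dictionary.brocade file.
BROCADE_VENDOR_ID = 1588
BROCADE_AUTH_ROLE, BROCADE_AVPAIRS1, BROCADE_AVPAIRS2, BROCADE_AVPAIRS3 = 1, 2, 3, 4
VENDOR_SPECIFIC = 26  # RFC 2865 attribute type


def encode_vsa(vendor_id, subattrs, vendor_type_size=1):
    """Build one Vendor-Specific attribute from {vendor_type: string} pairs.

    vendor_type_size mirrors the ACS "Vendor Type Field Size" setting. RFC 2865
    (and FOS) expect a 1-octet vendor type, then a 1-octet vendor length that
    counts type, length and value; size 2 yields bytes the switch misreads.
    """
    body = b""
    for vtype, value in subattrs.items():
        data = value.encode("ascii")
        vlen = vendor_type_size + 1 + len(data)
        body += vtype.to_bytes(vendor_type_size, "big") + bytes([vlen]) + data
    payload = struct.pack("!I", vendor_id) + body
    return bytes([VENDOR_SPECIFIC, 2 + len(payload)]) + payload


def decode_vsa(attr):
    """Parse attribute 26 the RFC 2865 way; raises ValueError on bad layout."""
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    subattrs, pos = {}, 6
    while pos < len(attr):
        if pos + 2 > len(attr):
            raise ValueError(f"truncated sub-attribute header at offset {pos}")
        vtype, vlen = attr[pos], attr[pos + 1]
        if vlen < 3 or pos + vlen > len(attr):
            raise ValueError(f"malformed sub-attribute at offset {pos}")
        subattrs[vtype] = attr[pos + 2:pos + vlen].decode("ascii")
        pos += vlen
    return vendor_id, subattrs


def decodes_cleanly(attr):
    """True when the attribute parses under the 1-octet layout, else False."""
    try:
        decode_vsa(attr)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: the role plus the three AVPairs from Andreas' reply.
    sample = {BROCADE_AUTH_ROLE: "admin", BROCADE_AVPAIRS1: "HomeLF=70",
              BROCADE_AVPAIRS2: "LFRoleList=admin:2,4-8,70,80,128",
              BROCADE_AVPAIRS3: "ChassisRole=switchadmin"}
    print(decode_vsa(encode_vsa(BROCADE_VENDOR_ID, sample)))
    print(decodes_cleanly(encode_vsa(BROCADE_VENDOR_ID, sample, vendor_type_size=2)))
```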
