Fibre Channel (SAN)

Occasional Contributor
Posts: 19
Registered: ‎04-13-2010

resetting RADIUS config

Hi all,

I was just trying to configure RADIUS authentication on a 5100 with FOS v6.4.0b. First I configured a win2008 server with the NPS role. Then I configured aaaConfig on the switch. After the command aaaconfig --authspec radius;locate -backup - I can no longer connect to the switch. Neither with serial console, HTTP - nothing. Passwords were not changed.

How can I reset this configuration to default?

Gunter

Occasional Contributor
Posts: 19
Registered: ‎04-13-2010

Re: resetting RADIUS config

The command was aaaconfig --authspec radius;local -backup - not locate - sorry.

Gunter

External Moderator
Posts: 4,788
Registered: ‎02-23-2004

Re: resetting RADIUS config

RADIUS is wrongly configured.

Workaround:

Disconnect the LAN cable and wait for 15-20 minutes; without a LAN connection the RADIUS gets offline. Connect through the serial port as admin and delete the RADIUS parameters or set them correctly. For details refer to the Command Reference Manuals.

TechHelp24
Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: resetting RADIUS config

Hi,

Is your Windows server running the RADIUS service?

If so, just stop all RADIUS services before you log in. Try to log in with a local switch account.

This will take some seconds longer to validate your local user, depending on your configured timeout values and number of RADIUS servers.

But you should be able to log in without the pain of going directly to the switch.

It is important that the switch can not reach all of the RADIUS servers.

I hope this helps,

Andreas

Occasional Contributor
Posts: 19
Registered: ‎04-13-2010

Re: resetting RADIUS config

Hi,

I have done so - and now I can log in again.

Thank you very much.

Any tips for RADIUS configuration?

Regards,

Gunter

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: resetting RADIUS config

Do it correctly, then it will work :-)

Ask your questions, I will try to assist.

Take care about the VSAs, which are very important; otherwise you will not get the correct user rights.

Post your FOS version and whether you have VF enabled or not. Did you need specific access rights (RBAC) for different users?

Andreas

Occasional Contributor
Posts: 19
Registered: ‎04-13-2010

Re: resetting RADIUS config

Hi Andreas,

before I can progress in testing the RADIUS config - I have another problem. VF was enabled on the switch. I think there was a FID 128 as default switch and a logical switch with FID 30. This is the FID where I am logged in. Currently:

FCSW3-LOC1:FID30:admin> fosexec --fid 128 -cmd "switchshow"
0 VF ID is deleted

I can't access this default switch.

FCSW3-LOC1:FID30:admin> fosconfig --show
FC Routing service:             enabled
iSCSI service:                  Service not supported on this Platform
iSNS client service:            Service not supported on this Platform
Virtual Fabric:                 enabled
Ethernet Switch Service:        Service not supported on this Platform

On the switch I am currently logged in to, I can do nothing - always failed -1

FCSW3-LOC1:FID30:admin> switchshow
switchshow: fabosInit failed with -1

Do you know what I have to do so that the switch works in default mode - factory defaults?

Regards,

Gunter

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: resetting RADIUS config

Hi Gunter,

first question: did you configure aaaconfig --authspec "RADIUS;local" -backup?

If so, stop your RADIUS server and log in as local admin to check if the logical switches are accessible.

Second, please post which VSA attributes you have configured. I assume that you provide the wrong information and that you currently do not have the chassis and VF rights.

Andreas

Occasional Contributor
Posts: 19
Registered: ‎04-13-2010

Re: resetting RADIUS config

Hi Andreas,

first - now I have a clean switch.

I configured aaaconfig --authspec radius;local -backup .

OK, but only RADIUS as primary database, secondary NONE - why? This is one problem. The other - yes - is the correct configuration of the win server2008 NPS role, policies.

RADIUS client - server IP and shared secret, Advanced --> RADIUS client is NAP-capable - correct?

Policy - Connection Request Policies --> Secure Wired (Ethernet) Connections --> Overview --> network connection method --> vendor specific 26 (?)

    Network Policies --> Windows Group --> Settings --> RADIUS Attributes --> vendor specific --> ADD (and now the correct settings?)

        --> custom --> Vendor Specific --> ADD

Vendor-Specific Attribute Information --> Enter Vendor Code (?) .... and so on.

Fabric OS Administrator’s Guide --> Table 16: all the info is there, I think, but not a good example of how to do this in NPS.

Do you have an example?

Regards,

Gunter

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: resetting RADIUS config

You should configure two RADIUS servers and the local database as backup. A single RADIUS server will work as well. Having aaaconfig --authspec "RADIUS;local" -backup ensures that you have a fallback in case of RADIUS issues.

Can you explain what NPS is? I have Windows 2003 and IAS, which is the RADIUS implementation from Microsoft.

I have set Client-Vendor as "Radius Standard" and it works with IAS in a perfect way.

You need a vendor-specific attribute and have to provide the vendor code of 1588 (OUI of Brocade).

In case of VF you need to customize the attribute LFRoleList.

If I remember it correctly, the order was important and maybe the attributes are case sensitive. Here is a picture which has worked fine for years. If you create the attribute values you have to define a vendor-assigned attribute number. It is very important to have the correct number. Otherwise you have no success and get the wrong rights. These values are in table 16 on page 102 of the FOS Admin Guide, version 6.4.

hcs_100.png
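
Added example, not part of the thread and not Brocade's or Microsoft's code: Python that encodes and decodes the RFC 2865 Vendor-Specific attribute (type 26) the last post describes, and checks a captured reply for vendor code 1588, the vendor-assigned attribute number, and a value that differs only by case. `ATTR_NO` and the value `Admin` are constructed placeholders; the real number comes from the Admin Guide table the post cites.

```python
import struct

VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for Vendor-Specific
BROCADE_VENDOR_ID = 1588  # vendor code quoted in the thread
ATTR_NO = 1               # PLACEHOLDER: take the real number from the FOS Admin Guide table

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, len(data) + 2) + data
    # Outer header: type, total length, 4-byte vendor id in network byte order.
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def _tlvs(buf):
    """Yield (type, value) pairs from a type/length/value run, rejecting bad lengths."""
    i = 0
    while i < len(buf):
        if i + 2 > len(buf) or buf[i + 1] < 2 or i + buf[i + 1] > len(buf):
            raise ValueError("malformed attribute at offset %d" % i)
        yield buf[i], buf[i + 2:i + buf[i + 1]]
        i += buf[i + 1]

def decode_vsas(attrs):
    """Return (vendor_id, vendor_type, text) for every VSA sub-attribute in attrs."""
    found = []
    for atype, body in _tlvs(attrs):
        if atype != VENDOR_SPECIFIC:
            continue  # skip standard attributes such as Reply-Message
        if len(body) < 4:
            raise ValueError("VSA shorter than its vendor id")
        vendor_id = struct.unpack("!I", body[:4])[0]
        for vtype, val in _tlvs(body[4:]):
            found.append((vendor_id, vtype, val.decode("ascii", "replace")))
    return found

def check_reply(attrs, expected_no, expected_value):
    """List what is wrong with the VSAs in a reply; an empty list means they match."""
    ours = [(t, v) for vid, t, v in decode_vsas(attrs) if vid == BROCADE_VENDOR_ID]
    problems = [] if ours else ["no VSA with vendor code %d" % BROCADE_VENDOR_ID]
    for vtype, val in ours:
        if vtype != expected_no:
            problems.append("attribute number %d, expected %d" % (vtype, expected_no))
        elif val != expected_value:
            note = " (case differs)" if val.lower() == expected_value.lower() else ""
            problems.append("value %r, expected %r%s" % (val, expected_value, note))
    return problems

# Constructed sample: a Reply-Message (type 18) followed by one VSA.
SAMPLE = bytes([18, 4]) + b"ok" + encode_vsa(BROCADE_VENDOR_ID, ATTR_NO, "Admin")
print(check_reply(SAMPLE, ATTR_NO, "admin"))
```

Feed `decode_vsas` the attribute bytes of an Access-Accept captured between the RADIUS server and the switch (everything after the 20-byte RADIUS header) to see what the server really sends.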
