Ethernet Fabric (VDX, CNA)

New Contributor
Posts: 4
Registered: 09-28-2011

TACACS+ authentication on VDX 6720

I have configured our VDX 6720 switch to authenticate users via our TACACS+ server.

How can I give TACACS+ authenticated users admin privileges on the VDX?

It seems that neither "priv-lvl = 15" nor "brocade-priv-lvl = 0" av-pairs on the TACACS+ server will work for giving those users admin privileges.

Is there a way to set the default role to admin?

"User's role is unavailable, using default."

There does not seem to be any way on the TACACS+ server (tac_plus version F4.0.4.19) to specify a "role" av-pair, which is what the VDX seems to expect.

Super Contributor
Posts: 1,087
Registered: 12-13-2009

Re: TACACS+ authentication on VDX 6720

Hi Chris,

Looks like the priv-level has been replaced by "Role-based access control". The default ones are below. You can create your own roles if you wish.

Then still have the account auth via RADIUS/TACACS+.

Default roles

Attributes of default roles cannot be modified; however, the default roles can be assigned to non-default user accounts. The following roles are default roles:

The admin role has the highest privileges. All CLIs are accessible to the user associated with the admin role.

The user role has limited privileges that are mostly restricted to show commands in the Privileged EXEC mode. User accounts associated with the user role cannot access configuration CLIs that are in the Global Configuration mode. The exit command and the no command are also available to the user role.

Check out Network OS - Administrator’s Guide Chapter 8 for more information on this.

Thanks

Michael.

New Contributor
Posts: 4
Registered: 09-28-2011

Re: TACACS+ authentication on VDX 6720

I'm fully aware of the new role based access control, however there is currently no way to assign TACACS+ users a default role.

I'd like to have all TACACS+ users have the "admin" role. That does not work. Now, they are defaulted to "user" (since no role could be associated with the TACACS+ users).

N/A
Posts: 3
Registered: 11-21-2011

Re: TACACS+ authentication on VDX 6720

Hello Chris,

Were you able to assign the Admin role to the tacacs+ users? I'm currently having the same issue.

Regards,

WH

Occasional Contributor
Posts: 5
Registered: 11-23-2010

Re: TACACS+ authentication on VDX 6720

Have you tried the attribute brcd-role = "admin"? For example (this is for FreeRADIUS):

group = admin {
    service = exec {
        idletime = 5
        brcd-role = "admin"
    }
}

user = admin1 {
    name = "X is a user"
    chap = cleartext "password123"
    member = admin
}


If you want Cisco TACACS configs, the configs are as follows:

user = test1 {
    login = cleartext password
    chap = cleartext "password123"
    pap = cleartext "password123"
    member = admin
}

group = admin {
    default service = permit
    login = file passwords.db

    service = exec {
        optional brcd-role = admin
        priv-lvl = 15
    }
}

In the above config it will authenticate a Brocade device and a Cisco device and give them admin roles. If you are not using a Cisco device you can just stick to brcd-role = "admin" for VDX switches.

I hope this solves your problem and do let me know.

Thanks,

Nandini
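As an added check (example code written for this thread, not Brocade's or tac_plus's own tooling), the script below parses tac_plus-style group stanzas laid out like the ones above, flags unbalanced braces, and reports which brcd-role each group will hand back to the VDX, so a group that only sets priv-lvl shows up as landing in the switch's default role. It assumes the line-oriented layout shown in the thread; the embedded config fragment is constructed.

```python
# Constructed tac_plus-style fragment (hypothetical): 'admin' returns brcd-role, 'netops' only priv-lvl.
SAMPLE_CONF = """
group = admin {
    service = exec {
        optional brcd-role = "admin"
    }
}
group = netops {
    service = exec {
        priv-lvl = 15
    }
}
"""

def parse_blocks(lines):
    """Parse line-oriented 'name = value {' stanzas into nested dicts; raise on unbalanced braces."""
    stack = [{"attrs": {}, "blocks": {}}]
    for raw in lines:
        line = raw.split("#", 1)[0].strip()          # drop comments; blank lines match no branch
        if line == "}":
            stack.pop()
            if not stack:
                raise ValueError("unexpected '}'")
        elif line.endswith("{"):                      # stanza header, e.g. "service = exec {"
            stack.append(stack[-1]["blocks"].setdefault(line[:-1].strip(), {"attrs": {}, "blocks": {}}))
        elif "=" in line:                             # attribute, e.g. "optional brcd-role = admin"
            key, _, value = (s.strip().strip('"') for s in line.partition("="))
            stack[-1]["attrs"][key.split()[-1]] = value   # last word, so 'optional brcd-role' keys as brcd-role
    if len(stack) != 1:
        raise ValueError("%d stanza(s) never closed" % (len(stack) - 1))
    return stack[0]

def is_balanced(conf_text):
    """True when every '{' has a matching '}' (the snippets as posted in this thread do not)."""
    try:
        parse_blocks(conf_text.splitlines())
        return True
    except ValueError:
        return False

def group_roles(conf_text):
    """Map each group to the brcd-role its exec service returns; no brcd-role means the VDX default."""
    roles = {}
    for head, node in parse_blocks(conf_text.splitlines())["blocks"].items():
        kind, _, name = (s.strip() for s in head.partition("="))
        if kind == "group":
            exec_attrs = node["blocks"].get("service = exec", {"attrs": {}})["attrs"]
            roles[name] = exec_attrs.get("brcd-role", "user (VDX default: no brcd-role)")
    return roles
```

Run group_roles over your real tac_plus.conf before pushing it: any group reported as the VDX default will log "User's role is unavailable, using default" at login, regardless of its priv-lvl.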
