11-30-2011 04:18 AM
Dear support of Brocade,
I have a question about the working of RADIUS (Win2k8) in combination with the FastIron WS 648G switch (we use firmware version 07.2.00).
We have RADIUS working on the switch, but we can’t find a way to give users privileges.
This is bad because we don’t want all our staff to have the opportunity to log on to the switch and configure things.
There are 3 valid privileges (Brocade privilege levels 0, 4, 5); we try to use them in the Vendor-Specific Attributes (attribute number 26 on RADIUS).
We even tried "User / Admin" (as seen in the screenshots) and other properties, but none of them seem to work. The vendor code that we used is 1588.
We used Wireshark to see what information was sent to the switch. This is possible because we use PAP instead of CHAP.
The vendor code seems to be correct, but all other attributes were unknown.
Our question is: where is our problem? Is it on the switch side or the Windows 2k8 server side?
If it is the switch side, what are we doing wrong? We are aware of your great FastIron Config Guide and it helps us a lot,
but we couldn’t find the answer in there.
My apologies if I forgot to post some relevant information.
12-07-2011 04:35 AM
Your vendor code looks to be incorrect.
During the RADIUS authentication process, if a user supplies a valid username and password, the
RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user.
Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:
- The privilege level of the user
- A list of commands
- Whether the user is allowed or denied usage of the commands in the list
You must add these three Brocade vendor-specific attributes to your RADIUS server configuration, and configure the attributes in the individual or group profiles of the users that will access the
Brocade Vendor-ID is 1991, with Vendor-Type 1. The following table describes the Brocade vendor-specific attributes.
Brocade vendor-specific attributes for RADIUS
Attribute name: foundry-privilege-level
Attribute ID: 1
Data type: integer
Description: Specifies the privilege level for the user. This attribute can be set to one of the following:
- 0 - Super User level – Allows complete read-and-write access to the system. This is generally for system administrators and is the only management privilege level that allows you to configure passwords.
- 4 - Port Configuration level – Allows read-and-write access for specific ports but not for global (system-wide) parameters.
- 5 - Read Only level – Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but only with read access.
12-08-2011 12:16 AM
Hi Mr Mschipp,
First of all, thanks for the fast reply to our question. I changed the vendor code to the correct number you described.
I also added more attribute information, as seen in the screenshots. What I am trying to do here is to create a read-only account with no access to the show and debug ip commands. Because I need to send the information over the Access-Accept packet with the Brocade vendor-specific attributes, I used the following:
- Set the privilege level of the user to "5"
- The list of commands "show *,debug ip *"
- And whether the user is allowed or denied the usage of the commands: "1"
- We enabled Framed protocol with "PPP" and set Service type to "Framed"
My question is: what am I doing wrong? The authentication works perfectly, but I still have Administrator privileges when we log into the Brocade switch. As an example, the commands show and debug are still usable, even when I put them into the VSA on the RADIUS server.
12-08-2011 01:11 AM
Vendor assigned attribute number 1 (this is correct)
Attribute format needs to be integer and not string
Value of 5 is correct
Attribute 2 needs to be a string (I think you have that correct); however, I think you need a space after the ';', e.g. show *; debug ip *
You are missing attribute 3 which needs to be an integer with a value of 1 to deny commands in attribute 2
You are getting closer.
12-08-2011 01:37 AM
Thanks for your time, we appreciate it a lot!
We changed it to decimal because that's the closest option. We did this because we can't select the option Integer (see screen "Decimal").
Suppose Decimal == Integer?
We configured the 3rd attribute to 1 and changed the space between show and debug.
Unfortunately it still doesn't work.
I also included the switch configuration; maybe there is something wrong here?
We are looking forward to your reply.
12-08-2011 01:54 AM
I think your AAA authentication login command needs to be the below
Brocade(config)#aaa authentication login default radius local
Please give this a try.
12-08-2011 02:14 AM
OK, I think I might have found the problem.
You need to enter
Brocade(config)#aaa authorization exec default radius
Configuring exec authorization
When RADIUS exec authorization is performed, the Brocade device consults a RADIUS server to
determine the privilege level of the authenticated user. To configure RADIUS exec authorization on
the Brocade device, enter the following command.
Brocade(config)#aaa authorization exec default radius
Syntax: aaa authorization exec default radius | none
If you specify none, or omit the aaa authorization exec command from the device configuration, no
exec authorization is performed.
If the aaa authorization exec default radius command exists in the configuration, following
successful authentication the device assigns the user the privilege level specified by the
foundry-privilege-level attribute received from the RADIUS server. If the aaa authorization exec
default radius command does not exist in the configuration, then the value in the
foundry-privilege-level attribute is ignored, and the user is granted Super User access.
Also note that in order for the aaa authorization exec default radius command to work, either the
aaa authentication enable default radius command, or the aaa authentication login privilege-mode
command must also exist in the configuration.
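The attribute layout described in the replies above (Vendor-Id 1991 inside RADIUS attribute 26, sub-attribute 1 as a 4-byte integer, 2 as a string, 3 as an integer) and the quoted rule that the privilege level is ignored without aaa authorization exec default radius can be checked offline with the following script. It is an added example, not code from the thread, Brocade or the FastIron guide: it encodes the three VSAs as an Access-Accept would carry them, decodes them the way a switch would read them, and reproduces the two misconfigurations discussed here (the wrong Vendor-Id 1588 and a privilege level sent as a string) so you can see why Wireshark showed the attributes as unknown. The constant names for sub-attributes 2 and 3, the sample command list, and the behaviour when no valid level arrives are my own assumptions.

```python
import struct

# RFC 2865: attribute type 26 carries a Vendor-Id followed by vendor sub-attributes.
RADIUS_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1991          # from the reply above; 1588 is what the original poster tried

# Brocade sub-attribute numbers from the thread. The constant names for 2 and 3 are my
# own labels; the thread identifies them only by number.
SUB_PRIVILEGE_LEVEL = 1           # integer: 0 super user, 4 port config, 5 read only
SUB_COMMAND_LIST = 2              # string, e.g. "show *; debug ip *"
SUB_COMMAND_EXCEPTION_FLAG = 3    # integer: 1 = deny the listed commands

INTEGER_SUBS = {SUB_PRIVILEGE_LEVEL, SUB_COMMAND_EXCEPTION_FLAG}


def vsa(vendor_id, sub_type, value):
    """Encode one Vendor-Specific attribute: Type, Length, Vendor-Id, Vendor type, Vendor length, value."""
    body = struct.pack("!I", vendor_id) + bytes([sub_type, 2 + len(value)]) + value
    if 2 + len(body) > 255:
        raise ValueError("attribute value too long for one VSA")
    return bytes([RADIUS_VENDOR_SPECIFIC, 2 + len(body)]) + body


def brocade_accept_attrs(priv_level, commands, deny, vendor_id=BROCADE_VENDOR_ID,
                         level_as_string=False):
    """Build the three Brocade VSAs an Access-Accept should carry.

    vendor_id and level_as_string exist so the two mistakes discussed in the thread
    (wrong Vendor-Id, privilege level sent as a string) can be reproduced and inspected.
    """
    if level_as_string:
        level = str(priv_level).encode()              # "5" -> 0x35, one byte
    else:
        level = struct.pack("!I", priv_level)         # 5 -> 00 00 00 05, four bytes
    return (vsa(vendor_id, SUB_PRIVILEGE_LEVEL, level)
            + vsa(vendor_id, SUB_COMMAND_LIST, commands.encode())
            + vsa(vendor_id, SUB_COMMAND_EXCEPTION_FLAG, struct.pack("!I", 1 if deny else 0)))


def parse_attrs(data):
    """Walk a RADIUS attribute list and decode each VSA the way a Brocade switch would read it."""
    entries, pos = [], 0
    while pos < len(data):
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        payload = data[pos + 2:pos + a_len]
        pos += a_len
        if a_type != RADIUS_VENDOR_SPECIFIC:
            entries.append({"type": a_type, "note": "not a vendor-specific attribute"})
            continue
        vendor_id = struct.unpack("!I", payload[:4])[0]
        sub_type, sub_len = payload[4], payload[5]
        if sub_len < 2 or 4 + sub_len > len(payload):
            raise ValueError("malformed vendor sub-attribute")
        value = payload[6:4 + sub_len]
        entry = {"vendor_id": vendor_id, "sub_type": sub_type, "raw": value}
        if vendor_id != BROCADE_VENDOR_ID:
            entry["note"] = "unknown vendor %d, ignored by the switch" % vendor_id
        elif sub_type in INTEGER_SUBS:
            if len(value) == 4:
                entry["value"] = struct.unpack("!I", value)[0]
            else:
                entry["note"] = "integer attribute with %d-byte value (sent as a string?)" % len(value)
        elif sub_type == SUB_COMMAND_LIST:
            entry["value"] = value.decode("ascii", "replace")
        else:
            entry["note"] = "unknown Brocade sub-attribute %d" % sub_type
        entries.append(entry)
    return entries


def effective_privilege(entries, exec_authorization):
    """Model the rule quoted from the guide: without 'aaa authorization exec default radius'
    the foundry-privilege-level attribute is ignored and the user gets Super User (0).
    Returns None when exec authorization is on but no valid level arrived; the guide text
    quoted above does not say what happens then, so that part is an assumption."""
    if not exec_authorization:
        return 0
    for e in entries:
        if (e.get("vendor_id") == BROCADE_VENDOR_ID
                and e.get("sub_type") == SUB_PRIVILEGE_LEVEL and "value" in e):
            return e["value"]
    return None


if __name__ == "__main__":
    # Constructed sample: read-only user, denied "show *; debug ip *"
    good = brocade_accept_attrs(5, "show *; debug ip *", deny=True)
    for e in parse_attrs(good):
        print(e)
    print("with exec authorization:", effective_privilege(parse_attrs(good), True))
    print("without exec authorization:", effective_privilege(parse_attrs(good), False))
    for e in parse_attrs(brocade_accept_attrs(5, "show *", True, vendor_id=1588)):
        print(e["note"])
    print(parse_attrs(brocade_accept_attrs(5, "show *", True, level_as_string=True))[0]["note"])
```

Run it and compare the decoded entries with what Wireshark shows for the real Access-Accept: a Vendor-Id other than 1991, or a 1-byte value on sub-attribute 1 or 3, means the server-side attribute definition is wrong; a correct decode combined with Super User access on the switch points at the missing aaa authorization exec line instead.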
12-08-2011 02:24 AM
We tried that without any results; after that we turned the privilege-mode on and off to see if that made any difference, without success.
As you can see in the screen we still have administrator access.
I notice that we don't have any Authorization options enabled in the switch. If I am correct, the RADIUS server is sending the authentication (username etc.) and authorization information (VSA) within the Access-Accept package, right? And therefore it is not needed in the switch?
We are going to try your new answer first.
12-08-2011 02:37 AM
Thanks for your great support, it seems to work now. The only thing that doesn't work perfectly is the blocking of specific commands, like *show users*.
But that's a minor problem; the major problem has been fixed! So we can give users admin and read-only rights through RADIUS.
We will post the results of our testing here soon, about the blocking of specific commands, for the people that have the same problem.
Yet again, thanks a lot for helping us out!