04-29-2016 01:26 AM
Dear Brocade users,
We started a project to make a central authentication platform for all of our management devices. To make it easier to manage and make it more secure.
Now I have created a test setup with OpenLDAP 2.4.41 and FreeRadius 3.0.11. This works well and now is the part to make it compatible with our equipment.
I managed to make the switch authenticate against radius, users that are allowed can login. What we want is that we have two groups a read-only and a admin group.
I found it the best way to send radius attributes to switch with the correct permissions specified. I tried a lot but I'm unable to make it work.
It seems the switch doesn't respond to the attributes. Sadly there is no way to debug it on switch (or I didn't found it).
Hopefully someone with more experience has some advice or have a working example to show me.
Thanks in advance :P
Some information about the switch and Freeradius:
Hardware model: ICX6450-48
Running config (parts):
aaa authentication enable default local
aaa authentication login default local radius
ip address 10.0.3.175 255.255.255.0
no ip dhcp-client enable
ip default-gateway 10.0.3.1
username manager password .....
radius-server host 10.0.3.163 auth-port 1812 acct-port 1646 default
ip access-list standard SSH-TTY-ALLOWEDHOSTS
ip access-list standard TELNET-TTY-ALLOWEDHOSTS
Proof radius is sending the attributes:
(1) Sent Access-Accept Id 38 from 10.0.3.163:1812 to 10.0.3.176:1024 length 0
(1) Service-Type = Administrative-User
(1) Brocade-Auth-Role = "Admin"
(1) Foundry-Privilege-Level = 32768
(1) Foundry-Command-String = "*"
(1) Foundry-Command-Exception-Flag = 0
(1) Brocade-Passwd-ExpiryDate = "04/30/16"
(1) Brocade-Passwd-WarnPeriod = "30"
Some options to that I also tried:
Brocade-Auth-Role = "admin"
Brocade-Auth-Role = "0"
Foundry-Privilege-Level = 0
I tried a lot more but not documented it all.
Both dictionary.foundry and dictionary.brocade are installed on the freeradius server.
If you need more info please let me know!