06-22-2012 02:08 AM
I am trying to do the same on ACS 5.3, with a Brocade 5100.
SSH connection results in:
Your account is disabled; please contact your system administrator
Switch role not specified, use default.
On ACS logs, authentication is OK and correct attributes are sent to Brocade. So I focus on the Brocade box.
I see in your RADIUS.pdf you declare the user on the Brocade; is it mandatory?
It seems your local Brocade users are bound to an LDAP server, please explain.
thanks & regards
06-22-2012 03:32 AM
It is not mandatory to create a local switch user. I assume that you did not provide the chassis role for your user and you have a VF-enabled switch.
Have a look and check if you have these VSA attributes configured:
Brocade-AVPairs1 = "HomeLF=70"
Brocade-AVPairs2 = "LFRoleList=admin:2,4-8,70,80,128"
Brocade-AVPairs3 = "ChassisRole=switchadmin"
Adjust these definitions for your needs depending on your configuration.
See steps 2 and 3 in the PDF.
You need these attributes if VF is enabled.
The tips from above work with MS IAS RADIUS, but I assume that this will work with Cisco as well.
06-22-2012 04:05 AM
Thank you Andreas for your response,
I finally succeeded. I had two issues:
The first one is that I had changed a default value in the Cisco ACS setup, relative to Brocade VSA: The parameter "Vendor Type Field Size" has to be "1" (the default), mine was "2".
The second one is on the Attribute type. It has to be "string", I tried with "Enumeration" which would permit me to choose the Brocade role selecting it in a list, but it is not OK.
So I have a setup with Cisco ACS 5.3 working with FOS v6.4.1b
- without declaring any local user on Brocade 5100
- with CHAP configured (provided you selected this protocol on ACS interface)
- with only VSA Brocade attribute #1 (Brocade role), as I do not need the 3 AV-Pairs Andreas mentioned or the two other AV-pairs about password expiration.
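The "Vendor Type Field Size" problem described above comes down to how the RADIUS Vendor-Specific attribute (RFC 2865, section 5.26) is laid out on the wire. The following is an added example, not code from the thread or from Brocade/Cisco: it encodes a Brocade role VSA with a 1-byte and a 2-byte Vendor-Type field and parses it the way a switch expecting the standard 1-byte layout does. Brocade's enterprise number 1588 and the use of vendor type 1 for the role attribute are assumptions taken from the FreeRADIUS Brocade dictionary.

```python
import struct

BROCADE_VENDOR_ID = 1588   # assumed: Brocade's IANA enterprise number
BROCADE_AUTH_ROLE = 1      # assumed: vendor type of the Brocade role attribute
ATTR_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type for Vendor-Specific

def encode_vsa(vendor_id, vendor_type, value, type_size=1):
    """Build a Vendor-Specific attribute.

    type_size is the width of the Vendor-Type field. 1 is the RFC 2865
    layout (the ACS default); 2 reproduces the non-standard setting that
    broke role assignment in the thread above.
    """
    data = value.encode()
    vendor_len = type_size + 1 + len(data)
    body = vendor_type.to_bytes(type_size, "big") + bytes([vendor_len]) + data
    payload = struct.pack("!I", vendor_id) + body
    return bytes([ATTR_VENDOR_SPECIFIC, 2 + len(payload)]) + payload

def decode_vsa(attr):
    """Parse a VSA assuming the standard 1-byte Vendor-Type field.

    Returns (vendor_id, vendor_type, value). Raises ValueError when the
    lengths do not line up, which is what happens to a 2-byte-type
    encoding: the first type byte is read as the type and the second as
    Vendor-Length, so the length check fails.
    """
    if len(attr) < 8 or attr[0] != ATTR_VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len != len(attr) - 6:
        raise ValueError("Vendor-Length does not match attribute length")
    return vendor_id, vendor_type, attr[8:].decode()

def switch_accepts(attr):
    """True if a 1-byte-type parser recovers a Brocade role from the VSA."""
    try:
        vendor_id, vendor_type, _ = decode_vsa(attr)
    except ValueError:
        return False
    return vendor_id == BROCADE_VENDOR_ID and vendor_type == BROCADE_AUTH_ROLE

if __name__ == "__main__":
    good = encode_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, "admin", type_size=1)
    bad = encode_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, "admin", type_size=2)
    print("type size 1:", good.hex(), switch_accepts(good))
    print("type size 2:", bad.hex(), switch_accepts(bad))
```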