Fibre Channel (SAN)

New Contributor
Posts: 2
Registered: ‎06-22-2011

AAA with RSA RADIUS

I have a problem while trying to set up AAA with RSA RADIUS authentication. The switches in question are Brocade 4Gb blade switches running FOS 6.2.2.

The switch configuration seems to be correct:

aaaconfig --add (ip) -conf radius -p 1645 -s (pw) -a pap

aaaconfig --authspec "radius;local"

and the switch authenticates, but the problem is that the RADIUS server does not pass the role of the user to the switch.

The RADIUS server is set up as instructed in the user manual:

@radius.dct
MACRO Brocade-VSA(t,s) 26
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
ATTRIBUTE Brocade-Passwd-ExpiryDate Brocade-VSA(6,string) r
ATTRIBUTE Brocade-Passwd-WarnPeriod Brocade-VSA(7,integer) r

and on the return attributes tab the Brocade-Auth-Role is set to admin.

But when I try to log in to the switch I get an error message:

"profile not defined" and the user role is defaulted to "User". I have tried the suggestions found on the forums, but without result so far.

If anyone has had the same problem and has found a fix or a workaround, I am open to suggestions.

Also, I have tried adding the additional VSAs required for VF or ADs, but ended up with the same result.

Mikk

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: AAA with RSA RADIUS

Hi,

I run the RADIUS implementation from MS.

In my environment it was important that the attribute number matches what Brocade has defined.

Please check the following thread:

http://community.brocade.com/message/17835

The default RADIUS ports are 1812 and 1813.

Not sure if RSA uses other ports.

I hope this helps,

Andreas

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: AAA with RSA RADIUS

Hello Mikk,

I had a quick look into the FOS 6.4 and FOS 6.3 admin guides and saw that the MACRO is defined in a different way.

Did you try these settings without any success?

Andreas

New Contributor
Posts: 2
Registered: ‎06-22-2011

Re: AAA with RSA RADIUS

Thank you for the answers.

I tried the proposed ideas, but without a result.

Mikk

Super Contributor
Posts: 635
Registered: ‎04-12-2010

Re: AAA with RSA RADIUS

Did you ever try to use switchadmin as Chassis role?

I had a little play with a new switch and VF enabled.

My findings are that this order and these attribute numbers are important for the IAS RADIUS implementation.

Attribute-Name       Attribute number   Assigned value
Brocade-Auth-Role    1                  "admin"
Brocade-AVPairs1     2                  "HomeLF=128"
Brocade-AVPairs2     3                  "LFRoleList=admin:1-128"
Brocade-AVPairs3     4                  "ChassisRole=admin"

With these definitions you should get Chassis Role Admin permissions.

In one document I read that if the switch gets the first unexpected attribute value, it stops any further reading and grants the access at this stage. My assumption is that the switch gets the wrong order, with a wrong association between attribute number, attribute name and value.

I hope this helps you out.

Andreas
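
One way to check what the RADIUS server really returns, as an added example that is not part of the thread or of Brocade's documentation: it decodes the Vendor-Specific (type 26) attributes of an Access-Accept and lists the Brocade sub-attribute numbers and values in the order they arrive, for comparison with the table above. Assumptions: Brocade's vendor ID is 1588 (its IANA enterprise number, not stated in the thread), the input is the attribute bytes after the 20-byte RADIUS header, and the function names and both sample replies are constructed for illustration.

```python
import struct

BROCADE_VENDOR_ID = 1588  # assumption: Brocade's IANA enterprise number
VENDOR_SPECIFIC = 26      # RADIUS attribute type named in the MACRO line
# Sub-attribute numbers and names as listed in the last reply of the thread
EXPECTED = {1: "Brocade-Auth-Role", 2: "Brocade-AVPairs1",
            3: "Brocade-AVPairs2", 4: "Brocade-AVPairs3"}

def encode_vsa(vendor_id, sub_type, value):
    """Build one Vendor-Specific attribute (RFC 2865, section 5.26)."""
    data = value.encode()
    body = struct.pack("!IBB", vendor_id, sub_type, len(data) + 2) + data
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body

def parse_brocade_vsas(attrs):
    """Return [(sub_type, value)] for Brocade VSAs, in the order received."""
    found, i = [], 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length at offset %d" % i)
        body, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VENDOR_SPECIFIC or len(body) < 4:
            continue  # not a VSA (e.g. Reply-Message)
        if struct.unpack("!I", body[:4])[0] != BROCADE_VENDOR_ID:
            continue  # VSA of another vendor
        j = 4
        while j + 2 <= len(body):
            s_type, s_len = body[j], body[j + 1]
            if s_len < 2 or j + s_len > len(body):
                raise ValueError("bad sub-attribute length in VSA")
            found.append((s_type, body[j + 2:j + s_len].decode("ascii", "replace")))
            j += s_len
    return found

def check(found):
    """List mismatches against the attribute numbers in EXPECTED."""
    problems = ["unexpected sub-attribute %d" % n for n, _ in found if n not in EXPECTED]
    if not any(n == 1 for n, _ in found):
        problems.append("Brocade-Auth-Role (1) not returned")
    return problems

# Constructed replies: one numbered as in the table, one with the role under number 9
VALUES = ["admin", "HomeLF=128", "LFRoleList=admin:1-128", "ChassisRole=admin"]
SAMPLE_GOOD = bytes([18, 4]) + b"ok" + b"".join(
    encode_vsa(BROCADE_VENDOR_ID, n, v) for n, v in enumerate(VALUES, start=1))
SAMPLE_BAD = encode_vsa(BROCADE_VENDOR_ID, 9, "admin")

if __name__ == "__main__":
    for name, blob in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, parse_brocade_vsas(blob), check(parse_brocade_vsas(blob)))
```
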
