06-22-2011 02:51 AM
I have a problem while trying to set up AAA with RSA RADIUS authentication. The switches in question are Brocade 4Gb blade switches running FOS 6.2.2.
The switch configuration seems to be correct:
aaaconfig --add (ip) -conf radius -p 1645 -s (pw) -a pap
aaaconfig --authspec "radius;local"
and the switch authenticates, but the problem is that the RADIUS server does not pass the role of the user to the switch.
The RADIUS server is set up as instructed in the user manual:
MACRO Brocade-VSA(t,s) 26
ATTRIBUTE Brocade-Auth-Role Brocade-VSA(1,string) r
ATTRIBUTE Brocade-Passwd-ExpiryDate Brocade-VSA(6,string) r
ATTRIBUTE Brocade-Passwd-WarnPeriod Brocade-VSA(7,integer) r
and on the return attributes tab Brocade-Auth-Role is set to admin,
but when I try to log in to the switch I get an error message:
"profile not defined" and the user role is defaulted to "User". I have tried the suggestions found on the forums but without result so far.
If anyone has had the same problem and has found a fix or a workaround, I am open to suggestions.
Also I have tried adding the additional VSAs required for VF or AD, but ended with the same result.
06-22-2011 07:37 AM
I run the RADIUS implementation from MS.
In my environment it was important that the attribute number matches what Brocade has defined.
Please check the following thread:
The default RADIUS ports are 1812 and 1813.
Not sure if RSA uses other ports.
I hope this helps,
06-23-2011 10:18 PM
I have had a quick look at the FOS 6.4 and FOS 6.3 admin guides and have seen that the MACRO has been defined in a different way.
Did you try these settings without any success?
06-30-2011 09:33 AM
Did you ever try to use switchadmin as the Chassis role?
I had a little play with a new switch with VF enabled.
My findings are that this order and these attribute numbers are important for the IAS RADIUS implementation.
Attribute-Name       Attribute number   Assigned value
Brocade-Auth-Role    1                  "admin"
Brocade-AVPairs1     2                  "HomeLF=128"
Brocade-AVPairs2     3                  "LFRoleList=admin:1-128"
Brocade-AVPairs3     4                  "ChassisRole=admin"
With these definitions you should get Chassis Role Admin permissions.
In one document I have read that if the switch gets the first unexpected attribute value it stops any further reading and grants the access at this stage. My assumption is that the switch gets the wrong order, with a wrong association between attribute number, attribute name and value.
I hope this helps you out.
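The dictionary in the first post and the attribute table in the last post both come down to the same thing: which vendor-type number each Brocade VSA is sent under, and in what order. The Python below is an added example, not code from this thread, from RSA or from Brocade. It encodes and decodes those VSAs in the RFC 2865 Vendor-Specific layout (Type 26, Length, Vendor-Id, Vendor-Type, Vendor-Length, data), so a reply from the RADIUS server, whether captured or built here, can be checked against the order the last post recommends before the switch is blamed. It assumes Brocade's vendor ID is 1588 (the thread never states the vendor ID), uses only the vendor-type numbers the thread lists, and `check_order` encodes that poster's recommended layout rather than documented switch behaviour. The two sample replies are constructed.

```python
import hashlib
import hmac
import struct

# RFC 2865 s.5.26: Type 26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | data
ATTR_VENDOR_SPECIFIC = 26
BROCADE_VENDOR_ID = 1588  # assumption: Brocade's IANA enterprise number, not stated in the thread

# Vendor-type numbers exactly as the dictionary in this thread lists them.
BROCADE_VSA = {
    "Brocade-Auth-Role": 1,
    "Brocade-AVPairs1": 2,
    "Brocade-AVPairs2": 3,
    "Brocade-AVPairs3": 4,
    "Brocade-Passwd-ExpiryDate": 6,
    "Brocade-Passwd-WarnPeriod": 7,
}
NAME_BY_TYPE = {t: n for n, t in BROCADE_VSA.items()}

def encode_vsa(vendor_type, value, vendor_id=BROCADE_VENDOR_ID):
    """One Vendor-Specific attribute; ints go as 4-byte big-endian, strings as ASCII."""
    data = struct.pack("!I", value) if isinstance(value, int) else value.encode("ascii")
    if not data:
        raise ValueError("a RADIUS attribute must carry at least one byte of value")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data  # Vendor-Length counts itself
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body

def brocade_attrs(pairs):
    """Encode (name, value) pairs; wire order is exactly the order given."""
    return b"".join(encode_vsa(BROCADE_VSA[name], value) for name, value in pairs)

def decode_vsas(attrs):
    """Walk an attribute list; return [(vendor_id, vendor_type, raw_value)] in wire order."""
    found, i = [], 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            raise ValueError("bad attribute header at offset %d" % i)
        atype, alen = attrs[i], attrs[i + 1]
        value = attrs[i + 2:i + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short for Vendor-Id plus a sub-attribute")
            vendor_id, j = struct.unpack("!I", value[:4])[0], 4
            while j < len(value):
                if j + 2 > len(value) or value[j + 1] < 2 or j + value[j + 1] > len(value):
                    raise ValueError("bad vendor sub-attribute at offset %d" % j)
                found.append((vendor_id, value[j], value[j + 2:j + value[j + 1]]))
                j += value[j + 1]
        i += alen
    return found

def auth_role(attrs):
    """The Brocade-Auth-Role string, or None if the reply carries none."""
    for vid, vtype, raw in decode_vsas(attrs):
        if vid == BROCADE_VENDOR_ID and vtype == BROCADE_VSA["Brocade-Auth-Role"]:
            return raw.decode("ascii")
    return None

def check_order(attrs):
    """Problems against the layout the last post recommends (Brocade-Auth-Role first,
    then AVPairs1..3, vendor types ascending and all known); [] means it matches.
    This encodes that poster's advice, not documented switch behaviour."""
    vsas = [(vt, raw) for vid, vt, raw in decode_vsas(attrs) if vid == BROCADE_VENDOR_ID]
    if not vsas:
        return ["no Brocade VSA in the Access-Accept"]
    problems, types = [], [vt for vt, _ in vsas]
    if types[0] != BROCADE_VSA["Brocade-Auth-Role"]:
        problems.append("first Brocade VSA is vendor type %d, expected Brocade-Auth-Role (1)" % types[0])
    if types != sorted(set(types)):
        problems.append("vendor types are not strictly ascending: %s" % types)
    problems += ["unknown vendor type %d" % vt for vt in types if vt not in NAME_BY_TYPE]
    return problems

def build_access_accept(identifier, request_auth, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", 2, identifier, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_access_accept(packet, request_auth, secret):
    """Check the Response Authenticator before trusting any role attribute in the reply."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: the four attributes from the last post, in that order.
GOOD_REPLY = brocade_attrs([
    ("Brocade-Auth-Role", "admin"),
    ("Brocade-AVPairs1", "HomeLF=128"),
    ("Brocade-AVPairs2", "LFRoleList=admin:1-128"),
    ("Brocade-AVPairs3", "ChassisRole=admin"),
])
# Constructed mis-numbered sample: role sent under vendor type 2, HomeLF under type 1.
BAD_REPLY = encode_vsa(2, "admin") + encode_vsa(1, "HomeLF=128")

if __name__ == "__main__":
    for label, reply in (("good", GOOD_REPLY), ("bad ", BAD_REPLY)):
        print(label, auth_role(reply), check_order(reply))
```

Running the module shows the point of the last post: the good reply yields role `admin` with no problems, while the mis-numbered reply makes vendor type 1 read as `HomeLF=128`, which is exactly the kind of value a switch cannot map to a profile. To check what the RSA server actually sends, capture an Access-Accept, pass bytes 20 onward to `decode_vsas`, and run `verify_access_accept` with the shared secret first so the attribute set being inspected is one the switch would accept.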