07-08-2010 08:18 AM
Question about login permissions with FOS 6.3 on a Brocade DCX. We have recently purchased 2 new Directors and are trying to authenticate with RADIUS. We have been using a Cisco ACS for many years to authenticate to our SAN switches with FOS 6.2 and earlier with no issues. Long before I started working here someone loaded the VSAs on the ACS and we can log in with no issues.
With these new Directors we can log in no problem and it shows our role as admin, but the chassis permissions say no access and we lose a lot of the commands that we need to configure them. I see when you set up a local account you can set the chassis permissions to whatever you want, but when we log in using our remote accounts I do not see a way to set chassis permissions. I am also assuming this is why our remote accounts lose a lot of the command abilities.
So my question is, has anybody run into this before? Do I have to change the VSAs to have a different attribute in them to give our remote accounts admin abilities for the chassis permissions? Any help would be greatly appreciated. I have been searching for any information on this since yesterday and have not found any useful information. Thanks in advance for any assistance given.
07-19-2010 02:34 AM
I assume that the DCXs are configured with Virtual Fabric enabled. So you have to configure some more attributes on your RADIUS servers.
You need to configure on the RADIUS server the Chassisrole, HomeLF and switch permission. The order is important.
Please check the admin guide from Brocade.
07-21-2010 07:44 AM
Thanks for your response. I assumed that I would have to change the attributes for our RADIUS server, and going through the admin guide I didn't see anything that related to chassis role and home LF. It talks about it but does not give the settings. Thanks again for taking the time to answer.
07-22-2010 12:07 PM
Have you checked if Virtual Fabric is enabled?
Which code are you running?
Please check with userconfig --show if all attributes are set correctly after a login.
Some of the attributes are:
HomeLF=128; <-- Home Logical fabric in which the user is logged in as default
LFRoleList=admin:128,10; <-- Logical fabric in which the user can login with "set context"
ChassisRole=admin; <-- Chassis permission
Take a look at a newer version of the admin guides. In some older releases there were some typo errors. I think 6.3 is OK.
I have attached the admin guide from 6.3. Chapter 5 page 89 is a good place to start.
10-15-2010 07:33 AM
Thank you Andreas,
Sorry it took so long to come back; work put me on a different program and I haven't even thought of it. Now that I am back they threw this back on my plate because no one could figure it out. lol. I spoke with Brocade and Cisco and both did the finger pointing for a while. I gave up on them and figured it out on my own. The admin guide did end up having all the answers; I just had to figure out how Cisco interpreted them. Again thanks for your responses.
10-15-2010 07:36 AM
I did want to add for anyone that has this issue with Cisco ACS that Andreas gave the key and value, Chassisrole=admin. The 2 above that are optional, but if you intend on having more than one virtual fabric you must add those lines in, as virtual fabric home 128 is the default when none are specified. If you create VF 127 you will not have admin access. Thanks again Andreas. Always feel free to send me a message if you have any questions on this.
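The attribute list Andreas gave (HomeLF, LFRoleList, ChassisRole, in that order) and the follow-up caveat about the default home fabric are easy to get wrong on the RADIUS side, and the only feedback from the switch is "no access" after login. The following is an added example, not code from this thread or from Brocade, that parses such a value the way the posts describe it and reports what a user would get when logging in to a given logical fabric. Assumptions are marked in the comments: the value is a ';'-separated string whose first bare token is the switch role (e.g. "admin;HomeLF=128;LFRoleList=admin:128,10;ChassisRole=admin"), FID ranges such as "1-3" are accepted, FIDs run 1 to 128, and a missing ChassisRole is reported as "no access" because that is the symptom the original poster saw.

```python
"""Sanity checker for Brocade FOS RADIUS role attributes with Virtual Fabrics.

Added example, not part of the forum thread and not Brocade's own tooling.
The attribute format is reconstructed from the thread's lines
(HomeLF=..., LFRoleList=role:fid[,fid...], ChassisRole=...), so treat the
exact syntax as an assumption and confirm it against the FOS admin guide
and `userconfig --show` on the switch.
"""
import re

DEFAULT_HOME_LF = 128                     # thread: FID 128 is assumed when HomeLF is absent
ORDER = ("HomeLF", "LFRoleList", "ChassisRole")  # thread: "the order is important"
FID_MIN, FID_MAX = 1, 128                 # assumption: valid logical fabric ID range


def _fid(text):
    """Parse one FID and range-check it."""
    fid = int(text)
    if not FID_MIN <= fid <= FID_MAX:
        raise ValueError(f"FID {fid} outside {FID_MIN}-{FID_MAX}")
    return fid


def _fid_list(text):
    """Expand '128,10' or '1-3,10' into a list of FIDs (ranges are an assumption)."""
    fids = []
    for part in (p.strip() for p in text.split(",")):
        m = re.fullmatch(r"(\d+)-(\d+)", part)
        if m:
            lo, hi = _fid(m.group(1)), _fid(m.group(2))
            if lo > hi:
                raise ValueError(f"bad FID range {part!r}")
            fids.extend(range(lo, hi + 1))
        else:
            fids.append(_fid(part))
    return fids


def parse_role_attribute(value):
    """Split the attribute string into its parts, enforcing the order from the thread."""
    result = {"SwitchRole": None, "HomeLF": None, "LFRoleList": {}, "ChassisRole": None}
    seen = []
    for item in (p.strip() for p in value.split(";")):
        if not item:
            continue
        if "=" not in item:                      # bare token = switch role (assumption)
            if result["SwitchRole"] is not None or seen:
                raise ValueError(f"unexpected token {item!r}")
            result["SwitchRole"] = item
            continue
        key, _, val = item.partition("=")
        key, val = key.strip(), val.strip()
        if key not in ORDER:
            raise ValueError(f"unknown attribute {key!r}")
        if key in seen:
            raise ValueError(f"duplicate attribute {key!r}")
        if seen and ORDER.index(key) < ORDER.index(seen[-1]):
            raise ValueError(f"{key} must come after {seen[-1]}")
        seen.append(key)
        if key == "HomeLF":
            result["HomeLF"] = _fid(val)
        elif key == "ChassisRole":
            result["ChassisRole"] = val
        else:                                    # LFRoleList=role:fid[,fid...]
            role, sep, fids = val.partition(":")
            if not sep or not role:
                raise ValueError("LFRoleList must look like role:fid[,fid...]")
            for fid in _fid_list(fids):
                result["LFRoleList"][fid] = role
    return result


def effective_access(value, fid):
    """What a user carrying this attribute gets when logging in to logical fabric `fid`."""
    parsed = parse_role_attribute(value)
    home = parsed["HomeLF"] if parsed["HomeLF"] is not None else DEFAULT_HOME_LF
    lf_roles = dict(parsed["LFRoleList"])
    # Thread: with no LFRoleList the switch role only applies to the (default) home fabric.
    if not lf_roles and parsed["SwitchRole"]:
        lf_roles[home] = parsed["SwitchRole"]
    return {
        "home_lf": home,
        "switch_role": lf_roles.get(fid),                    # None: no role in this FID
        "chassis_role": parsed["ChassisRole"] or "no access",  # the symptom from the first post
    }


def check_attribute(value):
    """Return human-readable warnings for the mistakes the thread describes."""
    parsed = parse_role_attribute(value)
    home = parsed["HomeLF"] if parsed["HomeLF"] is not None else DEFAULT_HOME_LF
    warnings = []
    if parsed["ChassisRole"] is None:
        warnings.append("ChassisRole missing: chassis permissions will show 'no access'")
    if parsed["LFRoleList"] and home not in parsed["LFRoleList"]:
        warnings.append(f"HomeLF {home} is not in LFRoleList: default login context has no role")
    return warnings


if __name__ == "__main__":
    # Constructed sample values: the working one from the thread and the bare one the OP started with.
    for v in ("admin;HomeLF=128;LFRoleList=admin:128,10;ChassisRole=admin", "admin"):
        print(v, "->", effective_access(v, 127), check_attribute(v))
```

Run it with your own attribute string to see which FIDs a remote account can actually reach; the bare "admin" value reproduces the thread's failure (admin in FID 128 only, chassis "no access"), and swapping the order of the keys raises an error instead of silently passing.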