04-19-2010 08:33 AM
There may be an answer to this question already, but I am having issues searching the forums. ALL of my searches either come up blank, or will only show me people matches.
Anyway, I have 3 switches in the same fabric (all at Firmware v6.3.1a). I set up a few user accounts on switch1. I used the command 'distribute -p PWD -d *' to distribute the local user database to the other 2 switches. I then connected to the other 2 switches and ran the following command to accept the database from the master: 'fddcfg --localaccept PWD'. This successfully pulled the user accounts from switch1 to the other 2 switches. My issue now is, when I change a password on a user account on switch1, I would like it to synchronize the passwords on switch2 and switch3 so that they are all the same, but they are not doing that. Is there another command that I need to run on the switches to auto-synchronize them?
Thanks in advance for any help!
04-19-2010 09:52 AM
Here is the output of that command:
Local Switch Configuration for all Databases:-
DATABASE - Accept/Reject
SCC - accept
DCC - accept
PWD - accept
FCS - accept
AUTH - accept
IPFILTER - accept
Fabric Wide Consistency Policy:- ""
I set them all to accept with 'fddcfg --localaccept PWD'. All of the user accounts propagated correctly, but when I change a password on a user account on the master switch, the other switches do not receive the updated password, so they are out of sync.
05-04-2010 01:48 PM
Does anyone have any more input on this? Is it the "Fabric Wide Consistency policy" that I need to be worried about? I am pretty stuck, so if anyone has any tips, or can point me in the general direction, it would be much appreciated.
05-05-2010 09:47 AM
The PWD policy can't be automatically distributed. Try using the distribute command on switch1:
distribute -p "PWD" -d "*"
I believe the only ones that can be automatically distributed are SCC, DCC, and FCS.
05-05-2010 10:31 AM
Rats!! That was the answer I expected, but not hoped for. My biggest issue is that it's great that I don't have to create each user account on each switch (though it is quick to do from a command prompt), but I am not going to know when user Joe.Schmoe changes his password on one switch to run the fddcfg command on all of the different switches. I will have to tell them that they will need to change the password on all the switches manually; I was just hoping for a more elegant way (Brocade, if you are reading this, can you PLEASE add this to the next code revision? Seems like the distribute command is useless without the ability to auto-push password changes!!)
Thanks for the response!
05-05-2010 08:25 PM
Integrate Brocade switch password management with Active Directory.
If you have a set policy on AD for a 30-day password change, then that's applicable for your SAN as well.
The problem is AD works only with switches having 6.x+ code, so old switches cannot be included.
The other way is to have a privileged user management product work with SAN switches; these can change passwords automatically. But there is not a single piece of software available in the market which does this out of the box for Brocade switches, so you'll have to talk to a PIM vendor and ask for customization.
05-06-2010 06:35 AM
For Active Directory integration, I would need to purchase a RADIUS server, correct? We are on FOS v6.3.1a. We only have 5 switches in the fabric, so I can't justify purchasing a RADIUS server, so I was hoping to be able to do it with the distribute command, or other commands built into the switches.
05-06-2010 07:36 AM
If you have an existing AD setup, you can configure your Brocade switches to authenticate via AD. RADIUS is altogether a different concept, and there is openradius, which is free.
Configure AD on a test switch before you try it on production, as there are cases where users have locked their switches. In most cases the users haven't read the user manual properly and understood the consequences.
Read the admin guide for your FOS version; I'm sure it has a section explaining AD integration. You can even create AD groups to match standard Brocade groups, like fabric admin, admin, user, etc.
Hope this helps.