Fibre Channel (SAN)

Senior Member
Posts: 1
Registered: ‎02-02-2015

Remote authentication with RSA RADIUS v8.1 / FabricOS v7.0.2

Hello,

Has anyone ever successfully implemented a remote authentication solution using RSA RADIUS?

I am stuck getting my Brocade 300B SAN switch to authenticate against RSA RADIUS. By the look of the packet trace, the switch does not understand the vendor attribute response from the RSA RADIUS server:

05:18:48.194345 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto UDP (17), length 104)
    XX.XX.**filtered**.**filtered**.28700 > YY.YYY.YYY.YYY.1812: [udp sum ok] RADIUS, length: 76
    Access Request (1), id: 0xde, Authenticator: b62caee403c4d37fb244c61f1f9c1706
      Username Attribute (1), length: 7, Value: alexn
        0x0000:  616c 6578 6e
      Password Attribute (2), length: 18, Value:
        0x0000:  bb60 acfb c3f0 19e7 51ea 8f3f b516 85ce
      NAS IP Address Attribute (4), length: 6, Value: XX.XX.**filtered**.**filtered**
        0x0000:  c0a8 0efc
      NAS ID Attribute (32), length: 13, Value: sw0-san0-XX
        0x0000:  7377 302d 7361 6e30 2d65 6e
      NAS Port Attribute (5), length: 6, Value: 27675
        0x0000:  0000 6c1b
      NAS Port Type Attribute (61), length: 6, Value: Virtual
        0x0000:  0000 0005
05:18:50.215478 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 149)
    YY.YYY.YYY.YYY.1812 > XX.XX.**filtered**.**filtered**.28700: [udp sum ok] RADIUS, length: 121
    Access Accept (2), id: 0xde, Authenticator: dfa251338f90f758de3c13b32b8df2b9
      Class Attribute (25), length: 56, Value: SBR2CL.........?.?#.?....?.?.........?...........????.
        0x0000:  5342 5232 434c c7cc 8eec 8698 97c1 9480
        0x0010:  1180 2301 8003 8198 ce80 0280 0681 b0db
        0x0020:  8cd7 c3b8 1280 0e81 c7cc 8eec 8698 97c1
        0x0030:  9480 8080 8088
      Vendor Specific Attribute (26), length: 14, Value: Vendor: Unknown (1588)
        Vendor Attribute: 1, Length: 6, Value: admin.
        0x0000:  0000 0634 0108 6164 6d69 6e00
      Vendor Specific Attribute (26), length: 19, Value: Vendor: Unknown (1588)
        Vendor Attribute: 6, Length: 11, Value: 01/01/2020.
        0x0000:  0000 0634 060d 3031 2f30 312f 3230 3230
        0x0010:  00
      Vendor Specific Attribute (26), length: 12, Value: Vendor: Unknown (1588)
        Vendor Attribute: 7, Length: 4, Value: ....
        0x0000:  0000 0634 0706 0000 001e

Once the switch has received the above response from the RADIUS server, it waits a few seconds before prompting for another login (I use the console to test). Logs on the RADIUS server indicate it has "sent accepted response to user alexn to client xxxxx".

I have followed the FOSv701 Admin Guide. My settings on RSA are:

- Update vendor.ini

- Update dictiona.dcm

- Upload vendor.ini to the server

- Create a RADIUS profile with the mapping of the VSAs, then associate it with the user

- Create a RADIUS client with the above profile linked to it

My vendor.ini is:

#######################################################################
# brocade.dct -- Brocade Dictionary
#
# (See readme.dct for more details on the format of this file)
#######################################################################
#
# Use the Radius specification attributes in lieu of the Brocade one:
#
@radius.dct

MACRO Brocade-VSA(t,s) 26 [vid=1588 type1=%t% len1=+2 data=%s%]

ATTRIBUTE    Brocade-Auth-Role            Brocade-VSA(1,string)   r
ATTRIBUTE    Brocade-Passwd-ExpiryDate    Brocade-VSA(6,string)   r
ATTRIBUTE    Brocade-Passwd-WarnPeriod    Brocade-VSA(7,integer)  r

#######################################################################
# brocade.dct -- Brocade Dictionary
#######################################################################

The config on the switch is:

aaaconfig --add YY.YYY.YYY.YYY -conf radius -s {secret} -a peap-mschapv2

aaaconfig --authspec "radius;local" --backup

Alex
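What the switch actually has to parse out of that Access-Accept is easier to see when the packet is decoded by hand. The following Python is an added example, not code from Alex's post, Brocade or RSA. It reconstructs the Access-Accept from the hex dumps in the trace (the header fields are taken from the tcpdump summary line), walks the attributes, decodes the three Vendor-Specific attributes using the vendor ID and sub-attribute types from the dictionary in the post (1588 is Brocade's IANA enterprise number; tcpdump only prints "Unknown" because it has no name for it), and checks the RFC 2865 Response Authenticator. The shared secret used below is made up, since the real one is not on the page, so the authenticator check on the captured packet can only show what a failure looks like; a second, self-built Access-Accept shows the check passing. One thing the decoder makes visible that the summary lines hide: both string VSAs are sent with a trailing 0x00 byte (`admin\x00`, `01/01/2020\x00`), which is what tcpdump renders as `admin.`; the example reports this so it can be compared against what the switch expects.

```python
"""Decode a RADIUS Access-Accept and its Brocade (vendor 1588) VSAs.

Added example; not code from the original post, Brocade or RSA.  Packet
bytes are reconstructed from the hex dumps in the tcpdump trace.  Names and
types of the sub-attributes (1 = Auth-Role string, 6 = Passwd-ExpiryDate
string, 7 = Passwd-WarnPeriod integer) follow the dictionary in the post.
The shared secrets used here are made up; the real one is not on the page.
"""
import hashlib
import hmac
import struct

BROCADE_VENDOR_ID = 1588                       # IANA enterprise number: Brocade
BROCADE_VSA = {1: ("Brocade-Auth-Role", "string"),
               6: ("Brocade-Passwd-ExpiryDate", "string"),
               7: ("Brocade-Passwd-WarnPeriod", "integer")}
RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}

# Request Authenticator of the Access-Request (id 0xde) in the trace.
REQUEST_AUTH = bytes.fromhex("b62caee403c4d37fb244c61f1f9c1706")

# Access-Accept from the trace: code 2, id 0xde, length 121, authenticator,
# then Class (25) and three Vendor-Specific (26) attributes as dumped.
ACCESS_ACCEPT = bytes.fromhex(
    "02de0079" "dfa251338f90f758de3c13b32b8df2b9"
    "1938" "53425232434cc7cc8eec869897c19480" "1180230180038198ce8002800681b0db"
    "8cd7c3b812800e81c7cc8eec869897c1" "948080808088"
    "1a0e" "00000634" "0108" "61646d696e00"
    "1a13" "00000634" "060d" "30312f30312f3230323000"
    "1a0c" "00000634" "0706" "0000001e")


def parse_radius(packet: bytes) -> dict:
    """Split a RADIUS packet into header fields and (type, value) attributes.
    Length and attribute bounds are checked so a truncated or malformed
    packet raises instead of being mis-decoded."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError(f"length field {length} inconsistent with {len(packet)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"dangling attribute byte at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": RADIUS_CODES.get(code, code), "id": ident,
            "authenticator": packet[4:20], "attributes": attrs}


def decode_brocade_vsas(parsed: dict) -> list:
    """Decode Brocade sub-attributes from every Vendor-Specific attribute.
    Each result keeps the raw bytes and whether a string carried a trailing NUL."""
    out = []
    for atype, value in parsed["attributes"]:
        if atype != 26 or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue                            # some other vendor's VSA
        pos = 4
        while pos < len(value):
            if pos + 2 > len(value):
                raise ValueError("dangling vendor sub-attribute byte")
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            data = value[pos + 2:pos + vlen]
            pos += vlen
            name, kind = BROCADE_VSA.get(vtype, (f"Brocade-{vtype}", "octets"))
            nul = kind == "string" and data.endswith(b"\x00")
            if kind == "integer" and len(data) == 4:
                val = struct.unpack("!I", data)[0]
            elif kind == "string":
                val = data.rstrip(b"\x00").decode("ascii", "replace")
            else:
                val = data.hex()
            out.append({"name": name, "value": val, "raw": data, "nul_terminated": nul})
    return out


def response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True only if the reply was produced by a party holding the shared secret."""
    return hmac.compare_digest(packet[4:20], response_authenticator(packet, request_auth, secret))


def build_access_accept(ident: int, request_auth: bytes, secret: bytes, brocade: list) -> bytes:
    """Build an Access-Accept with one Brocade VSA per (type, value) pair;
    strings are sent without a trailing NUL, integers as 4-byte big-endian."""
    body = b""
    for vtype, val in brocade:
        data = struct.pack("!I", val) if isinstance(val, int) else val.encode("ascii")
        vsa = struct.pack("!I", BROCADE_VENDOR_ID) + bytes([vtype, 2 + len(data)]) + data
        body += bytes([26, 2 + len(vsa)]) + vsa
    header = struct.pack("!BBH", 2, ident, 20 + len(body))
    return header + response_authenticator(header + bytes(16) + body, request_auth, secret) + body


if __name__ == "__main__":
    parsed = parse_radius(ACCESS_ACCEPT)
    print(parsed["code"], "id", hex(parsed["id"]), "attributes:", len(parsed["attributes"]))
    for vsa in decode_brocade_vsas(parsed):
        print(f'  {vsa["name"]:26} {vsa["value"]!r:14} raw={vsa["raw"].hex()} nul={vsa["nul_terminated"]}')
    print("authenticator valid with made-up secret:",
          verify_response(ACCESS_ACCEPT, REQUEST_AUTH, b"not-the-real-secret"))
```

Run it as a script to see the three decoded VSAs with their raw bytes; the authenticator check on the captured packet prints False because the real secret is unknown here. With the real secret it is the first thing to confirm, since a mismatch means the switch will discard the reply before it ever looks at the VSAs. The rebuilt packet from `build_access_accept` is the same structure without the trailing NUL bytes, which is a convenient reference when comparing against what the switch side accepts.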
