11-01-2011 08:05 AM
I was just trying to configure RADIUS authentication on a 5100 with FOS v6.4.0b. First I configured a Win2008 server with the NPS role. Then I configured aaaConfig on the switch. After the command aaaconfig --authspec radius;locate -backup I can no longer connect to the switch. Neither with serial console, HTTP - nothing. Passwords were not changed.
How can I reset this configuration to default?
11-01-2011 09:05 AM
RADIUS is wrongly configured.
Disconnect the LAN cable and wait 15-20 minutes; without a LAN connection the RADIUS server goes offline. Connect through the serial port as admin and delete or correctly set the RADIUS parameters. For details refer to the Command Reference Manual.
11-01-2011 09:47 AM
Is your Windows server running the RADIUS service?
If so just stop all RADIUS services before you login. Try to login with a local switch account.
This will take some seconds longer to validate your local user, depending on your configured timeout values and the number of RADIUS servers.
But you should be able to log in without the pain of going directly to the switch.
What is important is that the switch cannot reach all of the RADIUS servers.
I hope this helps,
11-01-2011 10:30 AM
Do it correctly, then it will work :-)
Ask your questions, I will try to assist.
Take care about the VSA, which are very important; otherwise you will not get the correct user rights.
Post your FOS version and whether you have VF enabled or not. Do you need specific access rights (RBAC) for different users?
11-04-2011 04:07 AM
Before I can progress in testing the RADIUS config, I have another problem. On the switch VF was enabled. I think there was FID 128 as the default switch and a logical switch with FID 30. This is the FID where I am logged in. Currently FCSW3-LOC1:FID30:admin> fosexec --fid 128 -cmd "switchshow"
0 VF ID is deleted - I can't access this default switch.
FCSW3-LOC1:FID30:admin> fosconfig --show
FC Routing service: enabled
iSCSI service: Service not supported on this Platform
iSNS client service: Service not supported on this Platform
Virtual Fabric: enabled
Ethernet Switch Service: Service not supported on this Platform
On the switch I am currently logged in to, I can do nothing - it always fails with -1:
switchshow: fabosInit failed with -1
Do you know what I have to do so that the switch works in default mode - factory defaults?
11-04-2011 04:17 AM
First question: did you configure aaaconfig --authspec "RADIUS;local" -backup?
If so, stop your RADIUS server and log in as local admin to check if the logical switches are accessible.
Second, please post which VSA attributes you have configured. I assume that you provide the wrong information and that you currently do not have the chassis and VF rights.
11-04-2011 08:02 AM
First: now I have a clean switch.
I configured aaaconfig --authspec radius;local -backup .
OK, but only RADIUS as primary database, secondary NONE - why? This is one problem. The other, yes, is the correct configuration of the Windows Server 2008 NPS role and policies.
RADIUS client - server IP and shared secret, Advanced --> RADIUS client is NAP-capable - correct?
Policy - Connection Request Policies --> Secure Wired (Ethernet) Connections --> Overview --> network connection method --> vendor specific 26 (?)
Network Policies --> Windows Group --> Settings --> RADIUS Attributes --> vendor specific --> ADD (and now the correct settings?)
--> custom --> Vendor Specific --> ADD
Vendor-Specific Attribute Information --> Enter Vendor Code (?) .... and so on.
Fabric OS Administrator's Guide --> Table 16: all the info is there, I think, but not a good example of how to do this in NPS.
Do you have an example?
11-04-2011 09:00 AM
You should configure two RADIUS servers and the local database as backup. A single RADIUS server will work as well. Having aaaconfig --authspec "RADIUS;local" -backup ensures that you have a fallback in case of RADIUS issues.
Can you explain what NPS is? I have Windows 2003 and IAS which is the RADIUS implementation from Microsoft.
I have set Client-Vendor as "RADIUS Standard" and it works with IAS in a perfect way.
You need a Vendor-Specific attribute and have to provide the vendor code of 1588 (OUI of Brocade).
In case of VF you need to customize the attribute LFRoleList.
If I remember it correctly the order was important, and maybe the attributes are case sensitive. Here is a picture which has worked fine for years. If you create the attribute values you have to define a vendor-assigned attribute number. It is very important to have the correct number. Otherwise you have no success and get the wrong rights. These values are in Table 16 on page 102 of the FOS Admin Guide of version 6.4.
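To make the "vendor code 1588 plus the right vendor-assigned attribute number" point concrete, here is an added example (not from this thread, not Brocade's or Microsoft's code) that encodes and decodes the RFC 2865 Vendor-Specific attribute an NPS/IAS policy puts into its reply. The attribute numbers 1 (role) and 2 (AV pairs) are assumptions taken from common RADIUS dictionaries and must be checked against Table 16 of the FOS Administrator's Guide; the AV-pair string is a constructed sample.

```python
import struct

BROCADE_VENDOR_ID = 1588  # Brocade vendor code named in the thread
VSA_TYPE = 26             # RADIUS Vendor-Specific attribute (RFC 2865)
# Vendor-assigned attribute numbers: ASSUMED from common RADIUS dictionaries,
# verify against Table 16 of the FOS Administrator's Guide.
BROCADE_AUTH_ROLE = 1     # role string, e.g. "admin"
BROCADE_AVPAIRS1 = 2      # AV pairs such as HomeLF/LFRoleList for VF

def encode_vsa(vendor_id, vendor_type, value):
    """Return the raw bytes of one RFC 2865 Vendor-Specific attribute."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("VSA value too long for a single attribute")
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body

def decode_vsas(attrs):
    """Walk a RADIUS attribute list; return (vendor_id, vendor_type, value)
    for each Vendor-Specific attribute, skipping everything else."""
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute at offset %d" % i)
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            vtype, vlen = attrs[i + 6], attrs[i + 7]
            value = attrs[i + 8:i + 6 + vlen].decode("ascii", "replace")
            out.append((vendor_id, vtype, value))
        i += alen
    return out

def brocade_role(attrs):
    """Role the switch would apply, or None when no VSA carries vendor 1588."""
    for vendor_id, vtype, value in decode_vsas(attrs):
        if vendor_id == BROCADE_VENDOR_ID and vtype == BROCADE_AUTH_ROLE:
            return value
    return None

# Constructed samples: a correct Access-Accept payload and one with the
# wrong vendor code, which the switch will not match to any role.
GOOD = (encode_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, "admin")
        + encode_vsa(BROCADE_VENDOR_ID, BROCADE_AVPAIRS1,
                     "HomeLF=128;LFRoleList=admin:1-128"))
BAD = encode_vsa(9, BROCADE_AUTH_ROLE, "admin")
```

Running `decode_vsas` over a packet capture of the NPS reply is a quick way to confirm the vendor id and attribute number actually sent before touching the switch's aaaconfig.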