beautypg.com

Radius security, Radius authentication, Radius authorization – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual

Page 58

background image

RADIUS security

You can use a Remote Authentication Dial In User Service (RADIUS) server to secure the following
types of access to the Brocade Layer 2 Switch or Layer 3 Switch:

• Telnet access
• SSH access
• Access to the Privileged EXEC level and CONFIG levels of the CLI

RADIUS authentication, authorization, and accounting

When RADIUS authentication is implemented, the Brocade device consults a RADIUS server to verify
user names and passwords. You can optionally configure RADIUS authorization , in which the
Brocade device consults a list of commands supplied by the RADIUS server to determine whether a
user can issue a command he or she has entered, as well as accounting , which causes the Brocade
device to log information on a RADIUS accounting server when specified events occur on the device.

RADIUS authentication

When RADIUS authentication takes place, the following events occur.

1. A user attempts to gain access to the Brocade device by doing one of the following:

Logging into the device using Telnet or SSH

Entering the Privileged EXEC level or CONFIG level of the CLI

2. The user is prompted for a username and password.
3. The user enters a username and password.
4. The Brocade device sends a RADIUS Access-Request packet containing the username and

password to the RADIUS server.

5. The RADIUS server validates the Brocade device using a shared secret (the RADIUS key).
6. The RADIUS server looks up the username in its database.
7. If the username is found in the database, the RADIUS server validates the password.
8. If the password is valid, the RADIUS server sends an Access-Accept packet to the Brocade device,

authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific
attributes that indicate:

The privilege level of the user

A list of commands

Whether the user is allowed or denied usage of the commands in the list

The last two attributes are used with RADIUS authorization, if configured.

9. The user is authenticated, and the information supplied in the Access-Accept packet for the user is

stored on the Brocade device. The user is granted the specified privilege level. If you configure
RADIUS authorization, the user is allowed or denied usage of the commands in the list.

RADIUS authorization

When RADIUS authorization takes place, the following events occur.

1. A user previously authenticated by a RADIUS server enters a command on the Brocade device.
2. The Brocade device looks at its configuration to see if the command is at a privilege level that

requires RADIUS command authorization.

RADIUS security

58

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03

See also other documents in the category Brocade Computer Accessories: