Radius configuration considerations, Configuring radius – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
Page 61
AAA operations are performed before the commands are actually added to the running-config. The
server performing the AAA operations should be reachable when you paste the commands into the
running-config file. If the device determines that a pasted command is invalid, AAA operations are
halted on the remaining commands. The remaining commands may not be issued if command
authorization is configured.
NOTE
Since RADIUS command authorization relies on a list of commands received from the RADIUS server
when authentication is performed, it is important that you use RADIUS authentication when you also
use RADIUS command authorization.
RADIUS configuration considerations
• You must deploy at least one RADIUS server in your network.
• Brocade devices support authentication using up to eight RADIUS servers, including those used for
802.1X authentication and for management. The device tries to use the servers in the order you add
them to the device configuration. If one RADIUS server times out (does not respond), the Brocade
device tries the next one in the list. Servers are tried in the same sequence each time there is a
request.
• You can optionally configure a RADIUS server as a port server, indicating that the server will be
used only to authenticate users on ports to which it is mapped, as opposed to globally authenticating
users on all ports of the device. In earlier releases, all configured RADIUS servers are "global"
servers and apply to users on all ports of the device. Refer to
• You can map up to eight RADIUS servers to each port on the Brocade device. The port will
authenticate users using only the RADIUS servers to which it is mapped. If there are no RADIUS
servers mapped to a port, it will use the "global" servers for authentication. In earlier releases, all
RADIUS servers are "global" servers and cannot be bound to individual ports. Refer to
server to individual ports mapping on page 65.
• You can select only one primary authentication method for each type of access to a device (CLI
through Telnet, CLI Privileged EXEC and CONFIG levels). For example, you can select RADIUS as
the primary authentication method for Telnet CLI access, but you cannot also select TACACS+
authentication as the primary method for the same type of access. However, you can configure
backup authentication methods for each access type.
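The selection rules in the list above can be modeled and checked offline. This is an added example, not code from the Brocade guide or device: the names (`Server`, `candidates`, `authenticate`, `lint`) and the sample servers are hypothetical, and it assumes that mapped servers are tried in the order they were added to the configuration and that any server response, accept or reject, ends the search.

```python
from dataclasses import dataclass

MAX_SERVERS = 8  # limit stated in the guide, device-wide and per port

@dataclass(frozen=True)
class Server:
    name: str
    port_only: bool = False  # "port server": used only on ports it is mapped to

def candidates(servers, port_map, port):
    """Servers a port would try, in the order they were added (assumed)."""
    mapped = port_map.get(port, [])
    if mapped:
        return [s for s in servers if s.name in mapped]
    return [s for s in servers if not s.port_only]  # fall back to "global" servers

def authenticate(servers, port_map, port, replies):
    """replies maps server name -> 'accept' | 'reject'; a missing name models a timeout.
    Returns (server, verdict), or (None, None) when every candidate timed out."""
    for s in candidates(servers, port_map, port):
        verdict = replies.get(s.name)
        if verdict is not None:  # assumed: a response is final, only a timeout fails over
            return s.name, verdict
    return None, None  # caller would move to the backup authentication method

def lint(servers, port_map, authn_primary, cmd_authz):
    """Check a described configuration against the considerations listed above."""
    problems = []
    if not servers:
        problems.append("no RADIUS server configured")
    if len(servers) > MAX_SERVERS:
        problems.append("more than 8 RADIUS servers")
    known = {s.name for s in servers}
    for port, names in port_map.items():
        if len(names) > MAX_SERVERS:
            problems.append(f"{port}: more than 8 mapped servers")
        problems += [f"{port}: unknown server {n}" for n in names if n not in known]
    if cmd_authz == "radius" and authn_primary != "radius":
        problems.append("RADIUS command authorization without RADIUS authentication")
    return problems

# Constructed sample: three servers, one port-only, two of them mapped to port 1/1/1.
SERVERS = [Server("rad-a"), Server("rad-b"), Server("rad-dot1x", port_only=True)]
PORT_MAP = {"1/1/1": ["rad-dot1x", "rad-b"]}
```
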
Configuring RADIUS
Follow the procedure given below to configure a Brocade device for RADIUS.
1. Configure Brocade vendor-specific attributes on the RADIUS server. Refer to attributes on the RADIUS server on page 62.
2. Identify the RADIUS server to the Brocade device. Refer to Identifying the RADIUS server to the on page 64.
3. Optionally specify different servers for individual AAA functions. Refer to on page 64.
4. Optionally configure the RADIUS server as a "port only" server. Refer to on page 64.
5. Optionally bind the RADIUS servers to ports on the Brocade device. Refer to
6. Set RADIUS parameters. Refer to
7. Configure authentication-method lists. Refer to Setting authentication-method lists for RADIUS on page 67.
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03