Brocade FastIron Ethernet Switch Security Configuration Guide, page 62

8. Optionally configure RADIUS authorization. Refer to RADIUS authorization on page 69.

9. Optionally configure RADIUS accounting. Refer to RADIUS accounting on page 71.

Brocade-specific attributes on the RADIUS server

NOTE
For all Brocade devices, RADIUS Challenge is supported for 802.1x authentication but not for login
authentication.

During the RADIUS authentication process, if a user supplies a valid username and password, the
RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within
the Access-Accept packet are three Brocade vendor-specific attributes that indicate:

• The privilege level of the user
• A list of commands
• Whether the user is allowed or denied usage of the commands in the list

You must add these three Brocade vendor-specific attributes to your RADIUS server configuration,
and configure the attributes in the individual or group profiles of the users that will access the Brocade
device.

The Brocade Vendor-ID is 1991 (the enterprise number originally assigned to Foundry Networks, hence the
"foundry-" attribute names). The attribute IDs in the following table are the Vendor-Type values carried
inside the standard RADIUS Vendor-Specific attribute (attribute 26), starting with Vendor-Type 1. The
following table describes the Brocade vendor-specific attributes.

TABLE 6 Brocade vendor-specific attributes for RADIUS

Attribute name: foundry-privilege-level
Attribute ID: 1
Data type: integer
Description: Specifies the privilege level for the user. This attribute can be set to one of the
following:

  0 - Super User level - Allows complete read-and-write access to the system. This is generally for
  system administrators and is the only management privilege level that allows you to configure
  passwords.

  4 - Port Configuration level - Allows read-and-write access for specific ports but not for global
  (system-wide) parameters.

  5 - Read Only level - Allows access to the Privileged EXEC mode and User EXEC mode of the CLI but
  only with read access.

Attribute name: foundry-command-string
Attribute ID: 2
Data type: string
Description: Specifies a list of CLI commands that are permitted or denied to the user when RADIUS
authorization is configured. The commands are delimited by semi-colons (;). You can specify an
asterisk (*) as a wildcard at the end of a command string. For example, the following command list
specifies all show and debug ip commands, as well as the write terminal command:

  show *; debug ip *; write term*
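The following is an added example, not code from the guide or from Brocade, showing how the two attributes in Table 6 are carried on the wire and how the foundry-command-string rules apply. It builds the attribute section of a constructed Access-Accept (Vendor-Specific attribute 26, Vendor-ID 1991, Vendor-Type 1 as a 4-byte integer and Vendor-Type 2 as a string), decodes it back, and matches CLI commands against the semicolon-delimited list with the trailing "*" wildcard. Two things are assumptions of the example rather than statements of the guide: an entry without a wildcard is treated as an exact match, and the sample attribute bytes are constructed here. Whether a matching command is then allowed or denied is decided by the third Brocade attribute, which this page does not describe, so the code reports only membership in the list.

```python
"""Encode/decode the Brocade (Foundry) RADIUS vendor-specific attributes of
Table 6 and apply the semicolon/wildcard rules of foundry-command-string.
Added example; not code from the guide or from Brocade."""
from __future__ import annotations

import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
FOUNDRY_VENDOR_ID = 1991    # Brocade Vendor-ID stated in the guide
VT_PRIVILEGE_LEVEL = 1      # foundry-privilege-level (integer)
VT_COMMAND_STRING = 2       # foundry-command-string (string)


def encode_vsa(vendor_type: int, data: bytes) -> bytes:
    """Wrap vendor data in a Vendor-Specific attribute: outer TLV (type 26),
    4-byte Vendor-ID, then inner TLV (Vendor-Type, Vendor-Length, data)."""
    # Outer length is one byte: 2 (outer hdr) + 4 (vendor id) + 2 (inner hdr) + data <= 255
    if not 0 < len(data) <= 247:
        raise ValueError("VSA data must be 1..247 bytes")
    inner = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", FOUNDRY_VENDOR_ID) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, len(body) + 2) + body


def decode_foundry_vsas(attributes: bytes) -> dict[int, bytes]:
    """Walk the attribute section of an Access-Accept and return the Brocade
    VSAs as {vendor_type: raw_value}. Other attributes and other vendors'
    VSAs are skipped; inconsistent lengths raise ValueError."""
    found: dict[int, bytes] = {}
    i = 0
    while i < len(attributes):
        if i + 2 > len(attributes):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[i], attributes[i + 1]
        if attr_len < 2 or i + attr_len > len(attributes):
            raise ValueError("bad attribute length")
        value = attributes[i + 2:i + attr_len]
        i += attr_len
        if attr_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != FOUNDRY_VENDOR_ID:
            continue
        j = 4
        while j < len(value):
            if j + 2 > len(value):
                raise ValueError("truncated vendor sub-attribute header")
            vt, vl = value[j], value[j + 1]
            if vl < 2 or j + vl > len(value):
                raise ValueError("bad vendor sub-attribute length")
            found[vt] = value[j + 2:j + vl]
            j += vl
    return found


def privilege_level(vsas: dict[int, bytes]) -> int | None:
    """foundry-privilege-level is a RADIUS integer: 4 bytes, network order."""
    raw = vsas.get(VT_PRIVILEGE_LEVEL)
    if raw is None:
        return None
    if len(raw) != 4:
        raise ValueError("foundry-privilege-level must be 4 bytes")
    return struct.unpack("!I", raw)[0]


def command_list(vsas: dict[int, bytes]) -> list[str]:
    """Split foundry-command-string on semicolons, dropping empty entries."""
    raw = vsas.get(VT_COMMAND_STRING, b"")
    return [c.strip() for c in raw.decode("ascii").split(";") if c.strip()]


def command_in_list(command: str, patterns: list[str]) -> bool:
    """True if the command matches an entry. A trailing '*' is a prefix
    wildcard (per the guide); an entry without '*' is treated as an exact
    match, which is an assumption of this example."""
    cmd = " ".join(command.split())
    for pat in patterns:
        if pat.endswith("*"):
            prefix = pat[:-1]
            if cmd.startswith(prefix) or cmd == prefix.rstrip():
                return True
        elif cmd == pat:
            return True
    return False


# Constructed Access-Accept attribute section: level 5 plus the guide's command list.
SAMPLE_ATTRIBUTES = (
    encode_vsa(VT_PRIVILEGE_LEVEL, struct.pack("!I", 5))
    + encode_vsa(VT_COMMAND_STRING, b"show *; debug ip *; write term*")
)

if __name__ == "__main__":
    vsas = decode_foundry_vsas(SAMPLE_ATTRIBUTES)
    print("privilege level:", privilege_level(vsas))
    print("command list:", command_list(vsas))
    for c in ("show running-config", "write terminal", "configure terminal"):
        print(f"{c!r} in list: {command_in_list(c, command_list(vsas))}")
```

The decoder keys by Vendor-Type, so a third Brocade sub-attribute in the same packet would simply appear under its own key; the length checks matter because a RADIUS server (or anything spoofing one on the path) controls these bytes, and a parser that trusts Vendor-Length blindly reads past the attribute.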

FastIron Ethernet Switch Security Configuration Guide

53-1003088-03