Configuring external server authentication, Remote server authentication overview, Login authentication mode – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 277

Configuring External Server Authentication
Understanding and configuring remote server authentication (page 277)
Understanding and configuring remote server authentication
Remote server authentication overview
Network OS supports various protocols to provide external Authentication, Authorization, and
Accounting (AAA) services for Brocade devices. Supported protocols include the following:
• RADIUS — Remote authentication dial-in user service
• LDAP/AD — Lightweight directory access protocol using Microsoft Active Directory (AD) in Windows
• TACACS+ — Terminal access controller access-control system plus
When configured to use a remote AAA service, the switch acts as a network access server client. The
switch sends all authentication, authorization, and accounting (AAA) service requests to the remote
RADIUS, LDAP, or TACACS+ server. The remote AAA server receives the request, validates the
request, and sends a response back to the switch.
The management access channels that integrate with RADIUS, TACACS+, or LDAP are the serial port,
Telnet, and SSH.
When configured to use a remote RADIUS, TACACS+, or LDAP server for authentication, a switch
becomes a RADIUS, TACACS+, or LDAP client. In any of these configurations, authentication records
are stored in the remote host server database. Login and logout account names, assigned permissions,
and time-accounting records are also stored on the AAA server for each user.
Brocade recommends that you configure at least two remote AAA servers to provide redundancy in the
event of failure. For each of the supported AAA protocols, you can configure up to five external servers
on the switch. Each switch maintains its own server configuration.
Login authentication mode
The authentication mode is the order in which AAA services are consulted on the switch for user
authentication during the login process. Network OS supports two sources of authentication: primary
and secondary. The secondary source is optional and is used only when the primary source fails over.
You can configure any of four possible sources for authentication:
• Local — Use the default switch-local database (default)
• RADIUS — Use an external RADIUS server
• LDAP — Use an external LDAP server
• TACACS+ — Use an external TACACS+ server
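The primary/secondary ordering described above, as an added model written for this page (it is not Brocade's code and does not run on the switch). It assumes that a source consists of up to five servers tried in order, that a definitive accept or reject from the primary source is final, and that only an unreachable primary source fails over to the secondary source; the sample server databases are constructed.

```python
from enum import Enum
from typing import Callable, Dict, Optional, Sequence

class Result(Enum):
    ACCEPT = "accept"            # server answered: credentials valid
    REJECT = "reject"            # server answered: credentials invalid
    UNREACHABLE = "unreachable"  # no answer: timeout or network failure

# A server is modelled as a callable (user, password) -> Result.
Server = Callable[[str, str], Result]

MAX_SERVERS_PER_PROTOCOL = 5  # limit stated in the guide

def query_source(servers: Sequence[Server], user: str, password: str) -> Result:
    """Ask one source's servers in order; the first one that answers decides."""
    if len(servers) > MAX_SERVERS_PER_PROTOCOL:
        raise ValueError("at most five servers per AAA protocol")
    for server in servers:
        result = server(user, password)
        if result is not Result.UNREACHABLE:
            return result
    return Result.UNREACHABLE  # whole source failed over

def login(user: str, password: str, primary: Sequence[Server],
          secondary: Optional[Sequence[Server]] = None) -> bool:
    """Assumption: a REJECT from the primary source never falls through to the
    secondary; only an unreachable primary source fails over."""
    result = query_source(primary, user, password)
    if result is Result.UNREACHABLE and secondary is not None:
        result = query_source(secondary, user, password)
    return result is Result.ACCEPT

def make_server(db: Dict[str, str], reachable: bool = True) -> Server:
    """Constructed stand-in for a RADIUS/TACACS+/LDAP server or the local database."""
    def handler(user: str, password: str) -> Result:
        if not reachable:
            return Result.UNREACHABLE
        return Result.ACCEPT if db.get(user) == password else Result.REJECT
    return handler

LOCAL_DB = {"admin": "local-secret"}     # constructed switch-local accounts
RADIUS_DB = {"alice": "radius-secret"}   # constructed remote accounts

def scenarios() -> Dict[str, bool]:
    down = [make_server(RADIUS_DB, reachable=False)] * 2
    partly_up = [make_server(RADIUS_DB, reachable=False), make_server(RADIUS_DB)]
    local = [make_server(LOCAL_DB)]
    return {
        "second_primary_server_accepts": login("alice", "radius-secret", partly_up, local),
        "primary_rejects_no_fallback": login("admin", "local-secret", partly_up, local),
        "failover_to_local": login("admin", "local-secret", down, local),
        "failover_without_secondary": login("admin", "local-secret", down),
    }
```

The second scenario is the case a practitioner should verify on real hardware: a local-only account must not be accepted through the primary source merely because the remote server rejected it.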
Network OS Administrator’s Guide, 53-1003225-04