Conditions for conformance, Configuring remote server authentication – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Page 278

By default, external AAA services are disabled, and AAA services default to the switch-local user
database. Any environment requiring more than 64 users should adopt AAA servers for user
management.

When the authentication, authorization, and accounting (AAA) mode is changed, an appropriate
message is broadcast to all logged-in users, and the active login sessions end. If the primary source is
set to an external AAA service (RADIUS, LDAP, or TACACS+) and the secondary source is not
configured, the following events occur:

• For Telnet- and SSH-based logins, the login authentication fails if none of the configured (primary source) AAA servers respond or if an AAA server rejects the login.

• For a serial port (console) connection-based login, if a user’s login fails for any reason with the primary source, failover occurs and the same user credentials are used for login through the local source. This failover is not explicit.

• If the primary source is set to an external AAA service, and the secondary source is configured to be local (for example, by means of the aaa authentication login radius local command), then, if login fails through the primary source either because none of the configured servers is responding or because the login is rejected by a server, failover occurs and authentication occurs again through the secondary source (local) for releases earlier than Network OS 4.0.

In Network OS 4.0 and later, when local is specified as the secondary authentication service, failover to local does not occur if login is rejected by a server. In addition, when the authentication service is changed, the user sessions are not logged out. To log out all connected user sessions, use the clear sessions command.

• In Network OS 4.0 and later, when local is specified as the secondary authentication service, local authentication is tried only when the primary AAA authentication service (TACACS+/RADIUS/LDAP) is either unreachable or not available. Local authentication is not attempted if authentication with the primary service fails (that is, if a server rejects the login).

• In Network OS 4.0 and later, you can specify that the local switch database be used if the prior authentication methods on a RADIUS or TACACS+ server are not active or if authentication fails. To specify this option, use the local-auth-fallback keyword. In the following example, the local switch database is used if the RADIUS server is unavailable.

switch(config)# aaa authentication login radius local-auth-fallback
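The rules above are easy to misread, so here is an added example (not code from the guide or from Brocade) that models them: a primary server list is walked in order, and whether the local database is consulted afterwards depends on the secondary keyword, the release, and the connection type. The reply values, the version tuple, and the connection-type strings are constructed assumptions for the model.

```python
"""Model of Network OS login-authentication failover as described in the guide.

Constructed example, not Brocade code. Rules encoded:
- primary servers are tried in order; an unreachable server is skipped and the
  first server that answers (accept or reject) decides the primary outcome;
- secondary 'local' before 4.0: fallback on unreachable OR reject;
- secondary 'local' in 4.0 and later: fallback only if every server is unreachable;
- 'local-auth-fallback' (4.0 and later): fallback on unreachable OR reject;
- console login with no secondary: implicit failover to local on any failure.
"""
from typing import Optional, Sequence

UNREACHABLE, ACCEPT, REJECT = "unreachable", "accept", "reject"


def query_servers(server_replies: Sequence[str]) -> str:
    """Walk the configured server list; the first server that answers decides."""
    for reply in server_replies:
        if reply != UNREACHABLE:
            return reply
    return UNREACHABLE


def authenticate(mode: str, server_replies: Sequence[str], local_ok: bool,
                 connection: str = "ssh",
                 version: tuple = (4, 0)) -> Optional[str]:
    """Return the source that authenticated the user ('radius', 'tacacs+',
    'ldap' or 'local'), or None if the login is denied.

    mode is the argument of 'aaa authentication login', e.g. 'radius local'."""
    parts = mode.split()
    primary = parts[0]
    secondary = parts[1] if len(parts) > 1 else None
    if primary == "local":
        return "local" if local_ok else None
    outcome = query_servers(server_replies)
    if outcome == ACCEPT:
        return primary
    # Primary failed (rejected or no server answered): is local consulted?
    if secondary == "local-auth-fallback":
        fall_back = True
    elif secondary == "local":
        fall_back = outcome == UNREACHABLE if version >= (4, 0) else True
    else:
        fall_back = connection == "console"   # implicit console failover only
    if fall_back and local_ok:
        return "local"
    return None
```

The key security check this exposes: with `radius local` on 4.0 or later, a rejection by a reachable server is final, whereas `local-auth-fallback` lets a rejected user retry against the local database.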

Conditions for conformance

• If the first source is specified as default, do not specify a second source. A second source signals a request to set the login authentication mode to its default value, which is local. If the first source is local, the second source cannot be set to any value, because the failover will never occur.

• The source of authentication (except local) and the corresponding server type configuration are dependent on each other. Therefore, at least one server should be configured before that server type can be specified as a source.

• If the source is configured to be a server type, you cannot delete a server of that type if it is the only server in the list. For example, if there are no entries in the TACACS+ server list, the authentication mode cannot be set to tacacs+ or tacacs+ local. Similarly, when the authentication mode is radius or radius local, a RADIUS server cannot be deleted if it is the only one in the list.

Configuring remote server authentication

This section introduces the basics of configuring remote server authentication using RADIUS and
TACACS+.

• Understanding and configuring RADIUS on page 280

• Understanding and configuring TACACS+ on page 285

• Understanding and configuring LDAP on page 293

Network OS Administrator’s Guide

53-1003225-04