Understanding and configuring radius, Authentication and accounting, Authorization – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 280: Account password changes

Understanding and configuring RADIUS
The remote authentication dial-in user service (RADIUS) protocol manages authentication,
authorization, and accounting (AAA) services centrally. The supported management access channels
that integrate with RADIUS are serial port, Telnet, and SSH.
If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
Authentication and accounting
When a Brocade switch is configured with a set of RADIUS servers to be used for authentication, the
switch also sends accounting data to the RADIUS server implicitly. The only accounting events
supported on Brocade VDX switches configured to use RADIUS are successful login and logout of the
RADIUS user.
During the user authentication process, the switch sends its IP address. When the switch also has a
Virtual IP address (in Brocade VCS Fabric mode), it still sends only its unique IP address to the
RADIUS server.
NOTE
If the RADIUS server is not configured to support accounting, the accounting events sent by the switch
to the server are dropped.
Authorization
User authorization through the RADIUS protocol is not supported. The access control of RADIUS
users is enforced by the Brocade role-based access control (RBAC) protocol at the switch level. A
RADIUS user should therefore be assigned a role that is present on the switch using the Vendor
Specific Attribute (VSA) Brocade-Auth-Role. After the successful authentication of the RADIUS user,
the role of the user configured on the server is obtained. If the role cannot be obtained or if the
obtained role is not present on the switch, the user is assigned the "user" role and a session is granted
to the user with "user" authorization.
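The role resolution described above, as an added Python example that is not from the Brocade guide: it pulls Brocade-Auth-Role out of constructed Access-Accept attribute bytes (RFC 2865 Vendor-Specific layout) and applies the "user" fallback. The vendor ID 1588, the vendor type 1, and the sample role names are assumptions not stated on this page; check them against your RADIUS server's Brocade dictionary.

```python
import struct

VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific attribute type
BROCADE_VENDOR_ID = 1588    # assumption: Brocade enterprise number, not stated on the page
BROCADE_AUTH_ROLE = 1       # assumption: vendor type of Brocade-Auth-Role, check your dictionary
FALLBACK_ROLE = "user"      # from the page: role granted when no valid role is obtained

def radius_attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def brocade_role_vsa(role, vendor_id=BROCADE_VENDOR_ID):
    """Build a constructed Vendor-Specific attribute carrying a role string."""
    sub = bytes([BROCADE_AUTH_ROLE, len(role) + 2]) + role.encode("ascii")
    return radius_attr(VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)

def extract_role(attrs):
    """Return the Brocade-Auth-Role string from raw attribute bytes, or None."""
    i = 0
    while i + 2 <= len(attrs):
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            return None                      # malformed: treat as role not obtained
        value, i = attrs[i + 2:i + a_len], i + a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != BROCADE_VENDOR_ID:
            continue                         # another vendor's VSA
        j = 4
        while j + 2 <= len(value):
            v_type, v_len = value[j], value[j + 1]
            if v_len < 2 or j + v_len > len(value):
                break
            if v_type == BROCADE_AUTH_ROLE:
                return value[j + 2:j + v_len].decode("ascii", "replace")
            j += v_len
    return None

def effective_role(attrs, switch_roles):
    """Model the fallback on the page: missing or unknown role becomes "user"."""
    role = extract_role(attrs)
    return role if role in switch_roles else FALLBACK_ROLE

if __name__ == "__main__":
    roles_on_switch = {"admin", "user"}      # constructed sample role set
    reply = radius_attr(18, b"welcome") + brocade_role_vsa("netops")  # constructed
    print(effective_role(reply, roles_on_switch))
```

Running the same check against the roles actually defined on the switch shows which RADIUS accounts would silently land in the "user" role because of a misspelled or undefined role name.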
Account password changes
All existing mechanisms for managing switch-local user accounts and passwords remain functional
when the switch is configured to use RADIUS. Changes made to the switch-local database do not
propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server;
therefore, changes to a RADIUS user password must be done on the RADIUS server.
RADIUS authentication through management interfaces
You can access the switch through Telnet or SSH from either the Management interface or the data
ports (TE interface or in-band). The switch goes through the same RADIUS-based authentication with
either access method.
Network OS Administrator’s Guide
53-1003225-04