Understanding and configuring radius, Authentication and accounting, Authorization – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Understanding and configuring RADIUS

The remote authentication dial-in user service (RADIUS) protocol manages authentication,
authorization, and accounting (AAA) services centrally. The supported management access channels
that integrate with RADIUS are serial port, Telnet, and SSH.

If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.

Authentication and accounting

When a Brocade switch is configured with a set of RADIUS servers to be used for authentication, the
switch also sends accounting data to the RADIUS server implicitly. The only accounting events
supported on Brocade VDX switches configured to use RADUS are successful login and logout of the
RADIUS user.

During the user authentication process, the switch sends its IP address. When the switch also has a
Virtual IP address (in Brocade VCS Fabric mode), it still sends only its unique IP address to the
RADIUS server.

NOTE
If the RADIUS server is not configured to support accounting, the accounting events sent by the switch
to the server are dropped.

Authorization

User authorization through the RADIUS protocol is not supported. The access control of RADIUS
users is enforced by the Brocade role-based access control (RBAC) protocol at the switch level. A
RADIUS user should therefore be assigned a role that is present on the switch using the Vendor
Specific Attribute (VSA) Brocade-Auth-Role . After the successful authentication of the RADIUS user,
the role of the user configured on the server is obtained. If the role cannot be obtained or if the
obtained role is not present on the switch, the user will assigned "user" role and a session is granted
to the user with "user" authorization.

Account password changes

All existing mechanisms for managing switch-local user accounts and passwords remain functional
when the switch is configured to use RADIUS. Changes made to the switch-local database do not
propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server;
therefore, changes to a RADIUS user password must be done on the RADIUS server.

RADIUS authentication through management interfaces

You can access the switch through Telnet or SSH from either the Management interface or the data
ports (TE interface or in-band). The switch goes through the same RADIUS-based authentication with
either access method.

Understanding and configuring RADIUS

280

Network OS Administrator’s Guide

53-1003225-04