Configuring TACACS+ on the server side, Server-side user account administration overview, Establishing a server-side user account – Brocade Network OS Administrator’s Guide v4.1.1 User Manual
Page 291

Example: Command accounting
The following example record shows the successful execution of the username command by the admin
user.
<102> 2012-04-09 15:21:43 4/9/2012 3:21:43 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=username Stop_time=Mon Apr 9 09:43:56 2012
Status=Succeeded
The following record shows the failed execution of the radius-server command by the admin user due
to an invalid host name or server IP address.
<102> 2012-04-09 14:19:42 4/9/2012 2:19:42 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=radius-server Stop_time=Mon Apr 9 08:41:56 2012
Status=%% Error: Invalid host name or IP address
Example: Login (EXEC) accounting
The following example record shows the successful login of the trial user.
<102> 2012-05-14 11:47:49 5/14/2012 11:47:49 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=Console User=trial Flags=Start task_id=1 timezone=Asia/Kolkata service=shell
The following example record shows the successful logout of the trial user.
<102>2012-05-14 11:49:52 5/14/2012 11:49:52 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=console User=trial Flags=Stop task_id=1 timezone=Asia/Kolkata service=shell
elapsed_time=123 reason=admin reset
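The records above are flat key=value text in which some values contain spaces (Stop_time, Status, reason), so splitting on whitespace alone misparses them. The following Python sketch is an added example, not part of the Brocade guide: it rejoins the wrapped lines, parses each record, and lists the commands that did not succeed. The function names and the labels returned by classify() are assumptions chosen for illustration, and the login/logout rule is inferred only from the four records shown.

```python
import re

# Records copied from the examples above, still wrapped as on the page.
SAMPLE = """\
<102> 2012-04-09 15:21:43 4/9/2012 3:21:43 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=username Stop_time=Mon Apr 9 09:43:56 2012
Status=Succeeded
<102> 2012-04-09 14:19:42 4/9/2012 2:19:42 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=radius-server Stop_time=Mon Apr 9 08:41:56 2012
Status=%% Error: Invalid host name or IP address
<102> 2012-05-14 11:47:49 5/14/2012 11:47:49 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=Console User=trial Flags=Start task_id=1 timezone=Asia/Kolkata service=shell
<102>2012-05-14 11:49:52 5/14/2012 11:49:52 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=console User=trial Flags=Stop task_id=1 timezone=Asia/Kolkata service=shell
elapsed_time=123 reason=admin reset
"""

KEY = re.compile(r"(?:^|\s)([A-Za-z][\w-]*)=")  # a field name followed by "="

def split_records(text):
    """Rejoin wrapped lines; a new record starts at the <102> prefix."""
    return [" ".join(r.split()) for r in re.split(r"\n(?=<\d+>)", text) if r.strip()]

def parse_record(line):
    """Return the key=value fields as a dict; a value runs up to the next key."""
    keys = list(KEY.finditer(line))
    ends = [k.start() for k in keys[1:]] + [len(line)]
    return {k.group(1): line[k.end():e].strip() for k, e in zip(keys, ends)}

def classify(f):
    """Label a record using only the fields shown in the examples (assumed labels)."""
    if "Cmd" in f:
        return "command-ok" if f.get("Status") == "Succeeded" else "command-failed"
    return {"Start": "login", "Stop": "logout"}.get(f.get("Flags"), "unknown")

def failed_commands(text):
    """List (User, NAS_IP, Cmd, Status) for commands that did not succeed."""
    rows = [parse_record(r) for r in split_records(text)]
    return [(f.get("User"), f.get("NAS_IP"), f.get("Cmd"), f.get("Status"))
            for f in rows if classify(f) == "command-failed"]

if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        f = parse_record(rec)
        print(classify(f), f.get("User"), f.get("Cmd", "-"))
```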
Configuring TACACS+ on the server side
with your system or network administrator prior to configuration for any special needs your network
environment may have.
Server-side user account administration overview
With TACACS+ servers, you should set up user accounts by their true network-wide identity, rather than
by the account names created on a Brocade switch. Along with each account name, you must assign
appropriate switch access roles. A user account can exist on a TACACS+ server with the same name as
a user on the switch at the same time.
When logging in to a switch configured with a TACACS+ server, users enter their assigned TACACS+
account names and passwords when prompted. Once the TACACS+ server authenticates a user, it
responds with the assigned switch role and the information associated with the user account,
using a Brocade Vendor-Specific Attribute (VSA). An Authentication-Accept response without the role
assignment automatically grants the "user" role.
User accounts, protocols, passwords, and related settings are configured by editing the server
configuration files. The following configuration examples are based on the documentation provided by
Cisco for its TACACS+ daemon users.
Establishing a server-side user account
The following example assigns the user "Mary" the Brocade role of "vlanadmin" and different passwords
depending on whether the CHAP or the PAP protocol is used. In the following example, the brcd-role
attribute is mandatory, which works in a Brocade-only environment. In a mixed vendor environment, the
brcd-role attribute must be set to optional. Refer to Configuring TACACS+ for a mixed vendor
on page 293 for more information.
user = Mary {
chap = cleartext "chap password"
Network OS Administrator’s Guide
53-1003225-04