
Configuring tacacs+ on the server side, Server-side user account administration overview, Establishing a server-side user account – Brocade Network OS Administrator’s Guide v4.1.1 User Manual

Page 291


Example: Command accounting

The following example record shows the successful execution of the username command by the admin
user.

<102> 2012-04-09 15:21:43 4/9/2012 3:21:43 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=username Stop_time=Mon Apr 9 09:43:56 2012
Status=Succeeded

The following record shows the failed execution of the radius-server command by the admin user due
to an invalid host name or server IP address.

<102> 2012-04-09 14:19:42 4/9/2012 2:19:42 PM NAS_IP=10.17.37.150 Port=0
rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell
priv-lvl=0 Cmd=radius-server Stop_time=Mon Apr 9 08:41:56 2012
Status=%% Error: Invalid host name or IP address

Example: Login (EXEC) accounting

The following example record shows the successful login of the trial user.

<102> 2012-05-14 11:47:49 5/14/2012 11:47:49 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=Console User=trial Flags=Start task_id=1 timezone=Asia/Kolkata service=shell

The following example record shows the successful logout of the trial user.

<102>2012-05-14 11:49:52 5/14/2012 11:49:52 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0
rem_addr=console User=trial Flags=Stop task_id=1 timezone=Asia/Kolkata service=shell
elapsed_time=123 reason=admin reset
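As an added example that is not part of the Brocade guide, the following Python parses accounting records in the format shown above (a syslog-style header followed by key=value fields whose values may contain spaces) and flags the two conditions an operator would review: commands that did not succeed and sessions ended by an administrator reset. The sample records are constructed from the four examples on this page, with each record's wrapped lines joined back into one string.

```python
import re
# Constructed sample records, modelled on the accounting examples on this page,
# with the wrapped lines of each record joined back into one string.
RECORDS = [
    "<102> 2012-04-09 15:21:43 4/9/2012 3:21:43 PM NAS_IP=10.17.37.150 Port=0 "
    "rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell "
    "priv-lvl=0 Cmd=username Stop_time=Mon Apr 9 09:43:56 2012 Status=Succeeded",
    "<102> 2012-04-09 14:19:42 4/9/2012 2:19:42 PM NAS_IP=10.17.37.150 Port=0 "
    "rem_addr=Console User=admin Flags=Stop task_id=1 timezone=Etc/GMT+0 service=shell "
    "priv-lvl=0 Cmd=radius-server Stop_time=Mon Apr 9 08:41:56 2012 "
    "Status=%% Error: Invalid host name or IP address",
    "<102> 2012-05-14 11:47:49 5/14/2012 11:47:49 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0 "
    "rem_addr=Console User=trial Flags=Start task_id=1 timezone=Asia/Kolkata service=shell",
    "<102>2012-05-14 11:49:52 5/14/2012 11:49:52 AM NAS_IP=10.17.46.42 Port=/dev/ttyS0 "
    "rem_addr=console User=trial Flags=Stop task_id=1 timezone=Asia/Kolkata service=shell "
    "elapsed_time=123 reason=admin reset",
]
HEADER = re.compile(r"^<(?P<pri>\d+)>\s*(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
# A key is word characters or '-' followed by '='; a value runs up to the next key,
# so values containing spaces (Stop_time, Status, reason) stay intact.
KEY = re.compile(r"(?<!\S)([A-Za-z_][\w-]*)=")

def parse_record(line):
    """Split one accounting record into a dict: header fields plus key=value pairs."""
    m = HEADER.match(line)
    if not m:
        raise ValueError("not an accounting record: %r" % line[:40])
    fields = {"priority": int(m.group("pri")), "timestamp": m.group("ts")}
    keys = list(KEY.finditer(line))
    for i, k in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(line)
        fields[k.group(1)] = line[k.end():end].strip()
    return fields

def classify(fields):
    """Command records carry Cmd/Status; login (EXEC) records only Flags=Start/Stop."""
    if "Cmd" in fields:
        return "cmd_ok" if fields.get("Status") == "Succeeded" else "cmd_failed"
    return {"Start": "login", "Stop": "logout"}.get(fields.get("Flags"), "unknown")

def review(lines):
    """Return (kind, user, detail) for failed commands and admin-reset logouts."""
    findings = []
    for f in map(parse_record, lines):
        kind = classify(f)
        if kind == "cmd_failed":
            findings.append((kind, f["User"], "%s: %s" % (f["Cmd"], f["Status"])))
        elif kind == "logout" and f.get("reason") == "admin reset":
            findings.append((kind, f["User"], "%ss session, %s" % (f["elapsed_time"], f["reason"])))
    return findings
```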

Configuring TACACS+ on the server side

Step-by-step instructions for installing and configuring the TACACS+ server can be obtained from www.cisco.com. Confer with your system or network administrator prior to configuration for any special needs your network environment may have.

Server-side user account administration overview

With TACACS+ servers, you should set up user accounts by their true network-wide identity, rather than by the account names created on a Brocade switch. Along with each account name, you must assign the appropriate switch access roles. A user account can exist on a TACACS+ server with the same name as a user on the switch at the same time.

When logging in to a switch configured with a TACACS+ server, users enter their assigned TACACS+ account names and passwords when prompted. Once the TACACS+ server authenticates a user, it responds with the assigned switch role and the information associated with the user account, carried in a Brocade Vendor-Specific Attribute (VSA). An Authentication-Accept response without a role assignment automatically grants the "user" role.

User accounts, protocol passwords, and related settings are configured by editing the server configuration files. The following configuration examples are based on the documentation Cisco provides for users of its TACACS+ daemon.

Establishing a server-side user account

The following example assigns the user "Mary" the Brocade role of "vlanadmin" and different passwords depending on whether the CHAP or the PAP protocol is used. In this example, the brcd-role attribute is mandatory, which works in a Brocade-only environment. In a mixed vendor environment, the brcd-role attribute must be set to optional. Refer to Configuring TACACS+ for a mixed vendor environment on page 293 for more information.

user = Mary {
chap = cleartext "chap password"


53-1003225-04