Brocade Network OS Administrator’s Guide v4.1.1, page 293

Configuring TACACS+ for a mixed vendor environment
Network OS uses Role Based Access Control (RBAC) to authorize access to system objects by
authenticated users. In AAA environments, users may need to be authorized across Brocade and non-
Brocade platforms. You can use TACACS+ to provide centralized AAA services to multiple network
access servers or clients. To use TACACS+ services in multi-vendor environments, you must configure
the Attribute-Value Pair (AVP) argument to be optional, as shown in the following example, where the
asterisk separator (rather than the equals sign) marks the AVP as optional:
brcd-role*admin
The Network OS device sends the optional argument ‘brcd-role’ in the authorization request to the
TACACS+ service. Most TACACS+ servers are programmed to return the same argument in response
to the authorization request. Under the TACACS+ protocol, a server that does not recognize a
mandatory argument fails the authorization, whereas it may ignore an optional argument it does not
recognize. If ‘brcd-role’ is configured as an optional argument, it is sent in the authorization request
and Network OS users are able to authorize successfully with all TACACS+ services in a mixed-vendor
environment.
Example: Configuring optional arguments in tac_plus
The following is a specific example for the tac_plus package. Syntax for other packages may differ.
In the example, the mandatory attribute priv-lvl=15 is set to allow Cisco devices to authenticate. The
optional brcd-role = admin argument is added to the tac_plus.conf file and allows Brocade VDX
switches to authenticate.
The following example configures a user with the optional attribute value pair, brcd-role = admin. A
Brocade user must match both the username and the user group to authenticate successfully.
# <username> and <groupname> are placeholders for your own names
user = <username> {
    default service = permit
    service = exec {
        priv-lvl=15
        optional brcd-role = admin
    }
}

or

group = <groupname> {
    default service = permit
    service = exec {
        priv-lvl=15
        optional brcd-role = admin
    }
}
user = <username> {
    member = <groupname>
}
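To make the mandatory-versus-optional distinction concrete, here is an added example (not code from the guide or from tac_plus) that models a TACACS+ server's authorization decision per RFC 8907 section 6.1: a mandatory argument the server does not understand fails the request, while an optional one is ignored. The two policies and the request lists are constructed to mirror the tac_plus blocks above.

```python
"""Mandatory ('=') versus optional ('*') TACACS+ authorization arguments,
RFC 8907 section 6.1, modelled for the mixed-vendor case on this page."""
from __future__ import annotations
from dataclasses import dataclass

STATUS_PASS_ADD = 0x01   # TAC_PLUS_AUTHOR_STATUS_PASS_ADD
STATUS_FAIL = 0x10       # TAC_PLUS_AUTHOR_STATUS_FAIL


@dataclass(frozen=True)
class Arg:
    name: str
    value: str
    optional: bool  # '*' separator -> True, '=' separator -> False

    def wire(self) -> str:
        """Render back to the on-the-wire attr=value / attr*value form."""
        return f"{self.name}{'*' if self.optional else '='}{self.value}"


def parse_arg(text: str) -> Arg:
    """Split at the first '=' or '*'; that separator sets the optional flag."""
    for i, ch in enumerate(text):
        if ch in "=*":
            return Arg(text[:i], text[i + 1:], ch == "*")
    raise ValueError(f"argument without separator: {text!r}")


def authorize(request: list[str], policy: list[Arg]) -> tuple[int, list[str]]:
    """Model one server's decision. `policy` lists the attributes the server
    is configured to grant, like the page's 'service = exec' block. An unknown
    mandatory argument fails the authorization; an unknown optional is ignored."""
    known = {a.name for a in policy} | {"service"}  # 'service' is always understood
    for raw in request:
        arg = parse_arg(raw)
        if arg.name not in known and not arg.optional:
            return STATUS_FAIL, []
    return STATUS_PASS_ADD, [a.wire() for a in policy]


# Constructed policies: a server that only knows priv-lvl, and one that also
# carries the page's 'optional brcd-role = admin' line.
CISCO_ONLY = [Arg("priv-lvl", "15", False)]
MIXED_VENDOR = [Arg("priv-lvl", "15", False), Arg("brcd-role", "admin", True)]


def brocade_role(reply_args: list[str]) -> str | None:
    """Extract the role a Brocade client would read from the reply, if any."""
    for raw in reply_args:
        arg = parse_arg(raw)
        if arg.name == "brcd-role":
            return arg.value
    return None
```

Sending brcd-role with '=' instead of '*' to the priv-lvl-only server is the failure the page warns about; the same request with '*' passes and simply yields no role from that server.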
Understanding and configuring LDAP
Lightweight Directory Access Protocol (LDAP) is an open standard protocol for accessing distributed
directory services that act in accordance with X.500 data and service models. The LDAP protocol
assumes that one or more servers jointly provide access to a Directory Information Tree (DIT) where
data is stored and organized as entries in a hierarchical fashion. Each entry has a name, called the
distinguished name, that uniquely identifies it.
The LDAP protocol can also be used for centralized authentication through a directory service.
Active Directory (AD) is a directory service that supports a number of standardized protocols, such as
LDAP, Kerberos authentication, and DNS, to provide various network services. AD uses a structured
data store as the basis for a logical, hierarchical organization of directory information. AD includes user
profiles and groups as part of the directory information, so it can be used as a centralized database for
authenticating third-party resources.
53-1003225-04