User authentication, Server authentication – Brocade Network OS Administrator’s Guide v4.1.1

If you are in logical chassis cluster mode, the configuration is applied to all nodes in the cluster.
User authentication
A Brocade switch can be configured as an LDAP client that authenticates users against an Active
Directory (AD) server. The user's password is sent as clear text inside a Transport Layer Security
(TLS) channel, so the TLS session is what protects the password on the wire. Optionally, the switch
also authenticates the server during the TLS handshake (see Server authentication below). Only the
user principal name (UPN) from the AD server is supported for LDAP authentication on the Brocade
switch; authentication based on the Common Name (CN) is not supported. When you log in to the
switch, enter the complete user principal name, including the domain (for example,
"[email protected]").
LDAP supports alternative user principal names, such as:
• username
• [email protected]
• [email protected]
• [email protected]
Network OS supports LDAP authentication with the following AD servers:
• Windows 2000
• Windows 2003
• Windows 2008 AD
A Brocade switch configured to perform LDAP-based authentication can be accessed through its
serial port, Telnet, and SSH. For the network channels (Telnet and SSH), you need the switch IP
address or hostname to connect.
A maximum of five AD servers can be configured on a Brocade switch.
If you are in logical chassis cluster mode, all LDAP server and map role configurations are applied
to all switches in the cluster. The exception is the certutil and "show certutil" commands, which
are not distributed across the cluster.
Server authentication
As part of user authentication using LDAP, the Brocade switch can be configured to verify the AD
server's certificate. To enable server authentication (server certificate verification), follow these
guidelines:
• When configuring the LDAP server, add the Fully Qualified Domain Name (FQDN) of the AD server
as the host parameter instead of its IP address. The switch validates the server identity by
comparing the configured name with the common name (CN) in the server certificate, so an IP
address cannot match.
• Configure a DNS server on the switch before adding an AD server by domain name or hostname.
Without a DNS server, name resolution fails and the add operation fails with it. Use the ip dns
command to configure DNS.
• Install the CA certificate that issued the AD server's certificate on the switch. Currently, only
PEM-formatted CA certificates can be imported into the switch.
Server certificate verification is all or nothing: once an LDAP CA certificate is imported for any
one server, the switch verifies the certificates of all configured servers. Either import the CA
certificates for every server, or do not import one for any server; a server whose certificate chain
does not end in an imported CA will not pass verification.
An imported CA certificate is retained even if the switch is set back to its default configuration.
If the CA certificate is no longer required, delete it explicitly; otherwise the switch continues to
trust certificates issued by that CA.
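The rules above (UPN login form, FQDN host when verifying, DNS resolvable, PEM-only CA import, all-or-nothing CA import, at most five servers) are easy to get wrong when typing them into a switch. The following pre-flight validator is an added example, not Brocade's code and not part of the guide; it checks a planned configuration offline before it is applied. The server names, addresses and certificate bytes are constructed sample data, and the DNS resolver is injectable so the check runs without network access.

```python
"""Pre-flight validator for a Network OS LDAP/AD client plan (added example, not Brocade code).

Encodes the guide's constraints: <= 5 AD servers; an FQDN host whenever server
verification is on (the switch compares it with the certificate CN); hostnames
must resolve; only PEM CA certificates import; CA import is all-or-nothing;
users log in with the complete UPN (user@domain). Sample data is constructed.
"""
import ipaddress
import re
import socket
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

MAX_AD_SERVERS = 5
# One DNS label: 1-63 chars of letters/digits/hyphen, no leading or trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# PEM certificate framing, which is what the switch's certutil import expects.
_PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+-----END CERTIFICATE-----")


@dataclass
class LdapServer:
    host: str                        # value intended for the server's 'host' parameter
    ca_cert: Optional[bytes] = None  # CA certificate to import for this server, if any


def is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_fqdn(host: str) -> bool:
    """True for a dotted hostname such as dc1.example.com; False for IPs and short names."""
    if is_ip_literal(host):
        return False
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL_RE.match(label) for label in labels)


def is_pem_certificate(data: bytes) -> bool:
    """True if the bytes carry a PEM certificate block. DER begins with a 0x30 SEQUENCE tag."""
    if data[:1] == b"\x30":
        return False
    return _PEM_CERT_RE.search(data.decode("ascii", errors="replace")) is not None


def is_complete_upn(login: str) -> bool:
    """True for user@domain with a non-empty user part and a dotted domain."""
    user, sep, domain = login.partition("@")
    return bool(sep) and bool(user) and is_fqdn(domain)


def check_config(servers: Iterable[LdapServer], logins: Iterable[str],
                 resolve: Callable[[str], str] = socket.gethostbyname) -> List[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    servers = list(servers)
    problems: List[str] = []
    if len(servers) > MAX_AD_SERVERS:
        problems.append(f"too many servers: {len(servers)} > {MAX_AD_SERVERS}")

    with_ca = [s for s in servers if s.ca_cert is not None]
    verify_all = bool(with_ca)  # one imported CA turns verification on for every server
    if verify_all and len(with_ca) != len(servers):
        missing = ", ".join(s.host for s in servers if s.ca_cert is None)
        problems.append(f"all-or-nothing: CA imported for some servers but not for {missing}")

    for s in servers:
        if verify_all and not is_fqdn(s.host):
            problems.append(f"{s.host}: server verification needs an FQDN that matches the certificate CN")
        if not is_ip_literal(s.host):
            try:
                resolve(s.host)
            except OSError:
                problems.append(f"{s.host}: name does not resolve; configure DNS ('ip dns') first")
        if s.ca_cert is not None and not is_pem_certificate(s.ca_cert):
            problems.append(f"{s.host}: CA certificate is not PEM; only PEM can be imported")

    for login in logins:
        if not is_complete_upn(login):
            problems.append(f"{login!r}: enter the complete user principal name (user@domain)")
    return problems


# Constructed sample data (not from the guide). The PEM body is a placeholder, not a real
# certificate; only the PEM framing is inspected. The DER bytes are a bare SEQUENCE header.
SAMPLE_CA_PEM = (b"-----BEGIN CERTIFICATE-----\n"
                 b"MIIBplaceholderBodyNotARealCertificate0123456789+/=\n"
                 b"-----END CERTIFICATE-----\n")
SAMPLE_CA_DER = b"\x30\x82\x01\x22" + b"\x00" * 16
FAKE_DNS = {"dc1.example.com": "192.0.2.10", "dc2.example.com": "192.0.2.11",
            "dc3.example.com": "192.0.2.12"}


def fake_resolve(host: str) -> str:
    """Offline stand-in for socket.gethostbyname over the constructed FAKE_DNS table."""
    try:
        return FAKE_DNS[host]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known") from None


def good_plan() -> List[str]:
    servers = [LdapServer("dc1.example.com", SAMPLE_CA_PEM), LdapServer("dc2.example.com", SAMPLE_CA_PEM)]
    return check_config(servers, ["alice@example.com"], resolve=fake_resolve)


def bad_plan() -> List[str]:
    servers = [LdapServer("192.0.2.10", SAMPLE_CA_PEM),      # IP literal: cannot match the CN
               LdapServer("dc9.example.com"),                 # no CA while others have one; unresolvable
               LdapServer("dc3.example.com", SAMPLE_CA_DER)]  # DER instead of PEM
    return check_config(servers, ["alice"], resolve=fake_resolve)


if __name__ == "__main__":
    for name, found in (("good plan", good_plan()), ("bad plan", bad_plan())):
        print(f"{name}: {'ok' if not found else str(len(found)) + ' problem(s)'}")
        for p in found:
            print("  -", p)
```

Run it directly to see the good plan pass and the bad plan report five problems. To check a real plan, drop the `resolve=` argument so `socket.gethostbyname` is used, which mirrors the switch's own dependency on a working DNS configuration.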
294
Network OS Administrator’s Guide
53-1003225-04