
Brocade Multi-Service IronWare Security Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Security Configuration Guide

53-1003035-02

Configuring RADIUS security


1. A user triggers RADIUS authentication by doing one of the following:
   - Logging in to the Brocade device using Telnet, SSH, or the Web Management Interface
   - Entering the Privileged EXEC level or CONFIG level of the CLI

2. The user is prompted for a username and password.

3. The user enters a username and password.

4. The Brocade device sends a RADIUS Access-Request packet containing the username and password to the RADIUS server.

5. The RADIUS server validates the Brocade device using a shared secret (the RADIUS key).

6. The RADIUS server looks up the username in its database.

7. If the username is found in the database, the RADIUS server validates the password.

8. If the password is valid, then:
   a. If the RADIUS server is configured to use multi-factor authentication, it may send an Access-Challenge packet to the Brocade device. If so, the user may be asked for additional input (for example, an RSA SecurID PIN or RSA SecurID next tokencode), which the Brocade device will forward to the RADIUS server. If the additional input is valid, then the process moves to the next step.
   b. If the RADIUS server is configured to use single-factor authentication, then the process moves immediately to the next step.

9. The RADIUS server sends an Access-Accept packet to the Brocade device, authenticating the user. Within the Access-Accept packet are three Brocade vendor-specific attributes that indicate:
   - The privilege level of the user
   - A list of commands
   - Whether the user is allowed or denied usage of the commands in the list
   The last two attributes are used with RADIUS authorization, if configured.

10. The user is authenticated, and the information supplied in the Access-Accept packet for the user is stored on the Brocade device. The user is granted the specified privilege level. If you configure RADIUS authorization, the user is allowed or denied usage of the commands in the list.
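The exchange in steps 4, 5 and 9 above, as an added example that is not part of the Brocade guide: it builds an Access-Request with the User-Password hidden under the shared secret (RFC 2865), builds a constructed Access-Accept carrying vendor-specific attributes, and shows the device-side check that the reply was produced by a server holding the same RADIUS key. The vendor ID 1991, the sub-attribute numbers and all sample values are assumptions for illustration; check them against your RADIUS dictionary.

```python
import hashlib, struct

# Assumed for this added example only: Foundry/Brocade vendor ID 1991 (verify
# against your RADIUS dictionary) and a constructed shared secret (the RADIUS key).
VENDOR_ID = 1991
SECRET = b"constructed-shared-secret"

def hide_password(password, secret, authenticator):
    # RFC 2865 section 5.2: pad to 16-byte blocks; each block is XORed with
    # MD5(secret + previous ciphertext block), seeded by the Request Authenticator.
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out

def build_access_request(ident, username, password, secret, authenticator):
    # Step 4: Access-Request (code 1) with User-Name (1) and hidden User-Password (2).
    hidden = hide_password(password, secret, authenticator)
    attrs = bytes([1, 2 + len(username)]) + username + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_access_accept(request, secret, vsas):
    # Step 9, constructed server side: Access-Accept (code 2) carrying one
    # Vendor-Specific (26) attribute per (vendor, type, data) tuple, plus the
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret).
    attrs = b""
    for vendor, vtype, data in vsas:
        body = struct.pack("!I", vendor) + bytes([vtype, 2 + len(data)]) + data
        attrs += bytes([26, 2 + len(body)]) + body
    head = struct.pack("!BBH", 2, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def response_is_authentic(reply, request_authenticator, secret):
    # The device's side of step 5: the reply only verifies if the server used the
    # same shared secret, so a forged or mis-keyed Access-Accept is rejected.
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return expected == reply[4:20]

def parse_vsas(reply):
    # Walk the attribute list and return (vendor_id, vendor_type, data) for each
    # VSA (assumes one sub-attribute per VSA, as constructed above).
    vsas, pos = [], 20
    while pos + 2 <= len(reply) and reply[pos + 1] >= 2:
        if reply[pos] == 26:
            vendor = struct.unpack("!I", reply[pos + 2:pos + 6])[0]
            vsas.append((vendor, reply[pos + 6], reply[pos + 8:pos + reply[pos + 1]]))
        pos += reply[pos + 1]
    return vsas
```

Only a reply that verifies should have its privilege level and command list stored on the device (step 10); a reply that fails the check should be dropped and logged.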

Multi-factor RADIUS authentication
The Brocade device supports multi-factor authentication (for example, RSA SecurID) through a
RADIUS server. For access by Telnet, no further configuration is needed on the Brocade device to
enable multi-factor RADIUS authentication.

The default is yes (interactive authentication is supported by default); therefore, all you must do is
configure SSH to use multi-factor authentication.

Brocade(config)# ip ssh interactive-authentication

Syntax: ip ssh interactive-authentication [no | yes]

Refer to “Configuring Secure Shell and Secure Copy” for SSH configuration details.

A sample interactive authentication session (with RSA SecurID) is shown below.

Telnet_DMT_MLXe_16k - 08-25-2010 -- 11:20:18 Session Log Start --

10.20.179.55|Telnet - 08-25-2010 -- 11:20:18