
Setting the switch authentication mode, Fabric OS user accounts – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual


TABLE 24  Authentication configuration options (Continued)

aaaConfig option: --authspec "tacacs+; local" --backup
Description: Authenticates management connections against the configured TACACS+ databases first. If TACACS+ authentication fails for any reason, the switch then authenticates against the local user database. The --backup option specifies that the secondary authentication database is tried only if the primary authentication database is not available.

aaaConfig option: --authspec -nologout
Description: Prevents users from being logged out when you change the authentication mode. The default behavior is to log out users when you change authentication.

Setting the switch authentication mode

1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command.

Fabric OS user accounts

RADIUS, LDAP, and TACACS+ servers allow you to set up user accounts by their true network-wide identities rather than by the account names created on a Fabric OS switch. With each account name, assign the appropriate switch access permissions. For LDAP servers, you can use the ldapCfg --maprole command to map LDAP server permissions.

RADIUS, LDAP, and TACACS+ support all the defined RBAC roles described in Role-Based Access Control on page 134.

Users must enter their assigned RADIUS, LDAP, or TACACS+ account name and password when logging in to a switch that has been configured with remote authentication. After the remote authentication (RADIUS, LDAP, or TACACS+) server authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific Attribute (VSA). If the response does not contain a VSA permissions assignment, the user is given the role named user. If no Administrative Domain is assigned, then the user is assigned to the default Admin Domain AD0.

You can set a user password expiration date and add a warning for RADIUS login and TACACS+ login. The password expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning specifies how many days before the expiration date the user is notified that the password is about to expire. You must specify either both attributes or neither. If you specify only one attribute, or there is a syntax error in the attributes, no password expiration warning is issued. If your RADIUS server maintains its own password expiration attributes, you must set the exact same date twice to use this feature: once on your RADIUS server and once in the VSA. If the dates do not match, RADIUS server authentication fails.
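The following Python example is added here to illustrate the rules just stated; it is not Fabric OS code and does not use Brocade's actual attribute names, which are not given on this page. The function names, the strict zero-padded date check, and the treatment of an already-passed date as "expired" (a negative day count) are assumptions made for the illustration.

```python
import re
from datetime import date, datetime, timezone

# Constructed example (not Fabric OS code): applies the stated rules for the
# password-expiry date and warning-period pair sent at RADIUS/TACACS+ login.
# Function names and the strict date regex are assumptions for illustration.

MMDDYYYY = re.compile(r"^\d{2}/\d{2}/\d{4}$")   # strict, zero-padded MM/DD/YYYY


def _as_date(value):
    """Accept either a date object or an MM/DD/YYYY string (UTC calendar date)."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, "%m/%d/%Y").date()


def parse_expiry_attrs(expiry_date, warn_days):
    """Return (expiry, warn_days) or None when no expiration warning can be issued.

    None results when neither attribute is present (no expiry configured), when
    only one of the two is present, or when either attribute has a syntax error.
    """
    if expiry_date is None or warn_days is None:
        return None                      # both are required; one alone is ignored
    if not MMDDYYYY.match(expiry_date):
        return None                      # e.g. "3/15/2025" or "2025-03-15"
    try:
        expiry = datetime.strptime(expiry_date, "%m/%d/%Y").date()
        days = int(warn_days)
    except ValueError:                   # impossible date (13/01/2025) or non-integer
        return None
    if days < 0:
        return None
    return expiry, days


def expiry_warning(expiry_date, warn_days, today=None):
    """Days left until the password expires if a warning is due, otherwise None.

    `today` is the current date in UTC (the expiry date is also read as UTC).
    A negative return means the date has already passed (assumed: expired).
    """
    parsed = parse_expiry_attrs(expiry_date, warn_days)
    if parsed is None:
        return None
    expiry, days = parsed
    today = _as_date(today) if today is not None else datetime.now(timezone.utc).date()
    days_left = (expiry - today).days
    return days_left if days_left <= days else None


def vsa_matches_server(vsa_expiry, server_expiry):
    """True only when the VSA date and the RADIUS server's own expiry date agree.

    The text requires the two to be the exact same date when the server keeps
    its own expiration attributes; a mismatch means authentication fails.
    """
    try:
        return _as_date(vsa_expiry) == _as_date(server_expiry)
    except (TypeError, ValueError):
        return False
```

Calling expiry_warning("03/15/2025", "7", "03/10/2025") returns 5 (a warning is due, five days remain), while passing only one of the two attributes, a non-zero-padded date, or a non-integer warning period returns None, mirroring the "both or none" rule.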

Table 25 describes the syntax used for assigning VSA-based account switch roles on a RADIUS server.

TABLE 25  Syntax for VSA-based account roles

Item     Value         Description
Type     26            1 octet
Length   7 or higher   1 octet, calculated by the server
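The following Python example is added to show the attribute framing that Table 25 describes: a one-octet Type of 26 followed by a one-octet Length of 7 or higher computed over the whole attribute, as defined for RADIUS Vendor-Specific Attributes in RFC 2865 section 5.26. It is not Fabric OS or RADIUS server code. The Vendor-Id 1588 (Brocade's IANA enterprise number) and vendor type 1 for the role string are assumptions not taken from this page, as are the function names; the default role of user when no role assignment is present follows the text above.

```python
import struct

# Constructed example (not Fabric OS code) of RADIUS VSA framing:
#   Type(1) | Length(1) | Vendor-Id(4) | Vendor-Type(1) | Vendor-Length(1) | value
# Length counts every octet of the attribute, so the minimum is 7.
VSA_TYPE = 26
MIN_VSA_LENGTH = 7          # Type + Length + 4-octet Vendor-Id + at least 1 octet
VENDOR_ID = 1588            # assumption: Brocade's IANA enterprise number
ROLE_VENDOR_TYPE = 1        # assumption: vendor sub-attribute carrying the role


def encode_vsa(vendor_type, value, vendor_id=VENDOR_ID):
    """Build one VSA carrying a single vendor sub-attribute (e.g. the role)."""
    if isinstance(value, str):
        value = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    length = 2 + 4 + len(sub)           # Type, Length, Vendor-Id, sub-attribute
    if length > 255:
        raise ValueError("VSA too long for a one-octet Length field")
    return struct.pack("!BBI", VSA_TYPE, length, vendor_id) + sub


def decode_vsa(data):
    """Parse a VSA, enforcing the Type/Length rules; returns (vendor_id, {vtype: value})."""
    if len(data) < MIN_VSA_LENGTH:
        raise ValueError("VSA shorter than the 7-octet minimum")
    attr_type, length = data[0], data[1]
    if attr_type != VSA_TYPE:
        raise ValueError(f"not a Vendor-Specific attribute (type {attr_type})")
    if length < MIN_VSA_LENGTH or length != len(data):
        raise ValueError(f"bad Length {length} for {len(data)} octets")
    vendor_id = struct.unpack("!I", data[2:6])[0]
    subs = {}
    rest = data[6:]
    while rest:
        if len(rest) < 2:
            raise ValueError("vendor string is not in vendor-type/vendor-length format")
        vtype, vlen = rest[0], rest[1]
        if vlen < 2 or vlen > len(rest):
            raise ValueError(f"bad vendor-length {vlen}")
        subs[vtype] = rest[2:vlen]
        rest = rest[vlen:]
    return vendor_id, subs


def role_from_vsa(data, default_role="user"):
    """Switch role carried by the VSA; the user role when no assignment is present."""
    vendor_id, subs = decode_vsa(data)
    if vendor_id != VENDOR_ID or ROLE_VENDOR_TYPE not in subs:
        return default_role
    return subs[ROLE_VENDOR_TYPE].decode("ascii")
```

For a role string of "admin" the encoder produces a 13-octet attribute (2 + 4 + 2 + 5), and the decoder rejects anything whose Length field disagrees with the octets actually present, which is the check a server or switch needs before trusting the role inside.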


Fabric OS Administrators Guide, page 151 (53-1003130-01)