Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual
Page 154
RADIUS configuration with Admin Domains or Virtual Fabrics
When configuring users with Admin Domains or Virtual Fabrics, you must also include the Admin
Domain or Virtual Fabric member list. This section describes the way that you configure attribute types
for this configuration.
The values for these attribute types use the syntax key=val[;key=val], where key is a text description of
attributes, val is the attribute value for the given key, the equal sign (=) is the separator between key
and value, and the semicolon (;) is an optional separator for multiple key-value pairs.
Multiple key-value pairs can appear for one Vendor-Type code. Key-value pairs with the same key
name may be concatenated across multiple Vendor-Type codes. You can use any combination of the
Vendor-Type codes to specify key-value pairs. Note that a switch always parses these attributes in order
from Vendor-Type code 2 through Vendor-Type code 4.
Only the following keys are accepted; all other keys are ignored.
• HomeAD is the designated home Admin Domain for the account. The valid range of values is from
0 through 255. The first valid HomeAD key-value pair is accepted by the switch, and any additional
HomeAD key-value pairs are ignored.
• ADList is a comma-separated list of Administrative Domain numbers of which this account is a
member. Valid numbers range from 0 through 255. A dash between two numbers specifies a range.
Multiple ADList key-value pairs within the same or across different Vendor-Type codes are
concatenated. Multiple occurrences of the same Admin Domain number are ignored.
• HomeLF is the designated home Virtual Fabric for the account. The valid values are from 1 through
128 and chassis context. The first valid HomeLF key-value pair is accepted by the switch; additional
HomeLF key-value pairs are ignored.
• LFRoleList is a comma-separated list of Virtual Fabric ID numbers of which this account is a
member. Valid numbers range from 1 through 128. A dash between two numbers specifies a range.
Multiple Virtual Fabric list key-value pairs within the same or across different Vendor-Type codes
are concatenated. Multiple occurrences of the same Virtual Fabric ID number are ignored.
• ChassisRole is the account access permission at the chassis level. The chassis role allows the
user to execute chassis-related commands in a Virtual Fabrics-enabled environment. Valid chassis
roles include the default roles and any of the user-defined roles.
RADIUS authentication requires that the account have valid permissions through the attribute type
Brocade-Auth-Role. The additional attribute values ADList, HomeAD, HomeLF, and LFRoleList are
optional. If they are unspecified, the account can log in with AD0 as its member list and home Admin
Domain, or VF128 as its member list and home Virtual Fabric. If there is an error in the ADList,
HomeAD, LFRoleList, or HomeLF specification, the account cannot log in until the AD list or Virtual
Fabric list is corrected; an error message is displayed.
For example, on a Linux FreeRADIUS Server, the user (user-za) with the following settings takes the
"zoneAdmin" permissions, with AD member list: 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will
be 1.
user-za Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "ZoneAdmin",
    Brocade-AVPairs1 = "ADList=1,2,6",
    Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRADIUS Server, the user has the "operator" permissions, with
ADList 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 and HomeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "operator",
    Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
    Brocade-AVPairs2 = "ADList=4-8,20;ADList=7,9,12"
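The following is an added example, not code from the Fabric OS guide or from Brocade: a reference parser for the key=val[;key=val] attribute syntax described above, applying the page's rules (attributes parsed in Vendor-Type code order, first HomeAD/HomeLF accepted, ADList/LFRoleList concatenated with dash ranges and duplicates ignored, unknown keys ignored, out-of-range values rejected so that login fails, AD0/VF128 defaults when nothing is specified). It is useful for checking a RADIUS reply against what the switch will accept before rolling it out. Assumptions that the page does not state: the attributes Brocade-AVPairs1, Brocade-AVPairs2 and Brocade-AVPairs3 are processed in that order (the mapping of attribute names to Vendor-Type codes 2 through 4 is assumed); when ADList is given without HomeAD, the lowest listed Admin Domain becomes the home, which is what the user-za example implies; the "chassis context" form of HomeLF is not modelled, only numeric values 1 through 128.

```python
"""Added example (not from the Fabric OS guide): reference parser for the
Brocade-AVPairs key=val[;key=val] syntax and the rules given on this page.

Assumed, not stated on the page: Brocade-AVPairs1..3 are processed in that
order (the page says Vendor-Type code 2 through 4); an unspecified HomeAD
with a non-empty ADList defaults to the lowest listed AD (inferred from the
user-za example); the "chassis context" form of HomeLF is not modelled.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


class AVPairError(ValueError):
    """Invalid list or home value: the account cannot log in until it is fixed."""


@dataclass
class AccountScope:
    home_ad: Optional[int] = None
    ad_list: List[int] = field(default_factory=list)
    home_lf: Optional[int] = None
    lf_role_list: List[int] = field(default_factory=list)
    chassis_role: Optional[str] = None


AD_RANGE = (0, 255)    # Admin Domain numbers 0 through 255
LF_RANGE = (1, 128)    # Virtual Fabric IDs 1 through 128
_ELEMENT = re.compile(r"(\d+)(?:-(\d+))?")   # "12" or "4-8"


def _expand_list(value: str, lo: int, hi: int) -> List[int]:
    """'1,2,4-8' -> [1, 2, 4, 5, 6, 7, 8]; a dash is a range, out-of-range is an error."""
    out: List[int] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue                      # tolerate an empty element such as "1,2,6,"
        m = _ELEMENT.fullmatch(item)
        if not m:
            raise AVPairError(f"malformed list element {item!r}")
        start = int(m.group(1))
        end = int(m.group(2)) if m.group(2) else start
        if start > end or start < lo or end > hi:
            raise AVPairError(f"list element {item!r} outside {lo}..{hi}")
        out.extend(range(start, end + 1))
    return out


def _parse_home(value: str, lo: int, hi: int) -> int:
    if not value.isdigit() or not lo <= int(value) <= hi:
        raise AVPairError(f"home value {value!r} outside {lo}..{hi}")
    return int(value)


def parse_avpairs(avpairs: Dict[str, str]) -> AccountScope:
    """avpairs maps attribute name (e.g. 'Brocade-AVPairs1') to its string value."""
    scope = AccountScope()
    for name in sorted(avpairs):                  # AVPairs1, AVPairs2, AVPairs3 in order
        for pair in avpairs[name].split(";"):     # ';' separates key-value pairs
            key, sep, val = (s.strip() for s in pair.partition("="))
            if not sep:
                continue                          # not a key=val pair; skip
            if key == "ADList":
                scope.ad_list += _expand_list(val, *AD_RANGE)
            elif key == "LFRoleList":
                scope.lf_role_list += _expand_list(val, *LF_RANGE)
            elif key == "HomeAD":
                if scope.home_ad is None:         # first HomeAD wins, later ones ignored
                    scope.home_ad = _parse_home(val, *AD_RANGE)
            elif key == "HomeLF":
                if scope.home_lf is None:         # first HomeLF wins
                    scope.home_lf = _parse_home(val, *LF_RANGE)
            elif key == "ChassisRole":
                scope.chassis_role = val          # default or user-defined role name
            # any other key is ignored, as the page states
    # repeated Admin Domain / Virtual Fabric numbers are ignored
    scope.ad_list = sorted(set(scope.ad_list))
    scope.lf_role_list = sorted(set(scope.lf_role_list))
    # nothing specified: AD0 / VF128 become both member list and home
    if not scope.ad_list and scope.home_ad is None:
        scope.ad_list, scope.home_ad = [0], 0
    elif scope.home_ad is None:
        scope.home_ad = scope.ad_list[0]          # assumption: lowest listed AD is home
    if not scope.lf_role_list and scope.home_lf is None:
        scope.lf_role_list, scope.home_lf = [128], 128
    elif scope.home_lf is None:
        scope.home_lf = scope.lf_role_list[0]     # same assumption for Virtual Fabrics
    return scope


if __name__ == "__main__":
    # the two FreeRADIUS entries from this page, as the switch would receive them
    print(parse_avpairs({"Brocade-AVPairs1": "ADList=1,2,6",
                         "Brocade-AVPairs2": "ADList=4-8;ADList=7,9,12"}))
    print(parse_avpairs({"Brocade-AVPairs1": "ADList=1,2;HomeAD=2",
                         "Brocade-AVPairs2": "ADList=4-8,20;ADList=7,9,12"}))
```

Run against the two entries above, the parser yields the AD member lists the page gives (1, 2, 4, 5, 6, 7, 8, 9, 12 with home 1, and 1, 2, 4, 5, 6, 7, 8, 9, 12, 20 with home 2); an element such as ADList=1-300 raises AVPairError, which is the case the page describes as the account being unable to log in until the list is corrected.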
53-1003130-01