Tacacs+ service, Tacacs+ configuration overview – Brocade Fabric OS Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

The HomeLF field specifies the user’s home Logical Fabric.

The LFRole list field specifies the additional Logical Fabrics to which the user has
access and the user’s access permissions for those Logical Fabrics. Logical Fabric
numbers are separated by commas ( , ). A hyphen ( - ) indicates a range.

The ChassisRole field designates the permissions that apply to the ChassisRole subset
of commands.

Example for adding Virtual Fabrics

In the following example, the logical switch the user is logged in to by default has FID 10. If FID 10 is
not available, the lowest available FID is chosen. The user is given permission to enter logical
switches 1 through 128 with the admin role and is also given the chassis role permission of admin.

brcdAdVfData: HomeLF=10;LFRoleList=admin:1-128;ChassisRole=admin

The following fragment from a file named test4.ldif provides an entry for a user with Virtual Fabric
access roles.

# Organizational Role for Users
dn: cn=Users,dc=mybrocade,dc=com
objectClass: organizationalRole
cn: Users
description: User

# User entries
dn: cn=Sachin,cn=Users,dc=mybrocade,dc=com
objectClass: user
objectClass: person
objectClass: uidObject
cn: Sachin
sn: Mishra
description: First user
brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
userPassword: pass
uid: [email protected]

The following command adds the user to the LDAP directory.

switch:admin> ldapadd -D cn=Sachin,dc=mybrocade,dc=com -x -w secret -f test4.ldif
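The brcdAdVfData format and the LDIF fragment above lend themselves to a small parser that checks an entry before it is handed to ldapadd. The following Python is an added example, not Brocade's code or anything from the Fabric OS guide. It assumes FIDs are integers in the range 1 to 128 (the bound is taken from the page's own example range, not from a documented limit), that LFRoleList holds a single role followed by a colon and the FID list, and that a minimal "key: value" LDIF reader is sufficient for fragments like the one shown. The sample LDIF embedded in it is constructed, with a placeholder uid.

```python
"""Parse and validate the brcdAdVfData attribute described on this page.

Added example, not Brocade's code. Assumptions not stated on the page:
  * FIDs are integers and 1..128 is the valid range (bound taken from the example).
  * LFRoleList is one role, a colon, then the comma/hyphen FID list.
  * The LDIF reader is minimal: 'key: value' lines, '#' comments, blank-line separators.
"""
from dataclasses import dataclass, field

MIN_FID = 1
MAX_FID = 128  # assumed upper bound, taken from the page's 1-128 example


@dataclass
class VfData:
    home_lf: int                       # HomeLF: the user's home Logical Fabric
    lf_role: str                       # role applied to the LFRoleList fabrics
    lf_ids: set = field(default_factory=set)  # expanded set of FIDs from LFRoleList
    chassis_role: str = ""             # ChassisRole: role for chassis-level commands


def parse_fid_list(spec):
    """Expand 'a,b-c' into a set of FIDs: commas separate entries, a hyphen is a range."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo_s, hi_s = part.split("-", 1)
            lo, hi = int(lo_s), int(hi_s)
            if lo > hi:
                raise ValueError(f"reversed range: {part}")
            ids.update(range(lo, hi + 1))
        else:
            ids.add(int(part))
    bad = [f for f in ids if not MIN_FID <= f <= MAX_FID]
    if bad:
        raise ValueError(f"FID out of range: {sorted(bad)}")
    return ids


def parse_brcd_ad_vf_data(value):
    """Parse 'HomeLF=..;LFRoleList=role:list;ChassisRole=..' into a VfData."""
    fields = {}
    for item in value.split(";"):
        if not item.strip():
            continue
        key, sep, val = item.partition("=")
        if not sep:
            raise ValueError(f"malformed field: {item!r}")
        fields[key.strip()] = val.strip()
    role, sep, spec = fields["LFRoleList"].partition(":")
    if not sep or not role:
        raise ValueError("LFRoleList must be of the form role:fid-list")
    return VfData(
        home_lf=int(fields["HomeLF"]),
        lf_role=role,
        lf_ids=parse_fid_list(spec),
        chassis_role=fields.get("ChassisRole", ""),
    )


def effective_home(data, available):
    """Login FID per the page's rule: HomeLF if present, else the lowest available FID."""
    if data.home_lf in available:
        return data.home_lf
    return min(available)


def ldif_entries(text):
    """Yield (dn, attrs) from minimal LDIF; attrs maps attribute name to a list of values."""
    entry = {}
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.rstrip()
        if line.startswith("#"):
            continue
        if not line:
            if entry:
                yield entry.pop("dn", ["<no dn>"])[0], entry
                entry = {}
            continue
        key, _, val = line.partition(":")
        entry.setdefault(key.strip(), []).append(val.strip())


def vf_data_from_ldif(text):
    """Map each entry DN to its parsed brcdAdVfData; entries without the attribute are skipped."""
    return {dn: parse_brcd_ad_vf_data(attrs["brcdAdVfData"][0])
            for dn, attrs in ldif_entries(text) if "brcdAdVfData" in attrs}


# Constructed sample modelled on the page's test4.ldif fragment (uid is a placeholder).
SAMPLE_LDIF = """\
# Organizational Role for Users
dn: cn=Users,dc=mybrocade,dc=com
objectClass: organizationalRole
cn: Users

# User entry
dn: cn=Sachin,cn=Users,dc=mybrocade,dc=com
objectClass: user
objectClass: person
objectClass: uidObject
cn: Sachin
sn: Mishra
brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
uid: sachin-placeholder
"""

if __name__ == "__main__":
    for dn, data in vf_data_from_ldif(SAMPLE_LDIF).items():
        print(dn, data.home_lf, data.lf_role, len(data.lf_ids), data.chassis_role)
```

Running the check before ldapadd surfaces reversed ranges or out-of-range FIDs at provisioning time rather than as a failed login, and effective_home encodes the fallback rule the page states for a home FID that is not available.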

TACACS+ service

Fabric OS can authenticate users with a remote server using the Terminal Access Controller
Access-Control System Plus (TACACS+) protocol. TACACS+ is a protocol used in AAA server
environments consisting of a centralized authentication server and multiple Network Access Servers
or clients. Once configured to use TACACS+, a Brocade switch becomes a Network Access Server (NAS).

The following authentication protocols are supported by the TACACS+ server for user authentication:

• Password Authentication Protocol (PAP)
• Challenge Handshake Authentication Protocol (CHAP)

TACACS+ is not a FIPS-supported protocol, so you cannot configure TACACS+ in FIPS mode. To
enable FIPS, any TACACS+ configuration must be removed.

The TACACS+ server can be a Microsoft Windows server or a Linux server. For Linux servers, use
TACACS+ 4.0.4 or later from Cisco. For Microsoft Windows servers, use any TACACS+ freeware that
uses TACACS+ protocol v1.78 or later.

TACACS+ configuration overview

Configuration is required on both the TACACS+ server and the Brocade switch. On the TACACS+
server, you should assign a role for each user and, if Admin Domains or Virtual Fabrics are in use,


166

Fabric OS Administrators Guide

53-1003130-01