Aaa settings tab, Configuring radius server authentication – Brocade Network Advisor SAN + IP User Manual v12.3.0 User Manual
Page 662
590
Brocade Network Advisor SAN + IP User Manual
53-1003155-01
AAA Settings tab
13
AAA Settings tab
Authentication enables you to configure an authentication server and establish authentication
policies. You can configure the Management application to authenticate users against the local
database (Management application server), an external server (RADIUS, LDAP, CAC or TACACS+), or
a switch. Authentication is configured to the local database by default. When you use an external
server, the Management application sends the login information to the external server to make
sure the name and password are valid.
If you configure primary authentication to an external or switch authentication, you can also
configure secondary authentication to the local server. When you log in to the Management
application, if the primary server is unavailable, the Management application attempts with the
next configured primary server. If all primary servers are unavailable, then the Management
application falls back to the secondary authentication. Fall back can occur when the server is
unavailable, authentication fails, or the user is not found.
Configuring Radius server authentication
If you are using a Radius server for authentication, make the following preparations first:
•
Make sure that the server you want to use is on the network that the Management application
manages.
•
Make sure that the Radius server and its user accounts have been properly configured (refer to
on page 603). For example, you must define the Management
application client, users, and dictionary on the Radius server.
•
Make sure that the external server and its user accounts have been properly configured. For
example, you must define roles and areas of responsibility (AOR) in the external server to
match the Management application roles and AOR.
•
Select an Authentication Type (you will be prompted to provide a type in the Add or Edit Radius
Server dialog box). The Authentication Type is the authentication policy you choose for
handling authentication. The options are PAP and CHAP.
-
PAP, password protected protocol, is based on password verification. Passwords are not
encrypted, and are not secure from eavesdroppers during transmission.
-
CHAP, challenge handshake protocol, uses a three-way handshake method of verification
based on a shared secret. If you are using CHAP, have the shared secret available to you.
You will need to type it in as a configuration parameter.
•
Know the Shared Secret.
•
Have the IP address of the server available.
•
Know the TCP port you are using and make sure it is open in the firewall. For Radius servers,
ports 1812 or 1813 (actually UDP ports) are commonly used. Some older Radius server use
1645 or 1646 instead of 1812 and 1813; check with the Radius server vendor if you are not
sure which port to specify.
•
Know how long you want to wait between attempts to reach the server if it is busy. This is
expressed as a timeout value (default is 3 seconds) in seconds. Values are between 1 and 15.
•
Determine how many attempts (default is 3 times) to make to reach the server before stopping
and assuming it is unreachable. Values are between 1 and 5.
•
If possible, establish an active connection with the Radius server before configuration. This
enables you to test the connection as part of the configuration procedure.