Configuring the radius server, Windows 2000, To add a radius client – HP Brocade 4Gb SAN Switch for HP BladeSystem p-Class User Manual
Configuring standard security features
Configuring the RADIUS server
You must know the switch IP address or name to connect to switches. Use the ipaddrshow command to
display a switch IP address.
For the Core Switch 2/64 and the SAN Director 2/128 (chassis-based systems), the switch IP addresses
are aliases of the physical Ethernet interfaces on the CP cards. When specifying client IP addresses for the
logical switches in such systems, make sure that the CP card IP addresses are used. For accessing both the
active and standby CP card, and for the purpose of HA failover, both of the CP card IP addresses should
be included in the RADIUS server configuration.
User accounts should be set up by their true network-wide identity, rather than by the account names
created on a Fabric OS switch. Along with each account name, the administrator should assign
appropriate switch access roles. To manage a nonsecure fabric, these roles can be user or admin. To
manage a secure fabric, these roles can be user, admin, or nonfcsadmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names
and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned
switch role in an HP Vendor-Specific Attribute (VSA) as defined in the RFC. An Authentication-Accept response
without such a VSA role assignment automatically assigns the user role.
The following sections describe how to configure a RADIUS server to support HP clients under different
operating systems.
Windows 2000
Use these procedures to add a client to the RADIUS server and create remote access policies for Fabric OS
user and admin roles.
To add a RADIUS client:
1. From the Windows Start menu, select Programs > Administrative Tools >
   Internet Authentication Service to bring up the Internet Authentication Service window.
2. In the Internet Authentication Service window, right-click the RADIUS Clients folder and select New
   RADIUS Client.
3. In the New RADIUS Client window:
   • In the Friendly name space, enter a name for the switch that allows you to identify it easily.
   • In the Client Address (IP or DNS) space, enter the IP address of the switch.
4. Click Next.
5. In the next window, enter and confirm the shared secret in the spaces provided. Make sure the shared
   secret matches that configured on the switch (as described in "To add a RADIUS server to the switch").
6. Click Finish.
The new client friendly name appears in the list of clients. Should you need to change the shared secret,
right-click the client, select Properties, and change the secret in the properties window.
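The shared-secret step above and the earlier statement that an accept without a role VSA yields the user role can be checked together. The following is an added example, not code from the manual or from Fabric OS: it verifies the RFC 2865 Response Authenticator with the shared secret, then reads the role from a Vendor-Specific attribute. VENDOR_ID and ROLE_SUBTYPE are constructed placeholders, and the packets are built inline.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2       # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26    # Vendor-Specific attribute type (RFC 2865)
VENDOR_ID = 99999       # constructed placeholder, not the vendor's real enterprise number
ROLE_SUBTYPE = 1        # assumed sub-attribute type that carries the role string
DEFAULT_ROLE = "user"   # role assigned when the accept carries no role VSA


def build_accept(ident, request_auth, secret, attrs=b""):
    """Build a constructed Access-Accept, signed as a RADIUS server signs it."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + auth + attrs


def role_vsa(role):
    """Encode a role string as a Vendor-Specific attribute."""
    sub = struct.pack("!BB", ROLE_SUBTYPE, 2 + len(role)) + role.encode()
    body = struct.pack("!I", VENDOR_ID) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def role_from_accept(packet, request_auth, secret):
    """Return the role to assign, or None when the reply must be discarded."""
    if len(packet) < 20:
        return None
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return None
    attrs = packet[20:]
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None  # shared secret differs between client and server, or reply altered
    pos = 0
    while pos + 2 <= len(attrs):
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            return None  # malformed attribute
        value = attrs[pos + 2:pos + alen]
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            (vendor,) = struct.unpack("!I", value[:4])
            if vendor == VENDOR_ID and value[4] == ROLE_SUBTYPE:
                return value[6:4 + value[5]].decode("ascii", "replace")
        pos += alen
    return DEFAULT_ROLE  # authenticated, but no role VSA in the reply
```

A reply signed with a different secret is discarded outright, while a correctly signed reply that lacks the role VSA still logs the account in with the user role, so a missing VSA in a remote access policy shows up as reduced privileges, not as a failed login.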
To create user and admin remote access policies:
1. From the Windows Start menu, select Programs > Administrative Tools >
   Internet Authentication Service to bring up the Internet Authentication Service window.
2. If you do not already have Windows groups set up, use standard Windows procedures to set up a
   Windows group of login names assigned to the user role and another Windows group of login names
   assigned to the admin role.
3. Right-click the Remote Access Policies icon folder and select New Remote Access Policy.
4. In the New Remote Access Policy Wizard window, click Next.