Authentication server data, Switch configuration – Dell POWEREDGE M1000E User Manual
Page 150
150
Fabric OS Administrator’s Guide
53-1002745-02
Remote authentication
5
The supported management access channels that integrate with RADIUS, LDAP, and TACACS+
include serial port, Telnet, SSH, Web Tools, and API. All these access channels require the switch IP
address or name to connect. RADIUS, LDAP, and TACACS+ servers accept both IPv4 and IPv6
address formats. For accessing both the active and standby CP, and for the purpose of HA failover,
both CP IP addresses of a Backbone should be included in the authentication server configuration.
NOTE
For systems such as the Brocade DCX Backbone, the switch IP addresses are aliases of the physical
Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches in
such systems, make sure that the CP IP addresses are used.
Authentication server data
When configured for remote authentication, a switch becomes a RADIUS, LDAP, or TACACS+ client.
In any of these configurations, authentication records are stored in the authentication host server
database. Login and logout account name, assigned permissions, and time-accounting records are
also stored on the authentication server for each user.
Switch configuration
By default, the remote authentication services are disabled, so AAA services default to the switch’s
local database.
To enable remote authentication, it is strongly recommended that you access the CLI through an
SSH connection so that the shared secret is protected. Multiple login sessions can configure
simultaneously, and the last session to apply a change leaves its configuration in effect. After a
configuration is applied, it persists after a reboot or an HA failover.
To enable the secure LDAP service, you need to install a certificate from the Microsoft Active
Directory server or the OpenLDAP server. By default, the LDAP service does not require certificates.
The configuration applies to all switches. On a Backbone, the configuration replicates itself on a
standby CP blade if one is present. It is saved in a configuration upload and applied in a
configuration download.
Brocade recommends configuring at least two authentication servers, so that if one fails the other
will assume service. Up to five servers are supported.
You can set the configuration with any one of the supported authentication services and local
authentication enabled, so that if the authentication servers do not respond because of a power
failure or network problems, the switch uses local authentication.
Consider the effects of the use of a remote authentication service on other Fabric OS features. For
example, when a remote authentication service is enabled, all account passwords must be
managed on the authentication server. The Fabric OS mechanisms for changing switch passwords
remain functional; however, such changes affect only the involved switches locally. They do not
propagate to the authentication server, nor do they affect any account on the authentication server.
Authentication servers also support notifying users of expiring passwords.
When RADIUS, LDAP, or TACACS+ is set up for a fabric that contains a mix of switches with and
without RADIUS, LDAP, and TACACS+ support, the way a switch authenticates users depends on
whether a RADIUS, LDAP, or TACACS+ server is set up for that switch. For a switch with remote
authentication support and configuration, authentication bypasses the local password database.
For a switch without remote authentication support or configuration, authentication uses the
switch’s local account names and passwords.