TACACS+ service, TACACS+ configuration overview – Dell POWEREDGE M1000E User Manual

Fabric OS Administrator's Guide, 53-1002745-02
Chapter 5: Remote authentication
Page 171

objectClass: uidObject
cn: Sachin
sn: Mishra
description: First user
brcdAdVfData: HomeLF=30;LFRoleList=admin:1-128;ChassisRole=admin
userPassword: pass
uid: [email protected]

The following command adds the user to the LDAP directory. Note that -w passes the bind password on the command line, where it is visible in the shell history and in the process list of every user on the host; -W prompts for the password instead, and -y reads it from a file.

> ldapadd -D cn=Sachin,dc=mybrocade,dc=com -x -w secret -f test4.ldif

TACACS+ service

Fabric OS can authenticate users against a remote server using the Terminal Access Controller Access-Control System Plus (TACACS+) protocol. TACACS+ is used in AAA server environments consisting of a centralized authentication server and multiple Network Access Servers (NAS), or clients. Once configured to use TACACS+, a Brocade switch acts as a Network Access Server (NAS).

The TACACS+ server supports the following protocols for user authentication:

Password Authentication Protocol (PAP)

Challenge Handshake Authentication Protocol (CHAP)

TACACS+ is not a FIPS-supported protocol, so you cannot configure TACACS+ in FIPS mode; any TACACS+ configuration must be removed before FIPS mode is enabled. The reason is that the protocol only obfuscates packet bodies by XORing them with an MD5-derived keystream and carries no integrity check, neither of which is a FIPS-approved mechanism. Keep TACACS+ traffic on a trusted management network and use a strong, unique shared secret for each server.

The TACACS+ server can be a Microsoft Windows server or a Linux server. For Linux servers, use TACACS+ 4.0.4 or later from Cisco. For Microsoft Windows servers, use any TACACS+ freeware that implements TACACS+ protocol version 1.78 or later.

TACACS+ configuration overview

Configuration is required on both the TACACS+ server and the Brocade switch. On the TACACS+ server, you should assign a role for each user and, if Admin Domains or Virtual Fabrics are in use, provide lists of Admin Domains or Virtual Fabrics to which the user should have access. For details, refer to "The tac_plus.cfg file" on page 172.

On the Brocade switch, use the aaaConfig command to configure the switch to use TACACS+ for authentication. The aaaConfig command also allows you to specify up to five TACACS+ servers. When a list of servers is configured, failover from one server to the next happens only if a TACACS+ server fails to respond; it does not happen when user authentication fails. A rejection from the first server that answers is final, even if another server in the list would have accepted the credentials.

Failover to another TACACS+ server is driven by a timeout. You can configure a timeout value for each TACACS+ server so that the next server is used when the first is unreachable. The default timeout value is 5 seconds.

A retry count is also configurable for each server; the default value is 5. If authentication is rejected or times out, Fabric OS tries again. The retry value can likewise be customized for each server. With the defaults, a single unreachable server holds a login attempt for 25 seconds (5 retries of 5 seconds) before failover, and a list of five unreachable servers for about two minutes.
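The following added example, written for this page rather than taken from the guide or from Fabric OS, models the failover, timeout and retry rules above so their interaction can be checked: each server gets up to `retries` attempts (assumption: the retry count is the number of attempts), a rejection or a timeout is retried against the same server as the text states, and the next server is consulted only when the current one never answered. The server addresses are constructed and the network is replaced by a scripted responder; the function returns the outcome, the simulated seconds spent waiting on timeouts, and an attempt log.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class TacacsServer:
    host: str
    respond: Callable[[str, str], str]   # constructed stand-in for the network exchange
    timeout: float = 5.0                 # seconds per attempt; the guide's default
    retries: int = 5                     # attempts per server; the guide's default


def scripted(outcomes: List[str]) -> Callable[[str, str], str]:
    """Constructed responder: returns the scripted outcomes in order, then repeats the last one."""
    state = {"i": 0}

    def respond(user: str, password: str) -> str:
        i = min(state["i"], len(outcomes) - 1)
        state["i"] += 1
        return outcomes[i]

    return respond


def authenticate(servers: List[TacacsServer], user: str, password: str):
    """Returns (result, elapsed_seconds, log) following the rules on this page:
    - each server is tried up to `retries` times (assumption: retries counts attempts);
    - a rejection or a timeout is retried against the same server;
    - failover to the next server happens only if the current server never responded;
    - a server that answered REJECT ends authentication; no further server is consulted."""
    elapsed = 0.0
    log: List[Tuple[str, int, str]] = []
    for srv in servers:
        responded = False
        for attempt in range(1, srv.retries + 1):
            outcome = srv.respond(user, password)
            log.append((srv.host, attempt, outcome))
            if outcome == TIMEOUT:
                elapsed += srv.timeout
                continue
            responded = True
            if outcome == ACCEPT:
                return ACCEPT, elapsed, log
            # REJECT: the page says Fabric OS tries again, so fall through to the next attempt
        if responded:
            return REJECT, elapsed, log   # server answered: no failover on authentication failure
    return TIMEOUT, elapsed, log          # every configured server was unreachable


def worst_case_seconds(servers: List[TacacsServer]) -> float:
    """Longest a login can hang when no server answers: retries * timeout summed over the list."""
    return sum(s.retries * s.timeout for s in servers)


if __name__ == "__main__":
    primary = TacacsServer("10.0.0.1", scripted([TIMEOUT]))      # constructed: never answers
    secondary = TacacsServer("10.0.0.2", scripted([ACCEPT]))     # constructed: accepts at once
    print(authenticate([primary, secondary], "sachin", "pass")[:2])
    print(worst_case_seconds([TacacsServer(f"10.0.0.{i}", scripted([TIMEOUT])) for i in range(1, 6)]))
```

The `worst_case_seconds` figure for five servers at the defaults is 125 seconds, which is the budget an operator should compare against the SSH client and console session timeouts on the management stations that log in to the switch.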

Refer to "Remote authentication configuration on the switch" on page 174 for details about configuring the Brocade switch to authenticate users with a TACACS+ server.