2.
Enter the following command:
switch:admin> aaaConfig --authspec ["radius" | "ldap" | "radius;local" |
"ldap;local" --backup]
Fabric OS user accounts
RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity rather than
by the account names created on a Fabric OS switch. With each account name, assign the appropriate
switch access roles. For LDAP servers, you can use the ldapCfg
<switch_role> to map an LDAP server role to one of the default roles available on a switch.
RADIUS and LDAP support all the defined RBAC roles described in
Users must enter their assigned RADIUS or LDAP account name and password when logging in to a switch
that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server authenticates a user, it
responds with the assigned switch role in a B-Series Vendor-Specific Attribute (VSA). If the response does
not have a VSA role assignment, the User role is assigned. If no Administrative Domain is assigned, the
user is assigned to the default Admin Domain AD0.
You can set a user password expiration date and add a warning for RADIUS login. The password
expiration date must be specified in UTC and in MM/DD/YYYY format. The password warning value
specifies the number of days prior to the password expiration that a warning of password expiration
notifies the user. You either specify both attributes or none. If you specify a single attribute or there is a
syntax error in the attributes, the password expiration warning will not be displayed. If your RADIUS server
maintains its own password expiration attributes, you must set the exact date twice to use this feature, once
on your RADIUS server and once in the VSA attribute. If the dates do not match, the RADIUS server
authentication fails.
The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in
Table
14.
Table 14
Syntax for VSA-based account roles
Item
Type
Length
Vendor ID
Vendor type
Value
Description
26
1 octet
7 or higher 1 octet, calculated by the server
1588
4 octets, Brocade's SMI Private Enterprise Code
1
1 octet, Brocade-Auth-Role; valid attributes for the Brocade-Auth-Role
are:
Admin
BasicSwitchAdmin
FabricAdmin
Operator
SecurityAdmin
SwitchAdmin
User
ZoneAdmin
2
Optional: Specifies the Admin Domain or Virtual Fabric member list.
For more information on Admin Domains or Virtual Fabrics, see
"RADIUS configuration with Admin Domains or Virtual
page 87.
Brocade-AVPairs1
3
Brocade-AVPairs2
4
Brocade-AVPairs3
5
Brocade-AVPairs4
6
Brocade Password ExpiryDate
7
Brocade Password ExpiryWarning
maprole <ldap_role name>
-–
Table 8
on page 68.
Fabrics" on
Fabric OS 6.2 administrator guide
85