Configuring The Radius Server; Configuring Radius Server Support With Linux - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual

Hp storageworks fabric os 6.1.1 administrator guide (5697-0235, december 2009)

ADList is a comma-separated list of Administrative Domain numbers of which this account is a member.
Valid numbers range from 0 to 255, inclusive. A dash between two numbers specifies a range. Multiple
ADList key-value pairs, whether within the same Vendor-Type code or across different ones, are concatenated.
Multiple occurrences of the same AD number are ignored.
RADIUS authentication requires that the account have a valid role, carried in the attribute type
Brocade-Auth-Role. The additional attribute values ADList and HomeAD are optional. If they are
unspecified, the account can log in with AD0 as its member list and home Admin Domain. If there is an
error in the ADList or HomeAD specification, the account cannot log in until the AD list is corrected; an
error message is displayed.
For example, on a Linux FreeRADIUS server, the user (user-za) with the following settings takes the
"ZoneAdmin" role, with AD member list 1, 2, 4, 5, 6, 7, 8, 9, 12; the Home Admin Domain will be 1.
user-za Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "ZoneAdmin",
    Brocade-AVPairs1 = "ADList=1,2,6;HomeAD=1",
    Brocade-AVPairs2 = "ADList=4-8;ADList=7,9,12"
In the next example, on a Linux FreeRADIUS server, the user takes the "Operator" role, with ADList 1, 2, 4,
5, 6, 7, 8, 9, 12, 20 and HomeAD 2.
user-opr Auth-Type := Local, User-Password == "password"
    Brocade-Auth-Role = "operator",
    Brocade-AVPairs1 = "ADList=1,2;HomeAD=2",
    Brocade-AVPairs2 = "ADList=4-8,20;ADList=7,9,12"
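To make the ADList and HomeAD rules above concrete, here is an added Python example (not from the guide or from Fabric OS) that interprets the Brocade-AVPairs reply items the way the switch must: comma lists, dash ranges, concatenation across attributes, duplicate removal, the 0 to 255 limit, and refusal of the login on a malformed value. The reply dictionary is constructed from the user-za entry; the function and variable names are the example's own.

```python
import re

# Constructed sample of the reply items a RADIUS server returns for the
# user-za entry above (attribute names are the Brocade VSAs from the guide).
REPLY_USER_ZA = {
    "Brocade-Auth-Role": "ZoneAdmin",
    "Brocade-AVPairs1": "ADList=1,2,6;HomeAD=1",
    "Brocade-AVPairs2": "ADList=4-8;ADList=7,9,12",
}

def parse_adlist(spec):
    """Expand one ADList value ('1,2,6', '4-8,20') into a set of AD numbers;
    repeats collapse. Raises ValueError for '-4-8', '300', '8-4' and the like."""
    ads = set()
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", item.strip())
        if not m:
            raise ValueError(f"malformed ADList item {item!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"ADList item out of range {item!r}")
        ads.update(range(lo, hi + 1))
    return ads

def resolve_access(reply):
    """Return (role, sorted AD member list, home AD) for an Access-Accept, or
    None when the switch would refuse the login because ADList or HomeAD is
    malformed. A reply without Brocade-Auth-Role gets the 'user' role."""
    role = reply.get("Brocade-Auth-Role", "user")
    ads, home = set(), None
    try:
        # ADList pairs from every Brocade-AVPairs<n> attribute are concatenated.
        for key, value in reply.items():
            if not key.startswith("Brocade-AVPairs"):
                continue
            for pair in value.split(";"):
                name, _, val = pair.partition("=")
                if name == "ADList":
                    ads |= parse_adlist(val)
                elif name == "HomeAD":
                    home = int(val)          # ValueError if not numeric
                    if not 0 <= home <= 255:
                        raise ValueError("HomeAD out of range")
                else:
                    raise ValueError(f"unknown key {name!r}")
    except ValueError:
        return None
    # Unspecified: AD0 is member list and home AD (assumption: a missing HomeAD alone also means 0).
    return role, sorted(ads or {0}), 0 if home is None else home
```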

Configuring the RADIUS server

To connect to switches, you must know each switch's IP address, in either IPv4 or IPv6 notation, or its
name. Use the ipAddrShow command to display a switch IP address.
For Directors, the switch IP addresses are aliases of the physical Ethernet interfaces on the CP blades.
When specifying client IP addresses for the logical switches in these systems, make sure the CP blade IP
addresses are used. For accessing both the active and standby CP blade, and for the purpose of HA
failover, both of the CP blade IP addresses should be included in the RADIUS server configuration.
User accounts should be set up by their true network-wide identity, rather than by the account names
created on a Fabric OS switch. Along with each account name, the administrator should assign
appropriate switch access roles. To manage a fabric, these roles can be User, Admin, and SecurityAdmin.
When they log in to a switch configured with RADIUS, users enter their assigned RADIUS account names
and passwords at the prompt. After the RADIUS server authenticates a user, it responds with the assigned
switch role in a Brocade Vendor-Specific Attribute (VSA), as defined in the RFC. An Authentication-Accept
response without such VSA role assignment automatically assigns the user role.
The following sections describe how to configure a RADIUS server to support clients under different
operating systems.

Configuring RADIUS server support with Linux

The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware
RADIUS server that you can find at the following website:
www.freeradius.org
Follow the installation instructions at the website. FreeRADIUS runs on Linux (all versions), FreeBSD,
NetBSD, and Solaris. If you make a change to any of the files used in this configuration, you must stop the
server and restart it for the changes to take effect.
FreeRADIUS installation places the configuration files in $PREFIX/etc/raddb. By default, the PREFIX is
/usr/local.
Configuring RADIUS service on Linux consists of the following tasks:
Adding the Brocade attribute to the server
Creating the user
Enabling clients