Managing Fabric Os Users On The Radius Server; Switch To Radius Server Interaction; Creating Fabric Os User Accounts - HP A7533A - Brocade 4Gb SAN Switch Base Administrator's Manual
Hp storageworks fabric os 5.3.x administrator guide (5697-0244, november 2009)
Hide thumbs
Also See for A7533A - Brocade 4Gb SAN Switch Base:
- Administrator's manual (576 pages) ,
- Hardware reference manual (256 pages) ,
- User manual (248 pages)
Table of Contents
Advertisement
Managing Fabric OS users on the RADIUS server
All existing Fabric OS mechanisms for managing switch-local user accounts and passwords remain
functional when the switch is configured to use RADIUS. Changes made to the switch-local database do
not propagate to the RADIUS server, nor do the changes affect any account on the RADIUS server.
Switch to RADIUS server interaction
When configured to use RADIUS, the switch acts as a Network Access Server (NAS) and RADIUS client.
The switch sends all AAA service requests to the RADIUS server, following the RFC 2865 protocol. The
RADIUS server receives the request packet, validates the request and sends responses packet back to the
switch.
A switch can be configured to try both RADIUS and local switch authentication.
For chassis-based systems such as the 4/256 SAN Director, the switch IP addresses are aliases of the
physical Ethernet interfaces on the CP blades. When specifying client IP addresses for the logical switches
in such systems, make sure the CP IP addresses are used. For accessing both the active and standby CP,
and for the purpose of HA failover, both CP IP addresses of a chassis should be included in the RADIUS
server configuration.
Creating Fabric OS user accounts
With RADIUS servers, set up user accounts by their true network wide identity rather than by the account
names created on a Fabric OS switch. Along with each account name, assign appropriate switch access
roles.
RADIUS supports all the defined RBAC roles described in
Users must enter their assigned RADIUS account name and password when logging in to a switch that has
been configured with RADIUS. After the RADIUS server authenticates a user, it responds with the assigned
switch role in a
"user" role is assigned. If no Administrative Domain is assigned then they are assigned to the default
Admin Domain AD0.
The syntax used for assigning VSA-based account switch roles on a RADIUS server is described in
Table
14.
Table 14
Syntax for VSA-based account roles
Item
Type
Length
Vendor ID
Vendor type
74
Managing user accounts
Vendor-Specific Attribute
Value
Description
26
1 octet
7 or higher
1 octet, calculated by the server
1588
4 octet, Brocade's SMI Private Enterprise Code
1
1 octet, Brocade-Auth-Role; valid attributes for the
Brocade-Auth-Role are:
SwitchAdmin
ZoneAdmin
FabricAdmin
BasicSwitchAdmin
Operator
User
Admin
2
Optional: Specifies the Admin Domain member list. See
"RADIUS configuration and admin domains" on page
Brocade-AVPairs1
3
Brocade-AVPairs2
4
Brocade-AVPairs3
5
AVPairs4
Table 9
(VSA). If the response does not have a VSA role assignment, the
on page 61.
76.
- Quick Links:
- Connecting to the Cli
Hide quick links:
Advertisement
Table of Contents
Troubleshooting
