HP SN3000B User Manual

HP SN3000B
584 pages
Fabric OS Administrator’s Guide 99
53-1002446-01
The authentication model using RADIUS and LDAP
5
Setting the switch authentication mode
1. Connect to the switch and log in using an account with admin permissions.
2. Enter the aaaConfig --authspec command.
Fabric OS user accounts
RADIUS and LDAP servers allow you to set up user accounts by their true network-wide identity
rather than by the account names created on a Fabric OS switch. With each account name, assign
the appropriate switch access permissions. For LDAP servers, you can use the
ldapCfg --maprole ldap_role name switch_role command to map LDAP server permissions.
RADIUS and LDAP support all the defined RBAC roles described in Table 11 on page 82.
Users must enter their assigned RADIUS or LDAP account name and password when logging in to a
switch that has been configured with RADIUS or LDAP. After the RADIUS or LDAP server
authenticates a user, it responds with the assigned switch role in a Brocade Vendor-Specific
Attribute (VSA). If the response does not have a VSA permissions assignment, the User role is
assigned. If no Administrative Domain is assigned, then the user is assigned to the default Admin
Domain AD0.
You can set a user password expiration date and add a warning for RADIUS login. The password
expiry date must be specified in UTC and in MM/DD/YYYY format. The password warning specifies
how many days before the password expires the user is warned of the expiration.
Specify either both attributes or neither. If you specify a single attribute or there is a
TABLE 15 Authentication configuration options (Continued)

| aaaConfig options | Description | Equivalent setting in Fabric OS v5.1.0 and earlier: --radius | Equivalent setting in Fabric OS v5.1.0 and earlier: --switchdb (1) |
|---|---|---|---|
| --authspec "ldap" | Authenticates management connections against any LDAP databases only. If LDAP service is not available or the credentials do not match, the login fails. | n/a | n/a |
| --authspec "ldap; local" | Authenticates management connections against any LDAP databases first. If LDAP fails for any reason, it then authenticates against the local user database. | n/a | On |
| --authspec "ldap; local" --backup | Authenticates management connections against any LDAP databases first. If LDAP fails for any reason, it then authenticates against the local user database. The --backup option states to try the secondary authentication database only if the primary authentication database is not available. | n/a | On |
| --authspec -nologout | Prevents users from being logged out when you change authentication. Default behavior is to log users out when you change authentication. | n/a | n/a |

1. Fabric OS v5.1.0 and earlier aaaConfig --switchdb <on | off> setting.
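The following Python model is an added example, not code from the manual or from Fabric OS. It encodes one reading of the --authspec rows above together with the role and Admin Domain defaults from "Fabric OS user accounts", so the difference between "ldap; local" with and without --backup can be checked case by case. The function and class names are hypothetical.

```python
# Added illustration (not Fabric OS code): a model of the login decision
# described by the --authspec rows above. All names are hypothetical.
from enum import Enum


class Ldap(Enum):
    OK = "credentials accepted"
    REJECTED = "credentials do not match"
    UNAVAILABLE = "service not available"


def granted_by(authspec, backup, ldap, local_ok):
    """Return the database that grants the login ("ldap"/"local") or None.

    authspec is "ldap" or "ldap; local"; backup is True when --backup is set;
    ldap is the outcome of the LDAP attempt; local_ok says whether the local
    user database would accept the same credentials.
    """
    if ldap is Ldap.OK:
        return "ldap"
    if authspec == "ldap":
        return None  # LDAP only: any failure ends the login
    if backup and ldap is not Ldap.UNAVAILABLE:
        return None  # --backup: local is tried only if LDAP is unreachable
    # "ldap; local" without --backup: an LDAP failure for any reason,
    # a rejection included, falls through to the local database.
    return "local" if local_ok else None


def effective_access(vsa_role=None, admin_domain=None):
    """Defaults applied when the server response omits the assignment."""
    return (vsa_role or "User", admin_domain or "AD0")


def fallback_matrix(local_ok=True):
    """Every option/outcome combination, for review of a planned setting."""
    options = [("ldap", False), ("ldap; local", False), ("ldap; local", True)]
    return [(spec, backup, outcome.name, granted_by(spec, backup, outcome, local_ok))
            for spec, backup in options for outcome in Ldap]


if __name__ == "__main__":
    for row in fallback_matrix():
        print("%-12s backup=%-5s ldap=%-11s -> %s" % row)
```

In this model, the only row where a rejected LDAP login is still granted by a matching local account is "ldap; local" without --backup, which is the case to review when directory accounts are disabled but local accounts remain on the switch.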
