ACS 4.2 Appliance / VSAs for Brocade

Unanswered Question

I'm attempting to use an ACS 4.2 appliance to authenticate / authorize users on Brocade SAN switches. I have added the AVP and VSA to ACS, and they all show up in the web interface to select. When I configure a specific attribute for authorization level (i.e., admin, user, operator, etc.), the authentication fails completely. A sniffer trace between the Brocade and the ACS shows the correct value for the AVP, but the VSA shows "unknown-attribute" coming back from the ACS. The attribute shows the actual value I put in for the attribute, plus some other junk. Is there any way to "dump" the current AVPs / VSAs on the ACS to make sure things are correct? I've verified all the values are correct; just need some more eyes / ears.


Ivan Martinon Thu, 02/26/2009 - 09:12

Are we completely certain that we have the correct VSA attribute values? I have seen some cases where, if the VSA value (not the attribute string) is not the one the Brocade device knows, it will fail. Are the values matching these:

[User Defined Vendor]
IETF Code=1588
VSA 1=Brocade-Auth-Role
Profile=IN OUT

Also, a quick question: did you reboot the appliance after importing those VSAs?

The Brocade info states that it should be a string, and not an integer. As well, I'm having to do this through RDBMS, as this is an appliance. That being the case, I'm not sure how I'd format the CSV file for integer values (I'd have to look that one up). I'm willing to try anything at this point, as I'm a little confused as to why it's rejecting the value.

Ivan Martinon Thu, 02/26/2009 - 09:37

You are actually right about the string part; it has to be a string. I gather you are using RDBMS; this was just an example that I got from a previous issue of mine with an ini file. What I needed you to look at was the actual VSA value. Take a look at this PDF. Did you also reboot the appliance?

Ivan Martinon Thu, 02/26/2009 - 10:17

Here is the one I created; check if this makes more sense. Since your role is just a string and is selected depending on that string, you only need to define a single VSA with ID 1, of string type, to define the role.


The CSV file that you created has the same information in the same fields as what I had created. The only difference that I can see is that I created the AVP in one file, with a restart (action 355) at the end, then used a second file to create the VSA, with a restart at the end. Does that method make a difference?

Ivan Martinon Thu, 02/26/2009 - 10:42

You have several "Brocade-AVPairs" values there. As per my understanding, these values should be entered manually via a string like Operator and so on, so I don't see why these should be there. As for the other roles, those are all ok.

I had originally started with just the AVP and the one VSA for Auth-Role, and could not get it to work. I then added the other AVPairs, figuring those were needed. Once I found the stuff in the sniffer trace, I removed the AVP (also removing the VSA's) and redid the AVP with one VSA, and it still does the same thing. The way the trace shows it, the traffic coming from the ACS to the Brocade states "unknown-attribute"; that's why I thought the ACS server is putting out something unusual. Can I post the cap?

Ivan Martinon Thu, 02/26/2009 - 11:14

I see what you are saying. Just a little thought: I see that the string shows "Ad min", as if there was a space there. Can you post a screenshot of the values that ACS has?
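The two symptoms in this thread (a VSA reported as "unknown-attribute" and a value that comes through as the configured role plus "some other junk") are what a RADIUS client shows when the Vendor-Specific attribute is framed with the wrong length or the wrong type. The following is an added example, not code from the thread, Cisco ACS or Brocade: it encodes and decodes RFC 2865 type-26 attributes the way a switch would, using the Vendor-Id 1588 and vendor type 1 (Brocade-Auth-Role) from the ini example above, so the bytes in a sniffer trace can be checked by hand. The sample attribute lists are constructed here, not taken from the poster's capture, and the rule that a VSA with leftover bytes or a non-printable role is rejected outright is an assumption about the switch's behaviour.

```python
"""Encode and decode RFC 2865 Vendor-Specific attributes as a RADIUS client
(here, a Brocade switch) would see them, so the bytes in a sniffer trace can be
checked against what the ACS should be sending.  Added example, not code from
the thread, Cisco ACS or Brocade."""
import struct

VENDOR_SPECIFIC = 26         # RFC 2865 attribute type for VSAs
BROCADE_VENDOR_ID = 1588     # IANA enterprise number used in the thread's ini example
BROCADE_AUTH_ROLE = 1        # vendor type of Brocade-Auth-Role, "VSA 1" in the thread


def build_vsa(vendor_id, vendor_type, value, inner_len=None):
    """Build one type-26 attribute carrying a single vendor sub-attribute.

    `inner_len` exists only to deliberately emit a wrong vendor-length so the
    decoder's behaviour on a malformed VSA can be shown; leave it None for a
    correct attribute (vendor-length = 2 header bytes + value bytes)."""
    if inner_len is None:
        inner_len = 2 + len(value)
    inner = struct.pack("!BB", vendor_type, inner_len) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def parse_attributes(data):
    """Split a RADIUS attribute list into (type, value) pairs.

    A length that does not fit the buffer is a protocol error at the outer
    layer, so it is raised rather than skipped."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def decode_vsa(value):
    """Decode the body of a type-26 attribute.

    Returns (vendor_id, subs) where subs is a list of (vendor_type, bytes);
    whatever cannot be framed by its vendor-length is returned as
    ("unknown", bytes), which is the leftover 'junk' seen in a trace after a
    mis-sized VSA."""
    if len(value) < 4:
        raise ValueError("VSA shorter than the 4-byte Vendor-Id")
    vendor_id = struct.unpack("!I", value[:4])[0]
    subs, i = [], 4
    while i < len(value):
        if len(value) - i < 2:
            subs.append(("unknown", value[i:]))
            break
        vtype, vlen = value[i], value[i + 1]
        if vlen < 2 or i + vlen > len(value):
            subs.append(("unknown", value[i:]))
            break
        subs.append((vtype, value[i + 2:i + vlen]))
        i += vlen
    return vendor_id, subs


def role_from_access_accept(attr_bytes):
    """Return the Brocade-Auth-Role string from an Access-Accept attribute list.

    Assumption (not stated on the page): the switch treats a VSA with leftover
    bytes, or a role that is not a printable ASCII string, as unusable, so this
    returns None in those cases instead of a half-decoded role."""
    for atype, val in parse_attributes(attr_bytes):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, subs = decode_vsa(val)
        if vendor_id != BROCADE_VENDOR_ID:
            continue
        if any(vtype == "unknown" for vtype, _ in subs):
            return None
        for vtype, vval in subs:
            if vtype == BROCADE_AUTH_ROLE:
                if vval and all(32 <= b < 127 for b in vval):
                    return vval.decode("ascii")
                return None
    return None


# Constructed sample attribute lists (not from the thread's capture):
GOOD = build_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, b"admin")
# vendor-length counts only the value and forgets its own 2-byte header
SHORT_LEN = build_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, b"admin", inner_len=5)
# role exported as a 4-byte integer instead of a string
AS_INTEGER = build_vsa(BROCADE_VENDOR_ID, BROCADE_AUTH_ROLE, struct.pack("!I", 1))

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("short-len", SHORT_LEN), ("integer", AS_INTEGER)):
        _, subs = decode_vsa(parse_attributes(pkt)[0][1])
        print(f"{name:10} {pkt.hex()}  subs={subs}  role={role_from_access_accept(pkt)!r}")
```

Running the block prints the three constructed attributes in hex next to their decoded sub-attributes. The correctly framed one decodes to a single `(1, b'admin')`; the one whose vendor-length is two bytes short decodes to `(1, b'adm')` followed by an `unknown` remainder of `b'in'`, which is the "value plus junk / unknown-attribute" pattern from the first post, and the integer-typed one decodes cleanly but carries `\x00\x00\x00\x01` rather than a role name. When reading a real capture, compare the two length bytes (outer attribute length, then vendor-length) against `2 + len(vendor_id) + 2 + len(role)` and `2 + len(role)` respectively.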

nehakulsum Wed, 07/29/2009 - 06:37

Hi Mars,

I have the same issue. Has your problem been resolved? If yes, can you please share what needs to be changed to make this work?

Appreciate your help.



nehakulsum Wed, 07/29/2009 - 07:15

Hi imartino,

Would you like to add any comment on this?



