02-25-2009 12:39 PM - edited 03-10-2019 04:21 PM
I'm attempting to use an ACS 4.2 appliance to authenticate / authorize users on Brocade SAN switches. I have added the AVP and VSA to ACS, and they all show up in the web interface to select. When I configure a specific attribute for authorization level (i.e., admin, user, operator, etc.), the authentication fails completely. A sniffer trace between the Brocade and the ACS shows the correct value for the AVP, but the VSA shows "unknown-attribute" coming back from the ACS. The attribute shows the actual value I put in for the attribute, plus some other junk. Is there any way to "dump" the current AVPs / VSAs on the ACS to make sure things are correct? I've verified all the values are correct; I just need some more eyes / ears.
Thanks!
02-26-2009 09:12 AM
Are we completely certain that we have the correct VSA attribute values? I have seen some cases where, if the VSA value (not the attribute string) is not the one the Brocade device knows, it will fail. Are the values matching these:
[User Defined Vendor]
Name=Brocade
IETF Code=1588
VSA 1=Brocade-Auth-Role
[Brocade-Auth-Role]
Type=Integer
Profile=IN OUT
Enums=Values
[Values]
0=SwitchAdmin
1=ZoneAdmin
2=FabricAdmin
3=BasicSwitchAdmin
4=Operator
5=User
6=Admin
;Type=STRING
;Profile=OUT
Also, a quick question: did you reboot the appliance after importing those VSAs?
02-26-2009 09:25 AM
The Brocade info states that it should be a string, and not an integer. As well, I'm having to do this through RDBMS, as this is an appliance. That being the case, I'm not sure how I'd format the CSV file for integer values (I'd have to look that one up). I'm willing to try anything at this point, as I'm a little confused as to why it's rejecting the value.
02-26-2009 09:37 AM
You are actually right about the string part; it has to be a string. I gather you are using RDBMS; this was just an example that I got from a previous issue of mine with an ini file. What I needed you to look at was the actual VSA value. Take a look at this PDF. Did you also reboot the appliance?
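As an added example, not code from any poster in this thread or from Cisco or Brocade: the RADIUS Vendor-Specific attribute layout under discussion (RFC 2865 section 5.26) encoded and decoded in Python, using the vendor ID 1588 and VSA number 1 from the dictionary quoted above. It assumes a receiving-side dictionary that names only VSA 1 (so any other vendor/type pair decodes as "unknown-attribute"), takes the role names from the .ini enum list, and includes an integer-encoding function only to make visible what the Type=Integer form would put on the wire compared with the string form the thread concludes is correct. The sample attributes are constructed inline.

```python
import struct

# Values from the thread: Brocade's IANA enterprise number and its VSA 1.
BROCADE_VENDOR_ID = 1588
VENDOR_SPECIFIC = 26          # RFC 2865 attribute type for Vendor-Specific
BROCADE_VSA_NAMES = {1: "Brocade-Auth-Role"}   # assumed receiving-side dictionary
# Role strings from the .ini enum list; Brocade-Auth-Role carries them as a STRING.
BROCADE_ROLES = {"SwitchAdmin", "ZoneAdmin", "FabricAdmin", "BasicSwitchAdmin",
                 "Operator", "User", "Admin"}


def encode_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """One RFC 2865 section 5.26 Vendor-Specific attribute:
    Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | data."""
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_brocade_auth_role(role: str) -> bytes:
    """Brocade-Auth-Role as a string value, e.g. b'Admin'."""
    return encode_vsa(BROCADE_VENDOR_ID, 1, role.encode("ascii"))


def encode_brocade_auth_role_as_integer(enum_value: int) -> bytes:
    """The same VSA encoded as a 4-byte integer (the Type=Integer/Enums form from
    the .ini snippet).  Included only to show the on-the-wire difference."""
    return encode_vsa(BROCADE_VENDOR_ID, 1, struct.pack("!I", enum_value))


def decode_vsas(attrs: bytes):
    """Walk a RADIUS attribute list and name each VSA the way a dictionary lookup
    on the receiving side would: a vendor/type pair that is not in the dictionary
    is reported as 'unknown-attribute'.
    Returns a list of (vendor_id, vendor_type, name, value_bytes) tuples."""
    found = []
    i = 0
    while i < len(attrs):
        if i + 2 > len(attrs):
            raise ValueError("truncated attribute header")
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("bad attribute length %d at offset %d" % (alen, i))
        payload = attrs[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            if len(payload) < 4:
                raise ValueError("VSA shorter than Vendor-Id")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            j = 4
            while j < len(payload):
                if j + 2 > len(payload):
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = payload[j], payload[j + 1]
                if vlen < 2 or j + vlen > len(payload):
                    raise ValueError("bad vendor sub-attribute length %d" % vlen)
                value = payload[j + 2:j + vlen]
                if vendor_id == BROCADE_VENDOR_ID and vtype in BROCADE_VSA_NAMES:
                    name = BROCADE_VSA_NAMES[vtype]
                else:
                    name = "unknown-attribute"
                found.append((vendor_id, vtype, name, value))
                j += vlen
        i += alen
    return found


def auth_role_is_valid(value: bytes) -> bool:
    """Exact, case-sensitive match against the role list.  Any stray byte, such as
    an embedded space in b'Ad min' or a 4-byte integer, fails the check."""
    try:
        return value.decode("ascii") in BROCADE_ROLES
    except UnicodeDecodeError:
        return False


if __name__ == "__main__":
    # Constructed Access-Accept attribute list carrying the role "Admin".
    accept_attrs = encode_brocade_auth_role("Admin")
    print(accept_attrs.hex())
    for vid, vtype, name, value in decode_vsas(accept_attrs):
        print(vid, vtype, name, value, auth_role_is_valid(value))
```

Comparing the hex of the string and integer encodings against the sub-attribute bytes in a capture is the quickest way to tell whether the server is sending the form the switch's dictionary expects; a vendor type the switch has no entry for, or a value with an extra byte in it, shows up exactly as the decoder above reports it.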
02-26-2009 09:41 AM
The value for the VSA in the CSV file is "1" (no quotes). I had also rebooted it as well. I had gotten the same info that you have in the PDF; I believe it comes from the Brocade FabricOS manual.
02-26-2009 09:45 AM
Yep. Can you post your CSV file here?
02-26-2009 09:48 AM
02-26-2009 10:17 AM
02-26-2009 10:35 AM
The CSV file that you created has the same information in the same fields as what I had created. The only difference that I can see is that I created the AVP in one file, with a restart (action 355) at the end, then used a second file to create the VSA, with a restart at the end. Does that method make a difference?
02-26-2009 10:42 AM
You have several "Brocade-AVPairs" values there; as per my understanding, these values should be entered manually via a string like Operator and so on, so I don't see why these should be there. As for the other roles, those are all OK.
02-26-2009 10:53 AM
I had originally started with just the AVP and the one VSA for Auth-Role, and could not get it to work. I then added the other AVPairs, figuring those were needed. Once I found the stuff in the sniffer trace, I removed the AVP (also removing the VSAs) and redid the AVP with one VSA, and it still does the same thing. The way the trace shows it, the traffic coming from the ACS to the Brocade states "unknown-attribute"; that's why I thought the ACS server is putting out something unusual. Can I post the cap?
02-26-2009 10:57 AM
Please :) post it
02-26-2009 11:00 AM
02-26-2009 11:14 AM
I see what you are saying. Just a little thought: I see that the string shows "Ad min", as if there were a space there. Can you post a screenshot of the values that ACS has?
02-26-2009 11:19 AM