ACS 4.2 Appliance / VSAs for Brocade

marcs
Level 1

I'm attempting to use an ACS 4.2 appliance to authenticate / authorize users on Brocade SAN switches. I have added the AVP and VSA to ACS, and they all show up in the web interface to select. When I configure a specific attribute for authorization level (i.e., admin, user, operator, etc.), the authentication fails completely. Sniffer trace between the Brocade and the ACS shows the correct value for the AVP, but the VSA shows "unknown-attribute" coming back from the ACS. The attribute shows the actual value I put in for the attribute, plus some other junk. Is there any way to "dump" the current AVPs / VSAs on the ACS to make sure things are correct? I've verified all the values are correct; just need some more eyes / ears.

Thanks!

Ivan Martinon
Level 7

Are we completely certain that we have the correct VSA attribute values? I have seen some cases where, if the VSA value (not attribute string) is not the one the Brocade device knows, it will fail. Are the values matching these:

[User Defined Vendor]
Name=Brocade
IETF Code=1588
VSA 1=Brocade-Auth-Role

[Brocade-Auth-Role]
Type=Integer
Profile=IN OUT
Enums=Values

[Values]
0=SwitchAdmin
1=ZoneAdmin
2=FabricAdmin
3=BasicSwitchAdmin
4=Operator
5=User
6=Admin
;Type=STRING
;Profile=OUT

Also, quick question: did you reboot the appliance after importing those VSAs?

The Brocade info states that it should be a string, and not an integer. As well, I'm having to do this through RDBMS, as this is an appliance. That being the case, I'm not sure how I'd format the CSV file for integer values (I'd have to look that one up). I'm willing to try anything at this point, as I'm a little confused as to why it's rejecting the value.

You are actually right about the string part; it has to be a string. I gather you are using RDBMS; this was just an example that I got from a previous issue of mine with an ini file. What I needed you to look at was the actual VSA value. Take a look at this PDF. Did you also reboot the appliance?

The value for the VSA in the CSV file is "1" (no quotes). I had also rebooted it as well. I had gotten the same info that you have in the PDF; I believe it comes from the Brocade FabricOS manual.

Yep, can you post your CSV file here?

I've attached the accountActions.csv file that I used.

Here is the one I created; check if this makes more sense. Since your role is just a string, and it is selected depending on the string, you only need to define a single VSA with ID 1 and with string features to define the role.

The CSV file that you created has the same information in the same fields as what I had created. The only difference that I can see is that I created the AVP in one file, with a restart (action 355) at the end, then used a second file to create the VSA, with a restart at the end. Does that method make a difference?

You have several "Brocade-AVPairs" values there. As per my understanding, these values should be entered manually via a string like Operator and so on, so I don't see why these should be there. As for the other roles, those are all OK.

I had originally started with just the AVP and the one VSA for Auth-Role, and could not get it to work. I then added the other AVPairs, figuring those were needed. Once I found the stuff in the sniffer trace, I removed the AVP (also removing the VSAs) and redid the AVP with one VSA, and it still does the same thing. The way the trace shows it, the traffic coming from the ACS to the Brocade states "unknown-attribute"; that's why I thought the ACS server is putting out something unusual. Can I post the cap?

Please :) post it

Here's a cap.

I see what you are saying. Just a little thought: I see that the string shows "Ad min", as if there was a space there. Can you post the screenshot of the values that ACS has?

Attached is a JPG of what is in there right now.
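Added example, not part of the thread and not Cisco or Brocade code: a small decoder for checking the raw attribute bytes from a capture like the one discussed above, pulling out the Brocade-Auth-Role VSA (vendor 1588, VSA 1) and flagging a role string that contains a space or other unexpected bytes. It assumes the sub-attribute uses the type/length/value layout that RFC 2865 recommends for Vendor-Specific attributes; the function names are hypothetical.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
BROCADE_VENDOR_ID = 1588  # "IETF Code" quoted in the thread
BROCADE_AUTH_ROLE = 1     # "VSA 1=Brocade-Auth-Role" quoted in the thread


def iter_attributes(buf):
    """Yield (type, value) for each type/length/value attribute in buf."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = buf[pos], buf[pos + 1]
        if alen < 2 or pos + alen > len(buf):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, buf[pos + 2:pos + alen]
        pos += alen


def brocade_roles(attrs):
    """Return [(role_bytes, problems)] for every Brocade-Auth-Role VSA in attrs.

    attrs is the attribute section of a RADIUS packet (bytes after the 20-byte header).
    """
    found = []
    for atype, value in iter_attributes(attrs):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        (vendor_id,) = struct.unpack("!I", value[:4])
        if vendor_id != BROCADE_VENDOR_ID:
            continue
        # Assumption: sub-attributes reuse the top-level type/length/value layout.
        for vtype, vdata in iter_attributes(value[4:]):
            if vtype != BROCADE_AUTH_ROLE:
                continue
            problems = []
            if any(b < 0x21 or b > 0x7E for b in vdata):
                problems.append("non-printable or whitespace byte in role string")
            if len(vdata) == 4 and not vdata.isalpha():
                problems.append("4 bytes, looks like an integer encoding")
            found.append((vdata, problems))
    return found


def make_vsa(vendor_id, vtype, data):
    """Build one Vendor-Specific attribute; used here only for constructed samples."""
    sub = bytes([vtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(sub) + 6]) + struct.pack("!I", vendor_id) + sub
```

Feeding it the attribute bytes copied out of the capture shows at once whether the role string on the wire is a clean string such as `Admin`, a string with a stray space, or a 4-byte integer left over from a `Type=Integer` definition.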
