Cisco ACS 4.2 and Brocade FC Switches AAA issue

florinmanaila
Level 1

Hi all,

Regarding the subject, I have the following issue: I can't properly authenticate the Brocade FC Switches with RADIUS via Cisco ACS. Here is the SAN equipment involved in the lab setup:

2 x Cisco ACS 4.2

2 x MDS 9216

2 x MDS FC Switches for IBM BladeCenter H

3 x Brocade 8Gbps FC Switches for IBM BladeCenter H

I have implemented the AAA for all Cisco Networking and Cisco MDS with TACACS as follows:

1. I have created the User Group: san.admins

2. I have created the Network Device Group: SAN

SAN AAA Clients

AAA Client Hostname    AAA Client IP Address   Authenticate Using
DC-MDS-9216-A          10.254.253.60           TACACS+ (Cisco IOS)
DC-MDS-9216-B          10.254.253.61           TACACS+ (Cisco IOS)
DC-MDS-BCH-A           10.254.253.14           TACACS+ (Cisco IOS)
DC-MDS-BCH-B           10.254.253.15           TACACS+ (Cisco IOS)
DC_BCH_Brocade8G_A     10.254.253.17           RADIUS (IETF)

More info I found at: http://www.cisco.com/en/US/docs/switches/datacenter/mds9000/sw/4_1/configuration/guides/cli_4_1/cradtac1.html

All MDS are working 100% with Cisco ACS!

For the Brocade8Gbps FC Switch I have used the RADIUS (IETF) from the RADIUS list presented by Cisco ACS (Juniper, Nortel etc). Now, I know that the Internet Engineering Task Force (IETF) draft standard specifies a method for communicating vendor-specific attributes (VSAs) between the network access server and the RADIUS server. The IETF uses attribute 26. VSAs allow vendors to support their own extended attributes that are not suitable for general use. The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option is vendor type 1, which is named cisco-avpair. The value is a string with the following format:

protocol : attribute separator value *

Where protocol is a Cisco attribute for a particular type of authorization, separator is = (equal sign) for mandatory attributes, and * (asterisk) is for optional attributes.

For the Cisco MDS/Nexus I have specified the following in the TACACS attributes: cisco-av-pair=shell:roles="network-admin" in order for the authentication to work.

When I log in to the Brocade8Gbps-FC switch via SSH with the username from Cisco ACS I get the following:

--- cut here ----

login as: florin.manaila

florin.manaila@10.254.253.17's password:

Switch role not specified, use default.

-----------------------------------------------------------------

DC_BCH_Brocade8G_A:florin.manaila>

--- cut here ----

So, the authentication of the Brocade8Gbps-FC switch in Cisco ACS is working, but I get the default profile "user". I am wondering where I have to specify the RADIUS attributes in order to send the profile to the Brocade FC switch, and what I have to send to the Brocade8Gbps-FC switch? Something similar to cisco-av-pair=shell:roles="network-admin"?

Any help will be very much appreciated, thank you.

FM

1 Reply

AZIZ BOUHMADI
Level 1

Hi,

Try with vendor code: 1588, and value: admin
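The original post describes the RFC 2865 Vendor-Specific attribute (attribute 26) and the Cisco cisco-avpair string format (vendor ID 9, vendor type 1), and the reply points at Brocade's own vendor code 1588 with the value admin. The following Python example is added here to illustrate both; it is not code from the thread, from Cisco ACS or from Brocade. It encodes and decodes attribute 26 byte-for-byte, splits a cisco-avpair string into protocol, attribute and value, and models how a switch picks its role: it honours only a VSA carrying its own vendor ID and falls back to the default role otherwise, which is exactly the "Switch role not specified, use default" behaviour seen in the login output. The Brocade vendor type number (1) and the attribute layout for the 1588 VSA are assumptions for the example, not values stated on the page.

```python
import struct
from typing import Dict, List, Tuple

VSA_TYPE = 26           # RFC 2865 Vendor-Specific attribute
VENDOR_CISCO = 9        # IANA enterprise number for Cisco (as stated in the post)
VENDOR_BROCADE = 1588   # vendor code given in the reply
VENDOR_TYPE_ROLE = 1    # ASSUMPTION: vendor type carrying the role string for both vendors


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """Build one attribute 26 on the wire.

    Layout: Type(1) Length(1) Vendor-Id(4) | Vendor-Type(1) Vendor-Length(1) Value(n)
    The outer Length field covers the whole attribute, so the string can be at
    most 255 - 8 = 247 bytes; longer values must be split across attributes.
    """
    data = value.encode("utf-8")
    if len(data) > 255 - 8:
        raise ValueError("VSA string too long for one attribute (max 247 bytes)")
    vendor_part = struct.pack("!BB", vendor_type, len(data) + 2) + data
    body = struct.pack("!I", vendor_id) + vendor_part
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def decode_vsa(raw: bytes) -> Tuple[int, int, str]:
    """Parse one attribute 26 and return (vendor_id, vendor_type, value).

    Both length fields are checked so a truncated or padded attribute is
    rejected instead of being silently misread.
    """
    if len(raw) < 8 or raw[0] != VSA_TYPE or raw[1] != len(raw):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", raw[2:6])[0]
    vendor_type, vendor_len = raw[6], raw[7]
    if vendor_len != len(raw) - 6:
        raise ValueError("vendor length does not match attribute length")
    return vendor_id, vendor_type, raw[8:].decode("utf-8")


def parse_cisco_avpair(value: str) -> Dict[str, object]:
    """Split a cisco-avpair string 'protocol:attribute=value' into its parts.

    '=' marks a mandatory attribute, '*' an optional one (Cisco format quoted
    in the post). Surrounding double quotes on the value are stripped.
    """
    protocol, _, rest = value.partition(":")
    for sep, mandatory in (("=", True), ("*", False)):
        if sep in rest:
            attr, _, val = rest.partition(sep)
            return {"protocol": protocol, "attribute": attr,
                    "value": val.strip('"'), "mandatory": mandatory}
    raise ValueError("no '=' or '*' separator in av-pair")


def select_role(attrs: List[bytes], vendor_id: int, vendor_type: int,
                default: str = "user") -> str:
    """Model of the NAS side: use the role from our own vendor's VSA, else the default.

    A VSA for a different vendor ID (e.g. a Cisco av-pair sent to a Brocade
    switch) is ignored, which is why the login in the post lands in 'user'.
    """
    for raw in attrs:
        vid, vtype, value = decode_vsa(raw)
        if vid == vendor_id and vtype == vendor_type:
            return value
    return default


# Constructed sample Access-Accept attribute lists for the two cases in the thread.
CISCO_ONLY = [encode_vsa(VENDOR_CISCO, 1, 'shell:roles="network-admin"')]
WITH_BROCADE = CISCO_ONLY + [encode_vsa(VENDOR_BROCADE, VENDOR_TYPE_ROLE, "admin")]

if __name__ == "__main__":
    print("Brocade role, Cisco VSA only :", select_role(CISCO_ONLY, VENDOR_BROCADE, VENDOR_TYPE_ROLE))
    print("Brocade role, with 1588 VSA  :", select_role(WITH_BROCADE, VENDOR_BROCADE, VENDOR_TYPE_ROLE))
    print("Parsed av-pair               :", parse_cisco_avpair('shell:roles="network-admin"'))
```

Run it as a script and the first line shows the default role, the second shows admin once a vendor 1588 attribute is present. The length checks in decode_vsa matter when this pattern is used in real parsing code: a RADIUS client that trusts the inner Vendor-Length over the outer Length can be made to read past the attribute.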